Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2369-1: file vulnerability

Leave a comment

Ubuntu Security Notice USN-2369-1

2nd October, 2014

file vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

file could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

  • file
    – Tool to determine file types

Details

It was discovered that file incorrectly handled certain CDF documents. A
attacker could use this issue to cause file to hang or crash, resulting
in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
file

1:5.14-2ubuntu3.2
Ubuntu 12.04 LTS:
file

5.09-2ubuntu0.5
Ubuntu 10.04 LTS:
file

5.03-5ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3587

Ubuntu

USN-2368-1: OpenVPN vulnerability

Leave a comment

Ubuntu Security Notice USN-2368-1

2nd October, 2014

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

OpenVPN could be made to expose sensitive information over the network.

Software description

  • openvpn
    – virtual private network software

Details

It was discovered that OpenVPN incorrectly handled HMAC comparisons when
running in UDP mode. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could possibly be used to perform a
plaintext recovery attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
openvpn

2.2.1-8ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-2061

Ubuntu

USN-2380-1: Bash vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2380-1

9th October, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

  • bash
    – The GNU Bourne Again SHell

Details

Michal Zalewski discovered that Bash incorrectly handled parsing certain
function definitions. If an attacker were able to create an environment
variable containing a function definition with a very specific name, these
issues could possibly be used to bypass certain environment restrictions
and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278)

Please note that the previous Bash security update, USN-2364-1, includes
a hardening measure that prevents these issues from being used in a
Shellshock attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
bash

4.3-7ubuntu1.5
Ubuntu 12.04 LTS:
bash

4.2-2ubuntu2.6
Ubuntu 10.04 LTS:
bash

4.1-2ubuntu3.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6277,

CVE-2014-6278

Ubuntu

USN-2381-1: Rsyslog vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2381-1

9th October, 2014

rsyslog vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Rsyslog could be made to crash if it received specially crafted input.

Software description

  • rsyslog
    – Enhanced syslogd

Details

It was discovered that Rsyslog incorrectly handled invalid PRI values. An
attacker could use this issue to send malformed messages to the Rsyslog
server and cause it to stop responding, resulting in a denial of service
and possibly message loss. (CVE-2014-3634, CVE-2014-3683)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
rsyslog

7.4.4-1ubuntu2.3
Ubuntu 12.04 LTS:
rsyslog

5.8.6-1ubuntu8.9
Ubuntu 10.04 LTS:
rsyslog

4.2.0-2ubuntu8.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3634,

CVE-2014-3683