Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3122-1: NVIDIA graphics drivers vulnerabilities

November 4, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3122-1

3rd November, 2016

nvidia-graphics-drivers-304, nvidia-graphics-drivers-340, nvidia-graphics-drivers-367 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

NVIDIA graphics drivers could be made to run programs as an administrator.

Software description

nvidia-graphics-drivers-304
– NVIDIA binary X.Org driver
nvidia-graphics-drivers-340
– NVIDIA binary X.Org driver
nvidia-graphics-drivers-367
– NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers incorrectly sanitized
user mode inputs. A local attacker could use this issue to possibly gain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: nvidia-331

340.98-0ubuntu0.16.04.1; nvidia-current

304.132-0ubuntu0.16.04.2; nvidia-340-updates

340.98-0ubuntu0.16.04.1; nvidia-340

340.98-0ubuntu0.16.04.1; nvidia-331-updates

340.98-0ubuntu0.16.04.1; nvidia-361

367.57-0ubuntu0.16.04.1; nvidia-367

367.57-0ubuntu0.16.04.1; nvidia-304-updates

304.132-0ubuntu0.16.04.2; nvidia-304

304.132-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:: nvidia-331

340.98-0ubuntu0.14.04.1; nvidia-current

304.132-0ubuntu0.14.04.2; nvidia-352

367.57-0ubuntu0.14.04.1; nvidia-340-updates

340.98-0ubuntu0.14.04.1; nvidia-340

340.98-0ubuntu0.14.04.1; nvidia-331-updates

340.98-0ubuntu0.14.04.1; nvidia-304

304.132-0ubuntu0.14.04.2; nvidia-367

367.57-0ubuntu0.14.04.1; nvidia-304-updates

304.132-0ubuntu0.14.04.2; nvidia-352-updates

367.57-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: nvidia-331

340.98-0ubuntu0.12.04.1; nvidia-current

304.132-0ubuntu0.12.04.1; nvidia-340-updates

340.98-0ubuntu0.12.04.1; nvidia-340

340.98-0ubuntu0.12.04.1; nvidia-331-updates

340.98-0ubuntu0.12.04.1; nvidia-304-updates

304.132-0ubuntu0.12.04.1; nvidia-304

304.132-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-7382,

CVE-2016-7389

Ubuntu

USN-3123-1: curl vulnerabilities

November 4, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3123-1

3rd November, 2016

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in curl.

Software description

curl
– HTTP, HTTPS, and FTP client and client libraries

Details

It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)

Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)

It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)

It was discovered that curl incorrect handled case when comparing user
names and passwords. A remote attacker with knowledge of a case-insensitive
version of the correct password could possibly use this issue to cause
a connection to be reused. (CVE-2016-8616)

It was discovered that curl incorrect handled memory when encoding to
base64. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-8617)

It was discovered that curl incorrect handled memory when preparing
formatted output. A remote attacker could possibly use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8618)

It was discovered that curl incorrect handled memory when performing
Kerberos authentication. A remote attacker could possibly use this issue to
cause curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-8619)

Luật Nguyễn discovered that curl incorrectly handled parsing globs. A
remote attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8620)

Luật Nguyễn discovered that curl incorrectly handled converting dates. A
remote attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service. (CVE-2016-8621)

It was discovered that curl incorrectly handled URL percent-encoding
decoding. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-8622)

It was discovered that curl incorrectly handled shared cookies. A remote
server could possibly obtain incorrect cookies or other sensitive
information. (CVE-2016-8623)

Fernando Muñoz discovered that curl incorrect parsed certain URLs. A remote
attacker could possibly use this issue to trick curl into connecting to a
different host. (CVE-2016-8624)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: libcurl3-nss

7.50.1-1ubuntu1.1; libcurl3-gnutls

7.50.1-1ubuntu1.1; libcurl3

7.50.1-1ubuntu1.1
Ubuntu 16.04 LTS:: libcurl3-nss

7.47.0-1ubuntu2.2; libcurl3-gnutls

7.47.0-1ubuntu2.2; libcurl3

7.47.0-1ubuntu2.2
Ubuntu 14.04 LTS:: libcurl3-nss

7.35.0-1ubuntu2.10; libcurl3-gnutls

7.35.0-1ubuntu2.10; libcurl3

7.35.0-1ubuntu2.10
Ubuntu 12.04 LTS:: libcurl3-nss

7.22.0-3ubuntu4.17; libcurl3-gnutls

7.22.0-3ubuntu4.17; libcurl3

7.22.0-3ubuntu4.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-3113-1: Oxide vulnerabilities

November 3, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3113-1

2nd November, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

oxide-qt
– Web browser engine for Qt (QML plugin)

Details

It was discovered that a long running unload handler could cause an
incognito profile to be reused in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2016-1586)

Multiple security vulnerabilities were discovered in Chromium. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
spoof an application’s URL bar, obtain sensitive information, cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5181, CVE-2016-5182, CVE-2016-5185, CVE-2016-5186,
CVE-2016-5187, CVE-2016-5188, CVE-2016-5189, CVE-2016-5192, CVE-2016-5194)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: liboxideqtcore0

1.18.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:: liboxideqtcore0

1.18.3-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: liboxideqtcore0

1.18.3-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-3120-1: Memcached vulnerabilities

November 3, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3120-1

2nd November, 2016

memcached vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Memcached could be made to crash or run programs if it received specially
crafted network traffic.

Software description

memcached
– A high-performance memory object caching system

Details

Aleksandar Nikolic discovered that Memcached incorrectly handled certain
malformed commands. A remote attacker could use this issue to cause
Memcached to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: memcached

1.4.25-2ubuntu2.1
Ubuntu 16.04 LTS:: memcached

1.4.25-2ubuntu1.2
Ubuntu 14.04 LTS:: memcached

1.4.14-0ubuntu9.1
Ubuntu 12.04 LTS:: memcached

1.4.13-0ubuntu2.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-8704,

CVE-2016-8705,

CVE-2016-8706

Ubuntu

USN-3121-1: OpenJDK 8 vulnerabilities

November 3, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3121-1

3rd November, 2016

openjdk-8 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK 8.

Software description

openjdk-8
– Open Source Java implementation

Details

It was discovered that the Hotspot component of OpenJDK did not properly
check arguments of the System.arraycopy() function in certain cases. An
attacker could use this to bypass Java sandbox restrictions.
(CVE-2016-5582)

It was discovered that OpenJDK did not restrict the set of algorithms used
for Jar integrity verification. An attacker could use this to modify
without detection the content of a JAR file, affecting system integrity.
(CVE-2016-5542)

It was discovered that the JMX component of OpenJDK did not sufficiently
perform classloader consistency checks. An attacker could use this to
bypass Java sandbox restrictions. (CVE-2016-5554)

It was discovered that the Hotspot component of OpenJDK did not properly
check received Java Debug Wire Protocol (JDWP) packets. An attacker could
use this to send debugging commands to a Java application with debugging
enabled. (CVE-2016-5573)

It was discovered that OpenJDK did not properly handle HTTP proxy
authentication. An attacker could use this to expose HTTPS server
authentication credentials. (CVE-2016-5597)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: openjdk-8-jdk

8u111-b14-2ubuntu0.16.10.2; openjdk-8-jre-headless

8u111-b14-2ubuntu0.16.10.2; openjdk-8-jre

8u111-b14-2ubuntu0.16.10.2; openjdk-8-jdk-headless

8u111-b14-2ubuntu0.16.10.2; openjdk-8-jre-zero

8u111-b14-2ubuntu0.16.10.2; openjdk-8-jre-jamvm

8u111-b14-2ubuntu0.16.10.2
Ubuntu 16.04 LTS:: openjdk-8-jdk

8u111-b14-2ubuntu0.16.04.2; openjdk-8-jre-headless

8u111-b14-2ubuntu0.16.04.2; openjdk-8-jre

8u111-b14-2ubuntu0.16.04.2; openjdk-8-jdk-headless

8u111-b14-2ubuntu0.16.04.2; openjdk-8-jre-zero

8u111-b14-2ubuntu0.16.04.2; openjdk-8-jre-jamvm

8u111-b14-2ubuntu0.16.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

Ubuntu

USN-3117-1: GD library vulnerabilities

November 2, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3117-1

1st November, 2016

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a
specially crafted image file.

Software description

libgd2
– GD Graphics Library

Details

Ibrahim El-Sayed discovered that the GD library incorrectly handled certain
malformed Tiff images. If a user or automated system were tricked into
processing a specially crafted Tiff image, an attacker could cause a denial
of service. (CVE-2016-6911)

Ke Liu discovered that the GD library incorrectly handled certain integers
when processing WebP images. If a user or automated system were tricked
into processing a specially crafted WebP image, an attacker could cause a
denial of service, or possibly execute arbitrary code. This issue only
applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-7568)

Emmanuel Law discovered that the GD library incorrectly handled certain
strings when creating images. If a user or automated system were tricked
into processing a specially crafted image, an attacker could cause a denial
of service, or possibly execute arbitrary code. (CVE-2016-8670)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: libgd3

2.2.1-1ubuntu3.2
Ubuntu 16.04 LTS:: libgd3

2.1.1-4ubuntu0.16.04.5
Ubuntu 14.04 LTS:: libgd3

2.1.0-3ubuntu0.5
Ubuntu 12.04 LTS:: libgd2-xpm

2.0.36~rc1~dfsg-6ubuntu2.3; libgd2-noxpm

2.0.36~rc1~dfsg-6ubuntu2.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-6911,

CVE-2016-7568,

CVE-2016-8670

Ubuntu

USN-3116-1: DBus vulnerabilities

November 2, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3116-1

1st November, 2016

dbus vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in DBus.

Software description

dbus
– simple interprocess messaging system

Details

It was discovered that DBus incorrectly validated the source of
ActivationFailure signals. A local attacker could use this issue to cause a
denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2015-0245)

It was discovered that DBus incorrectly handled certain format strings. A
local attacker could use this issue to cause a denial of service, or
possibly execute arbitrary code. This issue is only exposed to unprivileged
users when the fix for CVE-2015-0245 is not applied, hence this issue is
only likely to affect Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04
LTS and Ubuntu 16.10 have been updated as a preventative measure in the
event that a new attack vector for this issue is discovered.
(No CVE number)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: dbus

1.10.10-1ubuntu1.1; libdbus-1-3

1.10.10-1ubuntu1.1
Ubuntu 16.04 LTS:: dbus

1.10.6-1ubuntu3.1; libdbus-1-3

1.10.6-1ubuntu3.1
Ubuntu 14.04 LTS:: dbus

1.6.18-0ubuntu4.4; libdbus-1-3

1.6.18-0ubuntu4.4
Ubuntu 12.04 LTS:: dbus

1.4.18-1ubuntu1.8; libdbus-1-3

1.4.18-1ubuntu1.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-0245

Ubuntu

USN-3115-1: Django vulnerabilities

November 2, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3115-1

1st November, 2016

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Django.

Software description

python-django
– High-level Python web development framework

Details

Marti Raudsepp discovered that Django incorrectly used a hardcoded password
when running tests on an Oracle database. A remote attacker could possibly
connect to the database while the tests are running and prevent the test
user with the hardcoded password from being removed. (CVE-2016-9013)

Aymeric Augustin discovered that Django incorrectly validated hosts when
being run with the debug setting enabled. A remote attacker could possibly
use this issue to perform DNS rebinding attacks. (CVE-2016-9014)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: python3-django

1.8.7-1ubuntu8.1; python-django

1.8.7-1ubuntu8.1
Ubuntu 16.04 LTS:: python3-django

1.8.7-1ubuntu5.4; python-django

1.8.7-1ubuntu5.4
Ubuntu 14.04 LTS:: python-django

1.6.1-2ubuntu0.16
Ubuntu 12.04 LTS:: python-django

1.3.1-4ubuntu1.22

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9013,

CVE-2016-9014

Ubuntu

USN-3119-1: Bind vulnerability

November 2, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3119-1

1st November, 2016

bind9 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

bind9
– Internet Domain Name Server

Details

Tony Finch and Marco Davids discovered that Bind incorrectly handled
certain responses containing a DNAME answer. A remote attacker could
possibly use this issue to cause Bind to crash, resulting in a denial of
service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: bind9

1:9.10.3.dfsg.P4-10.1ubuntu1.1
Ubuntu 16.04 LTS:: bind9

1:9.10.3.dfsg.P4-8ubuntu1.2
Ubuntu 14.04 LTS:: bind9

1:9.9.5.dfsg-3ubuntu0.10
Ubuntu 12.04 LTS:: bind9

1:9.8.1.dfsg.P1-4ubuntu0.19

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-8864

Ubuntu

USN-3118-1: Mailman vulnerabilities

November 2, 2016 007admin Leave a comment

Ubuntu Security Notice USN-3118-1

1st November, 2016

mailman vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Mailman.

Software description

mailman
– Powerful, web-based mailing list manager

Details

It was discovered that the Mailman administrative web interface did not
protect against cross-site request forgery (CSRF) attacks. If an
authenticated user were tricked into visiting a malicious website while
logged into Mailman, a remote attacker could perform administrative
actions. This issue only affected Ubuntu 12.04 LTS. (CVE-2016-7123)

Nishant Agarwala discovered that the Mailman user options page did not
protect against cross-site request forgery (CSRF) attacks. If an
authenticated user were tricked into visiting a malicious website while
logged into Mailman, a remote attacker could modify user options.
(CVE-2016-6893)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: mailman

1:2.1.22-1ubuntu0.1
Ubuntu 16.04 LTS:: mailman

1:2.1.20-1ubuntu0.1
Ubuntu 14.04 LTS:: mailman

1:2.1.16-2ubuntu0.2
Ubuntu 12.04 LTS:: mailman

1:2.1.14-3ubuntu0.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-6893,

CVE-2016-7123

Ubuntu Security Notice USN-3122-1

nvidia-graphics-drivers-304, nvidia-graphics-drivers-340, nvidia-graphics-drivers-367 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3123-1

curl vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3113-1

oxide-qt vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3120-1

memcached vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3121-1

openjdk-8 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3117-1

libgd2 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3116-1

dbus vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3115-1

python-django vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3119-1

bind9 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3118-1

mailman vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information