Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3114-2: nginx regression

Leave a comment

Ubuntu Security Notice USN-3114-2

27th October, 2016

nginx regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3114-1 introduced a regression in nginx packaging.

Software description

  • nginx
    – small, powerful, scalable web/proxy server

Details

USN-3114-1 fixed a vulnerability in nginx. A packaging issue prevented
nginx from being reinstalled or upgraded to a subsequent release. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Dawid Golunski discovered that the nginx package incorrectly handled log
file permissions. A remote attacker could possibly use this issue to obtain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
nginx-extras

1.10.1-0ubuntu1.2
nginx-full

1.10.1-0ubuntu1.2
nginx-common

1.10.1-0ubuntu1.2
nginx-light

1.10.1-0ubuntu1.2
nginx-core

1.10.1-0ubuntu1.2
Ubuntu 16.04 LTS:
nginx-extras

1.10.0-0ubuntu0.16.04.4
nginx-full

1.10.0-0ubuntu0.16.04.4
nginx-common

1.10.0-0ubuntu0.16.04.4
nginx-light

1.10.0-0ubuntu0.16.04.4
nginx-core

1.10.0-0ubuntu0.16.04.4
Ubuntu 14.04 LTS:
nginx-extras

1.4.6-1ubuntu3.7
nginx-full

1.4.6-1ubuntu3.7
nginx-common

1.4.6-1ubuntu3.7
nginx-light

1.4.6-1ubuntu3.7
nginx-core

1.4.6-1ubuntu3.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1637058

Ubuntu

USN-3111-1: Firefox vulnerabilities

Leave a comment

Ubuntu Security Notice USN-3111-1

27th October, 2016

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Firefox.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

A use-after-free was discovered in service workers. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via program crash, or execute
arbitrary code. (CVE-2016-5287)

It was discovered that web content could access information in the HTTP
cache in some circumstances. An attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5288)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
firefox

49.0.2+build2-0ubuntu0.16.10.2
Ubuntu 16.04 LTS:
firefox

49.0.2+build2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
firefox

49.0.2+build2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox

49.0.2+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2016-5287,

CVE-2016-5288

Ubuntu

USN-3112-1: Thunderbird vulnerabilities

Leave a comment

Ubuntu Security Notice USN-3112-1

27th October, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5250)

Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard,
Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory
safety issues in Thunderbird. If a user were tricked in to opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5257)

Atte Kettunen discovered a heap buffer overflow during text conversion
with some unicode characters. If a user were tricked in to opening a
specially crafted message, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5270)

Abhishek Arya discovered a bad cast when processing layout with input
elements in some circumstances. If a user were tricked in to opening a
specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5272)

A use-after-free was discovered in web animations during restyling. If a
user were tricked in to opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5274)

A use-after-free was discovered in accessibility. If a user were tricked
in to opening a specially crafted website in a browsing context, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-5276)

A use-after-free was discovered in web animations when destroying a
timeline. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5277)

A buffer overflow was discovered when encoding image frames to images in
some circumstances. If a user were tricked in to opening a specially
crafted message, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5278)

Mei Wang discovered a use-after-free when changing text direction. If a
user were tricked in to opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5280)

Brian Carpenter discovered a use-after-free when manipulating SVG content
in some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2016-5281)

An issue was discovered with the preloaded Public Key Pinning (HPKP). If
a man-in-the-middle (MITM) attacker was able to obtain a fraudulent
certificate for a Mozilla site, they could exploit this by providing
malicious addon updates. (CVE-2016-5284)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
thunderbird

1:45.4.0+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
thunderbird

1:45.4.0+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
thunderbird

1:45.4.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird

1:45.4.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-5250,

CVE-2016-5257,

CVE-2016-5270,

CVE-2016-5272,

CVE-2016-5274,

CVE-2016-5276,

CVE-2016-5277,

CVE-2016-5278,

CVE-2016-5280,

CVE-2016-5281,

CVE-2016-5284

Ubuntu

USN-3109-1: MySQL vulnerabilities

Leave a comment

Ubuntu Security Notice USN-3109-1

25th October, 2016

mysql-5.5, mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

  • mysql-5.5
    – MySQL database

  • mysql-5.7
    – MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.53 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated to MySQL 5.7.16.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-16.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
mysql-server-5.7

5.7.16-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
mysql-server-5.7

5.7.16-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
mysql-server-5.5

5.5.53-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
mysql-server-5.5

5.5.53-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5584,

CVE-2016-7440

Ubuntu

USN-3110-1: Quagga vulnerability

Leave a comment

Ubuntu Security Notice USN-3110-1

25th October, 2016

quagga vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Quagga could be made to crash if it received specially crafted network
traffic.

Software description

  • quagga
    – BGP/OSPF/RIP routing daemon

Details

David Lamparter discovered that Quagga incorrectly handled certain IPv6
router advertisements. A remote attacker could possibly use this issue to
cause Quagga to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
quagga

1.0.20160315-2ubuntu0.1
Ubuntu 16.04 LTS:
quagga

0.99.24.1-2ubuntu1.2
Ubuntu 14.04 LTS:
quagga

0.99.22.4-3ubuntu1.3
Ubuntu 12.04 LTS:
quagga

0.99.20.1-0ubuntu0.12.04.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Quagga to make all the
necessary changes.

References

CVE-2016-1245

Ubuntu

USN-3114-1: nginx vulnerability

Leave a comment

Ubuntu Security Notice USN-3114-1

25th October, 2016

nginx vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • nginx
    – small, powerful, scalable web/proxy server

Details

Dawid Golunski discovered that the nginx package incorrectly handled log
file permissions. A remote attacker could possibly use this issue to obtain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
nginx-extras

1.10.1-0ubuntu1.1
nginx-full

1.10.1-0ubuntu1.1
nginx-common

1.10.1-0ubuntu1.1
nginx-light

1.10.1-0ubuntu1.1
nginx-core

1.10.1-0ubuntu1.1
Ubuntu 16.04 LTS:
nginx-extras

1.10.0-0ubuntu0.16.04.3
nginx-full

1.10.0-0ubuntu0.16.04.3
nginx-common

1.10.0-0ubuntu0.16.04.3
nginx-light

1.10.0-0ubuntu0.16.04.3
nginx-core

1.10.0-0ubuntu0.16.04.3
Ubuntu 14.04 LTS:
nginx-extras

1.4.6-1ubuntu3.6
nginx-full

1.4.6-1ubuntu3.6
nginx-common

1.4.6-1ubuntu3.6
nginx-light

1.4.6-1ubuntu3.6
nginx-core

1.4.6-1ubuntu3.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1247

Ubuntu

USN-3107-2: Linux kernel (Raspberry Pi 2) vulnerability

Leave a comment

Ubuntu Security Notice USN-3107-2

24th October, 2016

linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

Details

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
linux-image-4.8.0-1017-raspi2

4.8.0-1017.20

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-5195

Ubuntu

USN-3108-1: Bind vulnerability

Leave a comment

Ubuntu Security Notice USN-3108-1

21st October, 2016

bind9 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

  • bind9
    – Internet Domain Name Server

Details

Toshifumi Sakaguchi discovered that Bind incorrectly handled certain
packets with malformed options. A remote attacker could possibly use this
issue to cause Bind to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
bind9

1:9.8.1.dfsg.P1-4ubuntu0.18

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2848

Ubuntu

USN-3104-1: Linux kernel vulnerability

Leave a comment

Ubuntu Security Notice USN-3104-1

19th October, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-113-powerpc64-smp

3.2.0-113.155
linux-image-3.2.0-113-powerpc-smp

3.2.0-113.155
linux-image-3.2.0-113-generic-pae

3.2.0-113.155
linux-image-3.2.0-113-virtual

3.2.0-113.155
linux-image-3.2.0-113-generic

3.2.0-113.155
linux-image-3.2.0-113-omap

3.2.0-113.155
linux-image-3.2.0-113-highbank

3.2.0-113.155

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-5195

Ubuntu

USN-3106-1: Linux kernel vulnerability

Leave a comment

Ubuntu Security Notice USN-3106-1

19th October, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-45-powerpc64-emb

4.4.0-45.66
linux-image-4.4.0-45-powerpc-smp

4.4.0-45.66
linux-image-4.4.0-45-lowlatency

4.4.0-45.66
linux-image-4.4.0-45-generic

4.4.0-45.66
linux-image-4.4.0-45-generic-lpae

4.4.0-45.66
linux-image-4.4.0-45-powerpc-e500mc

4.4.0-45.66
linux-image-4.4.0-45-powerpc64-smp

4.4.0-45.66

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-5195