Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3084-1: Linux kernel vulnerabilities

September 19, 2016 007admin

Ubuntu Security Notice USN-3084-1

19th September, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)

It was discovered that the powerpc and powerpc64 hypervisor-mode KVM
implementation in the Linux kernel for did not properly maintain state
about transactional memory. An unprivileged attacker in a guest could cause
a denial of service (CPU lockup) in the host OS. (CVE-2016-5412)

Pengfei Wang discovered a race condition in the Chrome OS embedded
controller device driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2016-6156)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: linux-image-4.4.0-38-powerpc64-emb

4.4.0-38.57; linux-image-4.4.0-38-powerpc64-smp

4.4.0-38.57; linux-image-4.4.0-38-generic

4.4.0-38.57; linux-image-4.4.0-38-powerpc-e500mc

4.4.0-38.57; linux-image-4.4.0-38-powerpc-smp

4.4.0-38.57; linux-image-4.4.0-38-lowlatency

4.4.0-38.57; linux-image-4.4.0-38-generic-lpae

4.4.0-38.57

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-5412,

CVE-2016-6136,

CVE-2016-6156

Ubuntu

USN-3084-3: Linux kernel (Raspberry Pi 2) vulnerabilities

September 19, 2016 007admin

Ubuntu Security Notice USN-3084-3

19th September, 2016

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-raspi2
– Linux kernel for Raspberry Pi 2

Details

Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: linux-image-4.4.0-1023-raspi2

4.4.0-1023.29

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-5412,

CVE-2016-6136,

CVE-2016-6156

Ubuntu

USN-3084-2: Linux kernel (Xenial HWE) vulnerabilities

September 19, 2016 007admin

Ubuntu Security Notice USN-3084-2

19th September, 2016

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-xenial
– Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3084-1 fixed vulnerabilities in the Linux kernel for Ubuntu
16.04 LTS. This update provides the corresponding updates for the
Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for
Ubuntu 14.04 LTS.

Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-4.4.0-38-powerpc64-emb

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-generic

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-powerpc-e500mc

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-powerpc-smp

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-lowlatency

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-generic-lpae

4.4.0-38.57~14.04.1; linux-image-4.4.0-38-powerpc64-smp

4.4.0-38.57~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-5412,

CVE-2016-6136,

CVE-2016-6156

Ubuntu

USN-3084-4: Linux kernel (Qualcomm Snapdragon) vulnerabilities

September 19, 2016 007admin

Ubuntu Security Notice USN-3084-4

19th September, 2016

linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-snapdragon
– Linux kernel for Snapdragon Processors

Details

Pengfei Wang discovered a race condition in the audit subsystem in the
Linux kernel. A local attacker could use this to corrupt audit logs or
disrupt system-call auditing. (CVE-2016-6136)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: linux-image-4.4.0-1026-snapdragon

4.4.0-1026.29

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-5412,

CVE-2016-6136,

CVE-2016-6156

Ubuntu

USN-3080-1: Python Imaging Library vulnerabilities

September 15, 2016 007admin

Ubuntu Security Notice USN-3080-1

15th September, 2016

python-imaging vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Python Imaging Libary could be made to crash if it received specially crafted
input or opened a specially crafted file.

Software description

python-imaging
– Python Imaging Library

Details

Eric Soroos discovered that the Python Imaging Library incorrectly handled
certain malformed FLI or PhotoCD files. A remote attacker could use this
issue to cause Python Imaging Library to crash, resulting in a denial of
service. (CVE-2016-0775, CVE-2016-2533)

Andrew Drake discovered that the Python Imaging Libray incorrectly validated
input. A remote attacker could use this to cause Python Imaging Library to
crash, resulting in a denial of service. (CVE-2014-3589)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: python-imaging

1.1.7-4ubuntu0.12.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3589,

CVE-2016-0775,

CVE-2016-2533

Ubuntu

USN-3079-1: WebKitGTK+ vulnerabilities

September 14, 2016 007admin

Ubuntu Security Notice USN-3079-1

14th September, 2016

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

webkit2gtk
– JavaScript engine library from WebKitGTK+ – GObject introspection

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: libwebkit2gtk-4.0-37

2.12.5-0ubuntu0.16.04.1; libjavascriptcoregtk-4.0-18

2.12.5-0ubuntu0.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

Ubuntu

USN-3058-1: Oxide vulnerabilities

September 14, 2016 007admin

Ubuntu Security Notice USN-3058-1

14th September, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

oxide-qt
– Web browser engine for Qt (QML plugin)

Details

An issue was discovered in Blink involving the provisional URL for an
initially empty document. An attacker could potentially exploit this to
spoof the currently displayed URL. (CVE-2016-5141)

A use-after-free was discovered in the WebCrypto implementation in Blink.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-5142)

It was discovered that the devtools subsystem in Blink mishandles various
parameters. An attacker could exploit this to bypass intended access
restrictions. (CVE-2016-5143, CVE-2016-5144)

It was discovered that Blink does not ensure that a taint property is
preserved after a structure-clone operation on an ImageBitmap object
derived from a cross-origin image. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
bypass same origin restrictions. (CVE-2016-5145)

Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2016-5146, CVE-2016-5167)

It was discovered that Blink mishandles deferred page loads. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-5147)

An issue was discovered in Blink related to widget updates. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-5148)

A use-after-free was discovered in Blink. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5150)

It was discovered that Chromium does not correctly validate access to the
initial document. An attacker could potentially exploit this to spoof the
currently displayed URL. (CVE-2016-5155)

A use-after-free was discovered in the event bindings in Blink. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5156)

A type confusion bug was discovered in Blink. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5161)

An issue was discovered with the devtools implementation. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2016-5164)

An issue was discovered with the devtools implementation. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2016-5165)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: liboxideqtcore0

1.17.7-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: liboxideqtcore0

1.17.7-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-3078-1: MySQL vulnerability

September 13, 2016 007admin

Ubuntu Security Notice USN-3078-1

13th September, 2016

mysql-5.5, mysql-5.7 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

MySQL could be made to run programs as an administrator.

Software description

mysql-5.5
– MySQL database
mysql-5.7
– MySQL database

Details

Dawid Golunski discovered that MySQL incorrectly handled configuration
files. A remote attacker could possibly use this issue to execute arbitrary
code with root privileges.

MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 16.04 LTS has been updated to MySQL 5.7.15.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-14.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: mysql-server-5.7

5.7.15-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: mysql-server-5.5

5.5.52-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: mysql-server-5.5

5.5.52-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-6662

Ubuntu

USN-3077-1: OpenJDK 6 vulnerabilities

September 12, 2016 007admin

Ubuntu Security Notice USN-3077-1

12th September, 2016

openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

openjdk-6
– Open Source Java implementation

Details

A vulnerability was discovered in the OpenJDK JRE related to data
integrity. An attacker could exploit this to expose sensitive data over the
network or possibly execute arbitrary code. (CVE-2016-3458)

Multiple vulnerabilities were discovered in the OpenJDK JRE related
to availability. An attacker could exploit these to cause a denial
of service. (CVE-2016-3500, CVE-2016-3508)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure. An attacker could exploit this to expose sensitive data over
the network. (CVE-2016-3550)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure, data integrity, and availability. An attacker could exploit
this to cause a denial of service, expose sensitive data over the network,
or possibly execute arbitrary code. (CVE-2016-3606)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: icedtea-6-jre-cacao

6b40-1.13.12-0ubuntu0.12.04.1; icedtea-6-jre-jamvm

6b40-1.13.12-0ubuntu0.12.04.1; openjdk-6-jre

6b40-1.13.12-0ubuntu0.12.04.1; openjdk-6-jre-headless

6b40-1.13.12-0ubuntu0.12.04.1; openjdk-6-jre-zero

6b40-1.13.12-0ubuntu0.12.04.1; openjdk-6-jre-lib

6b40-1.13.12-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

Ubuntu

USN-3075-1: Imlib2 vulnerabilities

September 9, 2016 007admin

Ubuntu Security Notice USN-3075-1

8th September, 2016

imlib2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Imlib2.

Software description

imlib2
– Image manipulation and rendering library

Details

Jakub Wilk discovered an out of bounds read in the GIF loader
implementation in Imlib2. An attacker could use this to cause a
denial of service (application crash) or possibly obtain sensitive
information. (CVE-2016-3994)

Yuriy M. Kaminskiy discovered an off-by-one error when handling
coordinates in Imlib2. An attacker could use this to cause a denial of
service (application crash). (CVE-2016-3993)

Yuriy M. Kaminskiy discovered that integer overflows existed in Imlib2
when handling images with large dimensions. An attacker could use
this to cause a denial of service (memory exhaustion or application
crash). (CVE-2014-9771, CVE-2016-4024)

Kevin Ryde discovered that the ellipse drawing code in Imlib2 would
attempt to divide by zero when drawing a 2×1 ellipse. An attacker
could use this to cause a denial of service (application crash).
(CVE-2011-5326)

It was discovered that Imlib2 did not properly handled GIF images
without colormaps. An attacker could use this to cause a denial of
service (application crash). This issue only affected Ubuntu 12.04 LTS
and Ubuntu 14.04 LTS. (CVE-2014-9762)

It was discovered that Imlib2 did not properly handle some PNM images,
leading to a division by zero. An attacker could use this to cause
a denial of service (application crash). This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9763)

It was discovered that Imlib2 did not properly handle error conditions
when loading some GIF images. An attacker could use this to cause
a denial of service (application crash). This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9764)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: libimlib2

1.4.7-1ubuntu0.1
Ubuntu 14.04 LTS:: libimlib2

1.4.6-2ubuntu0.1
Ubuntu 12.04 LTS:: libimlib2

1.4.4-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you will need to restart applications
that make use of Imlib2 to make all the necessary changes.

References

Ubuntu Security Notice USN-3084-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3084-3

linux-raspi2 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3084-2

linux-lts-xenial vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3084-4

linux-snapdragon vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3080-1

python-imaging vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3079-1

webkit2gtk vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3058-1

oxide-qt vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3078-1

mysql-5.5, mysql-5.7 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3077-1

openjdk-6 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3075-1

imlib2 vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information