Ubuntu Security Notice USN-3038-1

18th July, 2016

apache2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

A security issue was fixed in the Apache HTTP Server.

Software description

• apache2
  – Apache HTTP server

Details

It was discovered that the Apache HTTP Server would set the HTTP_PROXY
environment variable based on the contents of the Proxy header from HTTP
requests. A remote attacker could possibly use this issue in combination
with CGI scripts that honour the HTTP_PROXY variable to redirect outgoing
HTTP requests.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

apache2-bin

2.4.18-2ubuntu3.1

Ubuntu 15.10:

apache2-bin

2.4.12-2ubuntu2.1

Ubuntu 14.04 LTS:

apache2.2-bin

2.4.7-1ubuntu4.13

Ubuntu 12.04 LTS:

apache2.2-bin

2.2.22-1ubuntu1.11

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5387

Ubuntu Security Notice USN-3023-1

18th July, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

• thunderbird
  – Mozilla Open Source mail and newsgroup client

Details

It was discovered that NSPR incorrectly handled memory allocation. If a
user were tricked in to opening a specially crafted message, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-1951)

Christian Holler, Gary Kwong, Jesse Ruderman, Tyson Smith, Timothy Nikkel,
Sylvestre Ledru, Julian Seward, Olli Pettay, and Karl Tomlinson,
discovered multiple memory safety issues in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-2818)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

thunderbird

1:45.2.0+build1-0ubuntu0.16.04.1

Ubuntu 15.10:

thunderbird

1:45.2.0+build1-0ubuntu0.15.10.1

Ubuntu 14.04 LTS:

thunderbird

1:45.2.0+build1-0ubuntu0.14.04.3

Ubuntu 12.04 LTS:

thunderbird

1:45.2.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-1951,

CVE-2016-2818

Ubuntu Security Notice USN-3032-1

14th July, 2016

ecryptfs-utils vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10

Summary

eCryptfs could be made to expose sensitive information.

Software description

• ecryptfs-utils
  – eCryptfs cryptographic filesystem utilities

Details

It was discovered that eCryptfs incorrectly configured the encrypted swap
partition for certain drive types. An attacker could use this issue to discover
sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

ecryptfs-utils

111-0ubuntu1.1

Ubuntu 15.10:

ecryptfs-utils

108-0ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-6224

Ubuntu Security Notice USN-3034-1

14th July, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux
  – Linux kernel

Details

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-3.13.0-92-powerpc-e500mc

3.13.0-92.139

linux-image-3.13.0-92-powerpc-e500

3.13.0-92.139

linux-image-3.13.0-92-powerpc64-smp

3.13.0-92.139

linux-image-3.13.0-92-generic-lpae

3.13.0-92.139

linux-image-3.13.0-92-powerpc-smp

3.13.0-92.139

linux-image-3.13.0-92-lowlatency

3.13.0-92.139

linux-image-3.13.0-92-generic

3.13.0-92.139

linux-image-3.13.0-92-powerpc64-emb

3.13.0-92.139

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu Security Notice USN-3033-1

14th July, 2016

libarchive vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

libarchive could be made to crash or run programs if it opened a specially
crafted file.

Software description

• libarchive
  – Library to read/write archive files

Details

Hanno Böck discovered that libarchive contained multiple security issues
when processing certain malformed archive files. A remote attacker could
use this issue to cause libarchive to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2015-8916, CVE-2015-8917
CVE-2015-8919, CVE-2015-8920, CVE-2015-8921, CVE-2015-8922, CVE-2015-8923,
CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2015-8930,
CVE-2015-8931, CVE-2015-8932, CVE-2015-8933, CVE-2015-8934, CVE-2016-5844)

Marcin “Icewall” Noga discovered that libarchive contained multiple
security issues when processing certain malformed archive files. A remote
attacker could use this issue to cause libarchive to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-4300,
CVE-2016-4302)

It was discovered that libarchive incorrectly handled memory allocation
with large cpio symlinks. A remote attacker could use this issue to
possibly cause libarchive to crash, resulting in a denial of service.
(CVE-2016-4809)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

libarchive13

3.1.2-11ubuntu0.16.04.2

Ubuntu 15.10:

libarchive13

3.1.2-11ubuntu0.15.10.2

Ubuntu 14.04 LTS:

libarchive13

3.1.2-7ubuntu2.3

Ubuntu 12.04 LTS:

libarchive12

3.0.3-6ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8916,

CVE-2015-8917,

CVE-2015-8919,

CVE-2015-8920,

CVE-2015-8921,

CVE-2015-8922,

CVE-2015-8923,

CVE-2015-8924,

CVE-2015-8925,

CVE-2015-8926,

CVE-2015-8928,

CVE-2015-8930,

CVE-2015-8931,

CVE-2015-8932,

CVE-2015-8933,

CVE-2015-8934,

CVE-2016-4300,

CVE-2016-4302,

CVE-2016-4809,

CVE-2016-5844

Ubuntu Security Notice USN-3035-1

14th July, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10

Summary

The system could be made to crash under certain conditions.

Software description

• linux
  – Linux kernel

Details

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

linux-image-4.2.0-42-powerpc64-smp

4.2.0-42.49

linux-image-4.2.0-42-generic

4.2.0-42.49

linux-image-4.2.0-42-generic-lpae

4.2.0-42.49

linux-image-4.2.0-42-powerpc64-emb

4.2.0-42.49

linux-image-4.2.0-42-powerpc-e500mc

4.2.0-42.49

linux-image-4.2.0-42-lowlatency

4.2.0-42.49

linux-image-4.2.0-42-powerpc-smp

4.2.0-42.49

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu Security Notice USN-3034-2

14th July, 2016

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-lts-trusty
  – Linux hardware enablement kernel from Trusty for Precise

Details

USN-3034-1 fixed a vulnerability in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.13.0-92-generic-lpae

3.13.0-92.139~precise1

linux-image-3.13.0-92-generic

3.13.0-92.139~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu Security Notice USN-3035-2

14th July, 2016

linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10

Summary

The system could be made to crash under certain conditions.

Software description

• linux-raspi2
  – Linux kernel for Raspberry Pi 2

Details

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

linux-image-4.2.0-1034-raspi2

4.2.0-1034.44

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu Security Notice USN-3036-1

14th July, 2016

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-lts-utopic
  – Linux hardware enablement kernel from Utopic for Trusty

Details

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-3.16.0-77-powerpc-smp

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-powerpc-e500mc

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-powerpc64-smp

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-generic

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-generic-lpae

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-powerpc64-emb

3.16.0-77.99~14.04.1

linux-image-3.16.0-77-lowlatency

3.16.0-77.99~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu Security Notice USN-3035-3

14th July, 2016

linux-lts-wily vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-lts-wily
  – Linux hardware enablement kernel from Wily for Trusty

Details

USN-3035-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-4.2.0-42-powerpc64-smp

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-generic

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-generic-lpae

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-powerpc64-emb

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-powerpc-e500mc

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-lowlatency

4.2.0-42.49~14.04.1

linux-image-4.2.0-42-powerpc-smp

4.2.0-42.49~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070