Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3037-1: Linux kernel (Vivid HWE) vulnerability

Ubuntu Security Notice USN-3037-1

14th July, 2016

linux-lts-vivid vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-lts-vivid
    – Linux hardware enablement kernel from Vivid for Trusty

Details

Jan Stancek discovered that the Linux kernel’s memory manager did not
properly handle moving pages mapped by the asynchronous I/O (AIO) ring
buffer to the other nodes. A local attacker could use this to cause a
denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-65-powerpc64-smp

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-powerpc-smp

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-powerpc-e500mc

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-powerpc64-emb

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-generic

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-generic-lpae

3.19.0-65.73~14.04.1
linux-image-3.19.0-65-lowlatency

3.19.0-65.73~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-3070

Ubuntu

USN-3031-1: Pidgin vulnerabilities

Ubuntu Security Notice USN-3031-1

12th July, 2016

pidgin vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pidgin could be made to crash or run programs if it received
specially crafted network traffic.

Software description

  • pidgin
    – graphical multi-protocol instant messaging client for X

Details

Yves Younan discovered that Pidgin contained multiple issues in the MXit
protocol support. A remote attacker could use this issue to cause Pidgin to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
libpurple0

1:2.10.11-0ubuntu4.2
Ubuntu 14.04 LTS:
libpurple0

1:2.10.9-0ubuntu3.3
Ubuntu 12.04 LTS:
libpurple0

1:2.10.3-0ubuntu1.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References

CVE-2016-2365,

CVE-2016-2366,

CVE-2016-2367,

CVE-2016-2368,

CVE-2016-2369,

CVE-2016-2370,

CVE-2016-2371,

CVE-2016-2372,

CVE-2016-2373,

CVE-2016-2374,

CVE-2016-2375,

CVE-2016-2376,

CVE-2016-2377,

CVE-2016-2378,

CVE-2016-2380,

CVE-2016-4323

Ubuntu

USN-3028-1: NSPR vulnerability

Ubuntu Security Notice USN-3028-1

11th July, 2016

nspr vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSPR could be made to crash or run programs if it received specially
crafted input.

Software description

  • nspr
    – NetScape Portable Runtime Library

Details

It was discovered that NSPR incorrectly handled memory allocation. A remote
attacker could use this issue to cause NSPR to crash, resulting in a denial
of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libnspr4

2:4.12-0ubuntu0.16.04.1
Ubuntu 15.10:
libnspr4

2:4.12-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libnspr4

2:4.12-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
libnspr4

4.12-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all
the necessary changes.

References

CVE-2016-1951

Ubuntu

USN-3029-1: NSS vulnerability

Ubuntu Security Notice USN-3029-1

11th July, 2016

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSS could be made to crash or run programs if it processed specially
crafted network traffic.

Software description

  • nss
    – Network Security Service library

Details

Tyson Smith and Jed Davis discovered that NSS incorrectly handled memory. A
remote attacker could use this issue to cause NSS to crash, resulting in a
denial of service, or possibly execute arbitrary code.

This update refreshes the NSS package to version 3.23 which includes
the latest CA certificate bundle. As a security improvement, this update
also modifies NSS behaviour to reject DH key sizes below 1024 bits,
preventing a possible downgrade attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libnss3

2:3.23-0ubuntu0.16.04.1
Ubuntu 15.10:
libnss3

2:3.23-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libnss3

2:3.23-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
libnss3

2:3.23-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

CVE-2016-2834

Ubuntu

USN-3030-1: GD library vulnerabilities

Ubuntu Security Notice USN-3030-1

11th July, 2016

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a
specially crafted image file.

Software description

  • libgd2
    – GD Graphics Library

Details

It was discovered that the GD library incorrectly handled memory when using
gdImageScaleTwoPass(). A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
(CVE-2013-7456)

It was discovered that the GD library incorrectly handled certain malformed
XBM images. If a user or automated system were tricked into processing a
specially crafted XBM image, an attacker could cause a denial of service.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04
LTS. (CVE-2016-5116)

It was discovered that the GD library incorrectly handled memory when using
_gd2GetHeader(). A remote attacker could possibly use this issue to cause a
denial of service or possibly execute arbitrary code. (CVE-2016-5766)

It was discovered that the GD library incorrectly handled certain color
indexes. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and
Ubuntu 16.04 LTS. (CVE-2016-6128)

It was discovered that the GD library incorrectly handled memory when
encoding a GIF image. A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2016-6161)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libgd3

2.1.1-4ubuntu0.16.04.2
Ubuntu 15.10:
libgd3

2.1.1-4ubuntu0.15.10.2
Ubuntu 14.04 LTS:
libgd3

2.1.0-3ubuntu0.2
Ubuntu 12.04 LTS:
libgd2-xpm

2.0.36~rc1~dfsg-6ubuntu2.2
libgd2-noxpm

2.0.36~rc1~dfsg-6ubuntu2.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7456,

CVE-2016-5116,

CVE-2016-5766,

CVE-2016-6128,

CVE-2016-6161

Ubuntu

USN-3027-1: Tomcat vulnerability

Ubuntu Security Notice USN-3027-1

6th July, 2016

tomcat8 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Tomcat could be made to hang if it received specially crafted network
traffic.

Software description

  • tomcat8
    – Servlet and JSP engine

Details

It was discovered that the Tomcat Fileupload library incorrectly handled
certain upload requests. A remote attacker could possibly use this issue to
cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
tomcat8

8.0.32-1ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-3092

Ubuntu

USN-3024-1: Tomcat vulnerabilities

Ubuntu Security Notice USN-3024-1

5th July, 2016

tomcat6, tomcat7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Tomcat.

Software description

  • tomcat6
    – Servlet and JSP engine

  • tomcat7
    – Servlet and JSP engine

Details

It was discovered that Tomcat incorrectly handled pathnames used by web
applications in a getResource, getResourceAsStream, or getResourcePaths
call. A remote attacker could use this issue to possibly list a parent
directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 15.10. (CVE-2015-5174)

It was discovered that the Tomcat mapper component incorrectly handled
redirects. A remote attacker could use this issue to determine the
existence of a directory. This issue only affected Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5345)

It was discovered that Tomcat incorrectly handled different session
settings when multiple versions of the same web application was deployed. A
remote attacker could possibly use this issue to hijack web sessions. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5346)

It was discovered that the Tomcat Manager and Host Manager applications
incorrectly handled new requests. A remote attacker could possibly use this
issue to bypass CSRF protection mechanisms. This issue only affected Ubuntu
14.04 LTS and Ubuntu 15.10. (CVE-2015-5351)

It was discovered that Tomcat did not place StatusManagerServlet on the
RestrictedServlets list. A remote attacker could possibly use this issue to
read arbitrary HTTP requests, including session ID values. This issue only
affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
(CVE-2016-0706)

It was discovered that the Tomcat session-persistence implementation
incorrectly handled session attributes. A remote attacker could possibly
use this issue to execute arbitrary code in a privileged context. This
issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
(CVE-2016-0714)

It was discovered that the Tomcat setGlobalContext method incorrectly
checked if callers were authorized. A remote attacker could possibly use
this issue to read or wite to arbitrary application data, or cause a denial
of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 15.10. (CVE-2016-0763)

It was discovered that the Tomcat Fileupload library incorrectly handled
certain upload requests. A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2016-3092)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libtomcat7-java

7.0.68-1ubuntu0.1
Ubuntu 15.10:
libtomcat7-java

7.0.64-1ubuntu0.3
Ubuntu 14.04 LTS:
libtomcat7-java

7.0.52-1ubuntu0.6
Ubuntu 12.04 LTS:
libtomcat6-java

6.0.35-1ubuntu3.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-5174,

CVE-2015-5345,

CVE-2015-5346,

CVE-2015-5351,

CVE-2016-0706,

CVE-2016-0714,

CVE-2016-0763,

CVE-2016-3092

Ubuntu

USN-3026-1: libimobiledevice vulnerability

Ubuntu Security Notice USN-3026-1

5th July, 2016

libimobiledevice vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

libimobiledevice would allow unintended access to devices over the network.

Software description

  • libimobiledevice
    – Library for communicating with iPhone and iPod Touch devices

Details

It was discovered that libimobiledevice incorrectly handled socket
permissions. A remote attacker could use this issue to access services on
iOS devices, contrary to expectations.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libimobiledevice6

1.2.0+dfsg-3~ubuntu0.2
Ubuntu 15.10:
libimobiledevice4

1.1.6+dfsg-3.1ubuntu0.1
Ubuntu 14.04 LTS:
libimobiledevice4

1.1.5+git20140313.bafe6a9e-0ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5104

Ubuntu

USN-3025-1: GIMP vulnerability

Ubuntu Security Notice USN-3025-1

5th July, 2016

gimp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

GIMP could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • gimp
    – The GNU Image Manipulation Program

Details

It was discovered that GIMP incorrectly handled malformed XCF files. If a
user were tricked into opening a specially crafted XCF file, an attacker
could cause GIMP to crash, or possibly execute arbitrary code with the
user’s privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
gimp

2.8.14-1ubuntu2.1
Ubuntu 14.04 LTS:
gimp

2.8.10-0ubuntu1.1
Ubuntu 12.04 LTS:
gimp

2.6.12-1ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-4994

Ubuntu

USN-3026-2: libusbmuxd vulnerability

Ubuntu Security Notice USN-3026-2

5th July, 2016

libusbmuxd vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10

Summary

libusbmuxd would allow unintended access to devices over the network.

Software description

  • libusbmuxd
    – USB multiplexor daemon for iPhone and iPod Touch devices

Details

It was discovered that libusbmuxd incorrectly handled socket permissions.
A remote attacker could use this issue to access services on iOS devices,
contrary to expectations.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libusbmuxd4

1.0.10-2ubuntu0.1
Ubuntu 15.10:
libusbmuxd2

1.0.9-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5104