Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3019-1: Linux kernel (Utopic HWE) vulnerabilities

June 28, 2016 007admin

Ubuntu Security Notice USN-3019-1

27th June, 2016

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic for Trusty

Details

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling 32 bit
compatibility IPT_SO_SET_REPLACE events on 64 bit platforms. A local
unprivileged attacker could use this to cause a denial of service (system
crash) or execute arbitrary code with administrative privileges.
(CVE-2016-4997)

Kangjie Lu discovered an information leak in the core USB implementation in
the Linux kernel. A local attacker could use this to obtain potentially
sensitive information from kernel memory. (CVE-2016-4482)

Jann Horn discovered that the InfiniBand interfaces within the Linux kernel
could be coerced into overwriting kernel memory. A local unprivileged
attacker could use this to possibly gain administrative privileges on
systems where InifiniBand related kernel modules are loaded.
(CVE-2016-4565)

Kangjie Lu discovered an information leak in the timer handling
implementation in the Advanced Linux Sound Architecture (ALSA) subsystem of
the Linux kernel. A local attacker could use this to obtain potentially
sensitive information from kernel memory. (CVE-2016-4569, CVE-2016-4578)

Kangjie Lu discovered an information leak in the X.25 Call Request handling
in the Linux kernel. A local attacker could use this to obtain potentially
sensitive information from kernel memory. (CVE-2016-4580)

It was discovered that an information leak exists in the Rock Ridge
implementation in the Linux kernel. A local attacker who is able to mount a
malicious iso9660 file system image could exploit this flaw to obtain
potentially sensitive information from kernel memory. (CVE-2016-4913)

Jesse Hertz and Tim Newsham discovered that the Linux netfilter
implementation did not correctly perform validation when handling
IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to
cause a denial of service (system crash) or obtain potentially sensitive
information from kernel memory. (CVE-2016-4998)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-76-generic-lpae

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-lowlatency

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-generic

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-powerpc-e500mc

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-powerpc64-smp

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-powerpc64-emb

3.16.0-76.98~14.04.1; linux-image-3.16.0-76-powerpc-smp

3.16.0-76.98~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

Ubuntu

USN-3018-2: Linux kernel (Trusty HWE) vulnerabilities

June 28, 2016 007admin

Ubuntu Security Notice USN-3018-2

27th June, 2016

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty for Precise

Details

USN-3018-1 fixed vulnerabilities in the Linux kernel for Ubuntu
14.04 LTS. This update provides the corresponding updates for the
Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for
Ubuntu 12.04 LTS.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-91-generic-lpae

3.13.0-91.138~precise1; linux-image-3.13.0-91-generic

3.13.0-91.138~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-3020-1: Linux kernel (Vivid HWE) vulnerabilities

June 28, 2016 007admin

Ubuntu Security Notice USN-3020-1

27th June, 2016

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-vivid
– Linux hardware enablement kernel from Vivid for Trusty

Details

Baozeng Ding discovered that the Transparent Inter-process Communication
(TIPC) implementation in the Linux kernel did not verify socket existence
before use in some situations. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-4951)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.19.0-64-generic-lpae

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-lowlatency

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-generic

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-powerpc-e500mc

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-powerpc64-smp

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-powerpc64-emb

3.19.0-64.72~14.04.1; linux-image-3.19.0-64-powerpc-smp

3.19.0-64.72~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-3021-1: Linux kernel vulnerabilities

June 28, 2016 007admin

Ubuntu Security Notice USN-3021-1

27th June, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Andrey Konovalov discovered that the CDC Network Control Model USB driver
in the Linux kernel did not cancel work events queued if a later error
occurred, resulting in a use-after-free. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3951)

Baozeng Ding discovered a use-after-free issue in the generic PPP layer in
the Linux kernel. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-4805)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-105-powerpc64-smp

3.2.0-105.146; linux-image-3.2.0-105-generic-pae

3.2.0-105.146; linux-image-3.2.0-105-highbank

3.2.0-105.146; linux-image-3.2.0-105-generic

3.2.0-105.146; linux-image-3.2.0-105-virtual

3.2.0-105.146; linux-image-3.2.0-105-powerpc-smp

3.2.0-105.146; linux-image-3.2.0-105-omap

3.2.0-105.146

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-3021-2: Linux kernel (OMAP4) vulnerabilities

June 28, 2016 007admin

Ubuntu Security Notice USN-3021-2

27th June, 2016

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

Baozeng Ding discovered a use-after-free issue in the generic PPP layer in
the Linux kernel. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-4805)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-1483-omap4

3.2.0-1483.110

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-3014-1: Spice vulnerabilities

June 22, 2016 007admin

Ubuntu Security Notice USN-3014-1

21st June, 2016

spice vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 15.10
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Spice.

Software description

spice
– SPICE protocol client and server library

Details

Jing Zhao discovered that the Spice smartcard support incorrectly handled
memory. A remote attacker could use this issue to cause Spice to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-0749)

Frediano Ziglio discovered that Spice incorrectly handled certain primary
surface parameters. A malicious guest operating system could potentially
exploit this issue to escape virtualization. (CVE-2016-2150)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: libspice-server1

0.12.6-4ubuntu0.1
Ubuntu 15.10:: libspice-server1

0.12.5-1.1ubuntu2.1
Ubuntu 14.04 LTS:: libspice-server1

0.12.4-0nocelt2ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart qemu guests to make
all the necessary changes.

References

CVE-2016-0749,

CVE-2016-2150

Ubuntu

USN-3011-1: HAProxy vulnerability

June 21, 2016 007admin

Ubuntu Security Notice USN-3011-1

20th June, 2016

haproxy vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

HAProxy could be made to crash if it received specially crafted network
traffic.

Software description

haproxy
– fast and reliable load balancing reverse proxy

Details

Falco Schmutz discovered that HAProxy incorrectly handled the reqdeny
filter. A remote attacker could use this issue to cause HAProxy to crash,
resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: haproxy

1.6.3-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5360

Ubuntu

USN-3009-1: Dnsmasq vulnerability

June 21, 2016 007admin

Ubuntu Security Notice USN-3009-1

20th June, 2016

dnsmasq vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 15.10

Summary

Dnsmasq could be made to crash if it received specially crafted network
traffic.

Software description

dnsmasq
– Small caching DNS proxy and DHCP/TFTP server

Details

Edwin Török discovered that Dnsmasq incorrectly handled certain CNAME
responses. A remote attacker could use this issue to cause Dnsmasq to
crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: dnsmasq

2.75-1ubuntu0.16.04.1; dnsmasq-utils

2.75-1ubuntu0.16.04.1; dnsmasq-base

2.75-1ubuntu0.16.04.1
Ubuntu 15.10:: dnsmasq

2.75-1ubuntu0.15.10.1; dnsmasq-utils

2.75-1ubuntu0.15.10.1; dnsmasq-base

2.75-1ubuntu0.15.10.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-8899

Ubuntu

USN-3010-1: Expat vulnerabilities

June 21, 2016 007admin

Ubuntu Security Notice USN-3010-1

20th June, 2016

expat vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Expat.

Software description

expat
– XML parsing C library

Details

It was discovered that Expat unexpectedly called srand in certain
circumstances. This could reduce the security of calling applications.
(CVE-2012-6702)

It was discovered that Expat incorrectly handled seeding the random number
generator. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2016-5300)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: libexpat1

2.1.0-7ubuntu0.16.04.2; lib64expat1

2.1.0-7ubuntu0.16.04.2
Ubuntu 15.10:: libexpat1

2.1.0-7ubuntu0.15.10.2; lib64expat1

2.1.0-7ubuntu0.15.10.2
Ubuntu 14.04 LTS:: libexpat1

2.1.0-4ubuntu1.3; lib64expat1

2.1.0-4ubuntu1.3
Ubuntu 12.04 LTS:: libexpat1

2.0.1-7.2ubuntu1.4; lib64expat1

2.0.1-7.2ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart any applications linked
against Expat to effect the necessary changes.

References

CVE-2012-6702,

CVE-2016-5300

Ubuntu

USN-3012-1: Wget vulnerability

June 21, 2016 007admin

Ubuntu Security Notice USN-3012-1

20th June, 2016

wget vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Wget could be made to overwrite files.

Software description

wget
– retrieves files from the web

Details

Dawid Golunski discovered that Wget incorrectly handled filenames when
being redirected from an HTTP to an FTP URL. A malicious server could
possibly use this issue to overwrite local files.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: wget

1.17.1-1ubuntu1.1
Ubuntu 15.10:: wget

1.16.1-1ubuntu1.1
Ubuntu 14.04 LTS:: wget

1.15-1ubuntu1.14.04.2
Ubuntu 12.04 LTS:: wget

1.13.4-2ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-4971

Ubuntu Security Notice USN-3019-1

linux-lts-utopic vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3018-2

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3020-1

linux-lts-vivid vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3021-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3021-2

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3014-1

spice vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3011-1

haproxy vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3009-1

dnsmasq vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3010-1

expat vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3012-1

wget vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information