Category Archives: Ubuntu

Ubuntu Security Notices

USN-3237-1: FreeType vulnerability

Ubuntu Security Notice USN-3237-1

20th March, 2017

freetype vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

FreeType could be made to crash or run programs if it opened a specially
crafted font file.

Software description

  • freetype
    – FreeType 2 is a font engine library

Details

It was discovered that FreeType did not correctly handle certain malformed
font files. If a user were tricked into using a specially crafted font
file, a remote attacker could cause FreeType to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libfreetype6

2.6.3-3ubuntu1.1
Ubuntu 16.04 LTS:
libfreetype6

2.6.1-0.1ubuntu2.1
Ubuntu 14.04 LTS:
libfreetype6

2.5.2-1ubuntu2.6
Ubuntu 12.04 LTS:
libfreetype6

2.4.8-1ubuntu2.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2016-10244

USN-3240-1: NVIDIA graphics vulnerability

Ubuntu Security Notice USN-3240-1

20th March, 2017

nvidia-graphics-drivers-304, nvidia-graphics-drivers-340, nvidia-graphics-drivers-375 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NVIDIA graphics drivers could be made to crash under certain conditions.

Software description

  • nvidia-graphics-drivers-304
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-340
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-375
    – NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers contained a flaw in the
kernel mode layer. A local attacker could use this issue to cause a denial of
service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
nvidia-367

375.39-0ubuntu0.16.10.1
nvidia-375

375.39-0ubuntu0.16.10.1
nvidia-331

340.102-0ubuntu0.16.10.1
nvidia-current

304.135-0ubuntu0.16.10.1
nvidia-340-updates

340.102-0ubuntu0.16.10.1
nvidia-340

340.102-0ubuntu0.16.10.1
nvidia-331-updates

340.102-0ubuntu0.16.10.1
nvidia-304-updates

304.135-0ubuntu0.16.10.1
nvidia-304

304.135-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
nvidia-367

375.39-0ubuntu0.16.04.1
nvidia-375

375.39-0ubuntu0.16.04.1
nvidia-331

340.102-0ubuntu0.16.04.1
nvidia-current

304.135-0ubuntu0.16.04.1
nvidia-340-updates

340.102-0ubuntu0.16.04.1
nvidia-340

340.102-0ubuntu0.16.04.1
nvidia-331-updates

340.102-0ubuntu0.16.04.1
nvidia-304-updates

304.135-0ubuntu0.16.04.1
nvidia-304

304.135-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
nvidia-367

375.39-0ubuntu0.14.04.1
nvidia-375

375.39-0ubuntu0.14.04.1
nvidia-331

340.102-0ubuntu0.14.04.1
nvidia-current

304.135-0ubuntu0.14.04.1
nvidia-340-updates

340.102-0ubuntu0.14.04.1
nvidia-340

340.102-0ubuntu0.14.04.1
nvidia-331-updates

340.102-0ubuntu0.14.04.1
nvidia-304-updates

304.135-0ubuntu0.14.04.1
nvidia-304

304.135-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
nvidia-331

340.102-0ubuntu0.12.04.1
nvidia-current

304.135-0ubuntu0.12.04.1
nvidia-340-updates

340.102-0ubuntu0.12.04.1
nvidia-340

340.102-0ubuntu0.12.04.1
nvidia-331-updates

340.102-0ubuntu0.12.04.1
nvidia-304-updates

304.135-0ubuntu0.12.04.1
nvidia-304

304.135-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-0318

USN-3173-2: NVIDIA graphics drivers vulnerability

Ubuntu Security Notice USN-3173-2

20th March, 2017

nvidia-graphics-drivers-375 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

NVIDIA graphics drivers could be made to crash under certain conditions.

Software description

  • nvidia-graphics-drivers-375
    – NVIDIA binary X.Org driver

Details

USN-3173-1 fixed a vulnerability in nvidia-graphics-drivers-304 and
nvidia-graphics-drivers-340. This update provides the corresponding update for
nvidia-graphics-drivers-375.

Original advisory details:

It was discovered that the NVIDIA graphics drivers contained a flaw in the
kernel mode layer. A local attacker could use this issue to cause a denial of
service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
nvidia-367

375.39-0ubuntu0.16.10.1
nvidia-375

375.39-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
nvidia-367

375.39-0ubuntu0.16.04.1
nvidia-375

375.39-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
nvidia-367

375.39-0ubuntu0.14.04.1
nvidia-375

375.39-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-8826

USN-3239-1: GNU C Library vulnerabilities

Ubuntu Security Notice USN-3239-1

20th March, 2017

eglibc, glibc vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the GNU C Library.

Software description

  • eglibc
    – GNU C Library

  • glibc
    – GNU C Library

Details

It was discovered that the GNU C Library incorrectly handled the
strxfrm() function. An attacker could use this issue to cause a denial
of service or possibly execute arbitrary code. This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8982)

It was discovered that an integer overflow existed in the
_IO_wstr_overflow() function of the GNU C Library. An attacker could
use this to cause a denial of service or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2015-8983)

It was discovered that the fnmatch() function in the GNU C Library
did not properly handle certain malformed patterns. An attacker could
use this to cause a denial of service. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8984)

Alexander Cherepanov discovered a stack-based buffer overflow in the
glob implementation of the GNU C Library. An attacker could use this
to specially craft a directory layout and cause a denial of service.
(CVE-2016-1234)

Florian Weimer discovered a NULL pointer dereference in the DNS
resolver of the GNU C Library. An attacker could use this to cause
a denial of service. (CVE-2015-5180)

Michael Petlan discovered an unbounded stack allocation in the
getaddrinfo() function of the GNU C Library. An attacker could use
this to cause a denial of service. (CVE-2016-3706)

Aldy Hernandez discovered an unbounded stack allocation in the sunrpc
implementation in the GNU C Library. An attacker could use this to
cause a denial of service. (CVE-2016-4429)

Tim Ruehsen discovered that the getaddrinfo() implementation in the
GNU C Library did not properly track memory allocations. An attacker
could use this to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-5417)

Andreas Schwab discovered that the GNU C Library on ARM 32-bit
platforms did not properly set up execution contexts. An attacker
could use this to cause a denial of service. (CVE-2016-6323)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
libc6

2.23-0ubuntu6
Ubuntu 14.04 LTS:
libc6

2.19-0ubuntu6.10
Ubuntu 12.04 LTS:
libc6

2.15-0ubuntu10.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-5180,

CVE-2015-8982,

CVE-2015-8983,

CVE-2015-8984,

CVE-2016-1234,

CVE-2016-3706,

CVE-2016-4429,

CVE-2016-5417,

CVE-2016-6323

USN-3235-1: libxml2 vulnerabilities

Ubuntu Security Notice USN-3235-1

16th March, 2017

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in libxml2.

Software description

  • libxml2
    – GNOME XML library

Details

It was discovered that libxml2 incorrectly handled format strings. If a
user or automated system were tricked into opening a specially crafted
document, an attacker could possibly cause libxml2 to crash, resulting in a
denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04
LTS, and Ubuntu 16.04 LTS. (CVE-2016-4448)

It was discovered that libxml2 incorrectly handled certain malformed
documents. If a user or automated system were tricked into opening a
specially crafted document, an attacker could cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-4658)

Nick Wellnhofer discovered that libxml2 incorrectly handled certain
malformed documents. If a user or automated system were tricked into
opening a specially crafted document, an attacker could cause libxml2 to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-5131)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libxml2

2.9.4+dfsg1-2ubuntu0.1
Ubuntu 16.04 LTS:
libxml2

2.9.3+dfsg1-1ubuntu0.2
Ubuntu 14.04 LTS:
libxml2

2.9.1+dfsg1-3ubuntu4.9
Ubuntu 12.04 LTS:
libxml2

2.7.8.dfsg-5.1ubuntu4.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-4448,

CVE-2016-4658,

CVE-2016-5131

USN-3234-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu Security Notice USN-3234-2

15th March, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-xenial
    – Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3234-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)

It was discovered that the Linux kernel did not clear the setgid bit during
a setxattr call on a tmpfs filesystem. A local attacker could use this to
gain elevated group privileges. (CVE-2017-5551)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial

4.4.0.67.54
linux-image-generic-lpae-lts-xenial

4.4.0.67.54
linux-image-4.4.0-67-lowlatency

4.4.0-67.88~14.04.1
linux-image-4.4.0-67-generic-lpae

4.4.0-67.88~14.04.1
linux-image-lowlatency-lts-xenial

4.4.0.67.54
linux-image-generic-lts-xenial

4.4.0.67.54
linux-image-4.4.0-67-powerpc64-emb

4.4.0-67.88~14.04.1
linux-image-4.4.0-67-powerpc64-smp

4.4.0-67.88~14.04.1
linux-image-powerpc64-smp-lts-xenial

4.4.0.67.54
linux-image-4.4.0-67-generic

4.4.0-67.88~14.04.1
linux-image-4.4.0-67-powerpc-e500mc

4.4.0-67.88~14.04.1
linux-image-powerpc64-emb-lts-xenial

4.4.0.67.54
linux-image-powerpc-e500mc-lts-xenial

4.4.0.67.54
linux-image-4.4.0-67-powerpc-smp

4.4.0-67.88~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-10208,

CVE-2017-5551

USN-3234-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3234-1

15th March, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-gke
    – Linux kernel for Google Container Engine (GKE) systems

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

  • linux-snapdragon
    – Linux kernel for Snapdragon Processors

Details

Ralf Spenneberg discovered that the ext4 implementation in the Linux kernel
did not properly validate meta block groups. An attacker with physical
access could use this to specially craft an ext4 image that causes a denial
of service (system crash). (CVE-2016-10208)

It was discovered that the Linux kernel did not clear the setgid bit during
a setxattr call on a tmpfs filesystem. A local attacker could use this to
gain elevated group privileges. (CVE-2017-5551)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.67.72
linux-image-4.4.0-1009-aws

4.4.0-1009.18
linux-image-4.4.0-67-powerpc64-smp

4.4.0-67.88
linux-image-4.4.0-1051-snapdragon

4.4.0-1051.55
linux-image-4.4.0-67-powerpc64-emb

4.4.0-67.88
linux-image-4.4.0-67-generic

4.4.0-67.88
linux-image-snapdragon 4.4.0.1051.44
linux-image-powerpc64-emb 4.4.0.67.72
linux-image-gke 4.4.0.1006.7
linux-image-4.4.0-67-lowlatency

4.4.0-67.88
linux-image-4.4.0-1006-gke

4.4.0-1006.6
linux-image-generic 4.4.0.67.72
linux-image-aws 4.4.0.1009.11
linux-image-raspi2 4.4.0.1048.48
linux-image-4.4.0-67-powerpc-smp

4.4.0-67.88
linux-image-powerpc-smp 4.4.0.67.72
linux-image-generic-lpae 4.4.0.67.72
linux-image-4.4.0-67-generic-lpae

4.4.0-67.88
linux-image-4.4.0-1048-raspi2

4.4.0-1048.55
linux-image-powerpc64-smp 4.4.0.67.72
linux-image-4.4.0-67-powerpc-e500mc

4.4.0-67.88
linux-image-lowlatency 4.4.0.67.72

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-10208,

CVE-2017-5551

USN-3232-1: ImageMagick vulnerabilities

Ubuntu Security Notice USN-3232-1

14th March, 2017

imagemagick vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ImageMagick.

Software description

  • imagemagick
    – Image manipulation programs and library

Details

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libmagick++-6.q16-5v5

8:6.8.9.9-7ubuntu8.5
imagemagick

8:6.8.9.9-7ubuntu8.5
libmagickcore-6.q16-2-extra

8:6.8.9.9-7ubuntu8.5
imagemagick-6.q16

8:6.8.9.9-7ubuntu8.5
libmagickcore-6.q16-2

8:6.8.9.9-7ubuntu8.5
Ubuntu 16.04 LTS:
libmagick++-6.q16-5v5

8:6.8.9.9-7ubuntu5.6
imagemagick

8:6.8.9.9-7ubuntu5.6
libmagickcore-6.q16-2-extra

8:6.8.9.9-7ubuntu5.6
imagemagick-6.q16

8:6.8.9.9-7ubuntu5.6
libmagickcore-6.q16-2

8:6.8.9.9-7ubuntu5.6
Ubuntu 14.04 LTS:
libmagick++5

8:6.7.7.10-6ubuntu3.6
libmagickcore5-extra

8:6.7.7.10-6ubuntu3.6
libmagickcore5

8:6.7.7.10-6ubuntu3.6
imagemagick

8:6.7.7.10-6ubuntu3.6
Ubuntu 12.04 LTS:
libmagick++4

8:6.6.9.7-5ubuntu3.9
libmagickcore4

8:6.6.9.7-5ubuntu3.9
imagemagick

8:6.6.9.7-5ubuntu3.9
libmagickcore4-extra

8:6.6.9.7-5ubuntu3.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-6498,

CVE-2017-6499,

CVE-2017-6500

USN-3231-1: Pidgin vulnerability

Ubuntu Security Notice USN-3231-1

14th March, 2017

pidgin vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pidgin could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • pidgin
    – graphical multi-protocol instant messaging client for X

Details

Joseph Bisch discovered that Pidgin incorrectly handled certain xml
messages. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
libpurple0

1:2.10.9-0ubuntu3.4
Ubuntu 12.04 LTS:
libpurple0

1:2.10.3-0ubuntu1.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References

CVE-2017-2640

USN-3228-1: libevent vulnerabilities

Ubuntu Security Notice USN-3228-1

13th March, 2017

libevent vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in libevent.

Software description

  • libevent
    – Asynchronous event notification library

Details

Guido Vranken discovered that libevent incorrectly handled memory when
processing certain data. A remote attacker could possibly use this issue
with an application that uses libevent to cause a denial of service, or
possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libevent-2.0-5

2.0.21-stable-2ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libevent-2.0-5

2.0.21-stable-2ubuntu0.16.04.1
Ubuntu 14.04 LTS:
libevent-2.0-5

2.0.21-stable-1ubuntu1.14.04.2
Ubuntu 12.04 LTS:
libevent-2.0-5

2.0.16-stable-1ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10195,

CVE-2016-10196,

CVE-2016-10197