Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2948-1: Linux kernel (Utopic HWE) vulnerabilities

April 6, 2016 007admin

Ubuntu Security Notice USN-2948-1

6th April, 2016

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic for Trusty

Details

Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)

Ralf Spenneberg discovered that the usbvision driver in the Linux kernel
did not properly sanity check the interfaces and endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7833)

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux
kernel’s CXGB3 driver. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2015-8812)

It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux
Extended Verification Module (EVM). An attacker could use this to affect
system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted file
descriptors to the original opener for in-flight file descriptors sent over
a unix domain socket. A local attacker could use this to cause a denial of
service (resource exhaustion). (CVE-2016-2550)

Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use this
to cause a denial of service (resource exhaustion). (CVE-2016-2847)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-69-generic-lpae

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-lowlatency

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-generic

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-powerpc-e500mc

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-powerpc64-smp

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-powerpc64-emb

3.16.0-69.89~14.04.1; linux-image-3.16.0-69-powerpc-smp

3.16.0-69.89~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

Ubuntu

USN-2947-3: Linux kernel (Raspberry Pi 2) vulnerabilities

April 6, 2016 007admin

Ubuntu Security Notice USN-2947-3

6th April, 2016

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10

Summary

Several security issues were fixed in the kernel.

Software description

linux-raspi2
– Linux kernel for Raspberry Pi 2

Details

Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux
Extended Verification Module (EVM). An attacker could use this to affect
system integrity. (CVE-2016-2085)

It was discovered that the extended Berkeley Packet Filter (eBPF)
implementation in the Linux kernel did not correctly compute branch offsets
for backward jumps after ctx expansion. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-2383)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: linux-image-4.2.0-1028-raspi2

4.2.0-1028.36

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2949-1: Linux kernel (Vivid HWE) vulnerabilities

April 6, 2016 007admin

Ubuntu Security Notice USN-2949-1

6th April, 2016

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-vivid
– Linux hardware enablement kernel from Vivid for Trusty

Details

Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux
Extended Verification Module (EVM). An attacker could use this to affect
system integrity. (CVE-2016-2085)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.19.0-58-powerpc64-smp

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-lowlatency

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-generic

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-generic-lpae

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-powerpc-e500mc

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-powerpc64-emb

3.19.0-58.64~14.04.1; linux-image-3.19.0-58-powerpc-smp

3.19.0-58.64~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2944-1: Libav vulnerabilities

April 5, 2016 007admin

Ubuntu Security Notice USN-2944-1

4th April, 2016

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

libav
– Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: libavformat53

4:0.8.17-0ubuntu0.12.04.2; libavcodec53

4:0.8.17-0ubuntu0.12.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2945-1: XChat-GNOME vulnerability

April 5, 2016 007admin

Ubuntu Security Notice USN-2945-1

4th April, 2016

xchat-gnome vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

XChat-GNOME could be made to expose sensitive information over the network.

Software description

xchat-gnome
– simple and featureful IRC client for GNOME

Details

It was discovered that XChat-GNOME incorrectly verified the hostname in an
SSL certificate. An attacker could trick XChat-GNOME into trusting a rogue
server’s certificate, which was signed by a trusted certificate authority,
to perform a man-in-the-middle attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: xchat-gnome

1:0.30.0~git20141005.816798-0ubuntu6.2
Ubuntu 14.04 LTS:: xchat-gnome

1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2
Ubuntu 12.04 LTS:: xchat-gnome

1:0.30.0~git20110821.e2a400-0.2ubuntu4.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart XChat-GNOME to make
all the necessary changes.

References

LP: 1565000

Ubuntu

USN-2943-1: PCRE vulnerabilities

March 30, 2016 007admin

Ubuntu Security Notice USN-2943-1

29th March, 2016

pcre3 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

PCRE could be made to crash or run programs if it processed a
specially-crafted regular expression.

Software description

pcre3
– Perl 5 Compatible Regular Expression Library

Details

It was discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libpcre3

2:8.35-7.1ubuntu1.3
Ubuntu 14.04 LTS:: libpcre3

1:8.31-2ubuntu2.2
Ubuntu 12.04 LTS:: libpcre3

8.12-4ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using PCRE,
such as the Apache HTTP server and Nginx, to make all the necessary
changes.

References

Ubuntu

USN-2942-1: OpenJDK 7 vulnerability

March 25, 2016 007admin

Ubuntu Security Notice USN-2942-1

24th March, 2016

openjdk-7 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS

Summary

OpenJDK could be made to crash or run programs as your login if it received
specially crafted input.

Software description

openjdk-7
– Open Source Java implementation

Details

A vulnerability was discovered in the JRE related to information
disclosure, data integrity, and availability. An attacker could exploit
these to cause a denial of service, expose sensitive data over the network,
or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: openjdk-7-jre-lib

7u95-2.6.4-0ubuntu0.15.10.2; openjdk-7-jre-zero

7u95-2.6.4-0ubuntu0.15.10.2; icedtea-7-jre-jamvm

7u95-2.6.4-0ubuntu0.15.10.2; openjdk-7-jre-headless

7u95-2.6.4-0ubuntu0.15.10.2; openjdk-7-jre

7u95-2.6.4-0ubuntu0.15.10.2
Ubuntu 14.04 LTS:: openjdk-7-jre-zero

7u95-2.6.4-0ubuntu0.14.04.2; icedtea-7-jre-jamvm

7u95-2.6.4-0ubuntu0.14.04.2; openjdk-7-jre-lib

7u95-2.6.4-0ubuntu0.14.04.2; openjdk-7-jdk

7u95-2.6.4-0ubuntu0.14.04.2; openjdk-7-jre-headless

7u95-2.6.4-0ubuntu0.14.04.2; openjdk-7-jre

7u95-2.6.4-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

CVE-2016-0636

Ubuntu

USN-2941-1: Quagga vulnerabilities

March 24, 2016 007admin

Ubuntu Security Notice USN-2941-1

24th March, 2016

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Quagga could be made to crash or run programs if it received specially
crafted network traffic.

Software description

quagga
– BGP/OSPF/RIP routing daemon

Details

Kostya Kortchinsky discovered that Quagga incorrectly handled certain route
data when configured with BGP peers enabled for VPNv4. A remote attacker
could use this issue to cause Quagga to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2016-2342)

It was discovered that Quagga incorrectly handled messages with a large
LSA when used in certain configurations. A remote attacker could use this
issue to cause Quagga to crash, resulting in a denial of service. This
issue only affected Ubuntu 12.04 LTS. (CVE-2013-2236)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: quagga

0.99.24.1-2ubuntu0.1
Ubuntu 14.04 LTS:: quagga

0.99.22.4-3ubuntu1.1
Ubuntu 12.04 LTS:: quagga

0.99.20.1-0ubuntu0.12.04.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Quagga to make all the
necessary changes.

References

CVE-2013-2236,

CVE-2016-2342

Ubuntu

USN-2939-1: LibTIFF vulnerabilities

March 24, 2016 007admin

Ubuntu Security Notice USN-2939-1

23rd March, 2016

tiff vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

tiff
– Tag Image File Format (TIFF) library

Details

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libtiff5

4.0.3-12.3ubuntu2.1
Ubuntu 14.04 LTS:: libtiff5

4.0.3-7ubuntu0.4
Ubuntu 12.04 LTS:: libtiff4

3.9.5-2ubuntu1.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2937-1: WebKitGTK+ vulnerabilities

March 22, 2016 007admin

Ubuntu Security Notice USN-2937-1

21st March, 2016

webkitgtk vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

webkitgtk
– Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libjavascriptcoregtk-3.0-0

2.4.10-0ubuntu0.15.10.1; libjavascriptcoregtk-1.0-0

2.4.10-0ubuntu0.15.10.1; libwebkitgtk-1.0-0

2.4.10-0ubuntu0.15.10.1; libwebkitgtk-3.0-0

2.4.10-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:: libjavascriptcoregtk-3.0-0

2.4.10-0ubuntu0.14.04.1; libjavascriptcoregtk-1.0-0

2.4.10-0ubuntu0.14.04.1; libwebkitgtk-1.0-0

2.4.10-0ubuntu0.14.04.1; libwebkitgtk-3.0-0

2.4.10-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany and Evolution, to make all the
necessary changes.