Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2922-1: Samba vulnerabilities

March 9, 2016 007admin

Ubuntu Security Notice USN-2922-1

8th March, 2016

samba vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Samba.

Software description

samba
– SMB/CIFS file, print, and login server for Unix

Details

Jeremy Allison discovered that Samba incorrectly handled ACLs on symlink
paths. A remote attacker could use this issue to overwrite the ownership of
ACLs using symlinks. (CVE-2015-7560)

Garming Sam and Douglas Bagnall discovered that the Samba internal DNS
server incorrectly handled certain DNS TXT records. A remote attacker could
use this issue to cause Samba to crash, resulting in a denial of service,
or possibly obtain uninitialized memory contents. This issue only applied
to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0771)

It was discovered that the Samba Web Administration Tool (SWAT) was
vulnerable to clickjacking and cross-site request forgery attacks. This
issue only affected Ubuntu 12.04 LTS. (CVE-2013-0213, CVE-2013-0214)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: samba

2:4.1.17+dfsg-4ubuntu3.3
Ubuntu 14.04 LTS:: samba

2:4.1.6+dfsg-1ubuntu2.14.04.13
Ubuntu 12.04 LTS:: swat

2:3.6.3-2ubuntu2.17; samba

2:3.6.3-2ubuntu2.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2923-1: BeanShell vulnerability

March 9, 2016 007admin

Ubuntu Security Notice USN-2923-1

8th March, 2016

bsh vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

BeanShell could be made to run programs if it processed specially crafted
input.

Software description

bsh
– Java scripting environment

Details

Alvaro Muñoz and Christian Schneider discovered that BeanShell incorrectly
handled deserialization. A remote attacker could possibly use this issue
to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libbsh-java

2.0b4-15ubuntu0.15.10.1; bsh

2.0b4-15ubuntu0.15.10.1
Ubuntu 14.04 LTS:: libbsh-java

2.0b4-15ubuntu0.14.04.1; bsh

2.0b4-15ubuntu0.14.04.1
Ubuntu 12.04 LTS:: bsh

2.0b4-12ubuntu0.1; bsh-gcj

2.0b4-12ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2510

Ubuntu

USN-2915-2: Django regression

March 8, 2016 007admin

Ubuntu Security Notice USN-2915-2

7th March, 2016

python-django regression

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS

Summary

USN-2915-1 introduced a regression in Django.

Software description

python-django
– High-level Python web development framework

Details

USN-2915-1 fixed vulnerabilities in Django. The upstream fix for
CVE-2016-2512 introduced a regression for certain applications. This update
fixes the problem.

Original advisory details:

Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)

Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: python3-django

1.7.9-1ubuntu5.3; python-django

1.7.9-1ubuntu5.3
Ubuntu 14.04 LTS:: python-django

1.6.1-2ubuntu0.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1553251

Ubuntu

USN-2915-3: Django regression

March 8, 2016 007admin

Ubuntu Security Notice USN-2915-3

7th March, 2016

python-django regression

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS

Summary

USN-2915-1 introduced a regression in Django.

Software description

python-django
– High-level Python web development framework

Details

USN-2915-1 fixed vulnerabilities in Django. The upstream fix for
CVE-2016-2512 introduced a regression for certain applications. This update
fixes the problem by applying the complete upstream regression fix.

Original advisory details:

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: python3-django

1.7.9-1ubuntu5.4; python-django

1.7.9-1ubuntu5.4
Ubuntu 14.04 LTS:: python-django

1.6.1-2ubuntu0.14

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1553251

Ubuntu

USN-2921-1: Squid vulnerabilities

March 8, 2016 007admin

Ubuntu Security Notice USN-2921-1

7th March, 2016

squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Squid.

Software description

squid3
– Web proxy cache server

Details

Sebastian Krahmer discovered that Squid incorrectly handled certain SNMP
requests. If SNMP is enabled, a remote attacker could use this issue to
cause Squid to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6270)

Alex Rousskov discovered that Squid incorrectly handled certain malformed
responses. A remote attacker could possibly use this issue to cause Squid
to crash, resulting in a denial of service. (CVE-2016-2571)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: squid3

3.3.8-1ubuntu16.2
Ubuntu 14.04 LTS:: squid3

3.3.8-1ubuntu6.6
Ubuntu 12.04 LTS:: squid3

3.1.19-1ubuntu3.12.04.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6270,

CVE-2016-2571

Ubuntu

USN-2904-1: Thunderbird vulnerabilities

March 8, 2016 007admin

Ubuntu Security Notice USN-2904-1

8th March, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

thunderbird
– Mozilla Open Source mail and newsgroup client

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly
allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
view sensitive information. (CVE-2015-7575)

Yves Younan discovered that graphite2 incorrectly handled certain malformed
fonts. If a user were tricked into opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitary code with the
privileges of the user invoking Thunderbird. (CVE-2016-1523)

Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman,
Carsten Book, and Randell Jesup discovered multiple memory safety issues
in Thunderbird. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit these
to cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Thunderbird. (CVE-2016-1930)

Aki Helin discovered a buffer overflow when rendering WebGL content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2016-1935)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: thunderbird

1:38.6.0+build1-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:: thunderbird

1:38.6.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: thunderbird

1:38.6.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

Ubuntu

USN-2918-1: pixman vulnerability

March 4, 2016 007admin

Ubuntu Security Notice USN-2918-1

3rd March, 2016

pixman vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

pixman could be made to crash or run programs as your login if it processed
specially crafted data.

Software description

pixman
– pixel-manipulation library for X and cairo

Details

Vincent LE GARREC discovered an integer underflow in pixman. If a user were
tricked into opening a specially crafted file, a remote attacker could
cause pixman to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: libpixman-1-0

0.30.2-2ubuntu1.1
Ubuntu 12.04 LTS:: libpixman-1-0

0.30.2-1ubuntu0.0.0.0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2014-9766

Ubuntu

USN-2919-1: JasPer vulnerabilities

March 4, 2016 007admin

Ubuntu Security Notice USN-2919-1

3rd March, 2016

jasper vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in JasPer.

Software description

jasper
– Library for manipulating JPEG-2000 files

Details

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles
in JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to
crash or possibly execute arbitrary code with user privileges.
(CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when
processing JPEG-2000 image files. If a user were tricked into opening a
specially crafted JPEG-2000 image file, a remote attacker could cause
JasPer to consume memory, resulting in a denial of service.
(CVE-2016-2116)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libjasper1

1.900.1-debian1-2.4ubuntu0.15.10.1
Ubuntu 14.04 LTS:: libjasper1

1.900.1-14ubuntu3.3
Ubuntu 12.04 LTS:: libjasper1

1.900.1-13ubuntu0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1577,

CVE-2016-2116

Ubuntu

USN-2916-1: Perl vulnerabilities

March 3, 2016 007admin

Ubuntu Security Notice USN-2916-1

2nd March, 2016

perl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Perl.

Software description

perl
– Practical Extraction and Report Language

Details

It was discovered that Perl incorrectly handled certain regular expressions
with an invalid backreference. An attacker could use this issue to cause
Perl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2013-7422)

Markus Vervier discovered that Perl incorrectly handled nesting in the
Data::Dumper module. An attacker could use this issue to cause Perl to
consume memory and crash, resulting in a denial of service. (CVE-2014-4330)

Stephane Chazelas discovered that Perl incorrectly handled duplicate
environment variables. An attacker could possibly use this issue to bypass
the taint protection mechanism. (CVE-2016-2381)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: perl

5.20.2-6ubuntu0.2
Ubuntu 14.04 LTS:: perl

5.18.2-2ubuntu1.1
Ubuntu 12.04 LTS:: perl

5.14.2-6ubuntu2.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7422,

CVE-2014-4330,

CVE-2016-2381

Ubuntu

USN-2915-1: Django vulnerabilities

March 2, 2016 007admin

Ubuntu Security Notice USN-2915-1

1st March, 2016

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Django.

Software description

python-django
– High-level Python web development framework

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: python3-django

1.7.9-1ubuntu5.2; python-django

1.7.9-1ubuntu5.2
Ubuntu 14.04 LTS:: python-django

1.6.1-2ubuntu0.12
Ubuntu 12.04 LTS:: python-django

1.3.1-4ubuntu1.20

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2512,

CVE-2016-2513

Ubuntu Security Notice USN-2922-1

samba vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2923-1

bsh vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2915-2

python-django regression

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2915-3

python-django regression

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2921-1

squid3 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2904-1

thunderbird vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2918-1

pixman vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2919-1

jasper vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2916-1

perl vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2915-1

python-django vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information