Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2883-1: OpenSSL vulnerability

January 29, 2016 007admin

Ubuntu Security Notice USN-2883-1

28th January, 2016

openssl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10

Summary

OpenSSL could be made to expose sensitive information over the network.

Software description

openssl
– Secure Socket Layer (SSL) cryptographic library and tools

Details

Antonio Sanso discovered that OpenSSL reused the same private DH exponent
for the life of a server process when configured with a X9.42 style
parameter file. This could allow a remote attacker to possibly discover the
server’s private DH exponent when being used with non-safe primes.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libssl1.0.0

1.0.2d-0ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-0701

Ubuntu

USN-2880-1: Firefox vulnerabilities

January 28, 2016 007admin

Ubuntu Security Notice USN-2880-1

27th January, 2016

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

firefox
– Mozilla Open Source web browser

Details

Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman,
Carsten Book, Randell Jesup, Nicolas Pierron, Eric Rescorla, Tyson Smith,
and Gabor Krizsanits discovered multiple memory safety issues in Firefox.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1930, CVE-2016-1931)

Gustavo Grieco discovered an out-of-memory crash when loading GIF images
in some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could exploit this to cause a denial of
service. (CVE-2016-1933)

Aki Helin discovered a buffer overflow when rendering WebGL content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2016-1935)

It was discovered that a delay was missing when focusing the protocol
handler dialog. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to conduct
clickjacking attacks. (CVE-2016-1937)

Hanno Böck discovered that calculations with mp_div and mp_exptmod in NSS
produce incorrect results in some circumstances, resulting in
cryptographic weaknesses. (CVE-2016-1938)

Nicholas Hurley discovered that Firefox allows for control characters to
be set in cookie names. An attacker could potentially exploit this to
conduct cookie injection attacks on some web servers. (CVE-2016-1939)

It was discovered that when certain invalid URLs are pasted in to the
addressbar, the addressbar contents may be manipulated to show the
location of arbitrary websites. An attacker could potentially exploit this
to conduct URL spoofing attacks. (CVE-2016-1942)

Ronald Crane discovered three vulnerabilities through code inspection. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2016-1944, CVE-2016-1945, CVE-2016-1946)

François Marier discovered that Application Reputation lookups didn’t
work correctly, disabling warnings for potentially malicious downloads. An
attacker could potentially exploit this by tricking a user in to
downloading a malicious file. Other parts of the Safe Browsing feature
were unaffected by this. (CVE-2016-1947)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: firefox

44.0+build3-0ubuntu0.15.10.1
Ubuntu 15.04:: firefox

44.0+build3-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: firefox

44.0+build3-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox

44.0+build3-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

Ubuntu

USN-2882-1: curl vulnerability

January 28, 2016 007admin

Ubuntu Security Notice USN-2882-1

27th January, 2016

curl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

curl would incorrectly re-use credentials.

Software description

curl
– HTTP, HTTPS, and FTP client and client libraries

Details

Isaac Boukris discovered that curl could incorrectly re-use NTLM proxy
credentials when subsequently connecting to the same host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libcurl3-nss

7.43.0-1ubuntu2.1; libcurl3-gnutls

7.43.0-1ubuntu2.1; libcurl3

7.43.0-1ubuntu2.1
Ubuntu 15.04:: libcurl3-nss

7.38.0-3ubuntu2.3; libcurl3-gnutls

7.38.0-3ubuntu2.3; libcurl3

7.38.0-3ubuntu2.3
Ubuntu 14.04 LTS:: libcurl3-nss

7.35.0-1ubuntu2.6; libcurl3-gnutls

7.35.0-1ubuntu2.6; libcurl3

7.35.0-1ubuntu2.6
Ubuntu 12.04 LTS:: libcurl3-nss

7.22.0-3ubuntu4.15; libcurl3-gnutls

7.22.0-3ubuntu4.15; libcurl3

7.22.0-3ubuntu4.15

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-0755

Ubuntu

USN-2877-1: Oxide vulnerabilities

January 28, 2016 007admin

Ubuntu Security Notice USN-2877-1

27th January, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

oxide-qt
– Web browser engine library for Qt (QML plugin)

Details

A bad cast was discovered in V8. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via renderer crash or execute arbitrary code
with the privileges of the sandboxed render process. (CVE-2016-1612)

An issue was discovered when initializing the UnacceleratedImageBufferSurface
class in Blink. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to obtain sensitive
information. (CVE-2016-1614)

An issue was discovered with the CSP implementation in Blink. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit this to determine whether specific HSTS sites had been
visited by reading a CSP report. (CVE-2016-1617)

An issue was discovered with random number generator in Blink. An attacker
could potentially exploit this to defeat cryptographic protection
mechanisms. (CVE-2016-1618)

Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2016-1620)

Multiple security issues were discovered in V8. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2016-2051)

Multiple security issues were discovered in Harfbuzz. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via renderer
crash or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2016-2052)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: liboxideqtcore0

1.12.5-0ubuntu0.15.10.1
Ubuntu 15.04:: liboxideqtcore0

1.12.5-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: liboxideqtcore0

1.12.5-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2881-1: MySQL vulnerabilities

January 27, 2016 007admin

Ubuntu Security Notice USN-2881-1

26th January, 2016

mysql-5.5, mysql-5.6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

mysql-5.5
– MySQL database
mysql-5.6
– MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.47 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 15.04 and Ubuntu 15.10 have been updated to MySQL 5.6.28.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-47.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-28.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: mysql-server-5.6

5.6.28-0ubuntu0.15.10.1
Ubuntu 15.04:: mysql-server-5.6

5.6.28-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: mysql-server-5.5

5.5.47-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: mysql-server-5.5

5.5.47-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2878-1: Perl vulnerability

January 22, 2016 007admin

Ubuntu Security Notice USN-2878-1

21st January, 2016

perl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04

Summary

Perl incorrectly handled the taint attribute.

Software description

perl
– Practical Extraction and Report Language

Details

David Golden discovered that the canonpath function in the Perl File::Spec
module did not properly preserve the taint attribute. An attacker could
possibly use this issue to bypass the taint protection mechanism.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: perl

5.20.2-6ubuntu0.1
Ubuntu 15.04:: perl

5.20.2-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8607

Ubuntu

USN-2879-1: rsync vulnerability

January 22, 2016 007admin

Ubuntu Security Notice USN-2879-1

21st January, 2016

rsync vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

rsync could be made to write files outside of the expected directory.

Software description

rsync
– fast, versatile, remote (and local) file-copying tool

Details

It was discovered that rsync incorrectly handled invalid filenames. A
malicious server could use this issue to write files outside of the
intended destination directory.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: rsync

3.1.1-3ubuntu0.15.10.1
Ubuntu 15.04:: rsync

3.1.1-3ubuntu0.15.04.1
Ubuntu 14.04 LTS:: rsync

3.1.0-2ubuntu0.2
Ubuntu 12.04 LTS:: rsync

3.0.9-1ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9512

Ubuntu

USN-2876-1: eCryptfs vulnerability

January 21, 2016 007admin

Ubuntu Security Notice USN-2876-1

20th January, 2016

ecryptfs-utils vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

mount.ecryptfs_private could be used to run programs as an administrator.

Software description

ecryptfs-utils
– eCryptfs cryptographic filesystem utilities

Details

Jann Horn discovered that mount.ecryptfs_private would mount over certain
directories in the proc filesystem. A local attacker could use this to escalate
their privileges. (CVE-2016-1572)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: ecryptfs-utils

108-0ubuntu1.1
Ubuntu 15.04:: ecryptfs-utils

107-0ubuntu1.3
Ubuntu 14.04 LTS:: ecryptfs-utils

104-0ubuntu1.14.04.4
Ubuntu 12.04 LTS:: ecryptfs-utils

96-0ubuntu3.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1572

Ubuntu

USN-2870-1: Linux kernel vulnerability

January 20, 2016 007admin

Ubuntu Security Notice USN-2870-1

19th January, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

linux
– Linux kernel

Details

Yevgeny Pats discovered that the session keyring implementation in the
Linux kernel did not properly reference count when joining an existing
session keyring. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code with
administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-76-generic-lpae

3.13.0-76.120; linux-image-3.13.0-76-lowlatency

3.13.0-76.120; linux-image-3.13.0-76-powerpc-e500mc

3.13.0-76.120; linux-image-3.13.0-76-powerpc-smp

3.13.0-76.120; linux-image-3.13.0-76-powerpc64-smp

3.13.0-76.120; linux-image-3.13.0-76-powerpc-e500

3.13.0-76.120; linux-image-3.13.0-76-generic

3.13.0-76.120; linux-image-3.13.0-76-powerpc64-emb

3.13.0-76.120

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0728

Ubuntu

USN-2872-1: Linux kernel vulnerability

January 20, 2016 007admin

Ubuntu Security Notice USN-2872-1

19th January, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10

Summary

The system could be made to crash or run programs as an administrator.

Software description

linux
– Linux kernel

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: linux-image-4.2.0-25-powerpc64-smp

4.2.0-25.30; linux-image-4.2.0-25-powerpc-smp

4.2.0-25.30; linux-image-4.2.0-25-lowlatency

4.2.0-25.30; linux-image-4.2.0-25-powerpc-e500mc

4.2.0-25.30; linux-image-4.2.0-25-generic-lpae

4.2.0-25.30; linux-image-4.2.0-25-powerpc64-emb

4.2.0-25.30; linux-image-4.2.0-25-generic

4.2.0-25.30

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-0728

Ubuntu Security Notice USN-2883-1

openssl vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2880-1

firefox vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2882-1

curl vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2877-1

oxide-qt vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2881-1

mysql-5.5, mysql-5.6 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2878-1

perl vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2879-1

rsync vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2876-1

ecryptfs-utils vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2870-1

linux vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2872-1

linux vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information