Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2868-1: DHCP vulnerability

Ubuntu Security Notice USN-2868-1

13th January, 2016

isc-dhcp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

DHCP server, client, or relay could be made to crash if they received
specially crafted network traffic.

Software description

  • isc-dhcp
    – DHCP server and client

Details

Sebastian Poehn discovered that the DHCP server, client, and relay
incorrectly handled certain malformed UDP packets. A remote attacker could
use this issue to cause the DHCP server, client, or relay to stop
responding, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
isc-dhcp-server

4.3.1-5ubuntu3.1
isc-dhcp-relay

4.3.1-5ubuntu3.1
isc-dhcp-client

4.3.1-5ubuntu3.1
isc-dhcp-server-ldap

4.3.1-5ubuntu3.1
Ubuntu 15.04:
isc-dhcp-server

4.3.1-5ubuntu2.3
isc-dhcp-relay

4.3.1-5ubuntu2.3
isc-dhcp-client

4.3.1-5ubuntu2.3
isc-dhcp-server-ldap

4.3.1-5ubuntu2.3
Ubuntu 14.04 LTS:
isc-dhcp-server

4.2.4-7ubuntu12.4
isc-dhcp-relay

4.2.4-7ubuntu12.4
isc-dhcp-client

4.2.4-7ubuntu12.4
isc-dhcp-server-ldap

4.2.4-7ubuntu12.4
Ubuntu 12.04 LTS:
isc-dhcp-server

4.1.ESV-R4-0ubuntu5.10
isc-dhcp-relay

4.1.ESV-R4-0ubuntu5.10
isc-dhcp-client

4.1.ESV-R4-0ubuntu5.10
isc-dhcp-server-ldap

4.1.ESV-R4-0ubuntu5.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8605

Ubuntu

USN-2867-1: libvirt vulnerabilities

Ubuntu Security Notice USN-2867-1

12th January, 2016

libvirt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in libvirt.

Software description

  • libvirt
    – Libvirt virtualization toolkit

Details

It was discovered that libvirt incorrectly handled the firewall rules on
bridge networks when the daemon was restarted. This could result in an
unintended firewall configuration. This issue only applied to Ubuntu 12.04
LTS. (CVE-2011-4600)

Peter Krempa discovered that libvirt incorrectly handled locking when
certain ACL checks failed. A local attacker could use this issue to cause
libvirt to stop responding, resulting in a denial of service. This issue
only applied to Ubuntu 14.04 LTS. (CVE-2014-8136)

Luyao Huang discovered that libvirt incorrectly handled VNC passwords in
shapshot and image files. A remote authenticated user could use this issue
to possibly obtain VNC passwords. This issue only affected Ubuntu 14.04
LTS. (CVE-2015-0236)

Han Han discovered that libvirt incorrectly handled volume creation
failure when used with NFS. A remote authenticated user could use this
issue to cause libvirt to crash, resulting in a denial of service. This
issue only applied to Ubuntu 15.10. (CVE-2015-5247)

Ossi Herrala and Joonas Kuorilehto discovered that libvirt incorrectly
performed storage pool name validation. A remote authenticated user could
use this issue to bypass ACLs and gain access to unintended files. This
issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-5313)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
libvirt0

1.2.16-2ubuntu11.15.10.2
libvirt-bin

1.2.16-2ubuntu11.15.10.2
Ubuntu 15.04:
libvirt0

1.2.12-0ubuntu14.4
libvirt-bin

1.2.12-0ubuntu14.4
Ubuntu 14.04 LTS:
libvirt0

1.2.2-0ubuntu13.1.16
libvirt-bin

1.2.2-0ubuntu13.1.16
Ubuntu 12.04 LTS:
libvirt0

0.9.8-2ubuntu17.23
libvirt-bin

0.9.8-2ubuntu17.23

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-4600,

CVE-2014-8136,

CVE-2015-0236,

CVE-2015-5247,

CVE-2015-5313

Ubuntu

USN-2860-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2860-1

11th January, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

A race condition was discovered in the MutationObserver implementation in
Blink. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of service
via renderer crash, or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-6789)

An issue was discovered with the page serializer in Blink. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to inject arbitrary script or HTML.
(CVE-2015-6790)

Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-6791)

Multiple security issues were discovered in V8. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-8548)

An integer overflow was discovered in the WebCursor::Deserialize function
in Chromium. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-8664)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
liboxideqtcore0

1.11.4-0ubuntu0.15.10.1
Ubuntu 15.04:
liboxideqtcore0

1.11.4-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:
liboxideqtcore0

1.11.4-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-6789,

CVE-2015-6790,

CVE-2015-6791,

CVE-2015-8548,

CVE-2015-8664

Ubuntu

USN-2865-1: GnuTLS vulnerability

Ubuntu Security Notice USN-2865-1

8th January, 2016

gnutls26, gnutls28 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

GnuTLS could be made to expose sensitive information over the network.

Software description

  • gnutls26
    – GNU TLS library

  • gnutls28
    – GNU TLS library

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that GnuTLS incorrectly
allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
libgnutls-openssl27

3.3.8-3ubuntu3.2
libgnutls-deb0-28

3.3.8-3ubuntu3.2
libgnutlsxx28

3.3.8-3ubuntu3.2
Ubuntu 14.04 LTS:
libgnutlsxx27

2.12.23-12ubuntu2.4
libgnutls-openssl27

2.12.23-12ubuntu2.4
libgnutls26

2.12.23-12ubuntu2.4
Ubuntu 12.04 LTS:
libgnutlsxx27

2.12.14-5ubuntu3.11
libgnutls-openssl27

2.12.14-5ubuntu3.11
libgnutls26

2.12.14-5ubuntu3.11

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-7575

Ubuntu

USN-2866-1: Firefox vulnerability

Ubuntu Security Notice USN-2866-1

8th January, 2016

firefox vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Firefox could be made to expose sensitive information over the network.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly
allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
firefox

43.0.4+build3-0ubuntu0.15.10.1
Ubuntu 15.04:
firefox

43.0.4+build3-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:
firefox

43.0.4+build3-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox

43.0.4+build3-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2015-7575

Ubuntu

USN-2863-1: OpenSSL vulnerability

Ubuntu Security Notice USN-2863-1

7th January, 2016

openssl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

OpenSSL could be made to expose sensitive information over the network.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that OpenSSL
incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
libssl1.0.0

1.0.1-4ubuntu5.33

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-7575

Ubuntu

USN-2862-1: Pygments vulnerability

Ubuntu Security Notice USN-2862-1

7th January, 2016

pygments vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pygments could be made to crash or run programs if it processed a specially
crafted font request.

Software description

  • pygments
    – syntax highlighting package written in Python

Details

It was discovered that Pygments incorrectly sanitized strings used to
search system fonts. An attacker could possibly use this issue to execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
python3-pygments

2.0.1+dfsg-1.1svn1.1
python-pygments

2.0.1+dfsg-1.1svn1.1
Ubuntu 15.04:
python3-pygments

2.0.1+dfsg-1svn1.1
python-pygments

2.0.1+dfsg-1svn1.1
Ubuntu 14.04 LTS:
python3-pygments

1.6+dfsg-1ubuntu1.1
python-pygments

1.6+dfsg-1ubuntu1.1
Ubuntu 12.04 LTS:
python3-pygments

1.4+dfsg-2ubuntu0.1
python-pygments

1.4+dfsg-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8557

Ubuntu

USN-2864-1: NSS vulnerability

Ubuntu Security Notice USN-2864-1

7th January, 2016

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSS could be made to expose sensitive information over the network.

Software description

  • nss
    – Network Security Service library

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly
allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
libnss3

2:3.19.2.1-0ubuntu0.15.10.2
Ubuntu 15.04:
libnss3

2:3.19.2.1-0ubuntu0.15.04.2
Ubuntu 14.04 LTS:
libnss3

2:3.19.2.1-0ubuntu0.14.04.2
Ubuntu 12.04 LTS:
libnss3

3.19.2.1-0ubuntu0.12.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.

References

CVE-2015-7575

Ubuntu

USN-2861-1: libpng vulnerabilities

Ubuntu Security Notice USN-2861-1

6th January, 2016

libpng vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libpng could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • libpng
    – PNG (Portable Network Graphics) file library

Details

It was discovered that libpng incorrectly handled certain small bit-depth
values. If a user or automated system using libpng were tricked into
opening a specially crafted image, an attacker could exploit this to cause
a denial of service or execute code with the privileges of the user
invoking the program. (CVE-2015-8472)

Qixue Xiao and Chen Yu discovered that libpng incorrectly handled certain
malformed images. If a user or automated system using libpng were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service. (CVE-2015-8540)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:
libpng12-0

1.2.51-0ubuntu3.15.10.2
Ubuntu 15.04:
libpng12-0

1.2.51-0ubuntu3.15.04.2
Ubuntu 14.04 LTS:
libpng12-0

1.2.50-1ubuntu2.14.04.2
Ubuntu 12.04 LTS:
libpng12-0

1.2.46-3ubuntu4.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2015-8472,

CVE-2015-8540

Ubuntu

USN-2857-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2857-1

5th January, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

Nathan Williams discovered that overlayfs in the Linux kernel incorrectly
handled setattr operations. A local unprivileged attacker could use this to
create files with administrative permission attributes and execute
arbitrary code with elevated privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
linux-image-3.19.0-43-generic

3.19.0-43.49
linux-image-3.19.0-43-lowlatency

3.19.0-43.49
linux-image-3.19.0-43-powerpc64-smp

3.19.0-43.49
linux-image-3.19.0-43-generic-lpae

3.19.0-43.49
linux-image-3.19.0-43-powerpc64-emb

3.19.0-43.49
linux-image-3.19.0-43-powerpc-smp

3.19.0-43.49
linux-image-3.19.0-43-powerpc-e500mc

3.19.0-43.49

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-8660