Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2829-1: Linux kernel vulnerabilities

December 4, 2015 007admin

Ubuntu Security Notice USN-2829-1

4th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.04

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

It was discovered that the SCTP protocol implementation in the Linux kernel
performed an incorrect sequence of protocol-initialization steps. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2015-5283)

Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:: linux-image-3.19.0-39-powerpc64-emb

3.19.0-39.44; linux-image-3.19.0-39-powerpc64-smp

3.19.0-39.44; linux-image-3.19.0-39-generic

3.19.0-39.44; linux-image-3.19.0-39-powerpc-smp

3.19.0-39.44; linux-image-3.19.0-39-generic-lpae

3.19.0-39.44; linux-image-3.19.0-39-powerpc-e500mc

3.19.0-39.44; linux-image-3.19.0-39-lowlatency

3.19.0-39.44

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5283,

CVE-2015-7872

Ubuntu

USN-2828-1: QEMU vulnerabilities

December 3, 2015 007admin

Ubuntu Security Notice USN-2828-1

3rd December, 2015

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

qemu
– Machine emulator and virtualizer
qemu-kvm
– Machine emulator and virtualizer

Details

Jason Wang discovered that QEMU incorrectly handled the virtio-net device.
A remote attacker could use this issue to cause guest network consumption,
resulting in a denial of service. (CVE-2015-7295)

Qinghao Tang and Ling Liu discovered that QEMU incorrectly handled the
pcnet driver when used in loopback mode. A malicious guest could use this
issue to cause a denial of service, or possibly execute arbitrary code on
the host as the user running the QEMU process. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile. (CVE-2015-7504)

Ling Liu and Jason Wang discovered that QEMU incorrectly handled the
pcnet driver. A remote attacker could use this issue to cause a denial of
service, or possibly execute arbitrary code on the host as the user running
the QEMU process. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2015-7512)

Qinghao Tang discovered that QEMU incorrectly handled the eepro100 driver.
A malicious guest could use this issue to cause an infinite loop, leading
to a denial of service. (CVE-2015-8345)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: qemu-system-misc

1:2.3+dfsg-5ubuntu9.1; qemu-system

1:2.3+dfsg-5ubuntu9.1; qemu-system-aarch64

1:2.3+dfsg-5ubuntu9.1; qemu-system-x86

1:2.3+dfsg-5ubuntu9.1; qemu-system-sparc

1:2.3+dfsg-5ubuntu9.1; qemu-system-arm

1:2.3+dfsg-5ubuntu9.1; qemu-system-ppc

1:2.3+dfsg-5ubuntu9.1; qemu-system-mips

1:2.3+dfsg-5ubuntu9.1
Ubuntu 15.04:: qemu-system-misc

1:2.2+dfsg-5expubuntu9.7; qemu-system

1:2.2+dfsg-5expubuntu9.7; qemu-system-aarch64

1:2.2+dfsg-5expubuntu9.7; qemu-system-x86

1:2.2+dfsg-5expubuntu9.7; qemu-system-sparc

1:2.2+dfsg-5expubuntu9.7; qemu-system-arm

1:2.2+dfsg-5expubuntu9.7; qemu-system-ppc

1:2.2+dfsg-5expubuntu9.7; qemu-system-mips

1:2.2+dfsg-5expubuntu9.7
Ubuntu 14.04 LTS:: qemu-system-misc

2.0.0+dfsg-2ubuntu1.21; qemu-system

2.0.0+dfsg-2ubuntu1.21; qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.21; qemu-system-x86

2.0.0+dfsg-2ubuntu1.21; qemu-system-sparc

2.0.0+dfsg-2ubuntu1.21; qemu-system-arm

2.0.0+dfsg-2ubuntu1.21; qemu-system-ppc

2.0.0+dfsg-2ubuntu1.21; qemu-system-mips

2.0.0+dfsg-2ubuntu1.21
Ubuntu 12.04 LTS:: qemu-kvm

1.0+noroms-0ubuntu14.26

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

Ubuntu

USN-2827-1: OpenJDK 6 vulnerabilities

December 3, 2015 007admin

Ubuntu Security Notice USN-2827-1

3rd December, 2015

openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

openjdk-6
– Open Source Java implementation

Details

Multiple vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843,
CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)

A vulnerability was discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit
this to expose sensitive data over the network. (CVE-2015-4806)

A vulnerability was discovered in the OpenJDK JRE related to data
integrity. An attacker could exploit this expose sensitive data over
the network. (CVE-2015-4872)

Multiple vulnerabilities were discovered in the OpenJDK JRE related
to information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2015-4734, CVE-2015-4842,
CVE-2015-4903)

Multiple vulnerabilities were discovered in the OpenJDK JRE related
to availability. An attacker could exploit these to cause a denial of
service. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: icedtea-6-jre-cacao

6b37-1.13.9-1ubuntu0.12.04.1; icedtea-6-jre-jamvm

6b37-1.13.9-1ubuntu0.12.04.1; openjdk-6-jre

6b37-1.13.9-1ubuntu0.12.04.1; openjdk-6-jre-headless

6b37-1.13.9-1ubuntu0.12.04.1; openjdk-6-jre-zero

6b37-1.13.9-1ubuntu0.12.04.1; openjdk-6-jre-lib

6b37-1.13.9-1ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

Ubuntu

USN-2826-1: Linux kernel (Trusty HWE) vulnerabilities

December 3, 2015 007admin

Ubuntu Security Notice USN-2826-1

3rd December, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-71-generic-lpae

3.13.0-71.114~precise1; linux-image-3.13.0-71-generic

3.13.0-71.114~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-5283,

CVE-2015-7872

Ubuntu

USN-2824-1: Linux kernel (Utopic HWE) vulnerability

December 2, 2015 007admin

Ubuntu Security Notice USN-2824-1

1st December, 2015

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-55-powerpc64-smp

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-lowlatency

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-generic

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-generic-lpae

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-powerpc-e500mc

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-powerpc64-emb

3.16.0-55.74~14.04.1; linux-image-3.16.0-55-powerpc-smp

3.16.0-55.74~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-7872

Ubuntu

USN-2823-1: Linux kernel vulnerabilities

December 2, 2015 007admin

Ubuntu Security Notice USN-2823-1

1st December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-71-powerpc64-emb

3.13.0-71.114; linux-image-3.13.0-71-powerpc-e500

3.13.0-71.114; linux-image-3.13.0-71-generic

3.13.0-71.114; linux-image-3.13.0-71-lowlatency

3.13.0-71.114; linux-image-3.13.0-71-powerpc64-smp

3.13.0-71.114; linux-image-3.13.0-71-powerpc-smp

3.13.0-71.114; linux-image-3.13.0-71-powerpc-e500mc

3.13.0-71.114; linux-image-3.13.0-71-generic-lpae

3.13.0-71.114

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-5283,

CVE-2015-7872

Ubuntu

USN-2819-1: Thunderbird vulnerabilities

December 1, 2015 007admin

Ubuntu Security Notice USN-2819-1

1st December, 2015

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

thunderbird
– Mozilla Open Source mail and newsgroup client

Details

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky,
Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, and Gary Kwong
discovered multiple memory safety issues in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-4513)

Tyson Smith and David Keeler discovered a use-after-poison and buffer
overflow in NSS. An attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2015-7181,
CVE-2015-7182)

Ryan Sleevi discovered an integer overflow in NSPR. An attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-7183)

Michał Bentkowski discovered that adding white-space to hostnames that are
IP addresses can bypass same-origin protections. If a user were tricked in
to opening a specially crafted website in a browser-like context, an
attacker could potentially exploit this to conduct cross-site scripting
(XSS) attacks. (CVE-2015-7188)

Looben Yang discovered a buffer overflow during script interactions with
the canvas element in some circumstances. If a user were tricked in to
opening a specially crafted website in a browser-like context, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Thunderbird. (CVE-2015-7189)

Shinto K Anto discovered that CORS preflight is bypassed when receiving
non-standard Content-Type headers in some circumstances. If a user were
tricked in to opening a specially crafted website in a browser-like
context, an attacker could potentially exploit this to bypass
same-origin restrictions. (CVE-2015-7193)

Gustavo Grieco discovered a buffer overflow in libjar in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browser-like context, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2015-7194)

Ehsan Akhgari discovered a mechanism for a web worker to bypass secure
requirements for web sockets. If a user were tricked in to opening a
specially crafted website in a browser-like context, an attacker could
exploit this to bypass the mixed content web socket policy.
(CVE-2015-7197)

Ronald Crane discovered several vulnerabilities through code-inspection. If
a user were tricked in to opening a specially crafted website in a
browser-like context, an attacker could potentially exploit these to cause
a denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2015-7198,
CVE-2015-7199, CVE-2015-7200)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: thunderbird

1:38.4.0+build3-0ubuntu0.15.10.1
Ubuntu 15.04:: thunderbird

1:38.4.0+build3-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: thunderbird

1:38.4.0+build3-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: thunderbird

1:38.4.0+build3-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

Ubuntu

USN-2821-1: GnuTLS vulnerability

November 30, 2015 007admin

Ubuntu Security Notice USN-2821-1

30th November, 2015

gnutls26 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

GnuTLS could be made to expose sensitive information over the network.

Software description

gnutls26
– GNU TLS library

Details

It was discovered that GnuTLS incorrectly validated the first byte of
padding in CBC modes. A remote attacker could possibly use this issue to
perform a padding oracle attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: libgnutls26

2.12.23-12ubuntu2.3
Ubuntu 12.04 LTS:: libgnutls26

2.12.14-5ubuntu3.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1510163

Ubuntu

USN-2820-1: dpkg vulnerability

November 26, 2015 007admin

Ubuntu Security Notice USN-2820-1

26th November, 2015

dpkg vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

dpkg-deb could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

dpkg
– Debian package management system

Details

Hanno Boeck discovered that the dpkg-deb tool incorrectly handled certain
old style Debian binary packages. If a user or an automated system were
tricked into unpacking a specially crafted binary package, a remote
attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: dpkg

1.18.2ubuntu5.1
Ubuntu 15.04:: dpkg

1.17.25ubuntu1.1
Ubuntu 14.04 LTS:: dpkg

1.17.5ubuntu5.5
Ubuntu 12.04 LTS:: dpkg

1.16.1.2ubuntu7.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-0860

Ubuntu

USN-2818-1: OpenJDK 7 vulnerability

November 25, 2015 007admin

Ubuntu Security Notice USN-2818-1

25th November, 2015

openjdk-7 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS

Summary

A security issue was fixed in OpenJDK 7.

Software description

openjdk-7
– Open Source Java implementation

Details

It was discovered that rebinding of the receiver of a
DirectMethodHandle may allow a protected method to be accessed. Am
attacker could use this to expose sensitive information or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: openjdk-7-jre-lib

7u91-2.6.3-0ubuntu0.15.10.1; openjdk-7-jre-zero

7u91-2.6.3-0ubuntu0.15.10.1; icedtea-7-jre-jamvm

7u91-2.6.3-0ubuntu0.15.10.1; openjdk-7-jre-headless

7u91-2.6.3-0ubuntu0.15.10.1; openjdk-7-jre

7u91-2.6.3-0ubuntu0.15.10.1
Ubuntu 15.04:: openjdk-7-jre-lib

7u91-2.6.3-0ubuntu0.15.04.1; openjdk-7-jre-zero

7u91-2.6.3-0ubuntu0.15.04.1; icedtea-7-jre-jamvm

7u91-2.6.3-0ubuntu0.15.04.1; openjdk-7-jre-headless

7u91-2.6.3-0ubuntu0.15.04.1; openjdk-7-jre

7u91-2.6.3-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: openjdk-7-jre-lib

7u91-2.6.3-0ubuntu0.14.04.1; openjdk-7-jre-zero

7u91-2.6.3-0ubuntu0.14.04.1; icedtea-7-jre-jamvm

7u91-2.6.3-0ubuntu0.14.04.1; openjdk-7-jre-headless

7u91-2.6.3-0ubuntu0.14.04.1; openjdk-7-jre

7u91-2.6.3-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

CVE-2015-4871

Ubuntu Security Notice USN-2829-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2828-1

qemu, qemu-kvm vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2827-1

openjdk-6 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2826-1

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2824-1

linux-lts-utopic vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2823-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2819-1

thunderbird vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2821-1

gnutls26 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2820-1

dpkg vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2818-1

openjdk-7 vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information