Ubuntu Security Notice USN-2816-1

24th November, 2015

python-django vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Django could be made to expose sensitive information over the network.

Software description

• python-django
  – High-level Python web development framework

Details

Ryan Butterfield discovered that Django incorrectly handled the date
template filter. A remote attacker could possibly use this issue to obtain
secrets from application settings.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

python3-django

1.7.9-1ubuntu5.1

python-django

1.7.9-1ubuntu5.1

Ubuntu 15.04:

python3-django

1.7.6-1ubuntu2.3

python-django

1.7.6-1ubuntu2.3

Ubuntu 14.04 LTS:

python-django

1.6.1-2ubuntu0.11

Ubuntu 12.04 LTS:

python-django

1.3.1-4ubuntu1.19

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8213

Ubuntu Security Notice USN-2817-1

24th November, 2015

icedtea-web vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in IcedTea Web.

Software description

• icedtea-web
  – A web browser plugin to execute Java applets

Details

It was discovered that IcedTea Web incorrectly handled applet URLs. A
remote attacker could possibly use this issue to inject applets into the
.appletTrustSettings configuration file and bypass user approval.
(CVE-2015-5234)

Andrea Palazzo discovered that IcedTea Web incorrectly determined the
origin of unsigned applets. A remote attacker could possibly use this issue
to bypass user approval, or to trick the user into approving applet
execution. (CVE-2015-5235)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

icedtea-7-plugin

1.5.3-0ubuntu0.15.10.1

Ubuntu 15.04:

icedtea-7-plugin

1.5.3-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:

icedtea-7-plugin

1.5.3-0ubuntu0.14.04.1

icedtea-6-plugin

1.5.3-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your browser to make
all the necessary changes.

References

CVE-2015-5234,

CVE-2015-5235

Ubuntu Security Notice USN-2815-1

19th November, 2015

libpng vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

libpng could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

• libpng
  – PNG (Portable Network Graphics) file library

Details

Mikulas Patocka discovered that libpng incorrectly handled certain large
fields. If a user or automated system using libpng were tricked into
opening a specially crafted image, an attacker could exploit this to cause
libpng to crash, leading to a denial of service. This issue only affected
Ubuntu 12.04 LTS. (CVE-2012-3425)

Qixue Xiao discovered that libpng incorrectly handled certain time values.
If a user or automated system using libpng were tricked into opening a
specially crafted image, an attacker could exploit this to cause libpng to
crash, leading to a denial of service. (CVE-2015-7981)

It was discovered that libpng incorrectly handled certain small bit-depth
values. If a user or automated system using libpng were tricked into
opening a specially crafted image, an attacker could exploit this to cause
a denial of service or execute code with the privileges of the user
invoking the program. (CVE-2015-8126)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

libpng12-0

1.2.51-0ubuntu3.15.10.1

Ubuntu 15.04:

libpng12-0

1.2.51-0ubuntu3.15.04.1

Ubuntu 14.04 LTS:

libpng12-0

1.2.50-1ubuntu2.14.04.1

Ubuntu 12.04 LTS:

libpng12-0

1.2.46-3ubuntu4.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2012-3425,

CVE-2015-7981,

CVE-2015-8126

Ubuntu Security Notice USN-2814-1

18th November, 2015

nvidia-graphics-drivers-304, nvidia-graphics-drivers-304-updates, nvidia-graphics-drivers-340, nvidia-graphics-drivers-340-updates, nvidia-graphics-drivers-352, nvidia-graphics-drivers-352-updates vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

NVIDIA graphics drivers could be made to run programs as an administrator.

Software description

• nvidia-graphics-drivers-304
  – NVIDIA binary X.Org driver

• nvidia-graphics-drivers-304-updates
  – NVIDIA binary X.Org driver

• nvidia-graphics-drivers-340
  – NVIDIA binary X.Org driver

• nvidia-graphics-drivers-340-updates
  – NVIDIA binary X.Org driver

• nvidia-graphics-drivers-352
  – NVIDIA binary X.Org driver

• nvidia-graphics-drivers-352-updates
  – NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers incorrectly sanitized
user mode inputs. A local attacker could use this issue to possibly gain
root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

nvidia-331 340.96-0ubuntu0.15.10.1

nvidia-346 352.63-0ubuntu0.15.10.1

nvidia-352 352.63-0ubuntu0.15.10.1

nvidia-346-updates 352.63-0ubuntu0.15.10.1

nvidia-340-updates 340.96-0ubuntu0.15.10.1

nvidia-340 340.96-0ubuntu0.15.10.1

nvidia-331-updates 340.96-0ubuntu0.15.10.1

nvidia-304 304.131-0ubuntu0.15.10.1

nvidia-304-updates 304.131-0ubuntu0.15.10.1

nvidia-352-updates 352.63-0ubuntu0.15.10.1

Ubuntu 15.04:

nvidia-331 340.96-0ubuntu0.15.04.1

nvidia-346 352.63-0ubuntu0.15.04.1

nvidia-352 352.63-0ubuntu0.15.04.1

nvidia-346-updates 352.63-0ubuntu0.15.04.1

nvidia-340-updates 340.96-0ubuntu0.15.04.1

nvidia-340 340.96-0ubuntu0.15.04.1

nvidia-331-updates 340.96-0ubuntu0.15.04.1

nvidia-304 304.131-0ubuntu0.15.04.1

nvidia-304-updates 304.131-0ubuntu0.15.04.1

nvidia-352-updates 352.63-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:

nvidia-331 340.96-0ubuntu0.14.04.1

nvidia-346 352.63-0ubuntu0.14.04.1

nvidia-352 352.63-0ubuntu0.14.04.1

nvidia-346-updates 352.63-0ubuntu0.14.04.1

nvidia-340-updates 340.96-0ubuntu0.14.04.1

nvidia-340 340.96-0ubuntu0.14.04.1

nvidia-331-updates 340.96-0ubuntu0.14.04.1

nvidia-304 304.131-0ubuntu0.14.04.1

nvidia-304-updates 304.131-0ubuntu0.14.04.1

nvidia-352-updates 352.63-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

nvidia-331-updates 340.96-0ubuntu0.12.04.1

nvidia-304 304.131-0ubuntu0.12.04.1

nvidia-304-updates 304.131-0ubuntu0.12.04.1

nvidia-340-updates 340.96-0ubuntu0.12.04.1

nvidia-340 340.96-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-7869

Ubuntu Security Notice USN-2813-1

17th November, 2015

lxcfs vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04

Summary

Several security issues were fixed in LXCFS.

Software description

• lxcfs
  – FUSE based filesystem for LXC

Details

It was discovered that LXCFS incorrectly enforced directory escapes. A
local attacker could use this issue to possibly escalate privileges.
(CVE-2015-1342)

It was discovered that LXCFS incorrectly checked certain permissions. A
local attacker could use this issue t possibly escalate privileges.
(CVE-2015-1344)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

lxcfs

0.10-0ubuntu2.1

Ubuntu 15.04:

lxcfs

0.7-0ubuntu4.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1342,

CVE-2015-1344

Ubuntu Security Notice USN-2811-1

16th November, 2015

strongswan vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS

Summary

strongSwan could be made to bypass authentication.

Software description

• strongswan
  – IPsec VPN solution

Details

It was discovered that the strongSwan eap-mschapv2 plugin incorrectly
handled state. A remote attacker could use this issue to bypass
authentication.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

strongswan-plugin-eap-mschapv2

5.1.2-0ubuntu6.2

Ubuntu 15.04:

strongswan-plugin-eap-mschapv2

5.1.2-0ubuntu5.3

Ubuntu 14.04 LTS:

strongswan-plugin-eap-mschapv2

5.1.2-0ubuntu2.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8023

Ubuntu Security Notice USN-2812-1

16th November, 2015

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in libxml2.

Software description

• libxml2
  – GNOME XML library

Details

Florian Weimer discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause resource consumption,
resulting in a denial of service. This issue only affected
Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-1819)

Michal Zalewski discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service. This issue only affected
Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-7941)

Kostya Serebryany discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-7942)

Gustavo Grieco discovered that libxml2 incorrectly handled certain XML
data. If a user or automated system were tricked into opening a specially
crafted document, an attacker could possibly cause libxml2 to crash,
resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS. (CVE-2015-8035)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

libxml2

2.9.2+zdfsg1-4ubuntu0.1

Ubuntu 15.04:

libxml2

2.9.2+dfsg1-3ubuntu0.1

Ubuntu 14.04 LTS:

libxml2

2.9.1+dfsg1-3ubuntu4.5

Ubuntu 12.04 LTS:

libxml2

2.7.8.dfsg-5.1ubuntu4.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1819,

CVE-2015-7941,

CVE-2015-7942,

CVE-2015-8035

Ubuntu Security Notice USN-2809-1

12th November, 2015

lxd vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10

Summary

LXD could be made to run programs as an administrator.

Software description

• lxd
  – Container hypervisor based on LXC

Details

Jeroen Simonetti discovered that LXD incorrectly set socket permissions. A
local attacker could use this issue to escalate privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

lxd

0.20-0ubuntu4.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1515689

Ubuntu Security Notice USN-2810-1

12th November, 2015

krb5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 15.10
• Ubuntu 15.04
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Kerberos.

Software description

• krb5
  – MIT Kerberos Network Authentication Protocol

Details

It was discovered that the Kerberos kpasswd service incorrectly handled
certain UDP packets. A remote attacker could possibly use this issue to
cause resource consumption, resulting in a denial of service. This issue
only affected Ubuntu 12.04 LTS. (CVE-2002-2443)

It was discovered that Kerberos incorrectly handled null bytes in certain
data fields. A remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2014-5355)

It was discovered that the Kerberos kdcpreauth modules incorrectly tracked
certain client requests. A remote attacker could possibly use this issue
to bypass intended preauthentication requirements. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694)

It was discovered that Kerberos incorrectly handled certain SPNEGO packets.
A remote attacker could possibly use this issue to cause a denial of
service. (CVE-2015-2695)

It was discovered that Kerberos incorrectly handled certain IAKERB packets.
A remote attacker could possibly use this issue to cause a denial of
service. (CVE-2015-2696, CVE-2015-2698)

It was discovered that Kerberos incorrectly handled certain TGS requests. A
remote attacker could possibly use this issue to cause a denial of service.
(CVE-2015-2697)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:

libk5crypto3

1.13.2+dfsg-2ubuntu0.1

krb5-k5tls

1.13.2+dfsg-2ubuntu0.1

libkrad0

1.13.2+dfsg-2ubuntu0.1

krb5-otp

1.13.2+dfsg-2ubuntu0.1

krb5-pkinit

1.13.2+dfsg-2ubuntu0.1

libkadm5clnt-mit9

1.13.2+dfsg-2ubuntu0.1

krb5-admin-server

1.13.2+dfsg-2ubuntu0.1

libkrb5-3

1.13.2+dfsg-2ubuntu0.1

krb5-kdc-ldap

1.13.2+dfsg-2ubuntu0.1

krb5-user

1.13.2+dfsg-2ubuntu0.1

krb5-kdc

1.13.2+dfsg-2ubuntu0.1

libgssrpc4

1.13.2+dfsg-2ubuntu0.1

libkrb5support0

1.13.2+dfsg-2ubuntu0.1

libgssapi-krb5-2

1.13.2+dfsg-2ubuntu0.1

libkdb5-8

1.13.2+dfsg-2ubuntu0.1

Ubuntu 15.04:

libk5crypto3

1.12.1+dfsg-18ubuntu0.1

krb5-kdc-ldap

1.12.1+dfsg-18ubuntu0.1

libkrad0

1.12.1+dfsg-18ubuntu0.1

krb5-otp

1.12.1+dfsg-18ubuntu0.1

libkdb5-7

1.12.1+dfsg-18ubuntu0.1

krb5-pkinit

1.12.1+dfsg-18ubuntu0.1

libkadm5clnt-mit9

1.12.1+dfsg-18ubuntu0.1

libkrb5-3

1.12.1+dfsg-18ubuntu0.1

krb5-user

1.12.1+dfsg-18ubuntu0.1

krb5-kdc

1.12.1+dfsg-18ubuntu0.1

libgssrpc4

1.12.1+dfsg-18ubuntu0.1

libkrb5support0

1.12.1+dfsg-18ubuntu0.1

libgssapi-krb5-2

1.12.1+dfsg-18ubuntu0.1

krb5-admin-server

1.12.1+dfsg-18ubuntu0.1

Ubuntu 14.04 LTS:

libk5crypto3

1.12+dfsg-2ubuntu5.2

krb5-kdc-ldap

1.12+dfsg-2ubuntu5.2

libkrad0

1.12+dfsg-2ubuntu5.2

krb5-otp

1.12+dfsg-2ubuntu5.2

libkdb5-7

1.12+dfsg-2ubuntu5.2

krb5-pkinit

1.12+dfsg-2ubuntu5.2

libkadm5clnt-mit9

1.12+dfsg-2ubuntu5.2

libkrb5-3

1.12+dfsg-2ubuntu5.2

krb5-user

1.12+dfsg-2ubuntu5.2

krb5-kdc

1.12+dfsg-2ubuntu5.2

libgssrpc4

1.12+dfsg-2ubuntu5.2

libkrb5support0

1.12+dfsg-2ubuntu5.2

libgssapi-krb5-2

1.12+dfsg-2ubuntu5.2

krb5-admin-server

1.12+dfsg-2ubuntu5.2

Ubuntu 12.04 LTS:

libk5crypto3

1.10+dfsg~beta1-2ubuntu0.7

krb5-kdc-ldap

1.10+dfsg~beta1-2ubuntu0.7

libkdb5-6

1.10+dfsg~beta1-2ubuntu0.7

libkrb53

1.10+dfsg~beta1-2ubuntu0.7

krb5-pkinit

1.10+dfsg~beta1-2ubuntu0.7

libkadm5clnt-mit8

1.10+dfsg~beta1-2ubuntu0.7

libkrb5-3

1.10+dfsg~beta1-2ubuntu0.7

krb5-user

1.10+dfsg~beta1-2ubuntu0.7

krb5-kdc

1.10+dfsg~beta1-2ubuntu0.7

libgssrpc4

1.10+dfsg~beta1-2ubuntu0.7

libkrb5support0

1.10+dfsg~beta1-2ubuntu0.7

libgssapi-krb5-2

1.10+dfsg~beta1-2ubuntu0.7

krb5-admin-server

1.10+dfsg~beta1-2ubuntu0.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2002-2443,

CVE-2014-5355,

CVE-2015-2694,

CVE-2015-2695,

CVE-2015-2696,

CVE-2015-2697,

CVE-2015-2698

Ubuntu Security Notice USN-2807-1

10th November, 2015

linux-lts-wily vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-lts-wily
  – Linux hardware enablement kernel from Wily

Details

Ben Serebrin discovered that the KVM hypervisor implementation in the Linux
kernel did not properly catch Alignment Check exceptions. An attacker in a
guest virtual machine could use this to cause a denial of service (system
crash) in the host OS.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-4.2.0-18-lowlatency

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-generic-lpae

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-powerpc64-emb

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-generic

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-powerpc-e500mc

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-powerpc64-smp

4.2.0-18.22~14.04.1

linux-image-4.2.0-18-powerpc-smp

4.2.0-18.22~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5307