Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2793-1: LibreOffice vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2793-1

5th November, 2015

libreoffice vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in LibreOffice.

Software description

libreoffice
– Office productivity suite

Details

Federico Scrinzi discovered that LibreOffice incorrectly handled documents
inserted into Writer or Calc via links. If a user were tricked into opening
a specially crafted document, a remote attacker could possibly obtain the
contents of arbitrary files. (CVE-2015-4551)

It was discovered that LibreOffice incorrectly handled PrinterSetup data
stored in ODF files. If a user were tricked into opening a specially
crafted ODF document, a remote attacker could cause LibreOffice to crash,
and possibly execute arbitrary code. (CVE-2015-5212)

It was discovered that LibreOffice incorrectly handled the number of pieces
in DOC files. If a user were tricked into opening a specially crafted DOC
document, a remote attacker could cause LibreOffice to crash, and possibly
execute arbitrary code. (CVE-2015-5213)

It was discovered that LibreOffice incorrectly handled bookmarks in DOC
files. If a user were tricked into opening a specially crafted DOC
document, a remote attacker could cause LibreOffice to crash, and possibly
execute arbitrary code. (CVE-2015-5214)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:: libreoffice-core

1:4.4.6~rc3-0ubuntu1
Ubuntu 14.04 LTS:: libreoffice-core

1:4.2.8-0ubuntu3
Ubuntu 12.04 LTS:: libreoffice-core

1:3.5.7-0ubuntu9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibreOffice to make all
the necessary changes.

References

Ubuntu

USN-2792-1: Linux kernel vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2792-1

4th November, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Dmitry Vyukov discovered that the Linux kernel did not properly initialize
IPC object state in certain situations. A local attacker could use this to
escalate their privileges, expose confidential information, or cause a
denial of service (system crash). (CVE-2015-7613)

It was discovered that the Linux kernel did not check if a new IPv6 MTU set
by a user space application was valid. A remote attacker could forge a
route advertisement with an invalid MTU that a user space daemon like
NetworkManager would honor and apply to the kernel, causing a denial of
service. (CVE-2015-0272)

It was discovered that in certain situations, a directory could be renamed
outside of a bind mounted location. An attacker could use this to escape
bind mount containment and gain access to sensitive information.
(CVE-2015-2925)

Moein Ghasemzadeh discovered that the USB WhiteHEAT serial driver contained
hardcoded attributes about the USB devices. An attacker could construct a
fake WhiteHEAT USB device that, when inserted, causes a denial of service
(system crash). (CVE-2015-5257)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-93-omap

3.2.0-93.133; linux-image-3.2.0-93-generic

3.2.0-93.133; linux-image-3.2.0-93-powerpc-smp

3.2.0-93.133; linux-image-3.2.0-93-powerpc64-smp

3.2.0-93.133; linux-image-3.2.0-93-virtual

3.2.0-93.133; linux-image-3.2.0-93-generic-pae

3.2.0-93.133; linux-image-3.2.0-93-highbank

3.2.0-93.133

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

Ubuntu

USN-2796-1: Linux kernel (OMAP4) vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2796-1

5th November, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-1473-omap4

3.2.0-1473.95

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2795-1: Linux kernel (Trusty HWE) vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2795-1

5th November, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-67-generic-lpae

3.13.0-67.110~precise1; linux-image-3.13.0-67-generic

3.13.0-67.110~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-2925,

CVE-2015-5257

Ubuntu

USN-2798-1: Linux kernel (Vivid HWE) vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2798-1

5th November, 2015

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-vivid
– Linux hardware enablement kernel from Vivid

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.19.0-32-powerpc-e500mc

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-powerpc-smp

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-powerpc64-emb

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-lowlatency

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-generic

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-powerpc64-smp

3.19.0-32.37~14.04.1; linux-image-3.19.0-32-generic-lpae

3.19.0-32.37~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-2925,

CVE-2015-5257

Ubuntu

USN-2797-1: Linux kernel (Utopic HWE) vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2797-1

5th November, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

It was discovered that the SCTP protocol implementation in the Linux kernel
performed an incorrect sequence of protocol-initialization steps. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2015-5283)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-52-powerpc-smp

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-powerpc64-smp

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-powerpc64-emb

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-powerpc-e500mc

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-generic-lpae

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-lowlatency

3.16.0-52.71~14.04.1; linux-image-3.16.0-52-generic

3.16.0-52.71~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2799-1: Linux kernel vulnerabilities

November 6, 2015 007admin

Ubuntu Security Notice USN-2799-1

5th November, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.04

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:: linux-image-3.19.0-32-powerpc-e500mc

3.19.0-32.37; linux-image-3.19.0-32-powerpc-smp

3.19.0-32.37; linux-image-3.19.0-32-powerpc64-emb

3.19.0-32.37; linux-image-3.19.0-32-lowlatency

3.19.0-32.37; linux-image-3.19.0-32-generic

3.19.0-32.37; linux-image-3.19.0-32-powerpc64-smp

3.19.0-32.37; linux-image-3.19.0-32-generic-lpae

3.19.0-32.37

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-2925,

CVE-2015-5257

Ubuntu

USN-2790-1: NSPR vulnerability

November 5, 2015 007admin

Ubuntu Security Notice USN-2790-1

4th November, 2015

nspr vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

NSPR could be made to crash or run programs if it received specially
crafted input.

Software description

nspr
– NetScape Portable Runtime Library

Details

Ryan Sleevi discovered that NSPR incorrectly handled memory allocation. A
remote attacker could use this issue to cause NSPR to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libnspr4

2:4.10.10-0ubuntu0.15.10.1
Ubuntu 15.04:: libnspr4

2:4.10.10-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: libnspr4

2:4.10.10-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: libnspr4

4.10.10-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all
the necessary changes.

References

CVE-2015-7183

Ubuntu

USN-2791-1: NSS vulnerabilities

November 5, 2015 007admin

Ubuntu Security Notice USN-2791-1

4th November, 2015

nss vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

NSS could be made to crash or run programs if it received specially
crafted input.

Software description

nss
– Network Security Service library

Details

Tyson Smith and David Keeler discovered that NSS incorrectly handled
decoding certain ASN.1 data. An remote attacker could use this issue to
cause NSS to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: libnss3

2:3.19.2.1-0ubuntu0.15.10.1
Ubuntu 15.04:: libnss3

2:3.19.2.1-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: libnss3

2:3.19.2.1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: libnss3

3.19.2.1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.

References

CVE-2015-7181,

CVE-2015-7182

Ubuntu

USN-2785-1: Firefox vulnerabilities

November 5, 2015 007admin

Ubuntu Security Notice USN-2785-1

4th November, 2015

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 15.10
Ubuntu 15.04
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

firefox
– Mozilla Open Source web browser

Details

Christian Holler, David Major, Jesse Ruderman, Tyson Smith, Boris Zbarsky,
Randell Jesup, Olli Pettay, Karl Tomlinson, Jeff Walden, Gary Kwong,
Andrew McCreight, Georg Fritzsche, and Carsten Book discovered multiple
memory safety issues in Firefox. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2015-4513,
CVE-2015-4514)

Tim Brown discovered that Firefox discloses the hostname during NTLM
authentication in some circumstances. If a user were tricked in to
opening a specially crafted website with NTLM v1 enabled, an attacker
could exploit this to obtain sensitive information. (CVE-2015-4515)

Mario Heiderich and Frederik Braun discovered that CSP could be bypassed
in reader mode in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
conduct cross-site scripting (XSS) attacks. (CVE-2015-4518)

Tyson Smith and David Keeler discovered a use-after-poison and buffer
overflow in NSS. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7181, CVE-2015-7182)

Ryan Sleevi discovered an integer overflow in NSPR. If a user were tricked
in to opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-7183)

Jason Hamilton, Peter Arremann and Sylvain Giroux discovered that panels
created via the Addon SDK with { script: false } could still execute
inline script. If a user installed an addon that relied on this as a
security mechanism, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks, depending on the source of the panel
content. (CVE-2015-7187)

Michał Bentkowski discovered that adding white-space to hostnames that are
IP address can bypass same-origin protections. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2015-7188)

Looben Yang discovered a buffer overflow during script interactions with
the canvas element in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-7189)

Shinto K Anto discovered that CORS preflight is bypassed when receiving
non-standard Content-Type headers in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to bypass same-origin restrictions.
(CVE-2015-7193)

Gustavo Grieco discovered a buffer overflow in libjar in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7194)

Frans Rosén discovered that certain escaped characters in the Location
header are parsed incorrectly, resulting in a navigation to the previously
parsed version of a URL. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to obtain site
specific tokens. (CVE-2015-7195)

Vytautas Staraitis discovered a garbage collection crash when interacting
with Java applets in some circumstances. If a user were tricked in to
opening a specially crafted website with the Java plugin installed, an
attacker could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-7196)

Ehsan Akhgari discovered a mechanism for a web worker to bypass secure
requirements for web sockets. If a user were tricked in to opening a
specially crafted website, an attacker could exploit this to bypass the
mixed content web socket policy. (CVE-2015-7197)

Ronald Crane discovered several vulnerabilities through code-inspection. If
a user were tricked in to opening a specially crafted website, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2015-7198, CVE-2015-7199, CVE-2015-7200)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.10:: firefox

42.0+build2-0ubuntu0.15.10.1
Ubuntu 15.04:: firefox

42.0+build2-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:: firefox

42.0+build2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox

42.0+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

Ubuntu Security Notice USN-2793-1

libreoffice vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2792-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2796-1

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2795-1

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2798-1

linux-lts-vivid vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2797-1

linux-lts-utopic vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2799-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2790-1

nspr vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2791-1

nss vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2785-1

firefox vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information