Ubuntu Security Notices

USN-2758-1: PHP vulnerabilities

Ubuntu Security Notice USN-2758-1

30th September, 2015

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

It was discovered that the PHP phar extension incorrectly handled certain
files. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-5589)

It was discovered that the PHP phar extension incorrectly handled certain
filepaths. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-5590)

Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6831, CVE-2015-6834, CVE-2015-6835)

Sean Heelan discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6832)

It was discovered that the PHP phar extension incorrectly handled certain
archives. A remote attacker could use this issue to cause files to be
placed outside of the destination directory. (CVE-2015-6833)

Andrea Palazzo discovered that the PHP Soap client incorrectly validated
data types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6836)

It was discovered that the PHP XSLTProcessor class incorrectly handled
certain data. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-6837)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
php5-cli 5.6.4+dfsg-4ubuntu6.3
php5-cgi 5.6.4+dfsg-4ubuntu6.3
libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.3
php5-fpm 5.6.4+dfsg-4ubuntu6.3
Ubuntu 14.04 LTS:
php5-cli 5.5.9+dfsg-1ubuntu4.13
php5-cgi 5.5.9+dfsg-1ubuntu4.13
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.13
php5-fpm 5.5.9+dfsg-1ubuntu4.13
Ubuntu 12.04 LTS:
php5-cli 5.3.10-1ubuntu3.20
php5-cgi 5.3.10-1ubuntu3.20
libapache2-mod-php5 5.3.10-1ubuntu3.20
php5-fpm 5.3.10-1ubuntu3.20

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-5589, CVE-2015-5590, CVE-2015-6831, CVE-2015-6832, CVE-2015-6833,
CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838

USN-2749-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2749-1

29th September, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-65-generic-lpae 3.13.0-65.105~precise1
linux-image-3.13.0-65-generic 3.13.0-65.105~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5697, CVE-2015-6252

USN-2750-1: Linux kernel (Utopic HWE) vulnerability

Ubuntu Security Notice USN-2750-1

29th September, 2015

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-lts-utopic
    – Linux hardware enablement kernel from Utopic

Details

It was discovered that an integer overflow error existed in the SCSI
generic (sg) driver in the Linux kernel. A local attacker with write
permission to a SCSI generic device could use this to cause a denial of
service (system crash) or potentially escalate their privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-50-powerpc64-emb 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-generic 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-lowlatency 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc64-smp 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc-smp 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc-e500mc 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-generic-lpae 3.16.0-50.66~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5707

USN-2752-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2752-1

29th September, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
linux-image-3.19.0-30-powerpc64-smp 3.19.0-30.33
linux-image-3.19.0-30-generic 3.19.0-30.33
linux-image-3.19.0-30-powerpc64-emb 3.19.0-30.33
linux-image-3.19.0-30-powerpc-smp 3.19.0-30.33
linux-image-3.19.0-30-generic-lpae 3.19.0-30.33
linux-image-3.19.0-30-lowlatency 3.19.0-30.33
linux-image-3.19.0-30-powerpc-e500mc 3.19.0-30.33

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5697, CVE-2015-6252

USN-2751-1: Linux kernel (Vivid HWE) vulnerabilities

Ubuntu Security Notice USN-2751-1

29th September, 2015

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-vivid
    – Linux hardware enablement kernel from Vivid

Details

Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-30-powerpc64-smp 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-generic 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc-smp 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc64-emb 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-generic-lpae 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-lowlatency 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc-e500mc 3.19.0-30.33~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5697, CVE-2015-6252

USN-2753-1: LXC vulnerability

Ubuntu Security Notice USN-2753-1

29th September, 2015

lxc vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

LXC could be made to start containers without AppArmor confinement or access
the host filesystem.

Software description

  • lxc
    – Linux Containers userspace tools

Details

Roman Fiedler discovered a directory traversal flaw in lxc-start. A local
attacker with access to an LXC container could exploit this flaw to run
programs inside the container that are not confined by AppArmor or expose
unintended files in the host to the container.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
lxc 1.1.2-0ubuntu3.2
Ubuntu 14.04 LTS:
lxc 1.0.7-0ubuntu0.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1335

USN-2747-1: NVIDIA graphics drivers vulnerability

Ubuntu Security Notice USN-2747-1

28th September, 2015

nvidia-graphics-drivers-304, nvidia-graphics-drivers-304-updates, nvidia-graphics-drivers-340, nvidia-graphics-drivers-340-updates, nvidia-graphics-drivers-346, nvidia-graphics-drivers-346-updates, jockey vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NVIDIA graphics drivers could be made to run programs as an administrator.

Software description

  • jockey
    – user interface and desktop integration for driver management

  • nvidia-graphics-drivers-304
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-304-updates
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-340
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-340-updates
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-346
    – NVIDIA binary X.Org driver

  • nvidia-graphics-drivers-346-updates
    – NVIDIA binary X.Org driver

Details

Dario Weisser discovered that the NVIDIA graphics drivers incorrectly
handled certain IOCTL writes. A local attacker could use this issue to
possibly gain root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
nvidia-346 346.96-0ubuntu0.1
nvidia-346-updates 346.96-0ubuntu0.1
nvidia-340-updates 340.93-0ubuntu0.1
nvidia-340 340.93-0ubuntu0.1
nvidia-304-updates 304.128-0ubuntu0.1
nvidia-304 304.128-0ubuntu0.1
Ubuntu 14.04 LTS:
nvidia-346 346.96-0ubuntu0.0.1
nvidia-346-updates 346.96-0ubuntu0.0.1
nvidia-340-updates 340.93-0ubuntu0.0.1
nvidia-340 340.93-0ubuntu0.0.1
nvidia-304-updates 304.128-0ubuntu0.0.1
nvidia-304 304.128-0ubuntu0.0.1
Ubuntu 12.04 LTS:
jockey-common 0.9.7-0ubuntu7.16
nvidia-304 304.128-0ubuntu0.0.0.1
nvidia-304-updates 304.128-0ubuntu0.0.0.1
nvidia-340-updates 340.93-0ubuntu0.0.0.1
nvidia-340 340.93-0ubuntu0.0.0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-5950

USN-2748-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2748-1

28th September, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)

Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-65-powerpc-e500 3.13.0-65.105
linux-image-3.13.0-65-powerpc64-smp 3.13.0-65.105
linux-image-3.13.0-65-powerpc-smp 3.13.0-65.105
linux-image-3.13.0-65-powerpc64-emb 3.13.0-65.105
linux-image-3.13.0-65-generic 3.13.0-65.105
linux-image-3.13.0-65-generic-lpae 3.13.0-65.105
linux-image-3.13.0-65-powerpc-e500mc 3.13.0-65.105
linux-image-3.13.0-65-lowlatency 3.13.0-65.105

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5697, CVE-2015-6252

USN-2746-2: Simple Streams regression

Ubuntu Security Notice USN-2746-2

25th September, 2015

simplestreams regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

USN-2746-1 introduced a regression in Simple Streams.

Software description

  • simplestreams
    – Library and tools for using Simple Streams data

Details

USN-2746-1 fixed a vulnerability in Simple Streams. The update caused a
regression preventing MAAS from downloading PXE images. This update fixes
the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Simple Streams did not properly perform gpg
verification in some situations. A remote attacker could use this to
perform a man-in-the-middle attack and inject malicious content into
the stream.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
python-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
python-simplestreams-openstack 0.1.0~bzr354-0ubuntu1.15.04.2
python3-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
Ubuntu 14.04 LTS:
python-simplestreams 0.1.0~bzr341-0ubuntu2.3
simplestreams 0.1.0~bzr341-0ubuntu2.3
python-simplestreams-openstack 0.1.0~bzr341-0ubuntu2.3
python3-simplestreams 0.1.0~bzr341-0ubuntu2.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any services that
make use of python-simplestreams or python3-simplestreams to make
all the necessary changes.

References

LP: 1499749

USN-2744-1: Apport vulnerability

Ubuntu Security Notice USN-2744-1

24th September, 2015

apport vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Apport could be made to crash or overwrite files as an administrator.

Software description

  • apport
    – automatically generate crash reports for debugging

Details

Halfdog discovered that Apport incorrectly handled kernel crash dump files.
A local attacker could use this issue to cause a denial of service, or
possibly elevate privileges. The default symlink protections for affected
releases should reduce the vulnerability to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
apport 2.17.2-0ubuntu1.5
Ubuntu 14.04 LTS:
apport 2.14.1-0ubuntu3.15
Ubuntu 12.04 LTS:
apport 2.0.1-0ubuntu17.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1338