Ubuntu Security Notices

USN-3214-1: w3m vulnerabilities

Ubuntu Security Notice USN-3214-1

2nd March, 2017

w3m vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in w3m.

Software description

  • w3m
    – WWW browsable pager with excellent tables/frames support

Details

A large number of security issues were discovered in the w3m browser. If a
user were tricked into viewing a malicious website, a remote attacker could
exploit a variety of issues related to web browser security, including
cross-site scripting attacks, denial of service attacks, and arbitrary code
execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  w3m 0.5.3-15ubuntu0.1

Ubuntu 12.04 LTS:
  w3m 0.5.3-5ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425, CVE-2016-9426,
CVE-2016-9428, CVE-2016-9429, CVE-2016-9430, CVE-2016-9431, CVE-2016-9432,
CVE-2016-9433, CVE-2016-9434, CVE-2016-9435, CVE-2016-9436, CVE-2016-9437,
CVE-2016-9438, CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442,
CVE-2016-9443, CVE-2016-9622, CVE-2016-9623, CVE-2016-9624, CVE-2016-9625,
CVE-2016-9626, CVE-2016-9627, CVE-2016-9628, CVE-2016-9629, CVE-2016-9630,
CVE-2016-9631, CVE-2016-9632, CVE-2016-9633

USN-3211-2: PHP regression

Ubuntu Security Notice USN-3211-2

2nd March, 2017

php7.0 regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

USN-3211-1 introduced a regression in PHP.

Software description

  • php7.0
    – HTML-embedded scripting language interpreter

Details

USN-3211-1 fixed vulnerabilities in PHP by updating to the new 7.0.15
upstream release. PHP 7.0.15 introduced a regression when using MySQL with
large blobs. This update fixes the problem with a backported fix.

Original advisory details:

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9936)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2016-10161)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-10162)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-5340)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  php7.0-fpm 7.0.15-0ubuntu0.16.10.4
  libapache2-mod-php7.0 7.0.15-0ubuntu0.16.10.4
  php7.0-cli 7.0.15-0ubuntu0.16.10.4
  php7.0-cgi 7.0.15-0ubuntu0.16.10.4

Ubuntu 16.04 LTS:
  php7.0-fpm 7.0.15-0ubuntu0.16.04.4
  libapache2-mod-php7.0 7.0.15-0ubuntu0.16.04.4
  php7.0-cli 7.0.15-0ubuntu0.16.04.4
  php7.0-cgi 7.0.15-0ubuntu0.16.04.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1668017

USN-3213-1: GD library vulnerabilities

Ubuntu Security Notice USN-3213-1

28th February, 2017

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a
specially crafted image file.

Software description

  • libgd2
    – GD Graphics Library

Details

Stefan Esser discovered that the GD library incorrectly handled memory when
processing certain images. If a user or automated system were tricked into
processing a specially crafted image, an attacker could cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10166)

It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an attacker could cause a denial of service.
(CVE-2016-10167)

It was discovered that the GD library incorrectly handled certain malformed
images. If a user or automated system were tricked into processing a
specially crafted image, an attacker could cause a denial of service, or
possibly execute arbitrary code. (CVE-2016-10168)

Ibrahim El-Sayed discovered that the GD library incorrectly handled certain
malformed TGA images. If a user or automated system were tricked into
processing a specially crafted TGA image, an attacker could cause a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and
Ubuntu 16.10. (CVE-2016-6906)

Ibrahim El-Sayed discovered that the GD library incorrectly handled certain
malformed WebP images. If a user or automated system were tricked into
processing a specially crafted WebP image, an attacker could cause a denial
of service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6912)

It was discovered that the GD library incorrectly handled creating
oversized images. If a user or automated system were tricked into creating
a specially crafted image, an attacker could cause a denial of service.
(CVE-2016-9317)

It was discovered that the GD library incorrectly handled filling certain
images. If a user or automated system were tricked into filling an image,
an attacker could cause a denial of service. (CVE-2016-9933)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  libgd3 2.2.1-1ubuntu3.3

Ubuntu 16.04 LTS:
  libgd3 2.1.1-4ubuntu0.16.04.6

Ubuntu 14.04 LTS:
  libgd3 2.1.0-3ubuntu0.6

Ubuntu 12.04 LTS:
  libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2.4
  libgd2-noxpm 2.0.36~rc1~dfsg-6ubuntu2.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10166, CVE-2016-10167, CVE-2016-10168, CVE-2016-6906,
CVE-2016-6912, CVE-2016-9317, CVE-2016-9933

USN-3212-1: LibTIFF vulnerabilities

Ubuntu Security Notice USN-3212-1

27th February, 2017

tiff vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • tiff
    – Tag Image File Format (TIFF) library

Details

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  libtiff5 4.0.6-2ubuntu0.1
  libtiff-tools 4.0.6-2ubuntu0.1

Ubuntu 16.04 LTS:
  libtiff5 4.0.6-1ubuntu0.1
  libtiff-tools 4.0.6-1ubuntu0.1

Ubuntu 14.04 LTS:
  libtiff5 4.0.3-7ubuntu0.6
  libtiff-tools 4.0.3-7ubuntu0.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-7554, CVE-2015-8668, CVE-2016-10092, CVE-2016-10093,
CVE-2016-10094, CVE-2016-3622, CVE-2016-3623, CVE-2016-3624, CVE-2016-3632,
CVE-2016-3658, CVE-2016-3945, CVE-2016-3990, CVE-2016-3991, CVE-2016-5314,
CVE-2016-5315, CVE-2016-5316, CVE-2016-5317, CVE-2016-5320, CVE-2016-5321,
CVE-2016-5322, CVE-2016-5323, CVE-2016-5652, CVE-2016-5875, CVE-2016-6223,
CVE-2016-8331, CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453,
CVE-2016-9532, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536,
CVE-2016-9537, CVE-2016-9538, CVE-2016-9539, CVE-2016-9540, CVE-2017-5225

USN-3211-1: PHP vulnerabilities

Ubuntu Security Notice USN-3211-1

23rd February, 2017

php7.0 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php7.0
    – HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9936)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2016-10161)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-10162)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-5340)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  php7.0-fpm 7.0.15-0ubuntu0.16.10.2
  libapache2-mod-php7.0 7.0.15-0ubuntu0.16.10.2
  php7.0-cli 7.0.15-0ubuntu0.16.10.2
  php7.0-cgi 7.0.15-0ubuntu0.16.10.2

Ubuntu 16.04 LTS:
  php7.0-fpm 7.0.15-0ubuntu0.16.04.2
  libapache2-mod-php7.0 7.0.15-0ubuntu0.16.04.2
  php7.0-cli 7.0.15-0ubuntu0.16.04.2
  php7.0-cgi 7.0.15-0ubuntu0.16.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161,
CVE-2016-10162, CVE-2016-7479, CVE-2016-9137, CVE-2016-9935, CVE-2016-9936,
CVE-2017-5340

USN-3210-1: LibreOffice vulnerability

Ubuntu Security Notice USN-3210-1

23rd February, 2017

LibreOffice vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

LibreOffice could be made to disclose files if it opened a specially crafted
file.

Software description

  • libreoffice
    – Office productivity suite

Details

Ben Hayak discovered that it was possible to make LibreOffice Calc and Writer
disclose arbitrary files to an attacker if a user opened a specially crafted
file with embedded links.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  libreoffice-base 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-calc 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-common 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-math 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-writer 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-base-core 1:5.1.6~rc2-0ubuntu1~xenial1
  libreoffice-core 1:5.1.6~rc2-0ubuntu1~xenial1

Ubuntu 14.04 LTS:
  libreoffice-base 1:4.2.8-0ubuntu5
  libreoffice-calc 1:4.2.8-0ubuntu5
  libreoffice-common 1:4.2.8-0ubuntu5
  libreoffice-math 1:4.2.8-0ubuntu5
  libreoffice-writer 1:4.2.8-0ubuntu5
  libreoffice 1:4.2.8-0ubuntu5
  libreoffice-base-core 1:4.2.8-0ubuntu5
  libreoffice-core 1:4.2.8-0ubuntu5

Ubuntu 12.04 LTS:
  libreoffice-base 1:3.5.7-0ubuntu13
  libreoffice-calc 1:3.5.7-0ubuntu13
  libreoffice-common 1:3.5.7-0ubuntu13
  libreoffice-math 1:3.5.7-0ubuntu13
  libreoffice-writer 1:3.5.7-0ubuntu13
  libreoffice 1:3.5.7-0ubuntu13
  libreoffice-base-core 1:3.5.7-0ubuntu13
  libreoffice-core 1:3.5.7-0ubuntu13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-3157

USN-3207-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3207-1

21st February, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

It was discovered that a use-after-free vulnerability existed in the block
device layer of the Linux kernel. A local attacker could use this to cause
a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2016-7910)

Dmitry Vyukov discovered a use-after-free vulnerability in the
sys_ioprio_get() function in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
administrative privileges. (CVE-2016-7911)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2017-6074)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-powerpc-smp 3.13.0.110.118
  linux-image-powerpc-e500mc 3.13.0.110.118
  linux-image-3.13.0-110-powerpc-e500 3.13.0-110.157
  linux-image-3.13.0-110-powerpc64-smp 3.13.0-110.157
  linux-image-3.13.0-110-generic 3.13.0-110.157
  linux-image-generic 3.13.0.110.118
  linux-image-3.13.0-110-powerpc-smp 3.13.0-110.157
  linux-image-3.13.0-110-powerpc-e500mc 3.13.0-110.157
  linux-image-3.13.0-110-lowlatency 3.13.0-110.157
  linux-image-powerpc64-emb 3.13.0.110.118
  linux-image-highbank 3.13.0.110.118
  linux-image-powerpc-e500 3.13.0.110.118
  linux-image-powerpc64-smp 3.13.0.110.118
  linux-image-generic-lpae 3.13.0.110.118
  linux-image-lowlatency 3.13.0.110.118
  linux-image-3.13.0-110-generic-lpae 3.13.0-110.157
  linux-image-3.13.0-110-powerpc64-emb 3.13.0-110.157

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7910, CVE-2016-7911, CVE-2017-6074

USN-3206-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3206-1

21st February, 2017

linux, linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

It was discovered that a use-after-free vulnerability existed in the block
device layer of the Linux kernel. A local attacker could use this to cause
a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2016-7910)

Dmitry Vyukov discovered a use-after-free vulnerability in the
sys_ioprio_get() function in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly gain
administrative privileges. (CVE-2016-7911)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2017-6074)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.2.0-1501-omap4 3.2.0-1501.128
  linux-image-powerpc-smp 3.2.0.123.138
  linux-image-3.2.0-123-powerpc64-smp 3.2.0-123.166
  linux-image-3.2.0-123-generic-pae 3.2.0-123.166
  linux-image-3.2.0-123-highbank 3.2.0-123.166
  linux-image-3.2.0-123-generic 3.2.0-123.166
  linux-image-omap4 3.2.0.1501.96
  linux-image-3.2.0-123-virtual 3.2.0-123.166
  linux-image-generic 3.2.0.123.138
  linux-image-generic-pae 3.2.0.123.138
  linux-image-highbank 3.2.0.123.138
  linux-image-3.2.0-123-powerpc-smp 3.2.0-123.166
  linux-image-virtual 3.2.0.123.138
  linux-image-powerpc64-smp 3.2.0.123.138
  linux-image-omap 3.2.0.123.138
  linux-image-3.2.0-123-omap 3.2.0-123.166

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7910, CVE-2016-7911, CVE-2017-6074

USN-3208-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3208-1

22nd February, 2017

linux, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

  • linux-snapdragon
    – Linux kernel for Snapdragon Processors

Details

It was discovered that the generic SCSI block layer in the Linux kernel did
not properly restrict write operations in certain situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly gain administrative privileges. (CVE-2016-10088)

CAI Qian discovered that the sysctl implementation in the Linux kernel did
not properly perform reference counting in some situations. An unprivileged
attacker could use this to cause a denial of service (system hang).
(CVE-2016-9191)

Jim Mattson discovered that the KVM implementation in the Linux kernel
mismanages the #BP and #OF exceptions. A local attacker in a guest virtual
machine could use this to cause a denial of service (guest OS crash).
(CVE-2016-9588)

Andy Lutomirski and Willy Tarreau discovered that the KVM implementation in
the Linux kernel did not properly emulate instructions on the SS segment
register. A local attacker in a guest virtual machine could use this to
cause a denial of service (guest OS crash) or possibly gain administrative
privileges in the guest OS. (CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
improperly emulated certain instructions. A local attacker could use this
to obtain sensitive information (kernel memory). (CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver in
the Linux kernel did not properly initialize memory related to logging. A
local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-5549)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2017-6074)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  linux-image-4.4.0-64-powerpc64-emb 4.4.0-64.85
  linux-image-4.4.0-64-powerpc64-smp 4.4.0-64.85
  linux-image-powerpc-e500mc 4.4.0.64.68
  linux-image-4.4.0-64-generic 4.4.0-64.85
  linux-image-powerpc-smp 4.4.0.64.68
  linux-image-generic 4.4.0.64.68
  linux-image-4.4.0-64-powerpc-e500mc 4.4.0-64.85
  linux-image-lowlatency 4.4.0.64.68
  linux-image-4.4.0-64-powerpc-smp 4.4.0-64.85
  linux-image-4.4.0-64-lowlatency 4.4.0-64.85
  linux-image-powerpc64-smp 4.4.0.64.68
  linux-image-generic-lpae 4.4.0.64.68
  linux-image-snapdragon 4.4.0.1048.40
  linux-image-4.4.0-64-generic-lpae 4.4.0-64.85
  linux-image-powerpc64-emb 4.4.0.64.68
  linux-image-4.4.0-1048-snapdragon 4.4.0-1048.52

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-10088, CVE-2016-9191, CVE-2016-9588, CVE-2017-2583, CVE-2017-2584,
CVE-2017-5549, CVE-2017-6074

USN-3207-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-3207-2

21st February, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty for Precise

Details

USN-3207-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

It was discovered that a use-after-free vulnerability existed in the block
device layer of the Linux kernel. A local attacker could use this to cause
a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2016-7910)

Dmitry Vyukov discovered a use-after-free vulnerability in the
sys_ioprio_get() function in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
administrative privileges. (CVE-2016-7911)

Andrey Konovalov discovered a use-after-free vulnerability in the DCCP
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly gain administrative
privileges. (CVE-2017-6074)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-generic-lpae-lts-trusty 3.13.0.110.101
  linux-image-3.13.0-110-generic 3.13.0-110.157~precise1
  linux-image-generic-lts-trusty 3.13.0.110.101
  linux-image-3.13.0-110-generic-lpae 3.13.0-110.157~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7910, CVE-2016-7911, CVE-2017-6074