Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2699-1: HPLIP vulnerability

Ubuntu Security Notice USN-2699-1

30th July, 2015

hplip vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

HPLIP could be tricked into downloading a different GPG key when
performing printer plugin installations.

Software description

  • hplip
    – HP Linux Printing and Imaging System (HPLIP)

Details

Enrico Zini discovered that HPLIP used a short GPG key ID when downloading
keys from the keyserver. An attacker could possibly use this to return a
different key with a duplicate short key id and perform a man-in-the-middle
attack on printer plugin installations.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
hplip-data

3.15.2-0ubuntu4.2
Ubuntu 14.04 LTS:
hplip-data

3.14.3-0ubuntu3.4
Ubuntu 12.04 LTS:
hplip-data

3.12.2-1ubuntu3.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-0839

Ubuntu

USN-2698-1: SQLite vulnerabilities

Ubuntu Security Notice USN-2698-1

30th July, 2015

sqlite3 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

SQLite could be made to crash or run programs if it processed specially
crafted queries.

Software description

  • sqlite3
    – C library that implements an SQL database engine

Details

It was discovered that SQLite incorrectly handled skip-scan optimization.
An attacker could use this issue to cause applications using SQLite to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS. (CVE-2013-7443)

Michal Zalewski discovered that SQLite incorrectly handled dequoting of
collation-sequence names. An attacker could use this issue to cause
applications using SQLite to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 15.04. (CVE-2015-3414)

Michal Zalewski discovered that SQLite incorrectly implemented comparison
operators. An attacker could use this issue to cause applications using
SQLite to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 15.04. (CVE-2015-3415)

Michal Zalewski discovered that SQLite incorrectly handle printf precision
and width values during floating-point conversions. An attacker could use
this issue to cause applications using SQLite to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2015-3416)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
libsqlite3-0

3.8.7.4-1ubuntu0.1
Ubuntu 14.04 LTS:
libsqlite3-0

3.8.2-1ubuntu2.1
Ubuntu 12.04 LTS:
libsqlite3-0

3.7.9-2ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7443,

CVE-2015-3414,

CVE-2015-3415,

CVE-2015-3416

Ubuntu

USN-2697-1: Ghostscript vulnerability

Ubuntu Security Notice USN-2697-1

30th July, 2015

ghostscript vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Ghostscript could be made to crash or run programs if it processed a
specially crafted file.

Software description

  • ghostscript
    – PostScript and PDF interpreter

Details

William Robinet and Stefan Cornelius discovered that Ghostscript did not
correctly handle certain Postscript files. If a user or automated system
were tricked into opening a specially crafted file, an attacker could cause
a denial of service or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
libgs9

9.15+dfsg-0ubuntu2.1
Ubuntu 14.04 LTS:
libgs9

9.10~dfsg-0ubuntu10.4
Ubuntu 12.04 LTS:
libgs9

9.05~dfsg-0ubuntu4.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3228

Ubuntu

USN-2701-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2701-1

30th July, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested
NMIs (non-maskable interrupts). An unprivileged local user could exploit
this flaw to cause a denial of service (system crash) or potentially
escalate their privileges. (CVE-2015-3290)

Andy Lutomirski discovered a flaw that allows user to cause the Linux
kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged
user could exploit this flaw to potentially cause the system to miss
important NMIs resulting in unspecified effects. (CVE-2015-3291)

Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable
interrupt) that interrupts userspace and encounters an IRET fault is
incorrectly handled by the Linux kernel. An unprivileged local user could
exploit this flaw to cause a denial of service (kernel OOPs), corruption,
or potentially escalate privileges on the system. (CVE-2015-5157)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-61-generic

3.13.0-61.100~precise1
linux-image-3.13.0-61-generic-lpae

3.13.0-61.100~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3290,

CVE-2015-3291,

CVE-2015-5157

Ubuntu

USN-2700-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2700-1

30th July, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested
NMIs (non-maskable interrupts). An unprivileged local user could exploit
this flaw to cause a denial of service (system crash) or potentially
escalate their privileges. (CVE-2015-3290)

Andy Lutomirski discovered a flaw that allows user to cause the Linux
kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged
user could exploit this flaw to potentially cause the system to miss
important NMIs resulting in unspecified effects. (CVE-2015-3291)

Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable
interrupt) that interrupts userspace and encounters an IRET fault is
incorrectly handled by the Linux kernel. An unprivileged local user could
exploit this flaw to cause a denial of service (kernel OOPs), corruption,
or potentially escalate privileges on the system. (CVE-2015-5157)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-61-generic-lpae

3.13.0-61.100
linux-image-3.13.0-61-lowlatency

3.13.0-61.100
linux-image-3.13.0-61-powerpc-e500mc

3.13.0-61.100
linux-image-3.13.0-61-powerpc64-emb

3.13.0-61.100
linux-image-3.13.0-61-powerpc64-smp

3.13.0-61.100
linux-image-3.13.0-61-powerpc-e500

3.13.0-61.100
linux-image-3.13.0-61-generic

3.13.0-61.100
linux-image-3.13.0-61-powerpc-smp

3.13.0-61.100

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3290,

CVE-2015-3291,

CVE-2015-5157

Ubuntu

USN-2695-1: HTML Tidy vulnerabilities

Ubuntu Security Notice USN-2695-1

29th July, 2015

tidy vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

HTML Tidy could be made to crash or run programs if it processed specially
crafted data.

Software description

  • tidy
    – HTML syntax checker and reformatter

Details

Fernando Muñoz discovered that HTML Tidy incorrectly handled memory. If a
user or automated system were tricked into processing specially crafted
data, applications linked against HTML Tidy could be made to crash, leading
to a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
libtidy-0.99-0

20091223cvs-1.4ubuntu0.1
Ubuntu 14.04 LTS:
libtidy-0.99-0

20091223cvs-1.2ubuntu1.1
Ubuntu 12.04 LTS:
libtidy-0.99-0

20091223cvs-1ubuntu2.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-5522,

CVE-2015-5523

Ubuntu

USN-2694-1: PCRE vulnerabilities

Ubuntu Security Notice USN-2694-1

29th July, 2015

pcre3 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

PCRE could be made to crash or run programs if it processed a
specially-crafted regular expression.

Software description

  • pcre3
    – Perl 5 Compatible Regular Expression Library

Details

Michele Spagnuolo discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-8964)

Kai Lu discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04.
(CVE-2015-2325, CVE-2015-2326)

Wen Guanxing discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 15.04. (CVE-2015-3210)

It was discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 12.04 LTS and 14.04 LTS.
(CVE-2015-5073)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
libpcre3

2:8.35-3.3ubuntu1.1
Ubuntu 14.04 LTS:
libpcre3

1:8.31-2ubuntu2.1
Ubuntu 12.04 LTS:
libpcre3

8.12-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using PCRE,
such as the Apache HTTP server and Nginx, to make all the necessary
changes.

References

CVE-2014-8964,

CVE-2015-2325,

CVE-2015-2326,

CVE-2015-3210,

CVE-2015-5073

Ubuntu

USN-2693-1: Bind vulnerabilities

Ubuntu Security Notice USN-2693-1

28th July, 2015

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

  • bind9
    – Internet Domain Name Server

Details

Jonathan Foote discovered that Bind incorrectly handled certain TKEY
queries. A remote attacker could use this issue with a specially crafted
packet to cause Bind to crash, resulting in a denial of service.
(CVE-2015-5477)

Pories Ediansyah discovered that Bind incorrectly handled certain
configurations involving DNS64. A remote attacker could use this issue with
a specially crafted query to cause Bind to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-5689)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
bind9

1:9.9.5.dfsg-9ubuntu0.2
Ubuntu 14.04 LTS:
bind9

1:9.9.5.dfsg-3ubuntu0.4
Ubuntu 12.04 LTS:
bind9

1:9.8.1.dfsg.P1-4ubuntu0.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2012-5689,

CVE-2015-5477

Ubuntu

USN-2692-1: QEMU vulnerabilities

Ubuntu Security Notice USN-2692-1

28th July, 2015

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu
    – Machine emulator and virtualizer

Details

Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a
non-default configuration, a malicious guest could use this issue to cause
a denial of service, or possibly execute arbitrary code on the host as the
user running the QEMU process. In the default installation, when QEMU is
used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2015-3214)

Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI
commands. A malicious guest could use this issue to cause a denial of
service, or possibly execute arbitrary code on the host as the user running
the QEMU process. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2015-5154)

Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. A
malicious guest could use this issue to cause a denial of service, or
possibly execute arbitrary code on the host as the user running the QEMU
process. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile. This issue
only affected Ubuntu 15.04. (CVE-2015-5158)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
qemu-system-misc

1:2.2+dfsg-5expubuntu9.3
qemu-system

1:2.2+dfsg-5expubuntu9.3
qemu-system-aarch64

1:2.2+dfsg-5expubuntu9.3
qemu-system-x86

1:2.2+dfsg-5expubuntu9.3
qemu-system-sparc

1:2.2+dfsg-5expubuntu9.3
qemu-system-arm

1:2.2+dfsg-5expubuntu9.3
qemu-system-ppc

1:2.2+dfsg-5expubuntu9.3
qemu-system-mips

1:2.2+dfsg-5expubuntu9.3
Ubuntu 14.04 LTS:
qemu-system-misc

2.0.0+dfsg-2ubuntu1.15
qemu-system

2.0.0+dfsg-2ubuntu1.15
qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.15
qemu-system-x86

2.0.0+dfsg-2ubuntu1.15
qemu-system-sparc

2.0.0+dfsg-2ubuntu1.15
qemu-system-arm

2.0.0+dfsg-2ubuntu1.15
qemu-system-ppc

2.0.0+dfsg-2ubuntu1.15
qemu-system-mips

2.0.0+dfsg-2ubuntu1.15

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2015-3214,

CVE-2015-5154,

CVE-2015-5158

Ubuntu

USN-2687-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2687-1

28th July, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Andy Lutomirski discovered a flaw in the Linux kernel’s handling of nested
NMIs (non-maskable interrupts). An unprivileged local user could exploit
this flaw to cause a denial of service (system crash) or potentially
escalate their privileges. (CVE-2015-3290)

Colin King discovered a flaw in the add_key function of the Linux kernel’s
keyring subsystem. A local user could exploit this flaw to cause a denial
of service (memory exhaustion). (CVE-2015-1333)

Andy Lutomirski discovered a flaw that allows user to cause the Linux
kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged
user could exploit this flaw to potentially cause the system to miss
important NMIs resulting in unspecified effects. (CVE-2015-3291)

Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable
interrupt) that interrupts userspace and encounters an IRET fault is
incorrectly handled by the Linux kernel. An unprivileged local user could
exploit this flaw to cause a denial of service (kernel OOPs), corruption,
or potentially escalate privileges on the system. (CVE-2015-5157)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-59-generic

3.13.0-59.98~precise1
linux-image-3.13.0-59-generic-lpae

3.13.0-59.98~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-1333,

CVE-2015-3290,

CVE-2015-3291,

CVE-2015-5157