Ubuntu Security Notices

USN-2642-2: Linux kernel (Trusty HWE) regression

Ubuntu Security Notice USN-2642-2

21st June, 2015

linux-lts-trusty regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s
overlayfs file system. The removal of a directory that only exists on the
lower layer results in a kernel panic.

We apologize for the inconvenience.

Original advisory details:

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.13.0-55-generic-lpae    3.13.0-55.94~precise1
  linux-image-3.13.0-55-generic         3.13.0-55.94~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

http://bugs.launchpad.net/bugs/1465998

USN-2641-2: Linux kernel (OMAP4) regression

Ubuntu Security Notice USN-2641-2

21st June, 2015

linux-ti-omap4 regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s
overlayfs file system. The removal of a directory that only exists on the
lower layer results in a kernel panic.

We apologize for the inconvenience.

Original advisory details:

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.2.0-1466-omap4    3.2.0-1466.87

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

http://bugs.launchpad.net/bugs/1465998

USN-2643-2: Linux kernel regression

Ubuntu Security Notice USN-2643-2

21st June, 2015

linux regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux
    – Linux kernel

Details

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s
overlayfs file system. The removal of a directory that only exists on the
lower layer results in a kernel panic.

We apologize for the inconvenience.

Original advisory details:

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-3.13.0-55-generic-lpae      3.13.0-55.94
  linux-image-3.13.0-55-generic           3.13.0-55.94
  linux-image-3.13.0-55-powerpc-e500mc    3.13.0-55.94
  linux-image-3.13.0-55-powerpc-smp       3.13.0-55.94
  linux-image-3.13.0-55-powerpc64-emb     3.13.0-55.94
  linux-image-3.13.0-55-powerpc-e500      3.13.0-55.94
  linux-image-3.13.0-55-powerpc64-smp     3.13.0-55.94
  linux-image-3.13.0-55-lowlatency        3.13.0-55.94

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

http://bugs.launchpad.net/bugs/1465998

USN-2646-2: Linux kernel regression

Ubuntu Security Notice USN-2646-2

21st June, 2015

linux regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10

Summary

The system could be made to crash under certain conditions.

Software description

  • linux
    – Linux kernel

Details

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s
overlayfs file system. The removal of a directory that only exists on the
lower layer results in a kernel panic.

We apologize for the inconvenience.

Original advisory details:

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  linux-image-3.16.0-41-powerpc-smp       3.16.0-41.57
  linux-image-3.16.0-41-powerpc64-smp     3.16.0-41.57
  linux-image-3.16.0-41-powerpc64-emb     3.16.0-41.57
  linux-image-3.16.0-41-powerpc-e500mc    3.16.0-41.57
  linux-image-3.16.0-41-generic-lpae      3.16.0-41.57
  linux-image-3.16.0-41-lowlatency        3.16.0-41.57
  linux-image-3.16.0-41-generic           3.16.0-41.57

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

http://bugs.launchpad.net/bugs/1465998

USN-2644-2: Linux kernel (Utopic HWE) regression

Ubuntu Security Notice USN-2644-2

21st June, 2015

linux-lts-utopic regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-lts-utopic
    – Linux hardware enablement kernel from Utopic

Details

The fix for CVE-2015-1328 introduced a regression into the Linux kernel’s
overlayfs file system. The removal of a directory that only exists on the
lower layer results in a kernel panic.

We apologize for the inconvenience.

Original advisory details:

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-3.16.0-41-powerpc-smp       3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-powerpc64-smp     3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-generic           3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-powerpc-e500mc    3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-generic-lpae      3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-lowlatency        3.16.0-41.57~14.04.1
  linux-image-3.16.0-41-powerpc64-emb     3.16.0-41.57~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

http://bugs.launchpad.net/bugs/1465998

USN-2648-1: Aptdaemon vulnerability

Ubuntu Security Notice USN-2648-1

16th June, 2015

aptdaemon vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Aptdaemon could be made to expose sensitive information, or allow file
access as the administrator.

Software description

  • aptdaemon
    – transaction based package management service

Details

Tavis Ormandy discovered that Aptdaemon incorrectly handled the simulate
dbus method. A local attacker could use this issue to possibly expose
sensitive information, or perform other file access as the root user.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  aptdaemon    1.1.1+bzr982-0ubuntu3.1
Ubuntu 14.10:
  aptdaemon    1.1.1+bzr980-0ubuntu1.1
Ubuntu 14.04 LTS:
  aptdaemon    1.1.1-1ubuntu5.2
Ubuntu 12.04 LTS:
  aptdaemon    0.43+bzr805-0ubuntu10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1323

USN-2650-1: wpa_supplicant and hostapd vulnerabilities

Ubuntu Security Notice USN-2650-1

16th June, 2015

wpa, wpasupplicant vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

wpa_supplicant and hostapd could be made to crash if they received
specially crafted network traffic.

Software description

  • wpa
    – client support for WPA and WPA2

  • wpasupplicant
    – client support for WPA and WPA2

Details

Kostya Kortchinsky discovered multiple flaws in wpa_supplicant and hostapd.
A remote attacker could use these issues to cause wpa_supplicant or hostapd
to crash, resulting in a denial of service. (CVE-2015-4141, CVE-2015-4142,
CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  hostapd          2.1-0ubuntu7.2
  wpasupplicant    2.1-0ubuntu7.2
Ubuntu 14.10:
  hostapd          2.1-0ubuntu4.2
  wpasupplicant    2.1-0ubuntu4.2
Ubuntu 14.04 LTS:
  hostapd          2.1-0ubuntu1.3
  wpasupplicant    2.1-0ubuntu1.3
Ubuntu 12.04 LTS:
  wpasupplicant    0.7.3-6ubuntu2.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-4141, CVE-2015-4142, CVE-2015-4143, CVE-2015-4144, CVE-2015-4145,
CVE-2015-4146

USN-2649-1: devscripts vulnerability

Ubuntu Security Notice USN-2649-1

16th June, 2015

devscripts vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

devscripts could be made to overwrite files.

Software description

  • devscripts
    – scripts to make the life of a Debian Package maintainer easier

Details

It was discovered that the uupdate tool incorrectly handled symlinks.
If a user or automated system were tricked into processing specially
crafted files, a remote attacker could possibly replace arbitrary files,
leading to a privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  devscripts    2.14.6ubuntu0.1
Ubuntu 14.04 LTS:
  devscripts    2.14.1ubuntu0.1
Ubuntu 12.04 LTS:
  devscripts    2.11.6ubuntu1.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-1833

USN-2642-1: Linux kernel (Trusty HWE) vulnerability

Ubuntu Security Notice USN-2642-1

15th June, 2015

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.13.0-55-generic-lpae    3.13.0-55.92~precise1
  linux-image-3.13.0-55-generic         3.13.0-55.92~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-1328

USN-2641-1: Linux kernel (OMAP4) vulnerability

Ubuntu Security Notice USN-2641-1

15th June, 2015

linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

Philip Pettersson discovered a privilege escalation when using overlayfs
mounts inside of user namespaces. A local user could exploit this flaw to
gain administrative privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.2.0-1466-omap4    3.2.0-1466.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-1328