Category Archives: Ubuntu

Ubuntu Security Notices

USN-2625-1: Apache HTTP Server update

Ubuntu Security Notice USN-2625-1

2nd June, 2015

apache2 update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security improvements have been made to the Apache HTTP Server.

Software description

  • apache2
    – Apache HTTP server

Details

As a security improvement, this update makes the following changes to
the Apache package in Ubuntu 12.04 LTS:

Added support for ECC keys and ECDH ciphers.

The SSLProtocol configuration directive now allows specifying the TLSv1.1
and TLSv1.2 protocols.

Ephemeral key handling has been improved, including allowing DH parameters
to be loaded from the SSL certificate file specified in SSLCertificateFile.

The export cipher suites are now disabled by default.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • apache2.2-bin 2.2.22-1ubuntu1.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

This update may cause DH parameters to change, which could impact certain Java
clients. See http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#javadh for more
information.

References

LP: 1197884, LP: 1400473

USN-2623-1: ipsec-tools vulnerability

Ubuntu Security Notice USN-2623-1

1st June, 2015

ipsec-tools vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

ipsec-tools could be made to crash if it received specially crafted network
traffic.

Software description

  • ipsec-tools
    – IPsec tools for Linux

Details

It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly
handled certain UDP packets. A remote attacker could use this issue to
cause racoon to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • racoon 1:0.8.0-9ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-4047

USN-2624-1: OpenSSL update

Ubuntu Security Notice USN-2624-1

1st June, 2015

openssl update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The export cipher suites have been disabled in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

As a security improvement, this update removes the export cipher suites
from the default cipher list to prevent their use in possible downgrade
attacks.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • libssl1.0.0 1.0.1f-1ubuntu11.1

Ubuntu 14.10:
  • libssl1.0.0 1.0.1f-1ubuntu9.5

Ubuntu 14.04 LTS:
  • libssl1.0.0 1.0.1f-1ubuntu2.12

Ubuntu 12.04 LTS:
  • libssl1.0.0 1.0.1-4ubuntu5.28

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1460735

USN-2617-3: NTFS-3G vulnerability

Ubuntu Security Notice USN-2617-3

27th May, 2015

ntfs-3g vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04

Summary

NTFS-3G could be made to overwrite files as the administrator.

Software description

  • ntfs-3g
    – read/write NTFS driver for FUSE

Details

USN-2617-1 fixed a vulnerability in NTFS-3G. The original patch did not
completely address the issue. This update fixes the problem.

Original advisory details:

Tavis Ormandy discovered that FUSE incorrectly filtered environment
variables. A local attacker could use this issue to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • ntfs-3g 1:2014.2.15AR.3-1ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3202

USN-2622-1: OpenLDAP vulnerabilities

Ubuntu Security Notice USN-2622-1

26th May, 2015

openldap vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

OpenLDAP could be made to crash if it received specially crafted network
traffic.

Software description

  • openldap
    – OpenLDAP utilities

Details

It was discovered that OpenLDAP incorrectly handled certain search queries
that returned empty attributes. A remote attacker could use this issue to
cause OpenLDAP to assert, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2012-1164)

Michael Vishchers discovered that OpenLDAP improperly counted references
when the rwm overlay was used. A remote attacker could use this issue to
cause OpenLDAP to crash, resulting in a denial of service. (CVE-2013-4449)

It was discovered that OpenLDAP incorrectly handled certain empty attribute
lists in search requests. A remote attacker could use this issue to cause
OpenLDAP to crash, resulting in a denial of service. (CVE-2015-1545)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • slapd 2.4.31-1+nmu2ubuntu12.1

Ubuntu 14.10:
  • slapd 2.4.31-1+nmu2ubuntu11.1

Ubuntu 14.04 LTS:
  • slapd 2.4.31-1+nmu2ubuntu8.1

Ubuntu 12.04 LTS:
  • slapd 2.4.28-1.1ubuntu4.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2012-1164, CVE-2013-4449, CVE-2015-1545

USN-2621-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-2621-1

25th May, 2015

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PostgreSQL.

Software description

  • postgresql-9.1
    – Object-relational SQL database

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.4
    – Object-relational SQL database

Details

Benkocs Norbert Attila discovered that PostgreSQL incorrectly handled
authentication timeouts. A remote attacker could use this flaw to cause the
unauthenticated session to crash, possibly leading to a security issue.
(CVE-2015-3165)

Noah Misch discovered that PostgreSQL incorrectly handled certain standard
library function return values, possibly leading to security issues.
(CVE-2015-3166)

Noah Misch discovered that the pgcrypto function could return different
error messages when decrypting using an incorrect key, possibly leading to
a security issue. (CVE-2015-3167)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • postgresql-9.4 9.4.2-0ubuntu0.15.04

Ubuntu 14.10:
  • postgresql-9.4 9.4.2-0ubuntu0.14.10

Ubuntu 14.04 LTS:
  • postgresql-9.3 9.3.7-0ubuntu0.14.04

Ubuntu 12.04 LTS:
  • postgresql-9.1 9.1.16-0ubuntu0.12.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2015-3165, CVE-2015-3166, CVE-2015-3167

USN-2620-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2620-1

23rd May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux
    – Linux kernel

Details

A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP
fast open to initiate a connection. An unprivileged local user could
exploit this flaw to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • linux-image-3.13.0-53-generic-lpae 3.13.0-53.89
  • linux-image-3.13.0-53-powerpc64-emb 3.13.0-53.89
  • linux-image-3.13.0-53-powerpc-smp 3.13.0-53.89
  • linux-image-3.13.0-53-lowlatency 3.13.0-53.89
  • linux-image-3.13.0-53-powerpc-e500 3.13.0-53.89
  • linux-image-3.13.0-53-generic 3.13.0-53.89
  • linux-image-3.13.0-53-powerpc-e500mc 3.13.0-53.89
  • linux-image-3.13.0-53-powerpc64-smp 3.13.0-53.89

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-3332

USN-2619-1: Linux kernel (Trusty HWE) vulnerability

Ubuntu Security Notice USN-2619-1

23rd May, 2015

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP
fast open to initiate a connection. An unprivileged local user could
exploit this flaw to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • linux-image-3.13.0-53-generic-lpae 3.13.0-53.89~precise1
  • linux-image-3.13.0-53-generic 3.13.0-53.89~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-3332

USN-2617-2: NTFS-3G vulnerability

Ubuntu Security Notice USN-2617-2

22nd May, 2015

ntfs-3g vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04

Summary

NTFS-3G could be made to overwrite files as the administrator.

Software description

  • ntfs-3g
    – read/write NTFS driver for FUSE

Details

USN-2617-1 fixed a vulnerability in FUSE. This update provides the
corresponding fix for the embedded FUSE copy in NTFS-3G.

Original advisory details:

Tavis Ormandy discovered that FUSE incorrectly filtered environment
variables. A local attacker could use this issue to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • ntfs-3g 1:2014.2.15AR.3-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3202

USN-2610-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2610-1

21st May, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

Several security issues were discovered in the DOM implementation in
Blink. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to bypass Same Origin Policy
restrictions. (CVE-2015-1253, CVE-2015-1254)

A use-after-free was discovered in the WebAudio implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via renderer crash, or execute arbitrary code with the privileges
of the sandboxed render process. (CVE-2015-1255)

A use-after-free was discovered in the SVG implementation in Blink. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2015-1256)

A security issue was discovered in the SVG implementation in Blink. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash. (CVE-2015-1257)

An issue was discovered with the build of libvpx. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash, or execute
arbitrary code with the privileges of the sandboxed render process.
(CVE-2015-1258)

Multiple use-after-free issues were discovered in the WebRTC
implementation in Chromium. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit these to
cause a denial of service via renderer crash, or execute arbitrary code
with the privileges of the sandboxed render process. (CVE-2015-1260)

An uninitialized value bug was discovered in the font shaping code in
Blink. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of service
via renderer crash. (CVE-2015-1262)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1265)

Multiple security issues were discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-3910)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • liboxideqtcore0 1.7.8-0ubuntu0.15.04.1
  • oxideqt-codecs 1.7.8-0ubuntu0.15.04.1
  • oxideqt-codecs-extra 1.7.8-0ubuntu0.15.04.1

Ubuntu 14.10:
  • liboxideqtcore0 1.7.8-0ubuntu0.14.10.1
  • oxideqt-codecs 1.7.8-0ubuntu0.14.10.1
  • oxideqt-codecs-extra 1.7.8-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • liboxideqtcore0 1.7.8-0ubuntu0.14.04.1
  • oxideqt-codecs 1.7.8-0ubuntu0.14.04.1
  • oxideqt-codecs-extra 1.7.8-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1253, CVE-2015-1254, CVE-2015-1255, CVE-2015-1256, CVE-2015-1257,
CVE-2015-1258, CVE-2015-1260, CVE-2015-1262, CVE-2015-1265, CVE-2015-3910