Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2618-1: python-dbusmock vulnerability

Ubuntu Security Notice USN-2618-1

21st May, 2015

python-dbusmock vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

python-dbusmock could be tricked into running arbitrary programs.

Software description

  • python-dbusmock
    – mock D-Bus objects for tests

Details

It was discovered that python-dbusmock incorrectly handled template
loading from shared directories. A local attacker could possibly use this
issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
python-dbusmock

0.14-1ubuntu2
python3-dbusmock

0.14-1ubuntu2
Ubuntu 14.10:
python-dbusmock

0.11.4-1ubuntu1
python3-dbusmock

0.11.4-1ubuntu1
Ubuntu 14.04 LTS:
python-dbusmock

0.10.1-1ubuntu1
python3-dbusmock

0.10.1-1ubuntu1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1326

Ubuntu

USN-2609-1: Apport vulnerabilities

Ubuntu Security Notice USN-2609-1

21st May, 2015

apport vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Apport could be tricked into creating arbitrary files as an administrator,
resulting in privilege escalation.

Software description

  • apport
    – automatically generate crash reports for debugging

Details

Sander Bos discovered that Apport incorrectly handled permissions when
the system was configured to generate core dumps for setuid binaries. A
local attacker could use this issue to gain elevated privileges.
(CVE-2015-1324)

Philip Pettersson discovered that Apport contained race conditions
resulting core dumps to be generated with incorrect permissions in
arbitrary locations. A local attacker could use this issue to gain elevated
privileges. (CVE-2015-1325)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
apport

2.17.2-0ubuntu1.1
Ubuntu 14.10:
apport

2.14.7-0ubuntu8.5
Ubuntu 14.04 LTS:
apport

2.14.1-0ubuntu3.11
Ubuntu 12.04 LTS:
apport

2.0.1-0ubuntu17.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1324,

CVE-2015-1325

Ubuntu

USN-2617-1: FUSE vulnerability

Ubuntu Security Notice USN-2617-1

21st May, 2015

fuse vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

FUSE could be made to overwrite files as the administrator.

Software description

  • fuse
    – Filesystem in Userspace

Details

Tavis Ormandy discovered that FUSE incorrectly filtered environment
variables. A local attacker could use this issue to gain administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
fuse

2.9.2-4ubuntu4.15.04.1
Ubuntu 14.10:
fuse

2.9.2-4ubuntu4.14.10.1
Ubuntu 14.04 LTS:
fuse

2.9.2-4ubuntu4.14.04.1
Ubuntu 12.04 LTS:
fuse

2.8.6-2ubuntu2.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3202

Ubuntu

USN-2611-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2611-1

20th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash if it received specially crafted
network traffic.

Software description

  • linux
    – Linux kernel

Details

Vincent Tondellier discovered an integer overflow in the Linux kernel’s
netfilter connection tracking accounting of loaded extensions. An attacker
on the local area network (LAN) could potential exploit this flaw to cause
a denial of service (system crash of targeted system).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-84-omap

3.2.0-84.121
linux-image-3.2.0-84-generic

3.2.0-84.121
linux-image-3.2.0-84-powerpc-smp

3.2.0-84.121
linux-image-3.2.0-84-powerpc64-smp

3.2.0-84.121
linux-image-3.2.0-84-virtual

3.2.0-84.121
linux-image-3.2.0-84-generic-pae

3.2.0-84.121
linux-image-3.2.0-84-highbank

3.2.0-84.121

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9715

Ubuntu

USN-2612-1: Linux kernel (OMAP4) vulnerabilities

Ubuntu Security Notice USN-2612-1

20th May, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges. (CVE-2015-3339)

Vincent Tondellier discovered an integer overflow in the Linux kernel’s
netfilter connection tracking accounting of loaded extensions. An attacker
on the local area network (LAN) could potential exploit this flaw to cause
a denial of service (system crash of targeted system). (CVE-2014-9715)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1464-omap4

3.2.0-1464.84

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9715,

CVE-2015-3339

Ubuntu

USN-2615-1: Linux kernel (Utopic HWE) vulnerabilities

Ubuntu Security Notice USN-2615-1

20th May, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-utopic
    – Linux hardware enablement kernel from Utopic

Details

Alexandre Oliva reported a race condition flaw in the btrfs file system’s
handling of extended attributes (xattrs). A local attacker could exploit
this flaw to bypass ACLs and potentially escalate privileges.
(CVE-2014-9710)

A memory corruption issue was discovered in AES decryption when using the
Intel AES-NI accelerated code path. A remote attacker could exploit this
flaw to cause a denial of service (system crash) or potentially escalate
privileges on Intel base machines with AEC-GCM mode IPSec security
association. (CVE-2015-3331)

A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP
fast open to initiate a connection. An unprivileged local user could
exploit this flaw to cause a denial of service (system crash).
(CVE-2015-3332)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-38-powerpc64-emb

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-powerpc64-smp

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-generic

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-powerpc-smp

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-generic-lpae

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-powerpc-e500mc

3.16.0-38.52~14.04.1
linux-image-3.16.0-38-lowlatency

3.16.0-38.52~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9710,

CVE-2015-3331,

CVE-2015-3332

Ubuntu

USN-2614-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2614-1

20th May, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Vincent Tondellier discovered an integer overflow in the Linux kernel’s
netfilter connection tracking accounting of loaded extensions. An attacker
on the local area network (LAN) could potential exploit this flaw to cause
a denial of service (system crash of targeted system). (CVE-2014-9715)

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A privilege escalation was discovered in the fork syscal vi the int80 entry
on 64 bit kernels with 32 bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

A memory corruption issue was discovered in AES decryption when using the
Intel AES-NI accelerated code path. A remote attacker could exploit this
flaw to cause a denial of service (system crash) or potentially escalate
privileges on Intel base machines with AEC-GCM mode IPSec security
association. (CVE-2015-3331)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-53-generic-lpae

3.13.0-53.88
linux-image-3.13.0-53-powerpc64-emb

3.13.0-53.88
linux-image-3.13.0-53-powerpc-smp

3.13.0-53.88
linux-image-3.13.0-53-lowlatency

3.13.0-53.88
linux-image-3.13.0-53-powerpc-e500

3.13.0-53.88
linux-image-3.13.0-53-generic

3.13.0-53.88
linux-image-3.13.0-53-powerpc-e500mc

3.13.0-53.88
linux-image-3.13.0-53-powerpc64-smp

3.13.0-53.88

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9715,

CVE-2015-2150,

CVE-2015-2830,

CVE-2015-3331

Ubuntu

USN-2613-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2613-1

20th May, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Vincent Tondellier discovered an integer overflow in the Linux kernel’s
netfilter connection tracking accounting of loaded extensions. An attacker
on the local area network (LAN) could potential exploit this flaw to cause
a denial of service (system crash of targeted system). (CVE-2014-9715)

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A privilege escalation was discovered in the fork syscal vi the int80 entry
on 64 bit kernels with 32 bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

A memory corruption issue was discovered in AES decryption when using the
Intel AES-NI accelerated code path. A remote attacker could exploit this
flaw to cause a denial of service (system crash) or potentially escalate
privileges on Intel base machines with AEC-GCM mode IPSec security
association. (CVE-2015-3331)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-53-generic-lpae

3.13.0-53.87~precise1
linux-image-3.13.0-53-generic

3.13.0-53.87~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9715,

CVE-2015-2150,

CVE-2015-2830,

CVE-2015-3331

Ubuntu

USN-2616-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2616-1

20th May, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Alexandre Oliva reported a race condition flaw in the btrfs file system’s
handling of extended attributes (xattrs). A local attacker could exploit
this flaw to bypass ACLs and potentially escalate privileges.
(CVE-2014-9710)

A memory corruption issue was discovered in AES decryption when using the
Intel AES-NI accelerated code path. A remote attacker could exploit this
flaw to cause a denial of service (system crash) or potentially escalate
privileges on Intel base machines with AEC-GCM mode IPSec security
association. (CVE-2015-3331)

A flaw was discovered in the Linux kernel’s IPv4 networking when using TCP
fast open to initiate a connection. An unprivileged local user could
exploit this flaw to cause a denial of service (system crash).
(CVE-2015-3332)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
linux-image-3.16.0-38-powerpc64-emb

3.16.0-38.52
linux-image-3.16.0-38-powerpc64-smp

3.16.0-38.52
linux-image-3.16.0-38-generic

3.16.0-38.52
linux-image-3.16.0-38-powerpc-smp

3.16.0-38.52
linux-image-3.16.0-38-generic-lpae

3.16.0-38.52
linux-image-3.16.0-38-powerpc-e500mc

3.16.0-38.52
linux-image-3.16.0-38-lowlatency

3.16.0-38.52

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-9710,

CVE-2015-3331,

CVE-2015-3332

Ubuntu

USN-2603-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-2603-1

18th May, 2015

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Jesse Ruderman, Mats Palmgren, Byron Campen, and Steve Fink discovered
multiple memory safety issues in Thunderbird. If a user were tricked in to
opening a specially crafted message with scripting enabled, an attacker
could potentially exploit these to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Thunderbird. (CVE-2015-2708)

Atte Kettunen discovered a buffer overflow during the rendering of SVG
content with certain CSS properties in some circumstances. If a user were
tricked in to opening a specially crafted message with scripting enabled,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2015-2710)

Scott Bell discovered a use-afer-free during the processing of text when
vertical text is enabled. If a user were tricked in to opening a specially
crafted message, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2015-2713)

Ucha Gobejishvili discovered a buffer overflow when parsing compressed XML
content. If a user were tricked in to opening a specially crafted message
with scripting enabled, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2015-2716)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
thunderbird

1:31.7.0+build1-0ubuntu0.15.04.1
Ubuntu 14.10:
thunderbird

1:31.7.0+build1-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
thunderbird

1:31.7.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird

1:31.7.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2015-2708,

CVE-2015-2710,

CVE-2015-2713,

CVE-2015-2716