Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2602-1: Firefox vulnerabilities

May 13, 2015 007admin

Ubuntu Security Notice USN-2602-1

13th May, 2015

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu (vivid)
Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

firefox
– Mozilla Open Source web browser

Details

Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong,
Andrew McCreight, Christian Holler, Jon Coppeard, and Milan Sreckovic
discovered multiple memory safety issues in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-2708, CVE-2015-2709)

Atte Kettunen discovered a buffer overflow during the rendering of SVG
content with certain CSS properties in some circumstances. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-2710)

Alex Verstak discovered that <meta name=”referrer”> is ignored in some
circumstances. (CVE-2015-2711)

Dougall Johnson discovered an out of bounds read and write in asm.js. If
a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to obtain sensitive information,
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2015-2712)

Scott Bell discovered a use-afer-free during the processing of text when
vertical text is enabled. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-2713)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during
shutdown. An attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-2715)

Ucha Gobejishvili discovered a buffer overflow when parsing compressed XML
content. If a user were tricked in to opening a specially crafted website,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2015-2716)

A buffer overflow and out-of-bounds read were discovered when parsing
metadata in MP4 files in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-2717)

Mark Hammond discovered that when a trusted page is hosted within an
iframe in an untrusted page, the untrusted page can intercept webchannel
responses meant for the trusted page in some circumstances. If a user
were tricked in to opening a specially crafted website, an attacker could
exploit this to bypass origin restrictions. (CVE-2015-2718)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):: firefox

38.0+build3-0ubuntu0.15.04.1
Ubuntu 14.10:: firefox

38.0+build3-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:: firefox

38.0+build3-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox

38.0+build3-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

Ubuntu

USN-2608-1: QEMU vulnerabilities

May 13, 2015 007admin

Ubuntu Security Notice USN-2608-1

13th May, 2015

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu (vivid)
Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

qemu
– Machine emulator and virtualizer
qemu-kvm
– Machine emulator and virtualizer

Details

Jason Geffner discovered that QEMU incorrectly handled the virtual floppy
driver. This issue is known as VENOM. A malicious guest could use this
issue to cause a denial of service, or possibly execute arbitrary code on
the host as the user running the QEMU process. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile. (CVE-2015-3456)

Daniel P. Berrange discovered that QEMU incorrectly handled VNC websockets.
A remote attacker could use this issue to cause QEMU to consume memory,
resulting in a denial of service. This issue only affected Ubuntu 14.04
LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-1779)

Jan Beulich discovered that QEMU, when used with Xen, didn’t properly
restrict access to PCI command registers. A malicious guest could use this
issue to cause a denial of service. This issue only affected Ubuntu 14.04
LTS and Ubuntu 14.10. (CVE-2015-2756)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):: qemu-system-misc

1:2.2+dfsg-5expubuntu9.1; qemu-system

1:2.2+dfsg-5expubuntu9.1; qemu-system-aarch64

1:2.2+dfsg-5expubuntu9.1; qemu-system-x86

1:2.2+dfsg-5expubuntu9.1; qemu-system-sparc

1:2.2+dfsg-5expubuntu9.1; qemu-system-arm

1:2.2+dfsg-5expubuntu9.1; qemu-system-ppc

1:2.2+dfsg-5expubuntu9.1; qemu-system-mips

1:2.2+dfsg-5expubuntu9.1
Ubuntu 14.10:: qemu-system-misc

2.1+dfsg-4ubuntu6.6; qemu-system

2.1+dfsg-4ubuntu6.6; qemu-system-aarch64

2.1+dfsg-4ubuntu6.6; qemu-system-x86

2.1+dfsg-4ubuntu6.6; qemu-system-sparc

2.1+dfsg-4ubuntu6.6; qemu-system-arm

2.1+dfsg-4ubuntu6.6; qemu-system-ppc

2.1+dfsg-4ubuntu6.6; qemu-system-mips

2.1+dfsg-4ubuntu6.6
Ubuntu 14.04 LTS:: qemu-system-misc

2.0.0+dfsg-2ubuntu1.11; qemu-system

2.0.0+dfsg-2ubuntu1.11; qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.11; qemu-system-x86

2.0.0+dfsg-2ubuntu1.11; qemu-system-sparc

2.0.0+dfsg-2ubuntu1.11; qemu-system-arm

2.0.0+dfsg-2ubuntu1.11; qemu-system-ppc

2.0.0+dfsg-2ubuntu1.11; qemu-system-mips

2.0.0+dfsg-2ubuntu1.11
Ubuntu 12.04 LTS:: qemu-kvm

1.0+noroms-0ubuntu14.22

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2015-1779,

CVE-2015-2756,

CVE-2015-3456

Ubuntu

USN-2607-1: Module::Signature vulnerabilities

May 12, 2015 007admin

Ubuntu Security Notice USN-2607-1

12th May, 2015

libmodule-signature-perl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu (vivid)
Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Module::Signature.

Software description

libmodule-signature-perl
– module to manipulate CPAN SIGNATURE files

Details

John Lightsey discovered that Module::Signature incorrectly handled PGP
signature boundaries. A remote attacker could use this issue to trick
Module::Signature into parsing the unsigned portion of the SIGNATURE file
as the signed portion. (CVE-2015-3406)

John Lightsey discovered that Module::Signature incorrectly handled files
that were not listed in the SIGNATURE file. A remote attacker could use
this flaw to execute arbitrary code when tests were run. (CVE-2015-3407)

John Lightsey discovered that Module::Signature incorrectly handled
embedded shell commands in the SIGNATURE file. A remote attacker could use
this issue to execute arbitrary code during signature verification.
(CVE-2015-3408)

John Lightsey discovered that Module::Signature incorrectly handled module
loading. A remote attacker could use this issue to execute arbitrary code
during signature verification. (CVE-2015-3409)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):: libmodule-signature-perl

0.73-1ubuntu0.15.04.1
Ubuntu 14.10:: libmodule-signature-perl

0.73-1ubuntu0.14.10.1
Ubuntu 14.04 LTS:: libmodule-signature-perl

0.73-1ubuntu0.14.04.1
Ubuntu 12.04 LTS:: libmodule-signature-perl

0.68-1ubuntu0.12.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2606-1: OpenSSL update

May 12, 2015 007admin

Ubuntu Security Notice USN-2606-1

12th May, 2015

openssl update

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

OpenSSL TLSv1.2 client support has been enabled in Ubuntu 12.04 LTS.

Software description

openssl
– Secure Socket Layer (SSL) cryptographic library and tools

Details

For compatibility reasons, Ubuntu 12.04 LTS shipped OpenSSL with TLSv1.2
disabled when being used as a client.

This update re-enables TLSv1.2 by default now that the majority of
problematic sites have been updated to fix compatibility issues.

For problematic environments, TLSv1.2 can be disabled again by setting the
OPENSSL_NO_CLIENT_TLS1_2 environment variable before library
initialization.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: libssl1.0.0

1.0.1-4ubuntu5.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1442970

Ubuntu

USN-2604-1: Libtasn1 vulnerability

May 11, 2015 007admin

Ubuntu Security Notice USN-2604-1

11th May, 2015

libtasn1-3, libtasn1-6 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu (vivid)
Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Libtasn1 could be made to crash or run programs if it processed specially
crafted data.

Software description

libtasn1-3
– Library to manage ASN.1 structures
libtasn1-6
– Library to manage ASN.1 structures

Details

Hanno Böck discovered that Libtasn1 incorrectly handled certain ASN.1 data.
A remote attacker could possibly exploit this with specially crafted ASN.1
data and cause applications using Libtasn1 to crash, resulting in a denial
of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):: libtasn1-6

4.2-2ubuntu1.1
Ubuntu 14.10:: libtasn1-6

4.0-2ubuntu0.2
Ubuntu 14.04 LTS:: libtasn1-6

3.4-3ubuntu0.3
Ubuntu 12.04 LTS:: libtasn1-3

2.10-1ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3622

Ubuntu

USN-2605-1: ICU vulnerabilities

May 11, 2015 007admin

Ubuntu Security Notice USN-2605-1

11th May, 2015

icu vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu (vivid)
Ubuntu 14.10
Ubuntu 14.04 LTS

Summary

ICU could be made to crash or run programs as your login if it processed
specially crafted data.

Software description

icu
– International Components for Unicode library

Details

Pedro Ribeiro discovered that ICU incorrectly handled certain memory
operations when processing data. If an application using ICU processed
crafted data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):: libicu52

52.1-8ubuntu0.1
Ubuntu 14.10:: libicu52

52.1-6ubuntu0.3
Ubuntu 14.04 LTS:: libicu52

52.1-3ubuntu0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8146,

CVE-2014-8147

Ubuntu

USN-2598-2: Linux kernel regression

May 9, 2015 007admin

Ubuntu Security Notice USN-2598-2

8th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

USN-2598-1 Introduced a regression in the Linux kernel.

Software description

linux
– Linux kernel

Details

USN-2598-1 fixed vulnerabilities in the Linux kernel, however an unrelated
regression in the auditing of some path names was introduced. Due to the
regression the system could crash under certain conditions.

This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-52-generic

3.13.0-52.86; linux-image-3.13.0-52-generic-lpae

3.13.0-52.86; linux-image-3.13.0-52-powerpc-e500

3.13.0-52.86; linux-image-3.13.0-52-lowlatency

3.13.0-52.86; linux-image-3.13.0-52-powerpc-smp

3.13.0-52.86; linux-image-3.13.0-52-powerpc-e500mc

3.13.0-52.86; linux-image-3.13.0-52-powerpc64-emb

3.13.0-52.86; linux-image-3.13.0-52-powerpc64-smp

3.13.0-52.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1450442

Ubuntu

USN-2597-2: Linux kernel (Trusty HWE) regression

May 9, 2015 007admin

Ubuntu Security Notice USN-2597-2

8th May, 2015

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

USN-2597-1 Introduced a regression in the Linux kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

USN-2597-1 fixed vulnerabilities in the Linux kernel, however an unrelated
regression in the auditing of some path names was introduced. Due to the
regression the system could crash under certain conditions.

This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-52-generic

3.13.0-52.86~precise1; linux-image-3.13.0-52-generic-lpae

3.13.0-52.86~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

https://launchpad.net/bugs/XXXXXX

Ubuntu

USN-2600-2: Linux kernel regression

May 9, 2015 007admin

Ubuntu Security Notice USN-2600-2

8th May, 2015

linux regression

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10

Summary

USN-2600-1 Introduced a regression in the Linux kernel.

Software description

linux
– Linux kernel

Details

USN-2600-1 fixed vulnerabilities in the Linux kernel, however an unrelated
regression in the auditing of some path names was introduced. Due to the
regression the system could crash under certain conditions.

This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: linux-image-3.16.0-37-powerpc64-emb

3.16.0-37.51; linux-image-3.16.0-37-lowlatency

3.16.0-37.51; linux-image-3.16.0-37-powerpc64-smp

3.16.0-37.51; linux-image-3.16.0-37-generic-lpae

3.16.0-37.51; linux-image-3.16.0-37-powerpc-smp

3.16.0-37.51; linux-image-3.16.0-37-generic

3.16.0-37.51; linux-image-3.16.0-37-powerpc-e500mc

3.16.0-37.51

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1450442

Ubuntu

USN-2599-2: Linux kernel (Utopic HWE) vulnerability

May 9, 2015 007admin

Ubuntu Security Notice USN-2599-2

8th May, 2015

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

USN-2599-1 Introduced a regression in the Linux kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

USN-2599-1 fixed vulnerabilities in the Linux kernel, however an unrelated
regression in the auditing of some path names was introduced. Due to the
regression the system could crash under certain conditions.

This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-37-generic

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-lowlatency

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-powerpc64-emb

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-powerpc64-smp

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-generic-lpae

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-powerpc-smp

3.16.0-37.51~14.04.1; linux-image-3.16.0-37-powerpc-e500mc

3.16.0-37.51~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1450442

Ubuntu Security Notice USN-2602-1

firefox vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2608-1

qemu, qemu-kvm vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2607-1

libmodule-signature-perl vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2606-1

openssl update

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2604-1

libtasn1-3, libtasn1-6 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2605-1

icu vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2598-2

linux vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2597-2

linux-lts-trusty vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2600-2

linux regression

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2599-2

linux-lts-utopic vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information