Ubuntu Security Notices

USN-2596-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2596-1

5th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.2.0-83-omap            3.2.0-83.120
  linux-image-3.2.0-83-powerpc-smp     3.2.0-83.120
  linux-image-3.2.0-83-highbank        3.2.0-83.120
  linux-image-3.2.0-83-powerpc64-smp   3.2.0-83.120
  linux-image-3.2.0-83-generic-pae     3.2.0-83.120
  linux-image-3.2.0-83-virtual         3.2.0-83.120
  linux-image-3.2.0-83-generic         3.2.0-83.120

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2599-1: Linux kernel (Utopic HWE) vulnerability

Ubuntu Security Notice USN-2599-1

5th May, 2015

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-lts-utopic
    – Linux hardware enablement kernel from Utopic

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-3.16.0-37-powerpc64-emb    3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-lowlatency       3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-powerpc64-smp    3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-generic-lpae     3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-powerpc-smp      3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-generic          3.16.0-37.49~14.04.1
  linux-image-3.16.0-37-powerpc-e500mc   3.16.0-37.49~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2598-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2598-1

5th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-3.13.0-52-generic          3.13.0-52.85
  linux-image-3.13.0-52-generic-lpae     3.13.0-52.85
  linux-image-3.13.0-52-powerpc-e500     3.13.0-52.85
  linux-image-3.13.0-52-lowlatency       3.13.0-52.85
  linux-image-3.13.0-52-powerpc-smp      3.13.0-52.85
  linux-image-3.13.0-52-powerpc-e500mc   3.13.0-52.85
  linux-image-3.13.0-52-powerpc64-emb    3.13.0-52.85
  linux-image-3.13.0-52-powerpc64-smp    3.13.0-52.85

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2597-1: Linux kernel (Trusty HWE) vulnerability

Ubuntu Security Notice USN-2597-1

5th May, 2015

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  linux-image-3.13.0-52-generic          3.13.0-52.85~precise1
  linux-image-3.13.0-52-generic-lpae     3.13.0-52.85~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2582-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2582-1

6th May, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

A use-after-free was discovered in the DOM implementation in Blink. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2015-1243)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1250)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
  liboxideqtcore0    1.6.6-0ubuntu0.15.04.1
Ubuntu 14.10:
  liboxideqtcore0    1.6.6-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
  liboxideqtcore0    1.6.6-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1243, CVE-2015-1250

USN-2601-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2601-1

5th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
  linux-image-3.19.0-16-lowlatency       3.19.0-16.16
  linux-image-3.19.0-16-powerpc64-smp    3.19.0-16.16
  linux-image-3.19.0-16-generic          3.19.0-16.16
  linux-image-3.19.0-16-powerpc-smp      3.19.0-16.16
  linux-image-3.19.0-16-powerpc-e500mc   3.19.0-16.16
  linux-image-3.19.0-16-generic-lpae     3.19.0-16.16
  linux-image-3.19.0-16-powerpc64-emb    3.19.0-16.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2600-1: Linux kernel vulnerability

Ubuntu Security Notice USN-2600-1

5th May, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10

Summary

The system could be made to run programs as an administrator.

Software description

  • linux
    – Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  linux-image-3.16.0-37-generic          3.16.0-37.49
  linux-image-3.16.0-37-lowlatency       3.16.0-37.49
  linux-image-3.16.0-37-powerpc64-emb    3.16.0-37.49
  linux-image-3.16.0-37-powerpc64-smp    3.16.0-37.49
  linux-image-3.16.0-37-generic-lpae     3.16.0-37.49
  linux-image-3.16.0-37-powerpc-smp      3.16.0-37.49
  linux-image-3.16.0-37-powerpc-e500mc   3.16.0-37.49

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

USN-2594-1: ClamAV vulnerabilities

Ubuntu Security Notice USN-2594-1

5th May, 2015

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

ClamAV could be made to crash or run programs if it processed a specially
crafted file.

Software description

  • clamav
    – Anti-virus utility for Unix

Details

It was discovered that ClamAV incorrectly handled certain malformed files.
A remote attacker could use this issue to cause ClamAV to crash, resulting
in a denial of service, or possibly execute arbitrary code.

In the default installation, attackers would be isolated by the ClamAV
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
  clamav    0.98.7+dfsg-0ubuntu0.15.04.1
Ubuntu 14.10:
  clamav    0.98.7+dfsg-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
  clamav    0.98.7+dfsg-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  clamav    0.98.7+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, CVE-2015-2305, CVE-2015-2668

USN-2595-1: ppp vulnerability

Ubuntu Security Notice USN-2595-1

5th May, 2015

ppp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

ppp could be made to crash if it received specially crafted network
traffic.

Software description

  • ppp
    – Point-to-Point Protocol (PPP)

Details

It was discovered that ppp incorrectly handled large PIDs. When pppd is
used with a RADIUS server, a remote attacker could use this issue to cause
it to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  ppp    2.4.5-5.1ubuntu3.2
Ubuntu 14.04 LTS:
  ppp    2.4.5-5.1ubuntu2.2
Ubuntu 12.04 LTS:
  ppp    2.4.5-5ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3310

USN-2593-1: Dnsmasq vulnerability

Ubuntu Security Notice USN-2593-1

4th May, 2015

dnsmasq vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu (vivid)
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Dnsmasq could be made to crash or expose sensitive information if it
received specially crafted network traffic.

Software description

  • dnsmasq
    – Small caching DNS proxy and DHCP/TFTP server

Details

Nick Sampanis discovered that Dnsmasq incorrectly handled certain malformed
DNS requests. A remote attacker could use this issue to cause Dnsmasq to
crash, resulting in a denial of service, or possibly obtain sensitive
information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):
  dnsmasq-base    2.72-3ubuntu0.1
Ubuntu 14.10:
  dnsmasq-base    2.71-1ubuntu0.1
Ubuntu 14.04 LTS:
  dnsmasq-base    2.68-1ubuntu0.1
Ubuntu 12.04 LTS:
  dnsmasq         2.59-4ubuntu0.2
  dnsmasq-utils   2.59-4ubuntu0.2
  dnsmasq-base    2.59-4ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-3294