Ubuntu Security Notice USN-2592-1

4th May, 2015

libxml-libxml-perl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu (vivid)
• Ubuntu 14.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

XML::LibXML could be made to expose sensitive information.

Software description

• libxml-libxml-perl
  – Perl interface to the libxml2 library

Details

Tilmann Haak discovered that XML::LibXML incorrectly handled the
expand_entities parameter in certain situations. A remote attacker could
possibly use this issue to access sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):

libxml-libxml-perl

2.0116+dfsg-1ubuntu0.15.04.1

Ubuntu 14.10:

libxml-libxml-perl

2.0116+dfsg-1ubuntu0.14.10.1

Ubuntu 14.04 LTS:

libxml-libxml-perl

2.0108+dfsg-1ubuntu0.1

Ubuntu 12.04 LTS:

libxml-libxml-perl

1.89+dfsg-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3451

Ubuntu Security Notice USN-2585-1

30th April, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

• linux
  – Linux kernel

Details

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.2.0-82-generic

3.2.0-82.119

linux-image-3.2.0-82-virtual

3.2.0-82.119

linux-image-3.2.0-82-generic-pae

3.2.0-82.119

linux-image-3.2.0-82-highbank

3.2.0-82.119

linux-image-3.2.0-82-powerpc64-smp

3.2.0-82.119

linux-image-3.2.0-82-omap

3.2.0-82.119

linux-image-3.2.0-82-powerpc-smp

3.2.0-82.119

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2922

Ubuntu Security Notice USN-2584-1

30th April, 2015

linux-ec2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

• linux-ec2
  – Linux kernel for EC2

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-377-ec2

2.6.32-377.94

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

Ubuntu Security Notice USN-2583-1

30th April, 2015

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

• linux
  – Linux kernel

Details

A race condition between chown() and execve() was discovered in the Linux
kernel. A local attacker could exploit this race by using chown on a
setuid-user-binary to gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-74-powerpc

2.6.32-74.142

linux-image-2.6.32-74-386

2.6.32-74.142

linux-image-2.6.32-74-sparc64

2.6.32-74.142

linux-image-2.6.32-74-generic-pae

2.6.32-74.142

linux-image-2.6.32-74-preempt

2.6.32-74.142

linux-image-2.6.32-74-lpia

2.6.32-74.142

linux-image-2.6.32-74-sparc64-smp

2.6.32-74.142

linux-image-2.6.32-74-powerpc64-smp

2.6.32-74.142

linux-image-2.6.32-74-versatile

2.6.32-74.142

linux-image-2.6.32-74-generic

2.6.32-74.142

linux-image-2.6.32-74-virtual

2.6.32-74.142

linux-image-2.6.32-74-server

2.6.32-74.142

linux-image-2.6.32-74-powerpc-smp

2.6.32-74.142

linux-image-2.6.32-74-ia64

2.6.32-74.142

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-3339

Ubuntu Security Notice USN-2588-1

30th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

A stack overflow was discovered in the the microcode loader for the intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-3.13.0-51-powerpc64-emb

3.13.0-51.84

linux-image-3.13.0-51-powerpc64-smp

3.13.0-51.84

linux-image-3.13.0-51-generic

3.13.0-51.84

linux-image-3.13.0-51-powerpc-smp

3.13.0-51.84

linux-image-3.13.0-51-powerpc-e500

3.13.0-51.84

linux-image-3.13.0-51-generic-lpae

3.13.0-51.84

linux-image-3.13.0-51-powerpc-e500mc

3.13.0-51.84

linux-image-3.13.0-51-lowlatency

3.13.0-51.84

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2666,

CVE-2015-2922

Ubuntu Security Notice USN-2587-1

30th April, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-lts-trusty
  – Linux hardware enablement kernel from Trusty

Details

A stack overflow was discovered in the the microcode loader for the intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.13.0-51-generic

3.13.0-51.84~precise1

linux-image-3.13.0-51-generic-lpae

3.13.0-51.84~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2666,

CVE-2015-2922

Ubuntu Security Notice USN-2586-1

30th April, 2015

linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

• linux-ti-omap4
  – Linux kernel for OMAP4

Details

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.2.0-1463-omap4

3.2.0-1463.83

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2922

Ubuntu Security Notice USN-2589-1

30th April, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-lts-utopic
  – Linux hardware enablement kernel from Utopic

Details

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A stack overflow was discovered in the the microcode loader for the intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

A privilege escalation was discovered in the fork syscal vi the int80 entry
on 64 bit kernels with 32 bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-3.16.0-36-generic-lpae

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-powerpc64-emb

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-powerpc64-smp

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-generic

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-lowlatency

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-powerpc-smp

3.16.0-36.48~14.04.1

linux-image-3.16.0-36-powerpc-e500mc

3.16.0-36.48~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2150,

CVE-2015-2666,

CVE-2015-2830,

CVE-2015-2922

Ubuntu Security Notice USN-2591-1

30th April, 2015

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu (vivid)
• Ubuntu 14.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in curl.

Software description

• curl
  – HTTP, HTTPS, and FTP client and client libraries

Details

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP
credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)

Hanno Böck discovered that curl incorrectly handled zero-length host names.
If a user or automated system were tricked into using a specially crafted
host name, an attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3144)

Hanno Böck discovered that curl incorrectly handled cookie path elements.
If a user or automated system were tricked into parsing a specially crafted
cookie, an attacker could possibly use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3145)

Isaac Boukris discovered that when using Negotiate authenticated
connections, curl could incorrectly authenticate the entire connection and
not just specific HTTP requests. (CVE-2015-3148)

Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers
both to servers and proxies by default, contrary to expectations. This
issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu (vivid):

libcurl3-nss

7.38.0-3ubuntu2.2

libcurl3-gnutls

7.38.0-3ubuntu2.2

libcurl3

7.38.0-3ubuntu2.2

Ubuntu 14.10:

libcurl3-nss

7.37.1-1ubuntu3.4

libcurl3-gnutls

7.37.1-1ubuntu3.4

libcurl3

7.37.1-1ubuntu3.4

Ubuntu 14.04 LTS:

libcurl3-nss

7.35.0-1ubuntu2.5

libcurl3-gnutls

7.35.0-1ubuntu2.5

libcurl3

7.35.0-1ubuntu2.5

Ubuntu 12.04 LTS:

libcurl3-nss

7.22.0-3ubuntu4.14

libcurl3-gnutls

7.22.0-3ubuntu4.14

libcurl3

7.22.0-3ubuntu4.14

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3143,

CVE-2015-3144,

CVE-2015-3145,

CVE-2015-3148,

CVE-2015-3153

Ubuntu Security Notice USN-2590-1

30th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.10

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

Jan Beulich discovered the Xen virtual machine subsystem of the Linux
kernel did not properly restrict access to PCI command registers. A local
guest user could exploit this flaw to cause a denial of service (host
crash). (CVE-2015-2150)

A stack overflow was discovered in the the microcode loader for the intel
x86 platform. A local attacker could exploit this flaw to cause a denial of
service (kernel crash) or to potentially execute code with kernel
privileges. (CVE-2015-2666)

A privilege escalation was discovered in the fork syscal vi the int80 entry
on 64 bit kernels with 32 bit emulation support. An unprivileged local
attacker could exploit this flaw to increase their privileges on the
system. (CVE-2015-2830)

It was discovered that the Linux kernel’s IPv6 networking stack has a flaw
that allows using route advertisement (RA) messages to set the ‘hop_limit’
to values that are too low. An unprivileged attacker on a local network
could exploit this flaw to cause a denial of service (IPv6 messages
dropped). (CVE-2015-2922)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:

linux-image-3.16.0-36-generic-lpae

3.16.0-36.48

linux-image-3.16.0-36-powerpc64-smp

3.16.0-36.48

linux-image-3.16.0-36-powerpc64-emb

3.16.0-36.48

linux-image-3.16.0-36-generic

3.16.0-36.48

linux-image-3.16.0-36-lowlatency

3.16.0-36.48

linux-image-3.16.0-36-powerpc-smp

3.16.0-36.48

linux-image-3.16.0-36-powerpc-e500mc

3.16.0-36.48

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-2150,

CVE-2015-2666,

CVE-2015-2830,

CVE-2015-2922