Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2575-1: MySQL vulnerabilities

Ubuntu Security Notice USN-2575-1

21st April, 2015

mysql-5.5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

  • mysql-5.5
    – MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues. MySQL has been updated to
5.5.43.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-42.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-43.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
mysql-server-5.5

5.5.43-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:
mysql-server-5.5

5.5.43-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
mysql-server-5.5

5.5.43-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-0433,

CVE-2015-0441,

CVE-2015-0499,

CVE-2015-0501,

CVE-2015-0505,

CVE-2015-2568,

CVE-2015-2571,

CVE-2015-2573

Ubuntu

USN-2574-1: OpenJDK 7 vulnerabilities

Ubuntu Security Notice USN-2574-1

21st April, 2015

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2015-0460, CVE-2015-0469)

Alexander Cherepanov discovered that OpenJDK JRE was vulnerable to
directory traversal issues with respect to handling jar files. An
attacker could use this to expose sensitive data. (CVE-2015-0480)

Florian Weimer discovered that the RSA implementation in the JCE
component in OpenJDK JRE did not follow recommended practices for
implementing RSA signatures. An attacker could use this to expose
sensitive data. (CVE-2015-0478)

A vulnerability was discovered in the OpenJDK JRE related to data
integrity. An attacker could exploit this expose sensitive data over
the network. (CVE-2015-0477)

A vulnerability was discovered in the OpenJDK JRE related to
availability. An attacker could exploit these to cause a denial
of service. (CVE-2015-0488)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
openjdk-7-jre-zero

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-source

7u79-2.5.5-0ubuntu0.14.10.2
icedtea-7-jre-jamvm

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-jre-lib

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-jdk

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-jre-headless

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-jre

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-doc

7u79-2.5.5-0ubuntu0.14.10.2
openjdk-7-demo

7u79-2.5.5-0ubuntu0.14.10.2
Ubuntu 14.04 LTS:
openjdk-7-jre-zero

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-source

7u79-2.5.5-0ubuntu0.14.04.2
icedtea-7-jre-jamvm

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-jre-lib

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-jdk

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-jre-headless

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-jre

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-doc

7u79-2.5.5-0ubuntu0.14.04.2
openjdk-7-demo

7u79-2.5.5-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2015-0460,

CVE-2015-0469,

CVE-2015-0477,

CVE-2015-0478,

CVE-2015-0480,

CVE-2015-0488

Ubuntu

USN-2572-1: PHP vulnerabilities

Ubuntu Security Notice USN-2572-1

20th April, 2015

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled cleanup when used with
Apache 2.4. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-3330)

It was discovered that PHP incorrectly handled opening tar, zip or phar
archives through the PHAR extension. A remote attacker could use this issue
to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2015-3329)

It was discovered that PHP incorrectly handled regular expressions. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2015-2305)

Paulos Yibelo discovered that PHP incorrectly handled moving files when a
pathname contained a null character. A remote attacker could use this issue
to possibly bypass filename restrictions. This issue only applied to
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2348)

It was discovered that PHP incorrectly handled unserializing PHAR files. A
remote attacker could use this issue to cause PHP to possibly expose
sensitive information. (CVE-2015-2783)

Taoguang Chen discovered that PHP incorrectly handled unserializing certain
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-2787)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
php5-cli

5.5.12+dfsg-2ubuntu4.4
php5-cgi

5.5.12+dfsg-2ubuntu4.4
libapache2-mod-php5

5.5.12+dfsg-2ubuntu4.4
php5-fpm

5.5.12+dfsg-2ubuntu4.4
Ubuntu 14.04 LTS:
php5-cli

5.5.9+dfsg-1ubuntu4.9
php5-cgi

5.5.9+dfsg-1ubuntu4.9
libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.9
php5-fpm

5.5.9+dfsg-1ubuntu4.9
Ubuntu 12.04 LTS:
php5-cli

5.3.10-1ubuntu3.18
php5-cgi

5.3.10-1ubuntu3.18
libapache2-mod-php5

5.3.10-1ubuntu3.18
php5-fpm

5.3.10-1ubuntu3.18
Ubuntu 10.04 LTS:
php5-cli

5.3.2-1ubuntu4.30
php5-cgi

5.3.2-1ubuntu4.30
libapache2-mod-php5

5.3.2-1ubuntu4.30

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-2305,

CVE-2015-2348,

CVE-2015-2783,

CVE-2015-2787,

CVE-2015-3329,

CVE-2015-3330

Ubuntu

USN-2569-2: Apport vulnerability

Ubuntu Security Notice USN-2569-2

16th April, 2015

apport vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Apport could be tricked into running programs as an administrator.

Software description

  • apport
    – automatically generate crash reports for debugging

Details

USN-2569-1 fixed a vulnerability in Apport. Tavis Ormandy discovered that
the fixed packages were still vulnerable to a privilege escalation attack.
This update completely disables crash report handling for containers until
a more complete solution is available.

Original advisory details:

Stéphane Graber and Tavis Ormandy independently discovered that Apport
incorrectly handled the crash reporting feature. A local attacker could use
this issue to gain elevated privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
apport

2.14.7-0ubuntu8.4
Ubuntu 14.04 LTS:
apport

2.14.1-0ubuntu3.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1444518

Ubuntu

USN-2569-1: Apport vulnerability

Ubuntu Security Notice USN-2569-1

14th April, 2015

apport vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Apport could be tricked into running programs as an administrator.

Software description

  • apport
    – automatically generate crash reports for debugging

Details

Stéphane Graber and Tavis Ormandy independently discovered that Apport
incorrectly handled the crash reporting feature. A local attacker could use
this issue to gain elevated privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
apport

2.14.7-0ubuntu8.3
Ubuntu 14.04 LTS:
apport

2.14.1-0ubuntu3.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1318

Ubuntu

USN-2568-1: libx11, libxrender vulnerability

Ubuntu Security Notice USN-2568-1

13th April, 2015

libx11, libxrender vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libx11 could be made to crash or run programs if it processed specially
crafted data.

Software description

  • libx11
    – X11 client-side library

  • libxrender
    – X11 Rendering Extension client library

Details

Abhishek Arya discovered that libX11 incorrectly handled memory in the
MakeBigReq macro. A remote attacker could use this issue to cause
applications to crash, resulting in a denial of service, or possibly
execute arbitrary code.

In addition, following the macro fix in libx11, a number of other packages
have also been rebuilt as security updates including libxrender, libxext,
libxi, libxfixes, libxrandr, libsdl1.2, libxv, libxp, and
xserver-xorg-video-vmware.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
libxrender1

1:0.9.8-1build0.14.10.1
Ubuntu 14.04 LTS:
libxrender1

1:0.9.8-1build0.14.04.1
Ubuntu 12.04 LTS:
libx11-dev

2:1.4.99.1-0ubuntu2.3
libxrender1

1:0.9.6-2ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2013-7439

Ubuntu

USN-2567-1: NTP vulnerabilities

Ubuntu Security Notice USN-2567-1

13th April, 2015

ntp vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in NTP.

Software description

  • ntp
    – Network Time Protocol daemon and utility programs

Details

Miroslav Lichvar discovered that NTP incorrectly validated MAC fields. A
remote attacker could possibly use this issue to bypass authentication and
spoof packets. (CVE-2015-1798)

Miroslav Lichvar discovered that NTP incorrectly handled certain invalid
packets. A remote attacker could possibly use this issue to cause a denial
of service. (CVE-2015-1799)

Juergen Perlinger discovered that NTP incorrectly generated MD5 keys on
big-endian platforms. This issue could either cause ntp-keygen to hang, or
could result in non-random keys. (CVE number pending)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
ntp

1:4.2.6.p5+dfsg-3ubuntu2.14.10.3
Ubuntu 14.04 LTS:
ntp

1:4.2.6.p5+dfsg-3ubuntu2.14.04.3
Ubuntu 12.04 LTS:
ntp

1:4.2.6.p3+dfsg-1ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1798,

CVE-2015-1799

Ubuntu

USN-2566-1: dpkg vulnerability

Ubuntu Security Notice USN-2566-1

9th April, 2015

dpkg vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

dpkg could be tricked into bypassing source package signature checks.

Software description

  • dpkg
    – Debian package management system

Details

Jann Horn discovered that dpkg incorrectly validated signatures when
extracting local source packages. If a user or an automated system were
tricked into unpacking a specially crafted source package, a remote
attacker could bypass signature verification checks.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
libdpkg-perl

1.17.13ubuntu1.1
Ubuntu 14.04 LTS:
libdpkg-perl

1.17.5ubuntu5.4
Ubuntu 12.04 LTS:
libdpkg-perl

1.16.1.2ubuntu7.6
Ubuntu 10.04 LTS:
dpkg-dev

1.15.5.6ubuntu4.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-0840

Ubuntu

USN-2561-1: Linux kernel (OMAP4) vulnerabilities

Ubuntu Security Notice USN-2561-1

8th April, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

It was discovered that the Linux kernel’s Infiniband subsystem did not
properly sanitize its input parameters while registering memory regions
from userspace. A local user could exploit this flaw to cause a denial of
service (system crash) or to potentially gain administrative privileges.
(CVE-2014-8159)

An integer overflow was discovered in the stack randomization feature of
the Linux kernel on 64 bit platforms. A local attacker could exploit this
flaw to bypass the Address Space Layout Randomization (ASLR) protection
mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel’s handling of
userspace configuration of the link layer control (LLC). A local user could
exploit this flaw to read data from other sysctl settings. (CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting
the Reliable Datagram Sockets (RDS) settings. A local user could exploit
this flaw to read data from other sysctl settings. (CVE-2015-2042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1462-omap4

3.2.0-1462.82

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-8159,

CVE-2015-1593,

CVE-2015-2041,

CVE-2015-2042

Ubuntu

USN-2560-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2560-1

8th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

An integer overflow was discovered in the stack randomization feature of
the Linux kernel on 64 bit platforms. A local attacker could exploit this
flaw to bypass the Address Space Layout Randomization (ASLR) protection
mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel’s handling of
userspace configuration of the link layer control (LLC). A local user could
exploit this flaw to read data from other sysctl settings. (CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting
the Reliable Datagram Sockets (RDS) settings. A local user could exploit
this flaw to read data from other sysctl settings. (CVE-2015-2042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-80-highbank

3.2.0-80.116
linux-image-3.2.0-80-omap

3.2.0-80.116
linux-image-3.2.0-80-generic-pae

3.2.0-80.116
linux-image-3.2.0-80-powerpc64-smp

3.2.0-80.116
linux-image-3.2.0-80-virtual

3.2.0-80.116
linux-image-3.2.0-80-generic

3.2.0-80.116
linux-image-3.2.0-80-powerpc-smp

3.2.0-80.116

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-1593,

CVE-2015-2041,

CVE-2015-2042