Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2564-1: Linux kernel (Utopic HWE) vulnerabilities

April 9, 2015 007admin

Ubuntu Security Notice USN-2564-1

9th April, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

An integer overflow was discovered in the stack randomization feature of
the Linux kernel on 64 bit platforms. A local attacker could exploit this
flaw to bypass the Address Space Layout Randomization (ASLR) protection
mechanism. (CVE-2015-1593)

An information leak was discovered in the Linux Kernel’s handling of
userspace configuration of the link layer control (LLC). A local user could
exploit this flaw to read data from other sysctl settings. (CVE-2015-2041)

An information leak was discovered in how the Linux kernel handles setting
the Reliable Datagram Sockets (RDS) settings. A local user could exploit
this flaw to read data from other sysctl settings. (CVE-2015-2042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-34-generic-lpae

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-lowlatency

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-generic

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-powerpc64-emb

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-powerpc-smp

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-powerpc64-smp

3.16.0-34.45~14.04.1; linux-image-3.16.0-34-powerpc-e500mc

3.16.0-34.45~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-1593,

CVE-2015-2041,

CVE-2015-2042

Ubuntu

USN-2563-1: Linux kernel vulnerabilities

April 9, 2015 007admin

Ubuntu Security Notice USN-2563-1

8th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Sun Baoliang discovered a use after free flaw in the Linux kernel’s SCTP
(Stream Control Transmission Protocol) subsystem during INIT collisions. A
remote attacker could exploit this flaw to cause a denial of service
(system crash) or potentially escalate their privileges on the system.
(CVE-2015-1421)

Marcelo Leitner discovered a flaw in the Linux kernel’s routing of packets
to too many different dsts/too fast. A remote attacker on the same subnet can exploit this
flaw to cause a denial of service (system crash). (CVE-2015-1465)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-49-powerpc-e500mc

3.13.0-49.81; linux-image-3.13.0-49-powerpc-e500

3.13.0-49.81; linux-image-3.13.0-49-powerpc-smp

3.13.0-49.81; linux-image-3.13.0-49-powerpc64-smp

3.13.0-49.81; linux-image-3.13.0-49-powerpc64-emb

3.13.0-49.81; linux-image-3.13.0-49-lowlatency

3.13.0-49.81; linux-image-3.13.0-49-generic

3.13.0-49.81; linux-image-3.13.0-49-generic-lpae

3.13.0-49.81

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2562-1: Linux kernel (Trusty HWE) vulnerabilities

April 9, 2015 007admin

Ubuntu Security Notice USN-2562-1

8th April, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-49-generic

3.13.0-49.81~precise1; linux-image-3.13.0-49-generic-lpae

3.13.0-49.81~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2565-1: Linux kernel vulnerabilities

April 9, 2015 007admin

Ubuntu Security Notice USN-2565-1

9th April, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: linux-image-3.16.0-34-generic-lpae

3.16.0-34.45; linux-image-3.16.0-34-lowlatency

3.16.0-34.45; linux-image-3.16.0-34-generic

3.16.0-34.45; linux-image-3.16.0-34-powerpc64-emb

3.16.0-34.45; linux-image-3.16.0-34-powerpc-smp

3.16.0-34.45; linux-image-3.16.0-34-powerpc64-smp

3.16.0-34.45; linux-image-3.16.0-34-powerpc-e500mc

3.16.0-34.45

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1593,

CVE-2015-2041,

CVE-2015-2042

Ubuntu

USN-2559-1: Libtasn1 vulnerability

April 8, 2015 007admin

Ubuntu Security Notice USN-2559-1

8th April, 2015

libtasn1-3, libtasn1-6 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Libtasn1 could be made to crash or run programs if it processed specially
crafted data.

Software description

libtasn1-3
– Library to manage ASN.1 structures
libtasn1-6
– Library to manage ASN.1 structures

Details

Hanno Böck discovered that Libtasn1 incorrectly handled certain ASN.1 data.
A remote attacker could possibly exploit this with specially crafted ASN.1
data and cause applications using Libtasn1 to crash, resulting in a denial
of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libtasn1-6

4.0-2ubuntu0.1
Ubuntu 14.04 LTS:: libtasn1-6

3.4-3ubuntu0.2
Ubuntu 12.04 LTS:: libtasn1-3

2.10-1ubuntu1.3
Ubuntu 10.04 LTS:: libtasn1-3

2.4-1ubuntu0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-2806

Ubuntu

USN-2556-1: Oxide vulnerabilities

April 7, 2015 007admin

Ubuntu Security Notice USN-2556-1

7th April, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

oxide-qt
– Web browser engine library for Qt (QML plugin)

Details

It was discovered that Chromium did not properly handle the interaction
of IPC, the gamepad API and V8. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2015-1233)

A buffer overflow was discovered in the GPU service. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash. (CVE-2015-1234)

It was discovered that Oxide did not correctly manage the lifetime of
BrowserContext, resulting in a potential use-after-free in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1317)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: liboxideqtcore0

1.5.6-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:: liboxideqtcore0

1.5.6-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2557-1: Firefox vulnerability

April 7, 2015 007admin

Ubuntu Security Notice USN-2557-1

7th April, 2015

firefox vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to bypass SSL certificate verification.

Software description

firefox
– Mozilla Open Source web browser

Details

Muneaki Nishimura discovered a flaw in Mozilla’s HTTP Alternative Services
implementation which meant SSL certificate verification could be bypassed
in some circumstances. A remote attacker could potentially exploit this to
conduct a man in the middle attack. (CVE-2015-0799)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: firefox

37.0.1+build1-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:: firefox

37.0.1+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox

37.0.1+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2015-0799

Ubuntu

USN-2558-1: Mailman vulnerability

April 7, 2015 007admin

Ubuntu Security Notice USN-2558-1

7th April, 2015

mailman vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Mailman could be made to run programs if it processed a specially crafted
list name.

Software description

mailman
– Powerful, web-based mailing list manager

Details

It was discovered that Mailman incorrectly handled special characters
in list names. A local attacker could use this issue to perform a path
traversal attack and execute arbitrary code as the Mailman user.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: mailman

1:2.1.18-1ubuntu0.1
Ubuntu 14.04 LTS:: mailman

1:2.1.16-2ubuntu0.1
Ubuntu 12.04 LTS:: mailman

1:2.1.14-3ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-2775

Ubuntu

USN-2552-1: Thunderbird vulnerabilities

April 2, 2015 007admin

Ubuntu Security Notice USN-2552-1

2nd April, 2015

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

thunderbird
– Mozilla Open Source mail and newsgroup client

Details

Olli Pettay and Boris Zbarsky discovered an issue during anchor
navigations in some circumstances. If a user were tricked in to opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit this to bypass same-origin policy restrictions.
(CVE-2015-0801)

Christoph Kerschbaumer discovered that CORS requests from
navigator.sendBeacon() followed 30x redirections after preflight. If a
user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to conduct
cross-site request forgery (XSRF) attacks. (CVE-2015-0807)

Aki Helin discovered a use-after-free when playing MP3 audio files using
the Fluendo MP3 GStreamer plugin in certain circumstances. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-0813)

Christian Holler, Steve Fink, and Byron Campen discovered multiple memory
safety issues in Thunderbird. If a user were tricked in to opening a
specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2015-0815)

Mariusz Mlynski discovered that documents loaded via resource: URLs (such
as PDF.js) could load privileged chrome pages. If a user were tricked in
to opening a specially crafted message with scripting enabled, an attacker
could potentially exploit this in combination with another flaw, in order
to execute arbitrary script in a privileged context. (CVE-2015-0816)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: thunderbird

1:31.6.0+build1-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:: thunderbird

1:31.6.0+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: thunderbird

1:31.6.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

Ubuntu

USN-2553-2: LibTIFF regression

April 2, 2015 007admin

Ubuntu Security Notice USN-2553-2

1st April, 2015

tiff regression

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

USN-2553-1 introduced a regression in LibTIFF.

Software description

tiff
– Tag Image File Format (TIFF) library

Details

USN-2553-1 fixed vulnerabilities in LibTIFF. One of the security fixes
caused a regression when saving certain TIFF files with a Predictor tag.
The problematic patch has been temporarily backed out until a more complete
fix is available.

We apologize for the inconvenience.

Original advisory details:

William Robinet discovered that LibTIFF incorrectly handled certain
malformed images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. (CVE-2014-8127, CVE-2014-8128, CVE-2014-8129,
CVE-2014-8130)

Paris Zoumpouloglou discovered that LibTIFF incorrectly handled certain
malformed BMP images. If a user or automated system were tricked into
opening a specially crafted BMP image, a remote attacker could crash the
application, leading to a denial of service. (CVE-2014-9330)

Michal Zalewski discovered that LibTIFF incorrectly handled certain
malformed images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. (CVE-2014-9655)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libtiff5

4.0.3-10ubuntu0.2
Ubuntu 14.04 LTS:: libtiff5

4.0.3-7ubuntu0.3
Ubuntu 12.04 LTS:: libtiff4

3.9.5-2ubuntu1.8
Ubuntu 10.04 LTS:: libtiff4

3.9.2-2ubuntu0.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1439186

Ubuntu Security Notice USN-2564-1

linux-lts-utopic vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2563-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2562-1

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2565-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2559-1

libtasn1-3, libtasn1-6 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2556-1

oxide-qt vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2557-1

firefox vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2558-1

mailman vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2552-1

thunderbird vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2553-2

tiff regression

Summary

Software description

Details

Update instructions

References

Software and Security Information