Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-3199-1: Python Crypto vulnerability

February 16, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3199-1

16th February, 2017

Python Crypto vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary

Programs using the Python Cryptography Toolkit could be made to crash or run
programs if they receive specially crafted network traffic or other input.

Software description

python-crypto
– cryptographic algorithms and protocols for Python

Details

It was discovered that the ALGnew function in block_templace.c in the Python
Cryptography Toolkit contained a heap-based buffer overflow vulnerability.
A remote attacker could use this flaw to execute arbitrary code by using
a crafted initialization vector parameter.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: python3-crypto

2.6.1-6ubuntu0.16.10.2; python-crypto

2.6.1-6ubuntu0.16.10.2
Ubuntu 16.04 LTS:: python3-crypto

2.6.1-6ubuntu0.16.04.1; python-crypto

2.6.1-6ubuntu0.16.04.1
Ubuntu 14.04 LTS:: python3-crypto

2.6.1-4ubuntu0.1; python-crypto

2.6.1-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7459

Ubuntu

USN-3201-1: Bind vulnerabilities

February 16, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3201-1

16th February, 2017

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

bind9
– Internet Domain Name Server

Details

It was discovered that Bind incorrectly handled rewriting certain query
responses when using both DNS64 and RPZ. A remote attacker could possibly
use this issue to cause Bind to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: bind9

1:9.10.3.dfsg.P4-10.1ubuntu1.3
Ubuntu 16.04 LTS:: bind9

1:9.10.3.dfsg.P4-8ubuntu1.5
Ubuntu 14.04 LTS:: bind9

1:9.9.5.dfsg-3ubuntu0.13
Ubuntu 12.04 LTS:: bind9

1:9.8.1.dfsg.P1-4ubuntu0.21

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-3135

Ubuntu

USN-3197-1: libgc vulnerability

February 15, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3197-1

15th February, 2017

libgc vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Applications using libgc could be made to crash or run programs as
your login.

Software description

libgc
– Boehm-Demers-Weiser garbage collecting storage allocator library

Details

Kuang-che Wu discovered that multiple integer overflow vulnerabilities
existed in libgc. An attacker could use these to cause a denial of
service (application crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: libgc1c2

1:7.4.2-8ubuntu0.1
Ubuntu 16.04 LTS:: libgc1c2

1:7.4.2-7.3ubuntu0.1
Ubuntu 14.04 LTS:: libgc1c2

1:7.2d-5ubuntu2.1
Ubuntu 12.04 LTS:: libgc1c2

1:7.1-8ubuntu0.12.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
libgc to make all the necessary changes.

References

CVE-2016-9427

Ubuntu

USN-3196-1: PHP vulnerabilities

February 14, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3196-1

14th February, 2017

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

php5
– HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain arguments to the
locale_get_display_name function. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-9912)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
hang, resulting in a denial of service. (CVE-2016-7478)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-9934)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: php5-cli

5.5.9+dfsg-1ubuntu4.21; php5-cgi

5.5.9+dfsg-1ubuntu4.21; libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.21; php5-fpm

5.5.9+dfsg-1ubuntu4.21
Ubuntu 12.04 LTS:: php5-cli

5.3.10-1ubuntu3.26; php5-cgi

5.3.10-1ubuntu3.26; libapache2-mod-php5

5.3.10-1ubuntu3.26; php5-fpm

5.3.10-1ubuntu3.26

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-3195-1: Nova-LXD vulnerability

February 10, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3195-1

9th February, 2017

nova-lxd vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS

Summary

Nova-LXD could allow unintended access to LXD instances over the network.

Software description

nova-lxd
– Openstack Compute – LXD container hypervisor support

Details

James Page discovered that Nova-LXD incorrectly set up virtual network devices
when creating LXD instances. This could result in an unintended firewall
configuration.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: python-nova-lxd

13.2.0-0ubuntu1.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes for
new instances. However, existing instances will still be affected and must be
manually updated.

References

CVE-2017-5936,

LP: 1656847

Ubuntu

USN-3194-1: OpenJDK 7 vulnerabilities

February 9, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3194-1

8th February, 2017

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in OpenJDK 7.

Software description

openjdk-7
– Open Source Java implementation

Details

Karthik Bhargavan and Gaetan Leurent discovered that the DES and
Triple DES ciphers were vulnerable to birthday attacks. A remote
attacker could possibly use this flaw to obtain clear text data from
long encrypted sessions. This update moves those algorithms to the
legacy algorithm set and causes them to be used only if no non-legacy
algorithms can be negotiated. (CVE-2016-2183)

It was discovered that OpenJDK accepted ECSDA signatures using
non-canonical DER encoding. An attacker could use this to modify or
expose sensitive data. (CVE-2016-5546)

It was discovered that OpenJDK did not properly verify object
identifier (OID) length when reading Distinguished Encoding Rules
(DER) records, as used in x.509 certificates and elsewhere. An
attacker could use this to cause a denial of service (memory
consumption). (CVE-2016-5547)

It was discovered that covert timing channel vulnerabilities existed
in the DSA implementations in OpenJDK. A remote attacker could use
this to expose sensitive information. (CVE-2016-5548)

It was discovered that the URLStreamHandler class in OpenJDK did not
properly parse user information from a URL. A remote attacker could
use this to expose sensitive information. (CVE-2016-5552)

It was discovered that the URLClassLoader class in OpenJDK did not
properly check access control context when downloading class files. A
remote attacker could use this to expose sensitive information.
(CVE-2017-3231)

It was discovered that the Remote Method Invocation (RMI)
implementation in OpenJDK performed deserialization of untrusted
inputs. A remote attacker could use this to execute arbitrary
code. (CVE-2017-3241)

It was discovered that the Java Authentication and Authorization
Service (JAAS) component of OpenJDK did not properly perform user
search LDAP queries. An attacker could use a specially constructed
LDAP entry to expose or modify sensitive information. (CVE-2017-3252)

It was discovered that the PNGImageReader class in OpenJDK did not
properly handle iTXt and zTXt chunks. An attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-3253)

It was discovered that integer overflows existed in the
SocketInputStream and SocketOutputStream classes of OpenJDK. An
attacker could use this to expose sensitive information.
(CVE-2017-3261)

It was discovered that the atomic field updaters in the
java.util.concurrent.atomic package in OpenJDK did not properly
restrict access to protected field members. An attacker could use
this to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3272)

It was discovered that a vulnerability existed in the class
construction implementation in OpenJDK. An attacker could use this
to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3289)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: openjdk-7-jre-zero

7u121-2.6.8-1ubuntu0.14.04.3; icedtea-7-jre-jamvm

7u121-2.6.8-1ubuntu0.14.04.3; openjdk-7-jre-headless

7u121-2.6.8-1ubuntu0.14.04.3; openjdk-7-jdk

7u121-2.6.8-1ubuntu0.14.04.3; openjdk-7-jre

7u121-2.6.8-1ubuntu0.14.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

Ubuntu

USN-3190-2: Linux kernel (Raspberry Pi 2) vulnerabilities

February 9, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3190-2

9th February, 2017

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10

Summary

Several security issues were fixed in the kernel.

Software description

linux-raspi2
– Linux kernel for Raspberry Pi 2

Details

Mikulas Patocka discovered that the asynchronous multibuffer cryptographic
daemon (mcryptd) in the Linux kernel did not properly handle being invoked
with incompatible algorithms. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-10147)

It was discovered that a use-after-free existed in the KVM susbsystem of
the Linux kernel when creating devices. A local attacker could use this to
cause a denial of service (system crash). (CVE-2016-10150)

Qidan He discovered that the ICMP implementation in the Linux kernel did
not properly check the size of an ICMP header. A local attacker with
CAP_NET_ADMIN could use this to expose sensitive information.
(CVE-2016-8399)

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build()
function in the Linux kernel. A local attacker could use to cause a denial
of service (system crash) or possible execute arbitrary code with
administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
did not properly restrict the VCPU index when I/O APIC is enabled, An
attacker in a guest VM could use this to cause a denial of service (system
crash) or possibly gain privileges in the host OS. (CVE-2016-9777)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: linux-image-4.8.0-1024-raspi2

4.8.0-1024.27; linux-image-raspi2

4.8.0.1024.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

Ubuntu

USN-3187-2: Linux kernel (OMAP4) vulnerabilities

February 9, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3187-2

9th February, 2017

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)

It was discovered that multiple memory leaks existed in the XFS
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory consumption). (CVE-2016-9685)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-omap4

3.2.0.1499.94; linux-image-3.2.0-1499-omap4

3.2.0-1499.126

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-9555,

CVE-2016-9685

Ubuntu

USN-3180-1: Oxide vulnerabilities

February 8, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3180-1

8th February, 2017

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

oxide-qt
– Web browser engine for Qt (QML plugin)

Details

Multiple vulnerabilities were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
read uninitialized memory, obtain sensitive information, spoof the
webview URL or other UI components, bypass same origin restrictions or
other security restrictions, cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5006, CVE-2017-5007,
CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012,
CVE-2017-5014, CVE-2017-5017, CVE-2017-5019, CVE-2017-5022, CVE-2017-5023,
CVE-2017-5024, CVE-2017-5025, CVE-2017-5026)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: liboxideqtcore0

1.20.4-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:: liboxideqtcore0

1.20.4-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:: liboxideqtcore0

1.20.4-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-3191-1: WebKitGTK+ vulnerabilities

February 6, 2017 007admin Leave a comment

Ubuntu Security Notice USN-3191-1

6th February, 2017

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

webkit2gtk
– Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: libwebkit2gtk-4.0-37

2.14.3-0ubuntu0.16.10.1; libjavascriptcoregtk-4.0-18

2.14.3-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:: libwebkit2gtk-4.0-37

2.14.3-0ubuntu0.16.04.1; libjavascriptcoregtk-4.0-18

2.14.3-0ubuntu0.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

Ubuntu Security Notice USN-3199-1

Python Crypto vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3201-1

bind9 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3197-1

libgc vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3196-1

php5 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3195-1

nova-lxd vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3194-1

openjdk-7 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3190-2

linux-raspi2 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3187-2

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3180-1

oxide-qt vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3191-1

webkit2gtk vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information