Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2543-1: Linux kernel (Trusty HWE) vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2543-1

24th March, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

Eric Windisch discovered flaw in how the Linux kernel’s XFS file system
replaces remote attributes. A local access with access to an XFS file
system could exploit this flaw to escalate their privileges.
(CVE-2015-0274)

A flaw was discovered in the automatic loading of modules in the crypto
subsystem of the Linux kernel. A local user could exploit this flaw to load
installed kernel modules, increasing the attack surface and potentially
using this to gain administrative privileges. (CVE-2013-7421)

The Linux kernel’s splice system call did not correctly validate its
parameters. A local, unprivileged user could exploit this flaw to cause a
denial of service (system crash). (CVE-2014-7822)

A flaw was discovered in the crypto subsystem when screening module names
for automatic module loading if the name contained a valid crypto module
name, eg. vfat(aes). A local user could exploit this flaw to load installed
kernel modules, increasing the attack surface and potentially using this to
gain administrative privileges. (CVE-2014-9644)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-48-generic-lpae

3.13.0-48.80~precise1; linux-image-3.13.0-48-generic

3.13.0-48.80~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

Ubuntu

USN-2542-1: Linux kernel (OMAP4) vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2542-1

24th March, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

The Linux kernel’s splice system call did not correctly validate its
parameters. A local, unprivileged user could exploit this flaw to cause a
denial of service (system crash). (CVE-2014-7822)

A flaw was discovered in how Thread Local Storage (TLS) is handled by the
task switching function in the Linux kernel for x86_64 based machines. A
local user could exploit this flaw to bypass the Address Space Layout
Radomization (ASLR) protection mechanism. (CVE-2014-9419)

Dmitry Chernenkov discovered a buffer overflow in eCryptfs’ encrypted file
name decoding. A local unprivileged user could exploit this flaw to cause a
denial of service (system crash) or potentially gain administrative
privileges. (CVE-2014-9683)

Sun Baoliang discovered a use after free flaw in the Linux kernel’s SCTP
(Stream Control Transmission Protocol) subsystem during INIT collisions. A
remote attacker could exploit this flaw to cause a denial of service
(system crash) or potentially escalate their privileges on the system.
(CVE-2015-1421)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-1461-omap4

3.2.0-1461.81

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2546-1: Linux kernel vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2546-1

24th March, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Marcelo Leitner discovered a flaw in the Linux kernel’s routing of packets
to too many different dsts/too fast. A remote attacker can exploit this
flaw to cause a denial of service (system crash). (CVE-2015-1465)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: linux-image-3.16.0-33-powerpc-e500mc

3.16.0-33.44; linux-image-3.16.0-33-powerpc-smp

3.16.0-33.44; linux-image-3.16.0-33-powerpc64-emb

3.16.0-33.44; linux-image-3.16.0-33-powerpc64-smp

3.16.0-33.44; linux-image-3.16.0-33-lowlatency

3.16.0-33.44; linux-image-3.16.0-33-generic

3.16.0-33.44; linux-image-3.16.0-33-generic-lpae

3.16.0-33.44

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2545-1: Linux kernel (Utopic HWE) vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2545-1

24th March, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-33-powerpc-e500mc

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-powerpc-smp

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-powerpc64-emb

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-powerpc64-smp

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-lowlatency

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-generic

3.16.0-33.44~14.04.1; linux-image-3.16.0-33-generic-lpae

3.16.0-33.44~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2544-1: Linux kernel vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2544-1

24th March, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

The Linux kernel’s splice system call did not correctly validate its
parameters. A local, unprivileged user could exploit this flaw to cause a
denial of service (system crash). (CVE-2014-7822)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-48-powerpc-smp

3.13.0-48.80; linux-image-3.13.0-48-powerpc-e500mc

3.13.0-48.80; linux-image-3.13.0-48-generic-lpae

3.13.0-48.80; linux-image-3.13.0-48-powerpc-e500

3.13.0-48.80; linux-image-3.13.0-48-generic

3.13.0-48.80; linux-image-3.13.0-48-powerpc64-smp

3.13.0-48.80; linux-image-3.13.0-48-lowlatency

3.13.0-48.80; linux-image-3.13.0-48-powerpc64-emb

3.13.0-48.80

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2547-1: Mono vulnerabilities

March 24, 2015 007admin

Ubuntu Security Notice USN-2547-1

24th March, 2015

mono vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Mono.

Software description

mono
– Mono is a platform for running and developing applications

Details

It was discovered that the Mono TLS implementation was vulnerable to the
SKIP-TLS vulnerability. A remote attacker could possibly use this issue
to perform client impersonation attacks. (CVE-2015-2318)

It was discovered that the Mono TLS implementation was vulnerable to the
FREAK vulnerability. A remote attacker or a man in the middle could
possibly use this issue to force the use of insecure ciphersuites.
(CVE-2015-2319)

It was discovered that the Mono TLS implementation still supported a
fallback to SSLv2. This update removes the functionality as use of SSLv2 is
known to be insecure. (CVE-2015-2320)

It was discovered that Mono incorrectly handled memory in certain
circumstances. A remote attacker could possibly use this issue to cause
Mono to crash, resulting in a denial of service, or to obtain sensitive
information. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-0992)

It was discovered that Mono incorrectly handled hash collisions. A remote
attacker could possibly use this issue to cause Mono to crash, resulting in
a denial of service. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2012-3543)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libmono-2.0-1

3.2.8+dfsg-4ubuntu2.1; mono-runtime

3.2.8+dfsg-4ubuntu2.1
Ubuntu 14.04 LTS:: libmono-2.0-1

3.2.8+dfsg-4ubuntu1.1; mono-runtime

3.2.8+dfsg-4ubuntu1.1
Ubuntu 12.04 LTS:: libmono-2.0-1

2.10.8.1-1ubuntu2.3; mono-runtime

2.10.8.1-1ubuntu2.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Mono applications to
make all the necessary changes.

References

Ubuntu

USN-2538-1: Firefox vulnerabilities

March 22, 2015 007admin

Ubuntu Security Notice USN-2538-1

22nd March, 2015

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

firefox
– Mozilla Open Source web browser

Details

A flaw was discovered in the implementation of typed array bounds checking
in the Javascript just-in-time compilation. If a user were tricked in to
opening a specially crafted website, an attacked could exploit this to
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-0817)

Mariusz Mlynski discovered a flaw in the processing of SVG format content
navigation. If a user were tricked in to opening a specially crafted
website, an attacker could exploit this to run arbitrary script in a
privileged context. (CVE-2015-0818)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: firefox

36.0.4+build1-0ubuntu0.14.10.1
Ubuntu 14.04 LTS:: firefox

36.0.4+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:: firefox

36.0.4+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2015-0817,

CVE-2015-0818

Ubuntu

USN-2537-1: OpenSSL vulnerabilities

March 20, 2015 007admin

Ubuntu Security Notice USN-2537-1

19th March, 2015

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

openssl
– Secure Socket Layer (SSL) cryptographic library and tools

Details

It was discovered that OpenSSL incorrectly handled malformed EC private key
files. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0209)

Stephen Henson discovered that OpenSSL incorrectly handled comparing ASN.1
boolean types. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286)

Emilia Käsper discovered that OpenSSL incorrectly handled ASN.1 structure
reuse. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service, or execute arbitrary code.
(CVE-2015-0287)

Brian Carpenter discovered that OpenSSL incorrectly handled invalid
certificate keys. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2015-0288)

Michal Zalewski discovered that OpenSSL incorrectly handled missing outer
ContentInfo when parsing PKCS#7 structures. A remote attacker could
possibly use this issue to cause OpenSSL to crash, resulting in a denial of
service, or execute arbitrary code. (CVE-2015-0289)

Robert Dugal and David Ramos discovered that OpenSSL incorrectly handled
decoding Base64 encoded data. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service, or
execute arbitrary code. (CVE-2015-0292)

Sean Burford and Emilia Käsper discovered that OpenSSL incorrectly handled
specially crafted SSLv2 CLIENT-MASTER-KEY messages. A remote attacker could
possibly use this issue to cause OpenSSL to crash, resulting in a denial of
service. (CVE-2015-0293)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libssl1.0.0

1.0.1f-1ubuntu9.4
Ubuntu 14.04 LTS:: libssl1.0.0

1.0.1f-1ubuntu2.11
Ubuntu 12.04 LTS:: libssl1.0.0

1.0.1-4ubuntu5.25
Ubuntu 10.04 LTS:: libssl0.9.8

0.9.8k-7ubuntu8.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2536-1: libXfont vulnerabilities

March 18, 2015 007admin

Ubuntu Security Notice USN-2536-1

18th March, 2015

libxfont vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

libXfont could be made to crash or run programs as an administrator
if it opened a specially crafted bdf font file.

Software description

libxfont
– X11 font rasterisation library

Details

Ilja van Sprundel, Alan Coopersmith, and William Robinet discovered that
libXfont incorrectly handled malformed bdf fonts. A local attacker could
use this issue to cause libXfont to crash, or possibly execute arbitrary
code in order to gain privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libxfont1

1:1.4.99.901-1ubuntu0.1
Ubuntu 14.04 LTS:: libxfont1

1:1.4.7-1ubuntu0.2
Ubuntu 12.04 LTS:: libxfont1

1:1.4.4-1ubuntu0.3
Ubuntu 10.04 LTS:: libxfont1

1:1.4.1-1ubuntu0.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-1802,

CVE-2015-1803,

CVE-2015-1804

Ubuntu

USN-2535-1: PHP vulnerabilities

March 18, 2015 007admin

Ubuntu Security Notice USN-2535-1

18th March, 2015

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

php5
– HTML-embedded scripting language interpreter

Details

Thomas Jarosch discovered that PHP incorrectly limited recursion in the
fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to consume resources or crash, resulting in a denial of service.
(CVE-2014-8117)

S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2014-9705)

Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-0273)

It was discovered that PHP incorrectly handled memory in the phar
extension. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-2301)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: php5-cli

5.5.12+dfsg-2ubuntu4.3; php5-cgi

5.5.12+dfsg-2ubuntu4.3; libapache2-mod-php5

5.5.12+dfsg-2ubuntu4.3; php5-fpm

5.5.12+dfsg-2ubuntu4.3; php5-enchant

5.5.12+dfsg-2ubuntu4.3
Ubuntu 14.04 LTS:: php5-cli

5.5.9+dfsg-1ubuntu4.7; php5-cgi

5.5.9+dfsg-1ubuntu4.7; libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.7; php5-fpm

5.5.9+dfsg-1ubuntu4.7; php5-enchant

5.5.9+dfsg-1ubuntu4.7
Ubuntu 12.04 LTS:: php5-cli

5.3.10-1ubuntu3.17; php5-cgi

5.3.10-1ubuntu3.17; libapache2-mod-php5

5.3.10-1ubuntu3.17; php5-fpm

5.3.10-1ubuntu3.17; php5-enchant

5.3.10-1ubuntu3.17
Ubuntu 10.04 LTS:: php5-cli

5.3.2-1ubuntu4.29; php5-cgi

5.3.2-1ubuntu4.29; libapache2-mod-php5

5.3.2-1ubuntu4.29; php5-enchant

5.3.2-1ubuntu4.29

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu Security Notice USN-2543-1

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2542-1

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2546-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2545-1

linux-lts-utopic vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2544-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2547-1

mono vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2538-1

firefox vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2537-1

openssl vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2536-1

libxfont vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2535-1

php5 vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information