Ubuntu Security Notice USN-2350-1

22nd September, 2014

nss update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

NSS was updated to refresh the CA certificates bundle.

Software description

• nss
  – Network Security Service library

Details

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.17 which includes the latest CA certificate
bundle.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libnss3

2:3.17-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

libnss3

3.17-0ubuntu0.12.04.1

Ubuntu 10.04 LTS:

libnss3-1d

3.17-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

LP: 1372410

Ubuntu Security Notice USN-2306-3

8th September, 2014

eglibc regression

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

USN-2306-1 introduced a regression in the GNU C Library.

Software description

• eglibc
  – GNU C Library

Details

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)

It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)

Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

libc6

2.11.1-0ubuntu7.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1364584

Ubuntu Security Notice USN-2349-1

17th September, 2014

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

• libav
  – Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

libavformat53

4:0.8.16-0ubuntu0.12.04.1

libavcodec53

4:0.8.16-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1370175

Ubuntu Security Notice USN-2340-1

4th September, 2014

procmail vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

formail could be made to crash or run programs if it processed specially
crafted mail.

Software description

• procmail
  – Versatile e-mail processor

Details

Tavis Ormandy discovered that the formail tool incorrectly handled certain
malformed mail headers. An attacker could use this flaw to cause formail to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

procmail

3.22-21ubuntu0.1

Ubuntu 12.04 LTS:

procmail

3.22-19ubuntu0.1

Ubuntu 10.04 LTS:

procmail

3.22-18ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3618

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

• openjdk-7
  – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

openjdk-7-jre-lib

7u65-2.5.2-3~14.04

openjdk-7-jre-zero

7u65-2.5.2-3~14.04

icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04

openjdk-7-jre-headless

7u65-2.5.2-3~14.04

openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307

Ubuntu Security Notice USN-2348-1

16th September, 2014

apt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in APT.

Software description

• apt
  – Advanced front-end for dpkg

Details

It was discovered that APT did not re-verify downloaded files when the
If-Modified-Since wasn’t met. (CVE-2014-0487)

It was discovered that APT did not invalidate repository data when it
switched from an unauthenticated to an authenticated state. (CVE-2014-0488)

It was discovered that the APT Acquire::GzipIndexes option caused APT to
skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and
Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489)

It was discovered that APT did not correctly validate signatures when
manually downloading packages using the download command. This issue only
applied to Ubuntu 12.04 LTS. (CVE-2014-0490)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.3

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.19

Ubuntu 10.04 LTS:

apt

0.7.25.3ubuntu9.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0487,

CVE-2014-0488,

CVE-2014-0489,

CVE-2014-0490

Ubuntu Security Notice USN-2347-1

16th September, 2014

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Django.

Software description

• python-django
  – High-level Python web development framework

Details

Florian Apolloner discovered that Django incorrectly validated URLs. A
remote attacker could use this issue to conduct phishing attacks.
(CVE-2014-0480)

David Wilson discovered that Django incorrectly handled file name
generation. A remote attacker could use this issue to cause Django to
consume resources, resulting in a denial of service. (CVE-2014-0481)

David Greisen discovered that Django incorrectly handled certain headers in
contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user
could use this issue to hijack web sessions. (CVE-2014-0482)

Collin Anderson discovered that Django incorrectly checked if a field
represented a relationship between models in the administrative interface.
A remote authenticated user could use this issue to possibly obtain
sensitive information. (CVE-2014-0483)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

python-django

1.6.1-2ubuntu0.4

Ubuntu 12.04 LTS:

python-django

1.3.1-4ubuntu1.12

Ubuntu 10.04 LTS:

python-django

1.1.1-2ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0480,

CVE-2014-0481,

CVE-2014-0482,

CVE-2014-0483

Ubuntu Security Notice USN-2346-1

15th September, 2014

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in curl.

Software description

• curl
  – HTTP, HTTPS, and FTP client and client libraries

Details

Tim Ruehsen discovered that curl incorrectly handled partial literal IP
addresses. This could lead to the disclosure of cookies to the wrong site,
and malicious sites being able to set cookies for others. (CVE-2014-3613)

Tim Ruehsen discovered that curl incorrectly allowed cookies to be set
for Top Level Domains (TLDs). This could allow a malicious site to set a
cookie that gets sent to other sites. (CVE-2014-3620)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libcurl3-nss

7.35.0-1ubuntu2.1

libcurl3-gnutls

7.35.0-1ubuntu2.1

libcurl3

7.35.0-1ubuntu2.1

Ubuntu 12.04 LTS:

libcurl3-nss

7.22.0-3ubuntu4.10

libcurl3-gnutls

7.22.0-3ubuntu4.10

libcurl3

7.22.0-3ubuntu4.10

Ubuntu 10.04 LTS:

libcurl3-gnutls

7.19.7-1ubuntu1.9

libcurl3

7.19.7-1ubuntu1.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3613,

CVE-2014-3620

Ubuntu Security Notice USN-2330-1

11th September, 2014

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

• thunderbird
  – Mozilla Open Source mail and newsgroup client

Details

Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong,
Jesse Ruderman and JW Wang discovered multiple memory safety issues in
Thunderbird. If a user were tricked in to opening a specially crafted
message with scripting enabled, an attacker could potentially exploit
these to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1553, CVE-2014-1562)

Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted message
with scripting enabled, an attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2014-1563)

Michal Zalewski discovered that memory is not initialized properly during
GIF rendering in some circumstances. If a user were tricked in to opening
a specially crafted message, an attacker could potentially exploit this to
steal confidential information. (CVE-2014-1564)

Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a
user were tricked in to opening a specially crafted message with scripting
enabled, an attacker could potentially exploit this to cause a denial of
service via application crash or steal confidential information.
(CVE-2014-1565)

A use-after-free was discovered during text layout in some circumstances.
If a user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2014-1567)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

thunderbird

1:31.1.1+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

thunderbird

1:31.1.1+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2014-1553,

CVE-2014-1562,

CVE-2014-1563,

CVE-2014-1564,

CVE-2014-1565,

CVE-2014-1567

Ubuntu Security Notice USN-2344-1

9th September, 2014

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

php5 could be made to crash or run programs if it received
specially crafted network traffic.

Software description

• php5
  – HTML-embedded scripting language interpreter

Details

It was discovered that the Fileinfo component in php5 contains an integer
overflow. An attacker could use this flaw to cause a denial of service
or possibly execute arbitrary code via a crafted CDF file. (CVE-2014-3587)

It was discovered that the php_parserr function contains multiple buffer
overflows. An attacker could use this flaw to cause a denial of service
or possibly execute arbitrary code via crafted DNS records. (CVE-2014-3597)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

php5

5.5.9+dfsg-1ubuntu4.4

libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.4

php5-fpm

5.5.9+dfsg-1ubuntu4.4

php5-cgi

5.5.9+dfsg-1ubuntu4.4

Ubuntu 12.04 LTS:

php5

5.3.10-1ubuntu3.14

libapache2-mod-php5

5.3.10-1ubuntu3.14

php5-fpm

5.3.10-1ubuntu3.14

php5-cgi

5.3.10-1ubuntu3.14

Ubuntu 10.04 LTS:

php5

5.3.2-1ubuntu4.27

libapache2-mod-php5

5.3.2-1ubuntu4.27

php5-cgi

5.3.2-1ubuntu4.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Apache or
php5-fpm to make all the necessary changes.

References

CVE-2014-3587,

CVE-2014-3597