Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2342-1: QEMU vulnerabilities

Ubuntu Security Notice USN-2342-1

8th September, 2014

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu
    – Machine emulator and virtualizer

  • qemu-kvm
    – Machine emulator and virtualizer

Details

Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple
issues with QEMU state loading after migration. An attacker able to modify
the state data could use these issues to cause a denial of service, or
possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149,
CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529,
CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539,
CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182,
CVE-2014-3461)

Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and
others discovered multiple issues in the QEMU block drivers. An attacker
able to modify disk images could use these issues to cause a denial of
service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222,
CVE-2014-0223)

It was discovered that QEMU incorrectly handled certain PCIe bus hotplug
operations. A malicious guest could use this issue to crash the QEMU host,
resulting in a denial of service. (CVE-2014-3471)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
qemu-system-misc

2.0.0+dfsg-2ubuntu1.3
qemu-system

2.0.0+dfsg-2ubuntu1.3
qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.3
qemu-system-x86

2.0.0+dfsg-2ubuntu1.3
qemu-system-sparc

2.0.0+dfsg-2ubuntu1.3
qemu-system-arm

2.0.0+dfsg-2ubuntu1.3
qemu-system-ppc

2.0.0+dfsg-2ubuntu1.3
qemu-system-mips

2.0.0+dfsg-2ubuntu1.3
Ubuntu 12.04 LTS:
qemu-kvm

1.0+noroms-0ubuntu14.17
Ubuntu 10.04 LTS:
qemu-kvm

0.12.3+noroms-0ubuntu9.24

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2013-4148,

CVE-2013-4149,

CVE-2013-4150,

CVE-2013-4151,

CVE-2013-4526,

CVE-2013-4527,

CVE-2013-4529,

CVE-2013-4530,

CVE-2013-4531,

CVE-2013-4532,

CVE-2013-4533,

CVE-2013-4534,

CVE-2013-4535,

CVE-2013-4536,

CVE-2013-4537,

CVE-2013-4538,

CVE-2013-4539,

CVE-2013-4540,

CVE-2013-4541,

CVE-2013-4542,

CVE-2013-6399,

CVE-2014-0142,

CVE-2014-0143,

CVE-2014-0144,

CVE-2014-0145,

CVE-2014-0146,

CVE-2014-0147,

CVE-2014-0182,

CVE-2014-0222,

CVE-2014-0223,

CVE-2014-3461,

CVE-2014-3471

Ubuntu

USN-2351-1: nginx vulnerability

Ubuntu Security Notice USN-2351-1

22nd September, 2014

nginx vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

nginx could be made to expose sensitive information over the network.

Software description

  • nginx
    – small, powerful, scalable web/proxy server

Details

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx
incorrectly reused cached SSL sessions. An attacker could possibly use this
issue in certain configurations to obtain access to information from a
different virtual host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
nginx-extras

1.4.6-1ubuntu3.1
nginx-full

1.4.6-1ubuntu3.1
nginx-core

1.4.6-1ubuntu3.1
nginx-light

1.4.6-1ubuntu3.1
nginx-naxsi

1.4.6-1ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3616

Ubuntu

USN-2341-1: CUPS vulnerabilities

Ubuntu Security Notice USN-2341-1

8th September, 2014

cups vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

CUPS could be made to expose sensitive information, leading to privilege
escalation.

Software description

  • cups
    – Common UNIX Printing System(tm)

Details

Salvatore Bonaccorso discovered that the CUPS web interface incorrectly
validated permissions and incorrectly handled symlinks. An attacker could
possibly use this issue to bypass file permissions and read arbitrary
files, possibly leading to a privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
cups

1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups

1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups

1.4.3-1ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-5029,

CVE-2014-5030,

CVE-2014-5031

Ubuntu

USN-2350-1: NSS update

Ubuntu Security Notice USN-2350-1

22nd September, 2014

nss update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

NSS was updated to refresh the CA certificates bundle.

Software description

  • nss
    – Network Security Service library

Details

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.17 which includes the latest CA certificate
bundle.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
libnss3

2:3.17-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
libnss3

3.17-0ubuntu0.12.04.1
Ubuntu 10.04 LTS:
libnss3-1d

3.17-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

LP: 1372410

Ubuntu

USN-2306-3: GNU C Library regression

Ubuntu Security Notice USN-2306-3

8th September, 2014

eglibc regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

USN-2306-1 introduced a regression in the GNU C Library.

Software description

  • eglibc
    – GNU C Library

Details

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)

It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)

Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
libc6

2.11.1-0ubuntu7.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1364584

Ubuntu

USN-2349-1: Libav vulnerabilities

Ubuntu Security Notice USN-2349-1

17th September, 2014

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • libav
    – Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
libavformat53

4:0.8.16-0ubuntu0.12.04.1
libavcodec53

4:0.8.16-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1370175

Ubuntu

USN-2340-1: procmail vulnerability

Ubuntu Security Notice USN-2340-1

4th September, 2014

procmail vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

formail could be made to crash or run programs if it processed specially
crafted mail.

Software description

  • procmail
    – Versatile e-mail processor

Details

Tavis Ormandy discovered that the formail tool incorrectly handled certain
malformed mail headers. An attacker could use this flaw to cause formail to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
procmail

3.22-21ubuntu0.1
Ubuntu 12.04 LTS:
procmail

3.22-19ubuntu0.1
Ubuntu 10.04 LTS:
procmail

3.22-18ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3618

Ubuntu

USN-2319-3: OpenJDK 7 update

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
openjdk-7-jre-lib

7u65-2.5.2-3~14.04
openjdk-7-jre-zero

7u65-2.5.2-3~14.04
icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04
openjdk-7-jre-headless

7u65-2.5.2-3~14.04
openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307

Ubuntu

USN-2348-1: APT vulnerabilities

Ubuntu Security Notice USN-2348-1

16th September, 2014

apt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in APT.

Software description

  • apt
    – Advanced front-end for dpkg

Details

It was discovered that APT did not re-verify downloaded files when the
If-Modified-Since wasn’t met. (CVE-2014-0487)

It was discovered that APT did not invalidate repository data when it
switched from an unauthenticated to an authenticated state. (CVE-2014-0488)

It was discovered that the APT Acquire::GzipIndexes option caused APT to
skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and
Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489)

It was discovered that APT did not correctly validate signatures when
manually downloading packages using the download command. This issue only
applied to Ubuntu 12.04 LTS. (CVE-2014-0490)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
apt

1.0.1ubuntu2.3
Ubuntu 12.04 LTS:
apt

0.8.16~exp12ubuntu10.19
Ubuntu 10.04 LTS:
apt

0.7.25.3ubuntu9.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0487,

CVE-2014-0488,

CVE-2014-0489,

CVE-2014-0490

Ubuntu

USN-2347-1: Django vulnerabilities

Ubuntu Security Notice USN-2347-1

16th September, 2014

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Django.

Software description

  • python-django
    – High-level Python web development framework

Details

Florian Apolloner discovered that Django incorrectly validated URLs. A
remote attacker could use this issue to conduct phishing attacks.
(CVE-2014-0480)

David Wilson discovered that Django incorrectly handled file name
generation. A remote attacker could use this issue to cause Django to
consume resources, resulting in a denial of service. (CVE-2014-0481)

David Greisen discovered that Django incorrectly handled certain headers in
contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user
could use this issue to hijack web sessions. (CVE-2014-0482)

Collin Anderson discovered that Django incorrectly checked if a field
represented a relationship between models in the administrative interface.
A remote authenticated user could use this issue to possibly obtain
sensitive information. (CVE-2014-0483)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
python-django

1.6.1-2ubuntu0.4
Ubuntu 12.04 LTS:
python-django

1.3.1-4ubuntu1.12
Ubuntu 10.04 LTS:
python-django

1.1.1-2ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0480,

CVE-2014-0481,

CVE-2014-0482,

CVE-2014-0483