Ubuntu Security Notice USN-2370-1

8th October, 2014

apt vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

APT could be made to overwrite files.

Software description

• apt
  – Advanced front-end for dpkg

Details

Guillem Jover discovered that APT incorrectly created a temporary file when
handling the changelog command. A local attacker could use this issue to
overwrite arbitrary files. In the default installation of Ubuntu, this
should be prevented by the kernel link restrictions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.5

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.21

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7206

Ubuntu Security Notice USN-2369-1

2nd October, 2014

file vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

file could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

• file
  – Tool to determine file types

Details

It was discovered that file incorrectly handled certain CDF documents. A
attacker could use this issue to cause file to hang or crash, resulting
in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

file

1:5.14-2ubuntu3.2

Ubuntu 12.04 LTS:

file

5.09-2ubuntu0.5

Ubuntu 10.04 LTS:

file

5.03-5ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3587

Ubuntu Security Notice USN-2368-1

2nd October, 2014

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

OpenVPN could be made to expose sensitive information over the network.

Software description

• openvpn
  – virtual private network software

Details

It was discovered that OpenVPN incorrectly handled HMAC comparisons when
running in UDP mode. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could possibly be used to perform a
plaintext recovery attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

openvpn

2.2.1-8ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-2061

Ubuntu Security Notice USN-2381-1

9th October, 2014

rsyslog vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Rsyslog could be made to crash if it received specially crafted input.

Software description

• rsyslog
  – Enhanced syslogd

Details

It was discovered that Rsyslog incorrectly handled invalid PRI values. An
attacker could use this issue to send malformed messages to the Rsyslog
server and cause it to stop responding, resulting in a denial of service
and possibly message loss. (CVE-2014-3634, CVE-2014-3683)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

rsyslog

7.4.4-1ubuntu2.3

Ubuntu 12.04 LTS:

rsyslog

5.8.6-1ubuntu8.9

Ubuntu 10.04 LTS:

rsyslog

4.2.0-2ubuntu8.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3634,

CVE-2014-3683