USN-2351-1: nginx vulnerability

Ubuntu Security Notice USN-2351-1

22nd September, 2014

nginx vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

nginx could be made to expose sensitive information over the network.

Software description

  • nginx
    – small, powerful, scalable web/proxy server

Details

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx
incorrectly reused cached SSL sessions. An attacker could possibly use this
issue in certain configurations to obtain access to information from a
different virtual host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • nginx-extras 1.4.6-1ubuntu3.1
  • nginx-full 1.4.6-1ubuntu3.1
  • nginx-core 1.4.6-1ubuntu3.1
  • nginx-light 1.4.6-1ubuntu3.1
  • nginx-naxsi 1.4.6-1ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3616

USN-2352-1: DBus vulnerabilities

Ubuntu Security Notice USN-2352-1

22nd September, 2014

dbus vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in DBus.

Software description

  • dbus
    – simple interprocess messaging system

Details

Simon McVittie discovered that DBus incorrectly handled the file
descriptors message limit. A local attacker could use this issue to cause
DBus to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2014-3635)

Alban Crequy discovered that DBus incorrectly handled a large number of
file descriptor messages. A local attacker could use this issue to cause
DBus to stop responding, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636)

Alban Crequy discovered that DBus incorrectly handled certain file
descriptor messages. A local attacker could use this issue to cause DBus
to maintain persistent connections, possibly resulting in a denial of
service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-3637)

Alban Crequy discovered that DBus incorrectly handled a large number of
parallel connections and parallel message calls. A local attacker could use
this issue to cause DBus to consume resources, possibly resulting in a
denial of service. (CVE-2014-3638)

Alban Crequy discovered that DBus incorrectly handled incomplete
connections. A local attacker could use this issue to cause DBus to fail
legitimate connection attempts, resulting in a denial of service.
(CVE-2014-3639)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • dbus 1.6.18-0ubuntu4.2
  • libdbus-1-3 1.6.18-0ubuntu4.2

Ubuntu 12.04 LTS:
  • dbus 1.4.18-1ubuntu1.6
  • libdbus-1-3 1.4.18-1ubuntu1.6

Ubuntu 10.04 LTS:
  • dbus 1.2.16-2ubuntu4.8
  • libdbus-1-3 1.2.16-2ubuntu4.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639

USN-2353-1: APT vulnerability

Ubuntu Security Notice USN-2353-1

23rd September, 2014

apt vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

APT could be made to crash or run programs if it received specially crafted
network traffic.

Software description

  • apt
    – Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. The default compiler options for
affected releases should reduce the vulnerability to a denial of service.
(CVE-2014-6273)

In addition, this update fixes regressions introduced by the USN-2348-1
security update: APT incorrectly handled file:/// sources on a different
partition, incorrectly handled Dir::state::lists set to a relative path,
and incorrectly handled cdrom: sources.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • apt 1.0.1ubuntu2.4.1

Ubuntu 12.04 LTS:
  • apt 0.8.16~exp12ubuntu10.20.1

Ubuntu 10.04 LTS:
  • apt 0.7.25.3ubuntu9.17.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6273

USN-2354-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2354-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
  • linux-image-2.6.32-66-lpia 2.6.32-66.132
  • linux-image-2.6.32-66-generic-pae 2.6.32-66.132
  • linux-image-2.6.32-66-sparc64 2.6.32-66.132
  • linux-image-2.6.32-66-ia64 2.6.32-66.132
  • linux-image-2.6.32-66-386 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc 2.6.32-66.132
  • linux-image-2.6.32-66-versatile 2.6.32-66.132
  • linux-image-2.6.32-66-generic 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc64-smp 2.6.32-66.132
  • linux-image-2.6.32-66-preempt 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc-smp 2.6.32-66.132
  • linux-image-2.6.32-66-server 2.6.32-66.132
  • linux-image-2.6.32-66-sparc64-smp 2.6.32-66.132
  • linux-image-2.6.32-66-virtual 2.6.32-66.132

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471, CVE-2014-5472

USN-2355-1: Linux kernel (EC2) vulnerabilities

Ubuntu Security Notice USN-2355-1

23rd September, 2014

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ec2
    – Linux kernel for EC2

Details

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
  • linux-image-2.6.32-370-ec2 2.6.32-370.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471, CVE-2014-5472

USN-2356-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2356-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • linux-image-3.2.0-69-powerpc64-smp 3.2.0-69.103
  • linux-image-3.2.0-69-powerpc-smp 3.2.0-69.103
  • linux-image-3.2.0-69-generic-pae 3.2.0-69.103
  • linux-image-3.2.0-69-virtual 3.2.0-69.103
  • linux-image-3.2.0-69-highbank 3.2.0-69.103
  • linux-image-3.2.0-69-omap 3.2.0-69.103
  • linux-image-3.2.0-69-generic 3.2.0-69.103

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601, CVE-2014-5471, CVE-2014-5472

USN-2357-1: Linux kernel (OMAP4) vulnerabilities

Ubuntu Security Notice USN-2357-1

23rd September, 2014

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • linux-image-3.2.0-1453-omap4 3.2.0-1453.73

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601, CVE-2014-5471, CVE-2014-5472

USN-2358-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2358-1

23rd September, 2014

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Jason Gunthorpe reported a flaw with SCTP authentication in the Linux
kernel. A remote attacker could exploit this flaw to cause a denial of
service (NULL pointer dereference and OOPS). (CVE-2014-5077)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • linux-image-3.13.0-36-generic-lpae 3.13.0-36.63~precise1
  • linux-image-3.13.0-36-generic 3.13.0-36.63~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472

USN-2359-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2359-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Jason Gunthorpe reported a flaw with SCTP authentication in the Linux
kernel. A remote attacker could exploit this flaw to cause a denial of
service (NULL pointer dereference and OOPS). (CVE-2014-5077)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • linux-image-3.13.0-36-powerpc64-emb 3.13.0-36.63
  • linux-image-3.13.0-36-generic 3.13.0-36.63
  • linux-image-3.13.0-36-powerpc64-smp 3.13.0-36.63
  • linux-image-3.13.0-36-powerpc-e500mc 3.13.0-36.63
  • linux-image-3.13.0-36-lowlatency 3.13.0-36.63
  • linux-image-3.13.0-36-powerpc-e500 3.13.0-36.63
  • linux-image-3.13.0-36-generic-lpae 3.13.0-36.63
  • linux-image-3.13.0-36-powerpc-smp 3.13.0-36.63

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472

USN-2362-1: Bash vulnerability

Ubuntu Security Notice USN-2362-1

24th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

  • bash
    – GNU Bourne Again SHell

Details

Stephane Chazelas discovered that Bash incorrectly handled trailing code in
function definitions. An attacker could use this issue to bypass
environment restrictions, such as SSH forced command environments.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • bash 4.3-7ubuntu1.1

Ubuntu 12.04 LTS:
  • bash 4.2-2ubuntu2.2

Ubuntu 10.04 LTS:
  • bash 4.1-2ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6271
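
The fixed versions in the notices above can be checked against a host's installed packages, but only with Debian version ordering: a plain string comparison misorders values such as 3.13.0-36.63~precise1 and 0.8.16~exp12ubuntu10.20.1. The following is an added example, not part of the Ubuntu notices: it reimplements that ordering (on a real system `dpkg --compare-versions` does the same job) and applies it to the Ubuntu 12.04 LTS fixed versions listed on this page. The installed versions and the names `FIXED_1204`, `INSTALLED`, `compare_versions` and `needs_update` are constructed for illustration.

```python
import re

def _order(c):
    # dpkg character weight: '~' sorts before end-of-string, letters before symbols.
    if c == "~":
        return -1
    if c == "":  # end of string or start of a digit run
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare one upstream-version or revision string, alternating between
    # non-digit runs (by character weight) and digit runs (numerically).
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ca = a[0] if a and not a[0].isdigit() else ""
            cb = b[0] if b and not b[0].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            a, b = a[1:], b[1:]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision)
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Fixed versions for Ubuntu 12.04 LTS, copied from the notices on this page.
FIXED_1204 = {
    "dbus": "1.4.18-1ubuntu1.6",                               # USN-2352-1
    "apt": "0.8.16~exp12ubuntu10.20.1",                        # USN-2353-1
    "linux-image-3.13.0-36-generic": "3.13.0-36.63~precise1",  # USN-2358-1
    "bash": "4.2-2ubuntu2.2",                                  # USN-2362-1
}

# Constructed sample inventory for one host (not real data).
INSTALLED = {
    "dbus": "1.4.18-1ubuntu1.6",
    "apt": "0.8.16~exp12ubuntu10.20",
    "linux-image-3.13.0-36-generic": "3.13.0-36.63~precise1",
    "bash": "4.2-2ubuntu2.1",
}

def needs_update(installed, fixed):
    """Return sorted names of packages installed at a version older than the fix."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)

if __name__ == "__main__":
    print("Packages below the fixed version:", needs_update(INSTALLED, FIXED_1204))
```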
