Ubuntu Security Notice USN-2361-1

24th September, 2014

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software description

• nss
  – Network Security Service library

Details

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libnss3

2:3.17.1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

libnss3

3.17.1-0ubuntu0.12.04.1

Ubuntu 10.04 LTS:

libnss3-1d

3.17.1-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

CVE-2014-1568

Ubuntu Security Notice USN-2360-1

24th September, 2014

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software description

• firefox
  – Mozilla Open Source web browser

Details

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

firefox

32.0.3+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

firefox

32.0.3+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2014-1568

Ubuntu Security Notice USN-2360-2

24th September, 2014

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software description

• thunderbird
  – Mozilla Open Source mail and newsgroup client

Details

USN-2360-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Thunderbird.

Original advisory details:

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

thunderbird

1:31.1.2+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

thunderbird

1:31.1.2+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2014-1568

Ubuntu Security Notice USN-2363-1

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

• bash
  – GNU Bourne Again SHell

Details

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.2

Ubuntu 12.04 LTS:

bash

4.2-2ubuntu2.3

Ubuntu 10.04 LTS:

bash

4.1-2ubuntu3.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169

Ubuntu Security Notice USN-2363-2

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

• bash
  – GNU Bourne Again SHell

Details

USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch
for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169

Ubuntu Security Notice USN-2364-1

27th September, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

• bash
  – GNU Bourne Again SHell

Details

Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly
handled memory. An attacker could possibly use this issue to bypass certain
environment restrictions and execute arbitrary code. (CVE-2014-7186,
CVE-2014-7187)

In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.4

Ubuntu 12.04 LTS:

bash

4.2-2ubuntu2.5

Ubuntu 10.04 LTS:

bash

4.1-2ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7186,

CVE-2014-7187

Ubuntu Security Notice USN-2365-1

29th September, 2014

libvncserver vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in LibVNCServer.

Software description

• libvncserver
  – vnc server library

Details

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory when
being advertised large screen sizes by the server. If a user were tricked
into connecting to a malicious server, an attacker could use this issue to
cause a denial of service, or possibly execute arbitrary code.
(CVE-2014-6051, CVE-2014-6052)

Nicolas Ruff discovered that LibVNCServer incorrectly handled large
ClientCutText messages. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service. (CVE-2014-6053)

Nicolas Ruff discovered that LibVNCServer incorrectly handled zero scaling
factor values. A remote attacker could use this issue to cause a server to
crash, resulting in a denial of service. (CVE-2014-6054)

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory in the
file transfer feature. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6055)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libvncserver0

0.9.9+dfsg-1ubuntu1.1

Ubuntu 12.04 LTS:

libvncserver0

0.9.8.2-2ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6051,

CVE-2014-6052,

CVE-2014-6053,

CVE-2014-6054,

CVE-2014-6055

Ubuntu Security Notice USN-2366-1

30th September, 2014

libvirt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in libvirt.

Software description

• libvirt
  – Libvirt virtualization toolkit

Details

Daniel P. Berrange and Richard Jones discovered that libvirt incorrectly
handled XML documents containing XML external entity declarations. An
attacker could use this issue to cause libvirtd to crash, resulting in a
denial of service on all affected releases, or possibly read arbitrary
files if fine grained access control was enabled on Ubuntu 14.04 LTS.
(CVE-2014-0179, CVE-2014-5177)

Luyao Huang discovered that libvirt incorrectly handled certain blkiotune
queries. An attacker could use this issue to cause libvirtd to crash,
resulting in a denial of service. This issue only applied to Ubuntu 12.04
LTS and Ubuntu 14.04 LTS. (CVE-2014-3633)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libvirt0

1.2.2-0ubuntu13.1.5

libvirt-bin

1.2.2-0ubuntu13.1.5

Ubuntu 12.04 LTS:

libvirt0

0.9.8-2ubuntu17.20

libvirt-bin

0.9.8-2ubuntu17.20

Ubuntu 10.04 LTS:

libvirt0

0.7.5-5ubuntu27.25

libvirt-bin

0.7.5-5ubuntu27.25

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-0179,

CVE-2014-3633,

CVE-2014-5177

Ubuntu Security Notice USN-2367-1

2nd October, 2014

openssl update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

OpenSSL TLSv1.2 support has been improved.

Software description

• openssl
  – Secure Socket Layer (SSL) cryptographic library and tools

Details

For compatibility reasons, OpenSSL in Ubuntu 12.04 LTS disables TLSv1.2
by default when being used as a client. When forcing the use of TLSv1.2,
another compatibility feature (OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) was used
that would truncate the cipher list. This would prevent certain ciphers
from being selected, and would prevent secure renegotiations. This update
removes the cipher list truncation workaround when forcing the use of
TLSv1.2.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

libssl1.0.0

1.0.1-4ubuntu5.18

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1376447

Ubuntu Security Notice USN-2368-1

2nd October, 2014

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

OpenVPN could be made to expose sensitive information over the network.

Software description

• openvpn
  – virtual private network software

Details

It was discovered that OpenVPN incorrectly handled HMAC comparisons when
running in UDP mode. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could possibly be used to perform a
plaintext recovery attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

openvpn

2.2.1-8ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-2061