RHSA-2017:2485-1: Important: git security update

Red Hat Enterprise Linux: An update for git is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
References: CVE-2017-1000117

RHSA-2017:2484-1: Important: git security update

Red Hat Enterprise Linux: An update for git is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
References: CVE-2017-1000117

RHSA-2017:2483-1: Important: httpd24-httpd security update

Red Hat Enterprise Linux: An update for httpd24-httpd is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
References: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679, CVE-2017-9788

RHSA-2017:2489-1: Important: mercurial security update

Red Hat Enterprise Linux: An update for mercurial is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
References: CVE-2017-1000115, CVE-2017-1000116

RHSA-2017:2486-1: Important: groovy security update

Red Hat Enterprise Linux: An update for groovy is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
References: CVE-2016-6814

USN-3390-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-3390-1

15th August, 2017

postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in PostgreSQL.

Software description

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.5
    – Object-relational SQL database

  • postgresql-9.6
    – Object-relational SQL database

Details

Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)

Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)

Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (CVE-2017-7548)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
postgresql-9.6 9.6.4-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
postgresql-9.5 9.5.8-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
postgresql-9.3 9.3.18-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

CVE-2017-7546, CVE-2017-7547, CVE-2017-7548

USN-3391-1: Firefox vulnerabilities

Ubuntu Security Notice USN-3391-1

15th August, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
bypass sandbox restrictions, obtain sensitive information, spoof the
origin of modal alerts, bypass same origin restrictions, read
uninitialized memory, cause a denial of service via program crash or hang,
or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780,
CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786,
CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792,
CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800,
CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807,
CVE-2017-7808, CVE-2017-7809)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
firefox 55.0.1+build2-0ubuntu0.17.04.2

Ubuntu 16.04 LTS:
firefox 55.0.1+build2-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
firefox 55.0.1+build2-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7783,
CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788,
CVE-2017-7789, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7797,
CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802,
CVE-2017-7803, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809

USN-3392-2: Linux kernel (Xenial HWE) regression

Ubuntu Security Notice USN-3392-2

16th August, 2017

linux-lts-xenial regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

USN-3378-2 introduced a regression in the Linux Hardware Enablement
kernel.

Software description

  • linux-lts-xenial
    – Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3392-1 fixed a regression in the Linux kernel for Ubuntu 16.04 LTS.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-3378-2 fixed vulnerabilities in the Linux Hardware Enablement
kernel. Unfortunately, a regression was introduced that prevented
conntrack from working correctly in some situations. This update
fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Fan Wu and Shixiong Zhao discovered a race condition between inotify events
and vfs rename operations in the Linux kernel. An unprivileged local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict
RLIMIT_STACK size. A local attacker could use this in conjunction with
another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

李强 discovered that the Virtio GPU driver in the Linux kernel did not
properly free memory in some situations. A local attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-10810)

石磊 discovered that the RxRPC Kerberos 5 ticket handling code in the
Linux kernel did not properly verify metadata. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7482)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.92.76
linux-image-generic-lpae-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-powerpc-e500mc 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-powerpc64-emb 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-powerpc-smp 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-lowlatency 4.4.0-92.115~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.92.76
linux-image-generic-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-generic-lpae 4.4.0-92.115~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.92.76
linux-image-powerpc64-emb-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-powerpc64-smp 4.4.0-92.115~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-generic 4.4.0-92.115~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

https://bugs.launchpad.net/bugs/1709032,
https://usn.ubuntu.com/usn/usn-3378-2

USN-3392-1: Linux kernel regression

Ubuntu Security Notice USN-3392-1

16th August, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

USN-3378-1 introduced a regression in the Linux kernel.

Software description

  • linux
    – Linux kernel

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-gke
    – Linux kernel for Google Container Engine (GKE) systems

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

  • linux-snapdragon
    – Linux kernel for Snapdragon processors

Details

USN-3378-1 fixed vulnerabilities in the Linux kernel. Unfortunately, a
regression was introduced that prevented conntrack from working
correctly in some situations. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Fan Wu and Shixiong Zhao discovered a race condition between inotify events
and vfs rename operations in the Linux kernel. An unprivileged local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict
RLIMIT_STACK size. A local attacker could use this in conjunction with
another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

李强 discovered that the Virtio GPU driver in the Linux kernel did not
properly free memory in some situations. A local attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-10810)

石磊 discovered that the RxRPC Kerberos 5 ticket handling code in the
Linux kernel did not properly verify metadata. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7482)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.92.97
linux-image-4.4.0-92-powerpc-smp 4.4.0-92.115
linux-image-4.4.0-92-lowlatency 4.4.0-92.115
linux-image-4.4.0-92-powerpc64-emb 4.4.0-92.115
linux-image-4.4.0-92-generic 4.4.0-92.115
linux-image-4.4.0-1027-gke 4.4.0-1027.27
linux-image-4.4.0-92-powerpc-e500mc 4.4.0-92.115
linux-image-4.4.0-1072-snapdragon 4.4.0-1072.77
linux-image-snapdragon 4.4.0.1072.64
linux-image-4.4.0-92-powerpc64-smp 4.4.0-92.115
linux-image-powerpc64-emb 4.4.0.92.97
linux-image-gke 4.4.0.1027.28
linux-image-generic 4.4.0.92.97
linux-image-4.4.0-92-generic-lpae 4.4.0-92.115
linux-image-aws 4.4.0.1031.33
linux-image-raspi2 4.4.0.1070.70
linux-image-powerpc-smp 4.4.0.92.97
linux-image-generic-lpae 4.4.0.92.97
linux-image-4.4.0-1031-aws 4.4.0-1031.40
linux-image-powerpc64-smp 4.4.0.92.97
linux-image-4.4.0-1070-raspi2 4.4.0-1070.78
linux-image-lowlatency 4.4.0.92.97

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

https://bugs.launchpad.net/bugs/1709032,
https://usn.ubuntu.com/usn/usn-3378-1