Ubuntu Budgie 17.10 Wallpaper Contest Winners

The winning images in the Ubuntu Budgie 17.10 wallpaper contest have been revealed. Ubuntu Budgie is an official Ubuntu flavor that uses the Budgie desktop environment. The next stable release, due in October, will include a new set of community-sourced desktop backgrounds. 10 wallpapers have been selected from the hundreds of entries submitted, and optimised versions […]

This post, Ubuntu Budgie 17.10 Wallpaper Contest Winners, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.


USN-3372-1: NSS vulnerability

Ubuntu Security Notice USN-3372-1

31st July, 2017

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in NSS.

Software description

  • nss
    – Network Security Service library

Details

It was discovered that NSS incorrectly handled certain empty SSLv2
messages. A remote attacker could possibly use this issue to cause NSS to
crash, resulting in a denial of service. (CVE-2017-7502)

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks. A remote attacker could
possibly use this flaw to obtain clear text data from long encrypted
sessions. This update causes NSS to limit use of the same symmetric key.
(CVE-2016-2183)

It was discovered that NSS incorrectly handled Base64 decoding. A remote
attacker could use this flaw to cause NSS to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2017-5461)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • libnss3 2:3.28.4-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

CVE-2016-2183, CVE-2017-5461, CVE-2017-7502


USN-3373-1: Apache HTTP Server vulnerabilities

Ubuntu Security Notice USN-3373-1

31st July, 2017

apache2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Apache HTTP Server.

Software description

  • apache2
    – Apache HTTP server

Details

Emmanuel Dreyfus discovered that third-party modules using the
ap_get_basic_auth_pw() function outside of the authentication phase may
lead to authentication requirements being bypassed. This update adds a new
ap_get_basic_auth_components() function for use by third-party modules.
(CVE-2017-3167)

Vasileios Panopoulos discovered that the Apache mod_ssl module may crash
when third-party modules call ap_hook_process_connection() during an HTTP
request to an HTTPS port. (CVE-2017-3169)

Javier Jiménez discovered that the Apache HTTP Server incorrectly handled
parsing certain requests. A remote attacker could possibly use this issue
to cause the Apache HTTP Server to crash, resulting in a denial of service.
(CVE-2017-7668)

ChenQin and Hanno Böck discovered that the Apache mod_mime module
incorrectly handled certain Content-Type response headers. A remote
attacker could possibly use this issue to cause the Apache HTTP Server to
crash, resulting in a denial of service. (CVE-2017-7679)

David Dennerline and Régis Leroy discovered that the Apache HTTP Server
incorrectly handled unusual whitespace when parsing requests, contrary to
specifications. When being used in combination with a proxy or backend
server, a remote attacker could possibly use this issue to perform an
injection attack and pollute cache. This update may introduce compatibility
issues with clients that do not strictly follow HTTP protocol
specifications. A new configuration option “HttpProtocolOptions Unsafe” can
be used to revert to the previous unsafe behaviour in problematic
environments. (CVE-2016-8743)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • apache2.2-bin 2.2.22-1ubuntu1.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679


USN-3363-2: ImageMagick regression

Ubuntu Security Notice USN-3363-2

31st July, 2017

imagemagick regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3363-1 caused a regression in ImageMagick.

Software description

  • imagemagick
    – Image manipulation programs and library

Details

USN-3363-1 fixed vulnerabilities in ImageMagick. The update caused a
regression for certain users when processing images. The problematic
patch has been reverted pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  • libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.9
  • imagemagick 8:6.8.9.9-7ubuntu5.9
  • imagemagick-6.q16 8:6.8.9.9-7ubuntu5.9
  • libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.9

Ubuntu 14.04 LTS:
  • libmagick++5 8:6.7.7.10-6ubuntu3.9
  • libmagickcore5 8:6.7.7.10-6ubuntu3.9
  • imagemagick 8:6.7.7.10-6ubuntu3.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1707015


USN-3374-1: RabbitMQ vulnerability

Ubuntu Security Notice USN-3374-1

31st July, 2017

rabbitmq-server vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

RabbitMQ could allow unintended access to network services.

Software description

  • rabbitmq-server
    – AMQP server written in Erlang

Details

It was discovered that RabbitMQ incorrectly handled MQTT (MQ Telemetry
Transport) authentication. A remote attacker could use this issue to
authenticate successfully with an existing username by omitting the
password.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  • rabbitmq-server 3.5.7-1ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  • rabbitmq-server 3.2.4-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9877
