RHSA-2017:2869-1: Important: kernel security and bug fix update

Red Hat Enterprise Linux: An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended
Update Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
CVE-2017-7533

Read More

USN-3441-1: curl vulnerabilities

Ubuntu Security Notice USN-3441-1

10th October, 2017

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in curl.

Software description

  • curl
    – HTTP, HTTPS, and FTP client and client libraries

Details

Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled the –write-out
command line option. A local attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2017-7407)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
libcurl3-nss

7.52.1-4ubuntu1.2
curl

7.52.1-4ubuntu1.2
libcurl3-gnutls

7.52.1-4ubuntu1.2
libcurl3

7.52.1-4ubuntu1.2
Ubuntu 16.04 LTS:
libcurl3-nss

7.47.0-1ubuntu2.3
curl

7.47.0-1ubuntu2.3
libcurl3-gnutls

7.47.0-1ubuntu2.3
libcurl3

7.47.0-1ubuntu2.3
Ubuntu 14.04 LTS:
libcurl3-nss

7.35.0-1ubuntu2.11
curl

7.35.0-1ubuntu2.11
libcurl3-gnutls

7.35.0-1ubuntu2.11
libcurl3

7.35.0-1ubuntu2.11

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9586,

CVE-2017-1000100,

CVE-2017-1000101,

CVE-2017-1000254,

CVE-2017-7407

Read More

USN-3442-1: libXfont vulnerabilities

Ubuntu Security Notice USN-3442-1

10th October, 2017

libxfont, libxfont1, libxfont2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in libXfont.

Software description

  • libxfont
    – X11 font rasterisation library

  • libxfont1
    – X11 font rasterisation library

  • libxfont2
    – X11 font rasterisation library

Details

It was discovered that libXfont incorrectly handled certain patterns in
PatternMatch. A local attacker could use this issue to cause libXfont to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2017-13720)

It was discovered that libXfont incorrectly handled certain malformed PCF
files. A local attacker could use this issue to cause libXfont to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2017-13722)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
libxfont1

1:1.5.2-4ubuntu0.1
libxfont2

1:2.0.1-3ubuntu0.1
Ubuntu 16.04 LTS:
libxfont1

1:1.5.1-1ubuntu0.16.04.3
libxfont2

1:2.0.1-3~ubuntu16.04.2
Ubuntu 14.04 LTS:
libxfont1

1:1.4.7-1ubuntu0.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-13720,

CVE-2017-13722

Read More

USN-3443-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3443-1

10th October, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux
    – Linux kernel

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

Details

It was discovered that on the PowerPC architecture, the kernel did not
properly sanitize the signal stack when handling sigreturn(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-1000255)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
linux-image-powerpc-smp 4.10.0.37.37
linux-image-powerpc-e500mc 4.10.0.37.37
linux-image-4.10.0-37-lowlatency

4.10.0-37.41
linux-image-generic-lpae 4.10.0.37.37
linux-image-lowlatency 4.10.0.37.37
linux-image-virtual 4.10.0.37.37
linux-image-4.10.0-1019-raspi2

4.10.0-1019.22
linux-image-powerpc64-smp 4.10.0.37.37
linux-image-generic 4.10.0.37.37
linux-image-4.10.0-37-generic-lpae

4.10.0-37.41
linux-image-4.10.0-37-generic

4.10.0-37.41
linux-image-powerpc64-emb 4.10.0.37.37
linux-image-raspi2 4.10.0.1019.20

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000255,

CVE-2017-14106

Read More

USN-3443-2: Linux kernel (HWE) vulnerabilities

Ubuntu Security Notice USN-3443-2

10th October, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-hwe
    – Linux hardware enablement (HWE) kernel

Details

USN-3443-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that on the PowerPC architecture, the kernel did not
properly sanitize the signal stack when handling sigreturn(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-1000255)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-4.10.0-37-lowlatency

4.10.0-37.41~16.04.1
linux-image-lowlatency-hwe-16.04

4.10.0.37.39
linux-image-generic-hwe-16.04

4.10.0.37.39
linux-image-4.10.0-37-generic-lpae

4.10.0-37.41~16.04.1
linux-image-4.10.0-37-generic

4.10.0-37.41~16.04.1
linux-image-generic-lpae-hwe-16.04

4.10.0.37.39

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000255,

CVE-2017-14106

Read More