Category Archives: Ubuntu

Ubuntu

USN-3573-1: Quagga vulnerabilities

Ubuntu Security Notice USN-3573-1

15th February, 2018

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Quagga.

Software description

  • quagga
    – BGP/OSPF/RIP routing daemon

Details

It was discovered that a double-free vulnerability existed in the
Quagga BGP daemon when processing certain forms of UPDATE message.
A remote attacker could use this to cause a denial of service or
possibly execute arbitrary code. (CVE-2018-5379)

It was discovered that the Quagga BGP daemon did not properly bounds
check the data sent with a NOTIFY to a peer. An attacker could use this
to expose sensitive information or possibly cause a denial of service.
This issue only affected Ubuntu 17.10. (CVE-2018-5378)

It was discovered that a table overrun vulnerability existed in the
Quagga BGP daemon. An attacker in control of a configured peer could
use this to possibly expose sensitive information or possibly cause
a denial of service. (CVE-2018-5380)

It was discovered that the Quagga BGP daemon in some configurations
did not properly handle invalid OPEN messages. An attacker in control
of a configured peer could use this to cause a denial of service
(infinite loop). (CVE-2018-5381)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
quagga

1.1.1-3ubuntu0.2
quagga-bgpd

1.1.1-3ubuntu0.2
Ubuntu 16.04 LTS:
quagga

0.99.24.1-2ubuntu1.4
Ubuntu 14.04 LTS:
quagga

0.99.22.4-3ubuntu1.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Quagga to make
all the necessary changes.

References

CVE-2018-5378,

CVE-2018-5379,

CVE-2018-5380,

CVE-2018-5381

Read More

USN-3570-1: AdvanceCOMP vulnerability

Ubuntu Security Notice USN-3570-1

14th February, 2018

advancecomp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

AdvanceCOMP could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • advancecomp
    – collection of recompression utilities

Details

Joonun Jang discovered that AdvanceCOMP incorrectly handled certain
malformed zip files. If a user or automated system were tricked into
processing a specially crafted zip file, a remote attacker could cause
AdvanceCOMP to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
advancecomp

2.0-1ubuntu0.1
Ubuntu 16.04 LTS:
advancecomp

1.20-1ubuntu0.1
Ubuntu 14.04 LTS:
advancecomp

1.18-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-1056

Read More

USN-3572-1: FreeType vulnerability

Ubuntu Security Notice USN-3572-1

14th February, 2018

freetype vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10

Summary

FreeType could be made to crash if it opened a specially crafted file.

Software description

  • freetype
    – FreeType 2 is a font engine library

Details

It was discovered that FreeType incorrectly handled certain files.
An attacker could possibly use this to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
libfreetype6

2.8-0.2ubuntu2.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2018-6942

Read More

USN-3571-1: Erlang vulnerabilities

Ubuntu Security Notice USN-3571-1

14th February, 2018

erlang vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Erlang.

Software description

  • erlang
    – Concurrent, real-time, distributed functional language

Details

It was discovered that the Erlang FTP module incorrectly handled certain
CRLF sequences. A remote attacker could possibly use this issue to inject
arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-1693)

It was discovered that Erlang incorrectly checked CBC padding bytes. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-2774)

It was discovered that Erlang incorrectly handled certain regular
expressions. A remote attacker could possibly use this issue to cause
Erlang to crash, resulting in a denial of service, or execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253)

Hanno Böck, Juraj Somorovsky and Craig Young discovered that the Erlang
otp TLS server incorrectly handled error reporting. A remote attacker could
possibly use this issue to perform a variation of the Bleichenbacher attack
and decrypt traffic or sign messages. (CVE-2017-1000385)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
erlang

1:20.0.4+dfsg-1ubuntu1.1
Ubuntu 16.04 LTS:
erlang

1:18.3-dfsg-1ubuntu3.1
Ubuntu 14.04 LTS:
erlang

1:16.b.3-dfsg-1ubuntu2.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-1693,

CVE-2015-2774,

CVE-2016-10253,

CVE-2017-1000385

Read More

USN-3569-1: libvorbis vulnerabilities

Ubuntu Security Notice USN-3569-1

13th February, 2018

libvorbis vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in libvorbis.

Software description

  • libvorbis
    – The Vorbis General Audio Compression Codec

Details

It was discovered that libvorbis incorrectly handled certain sound files.
An attacker could possibly use this to execute arbitrary code.
(CVE-2017-14632)

It was discovered that libvorbis incorrectly handled certain sound files.
An attacker could use this to cause a denial of service.
(CVE-2017-14633)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
libvorbis0a

1.3.5-4ubuntu0.1
Ubuntu 16.04 LTS:
libvorbis0a

1.3.5-3ubuntu0.1
Ubuntu 14.04 LTS:
libvorbis0a

1.3.2-1.3ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

References

CVE-2017-14632,

CVE-2017-14633

Read More

USN-3567-1: Puppet vulnerability

Ubuntu Security Notice USN-3567-1

12th February, 2018

puppet vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Puppet could be made to crash or run programs.

Software description

  • puppet
    – Centralized configuration management

Details

It was discovered that Puppet incorrectly handled permissions when
unpacking certain tarballs. A local user could possibly use this issue to
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
puppet-common

3.4.3-1ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10689

Read More

USN-3566-1: PHP vulnerabilities

Ubuntu Security Notice USN-3566-1

12th February, 2018

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. (CVE-2018-5712)

It was discovered that PHP incorrectly handled memory when unserializing
certain data. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-12933)

It was discovered that PHP incorrectly handled ‘front of’ and ‘back of’
date directives. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2017-16642)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
php5-cli

5.5.9+dfsg-1ubuntu4.23
php5-cgi

5.5.9+dfsg-1ubuntu4.23
libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.23
php5-fpm

5.5.9+dfsg-1ubuntu4.23

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12933,

CVE-2017-16642,

CVE-2018-5712

Read More