Category Archives: Ubuntu

USN-3457-1: curl vulnerability

Ubuntu Security Notice USN-3457-1

23rd October, 2017

curl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

curl could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • curl
    – HTTP, HTTPS, and FTP client and client libraries

Details

Brian Carpenter discovered that curl incorrectly handled IMAP FETCH
response lines. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  libcurl3-nss       7.55.1-1ubuntu2.1
  curl               7.55.1-1ubuntu2.1
  libcurl3-gnutls    7.55.1-1ubuntu2.1
  libcurl3           7.55.1-1ubuntu2.1

Ubuntu 17.04:
  libcurl3-nss       7.52.1-4ubuntu1.3
  curl               7.52.1-4ubuntu1.3
  libcurl3-gnutls    7.52.1-4ubuntu1.3
  libcurl3           7.52.1-4ubuntu1.3

Ubuntu 16.04 LTS:
  libcurl3-nss       7.47.0-1ubuntu2.4
  curl               7.47.0-1ubuntu2.4
  libcurl3-gnutls    7.47.0-1ubuntu2.4
  libcurl3           7.47.0-1ubuntu2.4

Ubuntu 14.04 LTS:
  libcurl3-nss       7.35.0-1ubuntu2.12
  curl               7.35.0-1ubuntu2.12
  libcurl3-gnutls    7.35.0-1ubuntu2.12
  libcurl3           7.35.0-1ubuntu2.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000257

USN-3434-2: Libidn vulnerability

Ubuntu Security Notice USN-3434-2

23rd October, 2017

libidn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Libidn could be made to crash or run programs if it processed specially
crafted input.

Software description

  • libidn
    – implementation of IETF IDN specifications

Details

USN-3434-1 fixed a vulnerability in Libidn. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Libidn incorrectly handled decoding certain digits.
A remote attacker could use this issue to cause Libidn to crash, resulting
in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  libidn11           1.23-2ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14062

USN-3441-2: curl vulnerabilities

Ubuntu Security Notice USN-3441-2

23rd October, 2017

curl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in curl.

Software description

  • curl
    – HTTP, HTTPS, and FTP client and client libraries

Details

USN-3441-1 fixed several vulnerabilities in curl. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled IMAP FETCH
response lines. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-1000257)

Brian Carpenter discovered that curl incorrectly handled the --write-out
command line option. A local attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2017-7407)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  libcurl3-nss       7.22.0-3ubuntu4.18
  curl               7.22.0-3ubuntu4.18
  libcurl3-gnutls    7.22.0-3ubuntu4.18
  libcurl3           7.22.0-3ubuntu4.18

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000254, CVE-2017-1000257,
CVE-2017-7407

USN-3458-2: ICU vulnerability

Ubuntu Security Notice USN-3458-2

23rd October, 2017

icu vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

ICU could be made to crash or run arbitrary code as your login
if it received specially crafted input.

Software description

  • icu
    – International Components for Unicode library

Details

USN-3458-1 fixed a vulnerability in ICU. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that ICU incorrectly handled certain inputs. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  libicu48           4.8.1.1-3ubuntu0.9
  lib32icu48         4.8.1.1-3ubuntu0.9

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14952

USN-3458-1: ICU vulnerability

Ubuntu Security Notice USN-3458-1

23rd October, 2017

icu vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

ICU could be made to crash or run arbitrary code as your login
if it received specially crafted input.

Software description

  • icu
    – International Components for Unicode library

Details

It was discovered that ICU incorrectly handled certain inputs. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  libicu57           57.1-6ubuntu0.2

Ubuntu 17.04:
  libicu57           57.1-5ubuntu0.2

Ubuntu 16.04 LTS:
  libicu55           55.1-7ubuntu0.3

Ubuntu 14.04 LTS:
  libicu52           52.1-3ubuntu0.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14952

USN-3461-1: NVIDIA graphics drivers vulnerabilities

Ubuntu Security Notice USN-3461-1

23rd October, 2017

nvidia-graphics-drivers-384 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

NVIDIA graphics drivers could be made to crash or run programs as an
administrator.

Software description

  • nvidia-graphics-drivers-384
    – Transitional package for libcuda1-384

Details

It was discovered that the NVIDIA graphics drivers contained flaws in the
kernel mode layer. A local attacker could use these issues to cause a
denial of service or potentially escalate their privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  nvidia-384         384.90-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  nvidia-384         384.90-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  nvidia-384         384.90-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-6257, CVE-2017-6259, CVE-2017-6266, CVE-2017-6267, CVE-2017-6272

USN-3460-1: WebKitGTK+ vulnerabilities

Ubuntu Security Notice USN-3460-1

23rd October, 2017

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

  • webkit2gtk
    – Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  libwebkit2gtk-4.0-37           2.18.0-0ubuntu0.17.04.2
  libjavascriptcoregtk-4.0-18    2.18.0-0ubuntu0.17.04.2

Ubuntu 16.04 LTS:
  libwebkit2gtk-4.0-37           2.18.0-0ubuntu0.16.04.2
  libjavascriptcoregtk-4.0-18    2.18.0-0ubuntu0.16.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092,
CVE-2017-7093, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7100,
CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111,
CVE-2017-7117, CVE-2017-7120

USN-3459-1: MySQL vulnerabilities

Ubuntu Security Notice USN-3459-1

23rd October, 2017

mysql-5.5, mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

  • mysql-5.5
    – MySQL database

  • mysql-5.7
    – MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.58 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS,
Ubuntu 17.04 and Ubuntu 17.10 have been updated to MySQL 5.7.20.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-20.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  mysql-server-5.7   5.7.20-0ubuntu0.17.10.1

Ubuntu 17.04:
  mysql-server-5.7   5.7.20-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  mysql-server-5.7   5.7.20-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  mysql-server-5.5   5.5.58-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10155, CVE-2017-10165, CVE-2017-10167, CVE-2017-10227,
CVE-2017-10268, CVE-2017-10276, CVE-2017-10283, CVE-2017-10286,
CVE-2017-10294, CVE-2017-10311, CVE-2017-10313, CVE-2017-10314,
CVE-2017-10320, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384

USN-3456-1: X.Org X server vulnerabilities

Ubuntu Security Notice USN-3456-1

17th October, 2017

xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the X.Org X server.

Software description

  • xorg-server
    – X.Org X11 server

  • xorg-server-hwe-16.04
    – X.Org X11 server

  • xorg-server-lts-xenial
    – X.Org X11 server

Details

It was discovered that the X.Org X server incorrectly handled certain
lengths. An attacker able to connect to an X server, either locally or
remotely, could use these issues to crash the server, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  xserver-xorg-core              2:1.19.3-1ubuntu1.3

Ubuntu 16.04 LTS:
  xserver-xorg-core              2:1.18.4-0ubuntu0.7
  xserver-xorg-core-hwe-16.04    2:1.19.3-1ubuntu1~16.04.4

Ubuntu 14.04 LTS:
  xserver-xorg-core              2:1.15.1-0ubuntu2.11
  xserver-xorg-core-lts-xenial   2:1.18.3-1ubuntu2.3~trusty4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179,
CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183,
CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187

USN-3455-1: wpa_supplicant and hostapd vulnerabilities

Ubuntu Security Notice USN-3455-1

16th October, 2017

wpa vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in wpa_supplicant.

Software description

  • wpa
    – client support for WPA and WPA2

Details

Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. A remote attacker could use this issue with key
reinstallation attacks to obtain sensitive information. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)

Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
  hostapd            2.4-0ubuntu9.1
  wpasupplicant      2.4-0ubuntu9.1

Ubuntu 16.04 LTS:
  hostapd            2.4-0ubuntu6.2
  wpasupplicant      2.4-0ubuntu6.2

Ubuntu 14.04 LTS:
  hostapd            2.1-0ubuntu1.5
  wpasupplicant      2.1-0ubuntu1.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.
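Every notice on this page ends with the same instruction: bring the listed packages to at least the named version. Checking that by eye across a fleet is error-prone, because Debian version strings are not compared lexically (epochs such as "2:" take precedence, and "~" sorts before everything, so "1ubuntu1~16.04.3" is older than "1ubuntu1~16.04.4"). The script below is an added example, not part of any USN or of Ubuntu's own tooling: it re-implements dpkg's version-ordering rules in Python and compares the output of `dpkg-query -W -f '${Package} ${Version}\n'` against the Ubuntu 16.04 LTS fixed versions collected from the curl, ICU, NVIDIA, WebKitGTK+, MySQL, X.Org and wpa notices above. The dpkg-query output embedded in it is constructed sample data; the version table is copied from the notices.

```python
"""Check installed package versions against the fixed versions named in a
set of Ubuntu Security Notices.

Added example; not part of any USN or of Ubuntu's own tooling.  The
comparison re-implements dpkg's ordering: epoch, then upstream version,
then Debian revision, each split into alternating non-digit and digit
runs; '~' sorts below everything, including the end of the string.
"""
from typing import Dict, Tuple

DIGITS = "0123456789"

# Ubuntu 16.04 LTS fixed versions, copied from the notices on this page.
FIXED_16_04: Dict[str, str] = {
    "curl": "7.47.0-1ubuntu2.4",                        # USN-3457-1
    "libcurl3": "7.47.0-1ubuntu2.4",
    "libcurl3-gnutls": "7.47.0-1ubuntu2.4",
    "libcurl3-nss": "7.47.0-1ubuntu2.4",
    "libicu55": "55.1-7ubuntu0.3",                      # USN-3458-1
    "nvidia-384": "384.90-0ubuntu0.16.04.1",            # USN-3461-1
    "libwebkit2gtk-4.0-37": "2.18.0-0ubuntu0.16.04.2",  # USN-3460-1
    "libjavascriptcoregtk-4.0-18": "2.18.0-0ubuntu0.16.04.2",
    "mysql-server-5.7": "5.7.20-0ubuntu0.16.04.1",      # USN-3459-1
    "xserver-xorg-core": "2:1.18.4-0ubuntu0.7",         # USN-3456-1
    "xserver-xorg-core-hwe-16.04": "2:1.19.3-1ubuntu1~16.04.4",
    "hostapd": "2.4-0ubuntu6.2",                        # USN-3455-1
    "wpasupplicant": "2.4-0ubuntu6.2",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_DPKG_QUERY = """\
curl 7.47.0-1ubuntu2.2
libcurl3-gnutls 7.47.0-1ubuntu2.4
libicu55 55.1-7ubuntu0.2
xserver-xorg-core 2:1.18.4-0ubuntu0.7
xserver-xorg-core-hwe-16.04 2:1.19.3-1ubuntu1~16.04.3
wpasupplicant 2.4-0ubuntu6.2
hostapd 2.4-0ubuntu6.1
bash 4.3-14ubuntu1.2
"""


def _order(c: str) -> int:
    """dpkg's weight for one character: digits and end-of-string 0,
    ASCII letters their code, '~' below everything, other punctuation
    above the letters."""
    if c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp(): alternate a
    non-digit run (character by character via _order) and a digit run
    (numerically, leading zeros ignored) until they differ."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:   # a has more digits: larger number
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' present: rpartition left everything in revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_query(output: str) -> Dict[str, str]:
    """Parse '<package> <version>' lines into a dict; malformed lines are skipped."""
    pairs = (line.split() for line in output.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}


def find_outdated(dpkg_output: str, fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed, fixed)} for every installed package that
    is still below the version the notices name.  Packages that are not
    installed are skipped: nothing to patch, but nothing exposed either."""
    installed = parse_dpkg_query(dpkg_output)
    return {pkg: (ver, fixed[pkg]) for pkg, ver in installed.items()
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0}


if __name__ == "__main__":
    for pkg, (have, need) in sorted(find_outdated(SAMPLE_DPKG_QUERY, FIXED_16_04).items()):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On a real 16.04 host, replace `SAMPLE_DPKG_QUERY` with the live output of the `dpkg-query` command shown in the comment; on another release, swap in that release's column from the notices. Where `dpkg` itself is available, `dpkg --compare-versions` gives the same ordering and can be used to cross-check `compare_versions`.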

References

CVE-2016-4476, CVE-2016-4477, CVE-2017-13077, CVE-2017-13078,
CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
