Category Archives: Ubuntu

Ubuntu

USN-3493-1: Exim vulnerability

Ubuntu Security Notice USN-3493-1

27th November, 2017

exim4 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04

Summary

Exim could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • exim4
    – Exim is a mail transport agent

Details

It was discovered that Exim incorrectly handled memory in the ESMTP
CHUNKING extension. A remote attacker could use this issue to cause Exim to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce the
vulnerability to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
exim4-daemon-heavy

4.89-5ubuntu1.1
exim4-daemon-light

4.89-5ubuntu1.1
Ubuntu 17.04:
exim4-daemon-heavy

4.88-5ubuntu1.2
exim4-daemon-light

4.88-5ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-16943

Read More

USN-3477-2: Firefox regression

Ubuntu Security Notice USN-3477-2

27th November, 2017

firefox regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3477-1 caused a regression in Firefox.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search
suggestions to not be displayed when performing Google searches from the
search bar. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar
would be executed instead of being blocked in some circumstances. If a
user were tricked in to copying a specially crafted URL in to the
addressbar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked in to adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
firefox

57.0+build4-0ubuntu0.17.10.6
Ubuntu 17.04:
firefox

57.0+build4-0ubuntu0.17.04.6
Ubuntu 16.04 LTS:
firefox

57.0+build4-0ubuntu0.16.04.6
Ubuntu 14.04 LTS:
firefox

57.0+build4-0ubuntu0.14.04.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1733970

Read More

USN-3476-2: postgresql-common vulnerabilities

Ubuntu Security Notice USN-3476-2

27th November, 2017

postgresql-common vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

postgresql-common could be made to overwrite files as the administrator.

Software description

  • postgresql-common
    – PostgreSQL database-cluster manager

Details

USN-3476-1 fixed two vulnerabilities in postgresql-common. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Dawid Golunski discovered that the postgresql-common pg_ctlcluster script
incorrectly handled symlinks. A local attacker could possibly use this
issue to escalate privileges. (CVE-2016-1255)

It was discovered that the postgresql-common helper scripts incorrectly
handled symlinks. A local attacker could possibly use this issue to
escalate privileges. (CVE-2017-8806)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
postgresql-common

129ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1255,

CVE-2017-8806

Read More

USN-3495-1: OptiPNG vulnerability

Ubuntu Security Notice USN-3495-1

27th November, 2017

optipng vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

OptiPNG could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • optipng
    – advanced PNG (Portable Network Graphics) optimizer

Details

It was discovered that OptiPNG incorrectly handled memory. A remote
attacker could use this issue with a specially crafted image file to cause
OptiPNG to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
optipng

0.7.6-1ubuntu0.17.10.1
Ubuntu 17.04:
optipng

0.7.6-1ubuntu0.17.04.1
Ubuntu 16.04 LTS:
optipng

0.7.6-1ubuntu0.16.04.1
Ubuntu 14.04 LTS:
optipng

0.6.4-1ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000229

Read More

USN-3494-1: XML::LibXML vulnerability

Ubuntu Security Notice USN-3494-1

27th November, 2017

libxml-libxml-perl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

XML::LibXML could be made to crash or run programs if it processed
specially crafted input.

Software description

  • libxml-libxml-perl
    – Perl interface to the libxml2 library

Details

It was discovered that XML::LibXML incorrectly handled memory when
processing a replaceChild call. A remote attacker could possibly use this
issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
libxml-libxml-perl

2.0128+dfsg-3ubuntu0.1
Ubuntu 17.04:
libxml-libxml-perl

2.0128+dfsg-1ubuntu0.1
Ubuntu 16.04 LTS:
libxml-libxml-perl

2.0123+dfsg-1ubuntu0.1
Ubuntu 14.04 LTS:
libxml-libxml-perl

2.0108+dfsg-1ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10672

Read More