Category Archives: Ubuntu

USN-3231-1: Pidgin vulnerability

Ubuntu Security Notice USN-3231-1

14th March, 2017

pidgin vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pidgin could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • pidgin
    – graphical multi-protocol instant messaging client for X

Details

Joseph Bisch discovered that Pidgin incorrectly handled certain XML
messages. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  libpurple0                      1:2.10.9-0ubuntu3.4
Ubuntu 12.04 LTS:
  libpurple0                      1:2.10.3-0ubuntu1.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References

CVE-2017-2640

USN-3230-1: Pillow vulnerabilities

Ubuntu Security Notice USN-3230-1

13th March, 2017

pillow vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Pillow.

Software description

  • pillow
    – Python Imaging Library

Details

It was discovered that Pillow incorrectly handled certain compressed text
chunks in PNG images. A remote attacker could possibly use this issue to
cause Pillow to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2014-9601)

Cris Neckar discovered that Pillow incorrectly handled certain malformed
images. A remote attacker could use this issue to cause Pillow to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2016-9189)

Cris Neckar discovered that Pillow incorrectly handled certain malformed
images. A remote attacker could use this issue to cause Pillow to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9190)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  python-imaging                  3.3.1-1ubuntu0.1
  python3-pil                     3.3.1-1ubuntu0.1
  python-pil                      3.3.1-1ubuntu0.1
Ubuntu 16.04 LTS:
  python-imaging                  3.1.2-0ubuntu1.1
  python3-pil                     3.1.2-0ubuntu1.1
  python-pil                      3.1.2-0ubuntu1.1
Ubuntu 14.04 LTS:
  python-imaging                  2.3.0-1ubuntu3.4
  python3-pil                     2.3.0-1ubuntu3.4
  python-pil                      2.3.0-1ubuntu3.4
  python3-imaging                 2.3.0-1ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9601, CVE-2016-9189, CVE-2016-9190

USN-3229-1: Python Imaging Library vulnerabilities

Ubuntu Security Notice USN-3229-1

13th March, 2017

python-imaging vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the Python Imaging Library.

Software description

  • python-imaging
    – Python Imaging Library

Details

It was discovered that the Python Imaging Library incorrectly handled
certain compressed text chunks in PNG images. A remote attacker could
possibly use this issue to cause the Python Imaging Library to crash,
resulting in a denial of service. (CVE-2014-9601)

Cris Neckar discovered that the Python Imaging Library incorrectly handled
certain malformed images. A remote attacker could use this issue to cause
the Python Imaging Library to crash, resulting in a denial of service, or
possibly obtain sensitive information. (CVE-2016-9189)

Cris Neckar discovered that the Python Imaging Library incorrectly handled
certain malformed images. A remote attacker could use this issue to cause
the Python Imaging Library to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-9190)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  python-imaging                  1.1.7-4ubuntu0.12.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9601, CVE-2016-9189, CVE-2016-9190

USN-3224-1: LXC vulnerability

Ubuntu Security Notice USN-3224-1

9th March, 2017

lxc vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

LXC could be made to create arbitrary virtual network interfaces as an
administrator.

Software description

  • lxc
    – Linux Containers userspace tools

Details

Jann Horn discovered that LXC incorrectly verified permissions when creating
virtual network interfaces. A local attacker could possibly use this issue to
create virtual network interfaces in network namespaces that they do not own.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  lxc-common                      2.0.7-0ubuntu1~16.10.2
Ubuntu 16.04 LTS:
  lxc-common                      2.0.7-0ubuntu1~16.04.2
Ubuntu 14.04 LTS:
  lxc                             1.0.9-0ubuntu3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-5985

USN-3225-1: libarchive vulnerabilities

Ubuntu Security Notice USN-3225-1

9th March, 2017

libarchive vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libarchive could be made to crash, overwrite files, or run programs as your
login if it opened a specially crafted file.

Software description

  • libarchive
    – Library to read/write archive files

Details

It was discovered that libarchive incorrectly handled hardlink entries when
extracting archives. A remote attacker could possibly use this issue to
overwrite arbitrary files. (CVE-2016-5418)

Christian Wressnegger, Alwin Maier, and Fabian Yamaguchi discovered that
libarchive incorrectly handled filename lengths when writing ISO9660
archives. A remote attacker could use this issue to cause libarchive to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6250)

Alexander Cherepanov discovered that libarchive incorrectly handled
recursive decompressions. A remote attacker could possibly use this issue
to cause libarchive to hang, resulting in a denial of service. This issue
only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-7166)

It was discovered that libarchive incorrectly handled non-printable
multibyte characters in filenames. A remote attacker could possibly use
this issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8687)

It was discovered that libarchive incorrectly handled line sizes when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2016-8688)

It was discovered that libarchive incorrectly handled multiple EmptyStream
attributes when extracting certain 7zip archives. A remote attacker could
possibly use this issue to cause libarchive to crash, resulting in a denial
of service. (CVE-2016-8689)

Jakub Jirasek discovered that libarchive incorrectly handled memory when
extracting certain archives. A remote attacker could possibly use this
issue to cause libarchive to crash, resulting in a denial of service.
(CVE-2017-5601)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  libarchive13                    3.2.1-2ubuntu0.1
Ubuntu 16.04 LTS:
  libarchive13                    3.1.2-11ubuntu0.16.04.3
Ubuntu 14.04 LTS:
  libarchive13                    3.1.2-7ubuntu2.4
Ubuntu 12.04 LTS:
  libarchive12                    3.0.3-6ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5418, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688,
CVE-2016-8689, CVE-2017-5601

USN-3220-3: Linux kernel (AWS) vulnerability

Ubuntu Security Notice USN-3220-3

8th March, 2017

linux-aws vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

Details

USN-3220-1 fixed a vulnerability in the Linux kernel. This update
provides the corresponding updates for the Linux kernel for Amazon
Web Services (AWS).

Alexander Popov discovered that the N_HDLC line discipline implementation
in the Linux kernel contained a double-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  linux-image-4.4.0-1007-aws      4.4.0-1007.16
  linux-image-aws                 4.4.0.1007.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-2636

USN-3223-1: KDE-Libs vulnerability

Ubuntu Security Notice USN-3223-1

9th March, 2017

kde4libs vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

KDE-Libs could be made to expose sensitive information over the network.

Software description

  • kde4libs
    – KDE 4 core applications and libraries

Details

Itzik Kotler, Yonatan Fridburg, and Amit Klein discovered that KDE-Libs
incorrectly handled certain PAC files. A remote attacker could possibly use
this issue to obtain sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  kdelibs5-plugins                4:4.13.3-0ubuntu0.4
Ubuntu 12.04 LTS:
  kdelibs5-plugins                4:4.8.5-0ubuntu0.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.
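Every notice above names the package version that carries the fix, and whether an installed package is at or above it follows dpkg's version ordering: the epoch prefix ("1:" in the pidgin and kde4libs rows) outranks the upstream number, and a tilde suffix ("~16.04.2" in the lxc rows) sorts below the same version without it. The following Python port of that ordering is an added example, not Ubuntu's or dpkg's own code, for checking a version string read from `dpkg-query` against the versions listed in these notices.

```python
# Added example (not Ubuntu's or dpkg's own code): a Python port of dpkg's version ordering.
def _order(s, i):
    # dpkg character weight: end-of-string and digits are 0, '~' sorts before
    # everything (even end-of-string), letters before all other symbols.
    if i >= len(s) or s[i].isdigit():
        return 0
    return -1 if s[i] == "~" else ord(s[i]) if s[i].isalpha() else ord(s[i]) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a, i), _order(b, j)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    # "epoch:upstream-revision"; epoch defaults to 0, revision to "".
    epoch, upstream = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = upstream.rpartition("-") if "-" in upstream else (upstream, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`.
    for x, y in zip(parse_version(a), parse_version(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

def is_fixed(installed, fixed):
    # True when the installed version string already carries the notice's fix.
    return compare_versions(installed, fixed) >= 0
```

Read the installed version with `dpkg-query -W -f '${Version}' libarchive13` and pass it as `installed`, with the version from the matching row above as `fixed`.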

References

CVE-2017-6410