Category Archives: Ubuntu

Ubuntu

USN-3201-1: Bind vulnerabilities

Ubuntu Security Notice USN-3201-1

16th February, 2017

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

  • bind9
    – Internet Domain Name Server

Details

It was discovered that Bind incorrectly handled rewriting certain query
responses when using both DNS64 and RPZ. A remote attacker could possibly
use this issue to cause Bind to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
bind9

1:9.10.3.dfsg.P4-10.1ubuntu1.3
Ubuntu 16.04 LTS:
bind9

1:9.10.3.dfsg.P4-8ubuntu1.5
Ubuntu 14.04 LTS:
bind9

1:9.9.5.dfsg-3ubuntu0.13
Ubuntu 12.04 LTS:
bind9

1:9.8.1.dfsg.P1-4ubuntu0.21

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-3135

Read More

USN-3200-1: WebKitGTK+ vulnerabilities

Ubuntu Security Notice USN-3200-1

16th February, 2017

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

  • webkit2gtk
    – Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libwebkit2gtk-4.0-37

2.14.5-0ubuntu0.16.10.1
libjavascriptcoregtk-4.0-18

2.14.5-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libwebkit2gtk-4.0-37

2.14.5-0ubuntu0.16.04.1
libjavascriptcoregtk-4.0-18

2.14.5-0ubuntu0.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

CVE-2017-2350,

CVE-2017-2354,

CVE-2017-2355,

CVE-2017-2356,

CVE-2017-2362,

CVE-2017-2363,

CVE-2017-2364,

CVE-2017-2365,

CVE-2017-2366,

CVE-2017-2369,

CVE-2017-2371,

CVE-2017-2373

Read More

USN-3199-1: Python Crypto vulnerability

Ubuntu Security Notice USN-3199-1

16th February, 2017

Python Crypto vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Programs using the Python Cryptography Toolkit could be made to crash or run
programs if they receive specially crafted network traffic or other input.

Software description

  • python-crypto
    – cryptographic algorithms and protocols for Python

Details

It was discovered that the ALGnew function in block_templace.c in the Python
Cryptography Toolkit contained a heap-based buffer overflow vulnerability.
A remote attacker could use this flaw to execute arbitrary code by using
a crafted initialization vector parameter.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
python3-crypto

2.6.1-6ubuntu0.16.10.2
python-crypto

2.6.1-6ubuntu0.16.10.2
Ubuntu 16.04 LTS:
python3-crypto

2.6.1-6ubuntu0.16.04.1
python-crypto

2.6.1-6ubuntu0.16.04.1
Ubuntu 14.04 LTS:
python3-crypto

2.6.1-4ubuntu0.1
python-crypto

2.6.1-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7459

Read More

USN-3198-1: OpenJDK 6 vulnerabilities

Ubuntu Security Notice USN-3198-1

15th February, 2017

openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

  • openjdk-6
    – Open Source Java implementation

Details

Karthik Bhargavan and Gaetan Leurent discovered that the DES and
Triple DES ciphers were vulnerable to birthday attacks. A remote
attacker could possibly use this flaw to obtain clear text data from
long encrypted sessions. This update moves those algorithms to the
legacy algorithm set and causes them to be used only if no non-legacy
algorithms can be negotiated. (CVE-2016-2183)

It was discovered that OpenJDK accepted ECSDA signatures using
non-canonical DER encoding. An attacker could use this to modify or
expose sensitive data. (CVE-2016-5546)

It was discovered that covert timing channel vulnerabilities existed
in the DSA implementations in OpenJDK. A remote attacker could use
this to expose sensitive information. (CVE-2016-5548)

It was discovered that the URLStreamHandler class in OpenJDK did not
properly parse user information from a URL. A remote attacker could
use this to expose sensitive information. (CVE-2016-5552)

It was discovered that the URLClassLoader class in OpenJDK did not
properly check access control context when downloading class files. A
remote attacker could use this to expose sensitive information.
(CVE-2017-3231)

It was discovered that the Remote Method Invocation (RMI)
implementation in OpenJDK performed deserialization of untrusted
inputs. A remote attacker could use this to execute arbitrary
code. (CVE-2017-3241)

It was discovered that the Java Authentication and Authorization
Service (JAAS) component of OpenJDK did not properly perform user
search LDAP queries. An attacker could use a specially constructed
LDAP entry to expose or modify sensitive information. (CVE-2017-3252)

It was discovered that the PNGImageReader class in OpenJDK did not
properly handle iTXt and zTXt chunks. An attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-3253)

It was discovered that integer overflows existed in the
SocketInputStream and SocketOutputStream classes of OpenJDK. An
attacker could use this to expose sensitive information.
(CVE-2017-3261)

It was discovered that the atomic field updaters in the
java.util.concurrent.atomic package in OpenJDK did not properly
restrict access to protected field members. An attacker could use
this to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3272)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
icedtea-6-jre-cacao

6b41-1.13.13-0ubuntu0.12.04.1
icedtea-6-jre-jamvm

6b41-1.13.13-0ubuntu0.12.04.1
openjdk-6-jdk

6b41-1.13.13-0ubuntu0.12.04.1
openjdk-6-jre

6b41-1.13.13-0ubuntu0.12.04.1
openjdk-6-jre-headless

6b41-1.13.13-0ubuntu0.12.04.1
openjdk-6-jre-zero

6b41-1.13.13-0ubuntu0.12.04.1
openjdk-6-jre-lib

6b41-1.13.13-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2016-2183,

CVE-2016-5546,

CVE-2016-5548,

CVE-2016-5552,

CVE-2017-3231,

CVE-2017-3241,

CVE-2017-3252,

CVE-2017-3253,

CVE-2017-3261,

CVE-2017-3272

Read More

USN-3197-1: libgc vulnerability

Ubuntu Security Notice USN-3197-1

15th February, 2017

libgc vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Applications using libgc could be made to crash or run programs as
your login.

Software description

  • libgc
    – Boehm-Demers-Weiser garbage collecting storage allocator library

Details

Kuang-che Wu discovered that multiple integer overflow vulnerabilities
existed in libgc. An attacker could use these to cause a denial of
service (application crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
libgc1c2

1:7.4.2-8ubuntu0.1
Ubuntu 16.04 LTS:
libgc1c2

1:7.4.2-7.3ubuntu0.1
Ubuntu 14.04 LTS:
libgc1c2

1:7.2d-5ubuntu2.1
Ubuntu 12.04 LTS:
libgc1c2

1:7.1-8ubuntu0.12.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
libgc to make all the necessary changes.

References

CVE-2016-9427

Read More

USN-3196-1: PHP vulnerabilities

Ubuntu Security Notice USN-3196-1

14th February, 2017

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain arguments to the
locale_get_display_name function. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-9912)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
hang, resulting in a denial of service. (CVE-2016-7478)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service. (CVE-2016-9934)

It was discovered that PHP incorrectly handled unserializing certain
wddxPacket XML documents. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain EXIF data. A remote
attacker could use this issue to cause PHP to crash, resulting in a denial
of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or consume
resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when
unserializing data. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2016-10161)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
php5-cli

5.5.9+dfsg-1ubuntu4.21
php5-cgi

5.5.9+dfsg-1ubuntu4.21
libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.21
php5-fpm

5.5.9+dfsg-1ubuntu4.21
Ubuntu 12.04 LTS:
php5-cli

5.3.10-1ubuntu3.26
php5-cgi

5.3.10-1ubuntu3.26
libapache2-mod-php5

5.3.10-1ubuntu3.26
php5-fpm

5.3.10-1ubuntu3.26

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9912,

CVE-2016-10158,

CVE-2016-10159,

CVE-2016-10160,

CVE-2016-10161,

CVE-2016-7478,

CVE-2016-7479,

CVE-2016-9137,

CVE-2016-9934,

CVE-2016-9935

Read More

USN-3195-1: Nova-LXD vulnerability

Ubuntu Security Notice USN-3195-1

9th February, 2017

nova-lxd vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Nova-LXD could allow unintended access to LXD instances over the network.

Software description

  • nova-lxd
    – Openstack Compute – LXD container hypervisor support

Details

James Page discovered that Nova-LXD incorrectly set up virtual network devices
when creating LXD instances. This could result in an unintended firewall
configuration.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
python-nova-lxd

13.2.0-0ubuntu1.16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes for
new instances. However, existing instances will still be affected and must be
manually updated.

References

CVE-2017-5936,

LP: 1656847

Read More