USN-2848-1: Linux kernel vulnerabilities

Unix Server, 00.00.0000 at 00:00 | Source: ubuntu.com

Ubuntu Security Notice USN-2848-1

19th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Felix Wilhelm discovered a race condition in the Xen paravirtualized
drivers which can cause double fetch vulnerabilities. An attacker in the
paravirtualized guest could exploit this flaw to cause a denial of service
(crash the host) or potentially execute arbitrary code on the host.
(CVE-2015-8550)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service (NULL dereference) on the host.
(CVE-2015-8551)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service by flooding the logging system with
WARN() messages causing the initial domain to exhaust disk space.
(CVE-2015-8552)

Jann Horn discovered a ptrace issue with user namespaces in the Linux
kernel. The namespace owner could potentially exploit this flaw by ptracing
a root owned process entering the user namespace to elevate its privileges
and potentially gain access outside of the namespace.
(http://bugs.launchpad.net/bugs/1527374)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-74-powerpc64-emb 3.13.0-74.118
linux-image-3.13.0-74-lowlatency 3.13.0-74.118
linux-image-3.13.0-74-generic 3.13.0-74.118
linux-image-3.13.0-74-generic-lpae 3.13.0-74.118
linux-image-3.13.0-74-powerpc-e500mc 3.13.0-74.118
linux-image-3.13.0-74-powerpc-e500 3.13.0-74.118
linux-image-3.13.0-74-powerpc64-smp 3.13.0-74.118
linux-image-3.13.0-74-powerpc-smp 3.13.0-74.118

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-8550, CVE-2015-8551, CVE-2015-8552, CVE-2015-NNN2


USN-2939-1: LibTIFF vulnerabilities

Ubuntu Security Notice USN-2939-1

23rd March, 2016

tiff vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.

Software description

  • tiff - Tag Image File Format (TIFF) library

Details

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libtiff5 4.0.3-12.3ubuntu2.1
Ubuntu 14.04 LTS:
libtiff5 4.0.3-7ubuntu0.4
Ubuntu 12.04 LTS:
libtiff4 3.9.5-2ubuntu1.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8665, CVE-2015-8683, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2015-8784


USN-2989-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2989-1

1st June, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux
kernel incorrectly enables scatter/gather I/O. A remote attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-2117)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB
over wifi device drivers in the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2015-4004)

Andy Lutomirski discovered a race condition in the Linux kernel's
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver
in the Linux kernel did not cancel work events queued if a later error
occurred, resulting in a use-after-free. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle
propagated mounts correctly. A local unprivileged attacker could use this
to cause a denial of service (system crash). (CVE-2016-4581)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-87-powerpc-e500 3.13.0-87.133
linux-image-3.13.0-87-generic 3.13.0-87.133
linux-image-3.13.0-87-powerpc-smp 3.13.0-87.133
linux-image-3.13.0-87-powerpc-e500mc 3.13.0-87.133
linux-image-3.13.0-87-lowlatency 3.13.0-87.133
linux-image-3.13.0-87-generic-lpae 3.13.0-87.133
linux-image-3.13.0-87-powerpc64-smp 3.13.0-87.133
linux-image-3.13.0-87-powerpc64-emb 3.13.0-87.133

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-4004, CVE-2016-2069, CVE-2016-2117, CVE-2016-2187, CVE-2016-3672, CVE-2016-3951, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486, CVE-2016-4581


USN-2847-1: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2847-1

19th December, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty

Details

Felix Wilhelm discovered a race condition in the Xen paravirtualized
drivers which can cause double fetch vulnerabilities. An attacker in the
paravirtualized guest could exploit this flaw to cause a denial of service
(crash the host) or potentially execute arbitrary code on the host.
(CVE-2015-8550)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service (NULL dereference) on the host.
(CVE-2015-8551)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service by flooding the logging system with
WARN() messages causing the initial domain to exhaust disk space.
(CVE-2015-8552)

Jann Horn discovered a ptrace issue with user namespaces in the Linux
kernel. The namespace owner could potentially exploit this flaw by ptracing
a root owned process entering the user namespace to elevate its privileges
and potentially gain access outside of the namespace.
(http://bugs.launchpad.net/bugs/1527374)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-74-generic 3.13.0-74.118~precise1
linux-image-3.13.0-74-generic-lpae 3.13.0-74.118~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-8550, CVE-2015-8551, CVE-2015-8552, CVE-2015-NNN2


USN-2846-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2846-1

19th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Felix Wilhelm discovered a race condition in the Xen paravirtualized
drivers which can cause double fetch vulnerabilities. An attacker in the
paravirtualized guest could exploit this flaw to cause a denial of service
(crash the host) or potentially execute arbitrary code on the host.
(CVE-2015-8550)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service (NULL dereference) on the host.
(CVE-2015-8551)

Konrad Rzeszutek Wilk discovered the Xen PCI backend driver does not
perform sanity checks on the device's state. An attacker could exploit this
flaw to cause a denial of service by flooding the logging system with
WARN() messages causing the initial domain to exhaust disk space.
(CVE-2015-8552)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-97-highbank 3.2.0-97.137
linux-image-3.2.0-97-omap 3.2.0-97.137
linux-image-3.2.0-97-generic-pae 3.2.0-97.137
linux-image-3.2.0-97-powerpc64-smp 3.2.0-97.137
linux-image-3.2.0-97-virtual 3.2.0-97.137
linux-image-3.2.0-97-generic 3.2.0-97.137
linux-image-3.2.0-97-powerpc-smp 3.2.0-97.137

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-8550, CVE-2015-8551, CVE-2015-8552


USN-2845-1: SoS vulnerabilities

Ubuntu Security Notice USN-2845-1

17th December, 2015

sosreport vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

sosreport could be made to expose sensitive information or overwrite files as the administrator.

Software description

  • sosreport - Set of tools to gather troubleshooting data from a system

Details

Dolev Farhi discovered an information disclosure issue in SoS. If the
/etc/fstab file contained passwords, the passwords were included in the
SoS report. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-3925)

Mateusz Guzik discovered that SoS incorrectly handled temporary files. A
local attacker could possibly use this issue to overwrite arbitrary files
or gain access to temporary file contents containing sensitive system
information. (CVE-2015-7529)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
sosreport 3.2-2ubuntu1.1
Ubuntu 15.04:
sosreport 3.2-2ubuntu0.1
Ubuntu 14.04 LTS:
sosreport 3.1-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3925, CVE-2015-7529


USN-2840-2: Linux kernel (OMAP4) vulnerability

Ubuntu Security Notice USN-2840-2

17th December, 2015

linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-ti-omap4 - Linux kernel for OMAP4

Details

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1475-omap4 3.2.0-1475.97

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7872


USN-2942-1: OpenJDK 7 vulnerability

Ubuntu Security Notice USN-2942-1

24th March, 2016

openjdk-7 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

OpenJDK could be made to crash or run programs as your login if it received specially crafted input.

Software description

  • openjdk-7 - Open Source Java implementation

Details

A vulnerability was discovered in the JRE related to information
disclosure, data integrity, and availability. An attacker could exploit
these to cause a denial of service, expose sensitive data over the network,
or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
openjdk-7-jre-lib 7u95-2.6.4-0ubuntu0.15.10.2
openjdk-7-jre-zero 7u95-2.6.4-0ubuntu0.15.10.2
icedtea-7-jre-jamvm 7u95-2.6.4-0ubuntu0.15.10.2
openjdk-7-jre-headless 7u95-2.6.4-0ubuntu0.15.10.2
openjdk-7-jre 7u95-2.6.4-0ubuntu0.15.10.2
Ubuntu 14.04 LTS:
openjdk-7-jre-zero 7u95-2.6.4-0ubuntu0.14.04.2
icedtea-7-jre-jamvm 7u95-2.6.4-0ubuntu0.14.04.2
openjdk-7-jre-lib 7u95-2.6.4-0ubuntu0.14.04.2
openjdk-7-jdk 7u95-2.6.4-0ubuntu0.14.04.2
openjdk-7-jre-headless 7u95-2.6.4-0ubuntu0.14.04.2
openjdk-7-jre 7u95-2.6.4-0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

CVE-2016-0636


USN-2945-1: XChat-GNOME vulnerability

Ubuntu Security Notice USN-2945-1

4th April, 2016

xchat-gnome vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

XChat-GNOME could be made to expose sensitive information over the network.

Software description

  • xchat-gnome - simple and featureful IRC client for GNOME

Details

It was discovered that XChat-GNOME incorrectly verified the hostname in an
SSL certificate. An attacker could trick XChat-GNOME into trusting a rogue
server's certificate, which was signed by a trusted certificate authority,
to perform a man-in-the-middle attack.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
xchat-gnome 1:0.30.0~git20141005.816798-0ubuntu6.2
Ubuntu 14.04 LTS:
xchat-gnome 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2
Ubuntu 12.04 LTS:
xchat-gnome 1:0.30.0~git20110821.e2a400-0.2ubuntu4.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart XChat-GNOME to make
all the necessary changes.

References

LP: 1565000


USN-2950-2: libsoup update

Ubuntu Security Notice USN-2950-2

27th April, 2016

libsoup2.4 update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

This update fixes libsoup NTLM authentication.

Software description

  • libsoup2.4 - HTTP client/server library for GNOME

Details

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages
introduced a compatibility issue with NTLM authentication in libsoup. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to perform
a denial of service, downgrade secure connections by performing a man in
the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple flaws in the
NTLMSSP authentication implementation. A remote attacker could use this
issue to downgrade connections to plain text by performing a man in the
middle attack. (CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller would establish a
secure connection to a server with a spoofed computer name. A remote
attacker could use this issue to obtain sensitive information.
(CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP implementation did not
enforce integrity protection. A remote attacker could use this issue to
hijack LDAP connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS certificates.
A remote attacker could use this issue to spoof a Samba server.
(CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB signing even if
configured to. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable integrity protection
for IPC traffic. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and
MS-LSAD protocols. A remote attacker could use this flaw with a man in the
middle attack to impersonate users and obtain sensitive information from
the Security Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10.
Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes. Configuration changes may
be required in certain environments.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
libsoup2.4-1 2.52.2-1ubuntu0.1
Ubuntu 15.10:
libsoup2.4-1 2.50.0-2ubuntu0.1
Ubuntu 14.04 LTS:
libsoup2.4-1 2.44.2-1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1573494


USN-2843-3: Linux kernel (Raspberry Pi 2) vulnerabilities

Ubuntu Security Notice USN-2843-3

17th December, 2015

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

It was discovered that the virtual video osd test driver in the Linux
kernel did not properly initialize data structures. A local attacker could
use this to obtain sensitive information from the kernel. (CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
linux-image-4.2.0-1016-raspi2 4.2.0-1016.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7872, CVE-2015-7884, CVE-2015-7885


USN-2944-1: Libav vulnerabilities

Ubuntu Security Notice USN-2944-1

4th April, 2016

libav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a specially crafted file.

Software description

  • libav - Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libavformat53 4:0.8.17-0ubuntu0.12.04.2
libavcodec53 4:0.8.17-0ubuntu0.12.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8541, CVE-2015-1872, CVE-2015-3395, CVE-2015-5479, CVE-2015-6818, CVE-2015-6820, CVE-2015-6824, CVE-2015-6826, CVE-2015-8364, CVE-2015-8365, CVE-2016-1897, CVE-2016-1898, CVE-2016-2326, CVE-2016-2330


USN-2952-2: PHP regression

Ubuntu Security Notice USN-2952-2

27th April, 2016

php5 regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10

Summary

USN-2952-1 caused a regression in PHP.

Software description

  • php5 - HTML-embedded scripting language interpreter

Details

USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches
caused a regression in the PHP Soap client. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that the PHP Zip extension incorrectly handled
directories when processing certain zip files. A remote attacker could
possibly use this issue to create arbitrary directories. (CVE-2014-9767)

It was discovered that the PHP Soap client incorrectly validated data
types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-8835, CVE-2016-3185)

It was discovered that the PHP MySQL native driver incorrectly handled TLS
connections to MySQL databases. A man in the middle attacker could possibly
use this issue to downgrade and snoop on TLS connections. This
vulnerability is known as BACKRONYM. (CVE-2015-8838)

It was discovered that PHP incorrectly handled the imagerotate function. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly obtain sensitive information. This issue
only applied to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-1903)

Hans Jerry Illikainen discovered that the PHP phar extension incorrectly
handled certain tar archives. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-2554)

It was discovered that the PHP WDDX extension incorrectly handled certain
malformed XML data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-3141)

It was discovered that the PHP phar extension incorrectly handled certain
zip files. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2016-3142)

It was discovered that the PHP libxml_disable_entity_loader() setting was
shared between threads. When running under PHP-FPM, this could result in
XML external entity injection and entity expansion issues. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (No CVE number)

It was discovered that the PHP openssl_random_pseudo_bytes() function did
not return cryptographically strong pseudo-random bytes. (No CVE number)

It was discovered that the PHP Fileinfo component incorrectly handled
certain magic files. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE number pending)

It was discovered that the PHP php_snmp_error() function incorrectly
handled string formatting. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only applied to Ubuntu 14.04 LTS and Ubuntu
15.10. (CVE number pending)

It was discovered that the PHP rawurlencode() function incorrectly handled
large strings. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service. (CVE number pending)

It was discovered that the PHP phar extension incorrectly handled certain
filenames in archives. A remote attacker could use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE number pending)

It was discovered that the PHP mb_strcut() function incorrectly handled
string formatting. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE number pending)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
php5-cli 5.6.11+dfsg-1ubuntu3.3
php5-cgi 5.6.11+dfsg-1ubuntu3.3
php5-snmp 5.6.11+dfsg-1ubuntu3.3
php5-mysqlnd 5.6.11+dfsg-1ubuntu3.3
php5-gd 5.6.11+dfsg-1ubuntu3.3
libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.3
php5-fpm 5.6.11+dfsg-1ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1575298


USN-2843-2: Linux kernel (Wily HWE) vulnerabilities

Ubuntu Security Notice USN-2843-2

17th December, 2015

linux-lts-wily vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-wily - Linux hardware enablement kernel from Wily

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

It was discovered that the virtual video osd test driver in the Linux
kernel did not properly initialize data structures. A local attacker could
use this to obtain sensitive information from the kernel. (CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-4.2.0-21-powerpc64-emb 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-powerpc-smp 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-lowlatency 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-generic-lpae 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-generic 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-powerpc-e500mc 4.2.0-21.25~14.04.1
linux-image-4.2.0-21-powerpc64-smp 4.2.0-21.25~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7872, CVE-2015-7884, CVE-2015-7885, CVE-2015-8104


USN-2954-1: MySQL vulnerabilities

Ubuntu Security Notice USN-2954-1

25th April, 2016

mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

  • mysql-5.7 - MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.7.12 in Ubuntu 16.04 LTS.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-12.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.12-0ubuntu1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-0639, CVE-2016-0642, CVE-2016-0643, CVE-2016-0647, CVE-2016-0648, CVE-2016-0655, CVE-2016-0657, CVE-2016-0659, CVE-2016-0662, CVE-2016-0666, CVE-2016-0667, CVE-2016-2047


USN-2844-1: Linux kernel (Utopic HWE) vulnerabilities

Ubuntu Security Notice USN-2844-1

17th December, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-utopic - Linux hardware enablement kernel from Utopic

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-56-powerpc64-smp 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-powerpc64-emb 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-generic 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-powerpc-e500mc 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-lowlatency 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-powerpc-smp 3.16.0-56.75~14.04.1
linux-image-3.16.0-56-generic-lpae 3.16.0-56.75~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7885, CVE-2015-8104


USN-2961-1: Little CMS vulnerability

Ubuntu Security Notice USN-2961-1

4th May, 2016

lcms2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Applications using the Little CMS library could be made to crash or run programs as your login if it opened a specially crafted file.

Software description

  • lcms2 - Little CMS color management library

Details

It was discovered that a double free() could occur when the intent handling
code in the Little CMS library detected an error. An attacker could use
this to specially craft a file that caused an application using the Little
CMS library to crash or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
liblcms2-utils 2.5-0ubuntu4.1
liblcms2-2 2.5-0ubuntu4.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
Little CMS to make all the necessary changes.

References

CVE-2013-7455


USN-2843-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2843-1

17th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

It was discovered that the virtual video osd test driver in the Linux
kernel did not properly initialize data structures. A local attacker could
use this to obtain sensitive information from the kernel. (CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
linux-image-4.2.0-21-powerpc64-emb 4.2.0-21.25
linux-image-4.2.0-21-powerpc-smp 4.2.0-21.25
linux-image-4.2.0-21-lowlatency 4.2.0-21.25
linux-image-4.2.0-21-generic-lpae 4.2.0-21.25
linux-image-4.2.0-21-generic 4.2.0-21.25
linux-image-4.2.0-21-powerpc-e500mc 4.2.0-21.25
linux-image-4.2.0-21-powerpc64-smp 4.2.0-21.25

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7872, CVE-2015-7884, CVE-2015-7885, CVE-2015-8104


USN-2959-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2959-1

3rd May, 2016

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL
incorrectly handled memory when decoding ASN.1 structures. A remote
attacker could use this issue to cause OpenSSL to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-2108)

Juraj Somorovsky discovered that OpenSSL incorrectly performed padding when
the connection uses the AES CBC cipher and the server supports AES-NI. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. (CVE-2016-2107)

Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncodeUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2105)

Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncryptUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2106)

Brian Carpenter discovered that OpenSSL incorrectly handled memory when
ASN.1 data is read from a BIO. A remote attacker could possibly use this
issue to cause memory consumption, resulting in a denial of service.
(CVE-2016-2109)

As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 1024 bits, preventing a possible downgrade
attack.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.1
Ubuntu 15.10:
libssl1.0.0 1.0.2d-0ubuntu1.5
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.19
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.36

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109


USN-2950-3: Samba regressions

Ubuntu Security Notice USN-2950-3

4th May, 2016

samba regressions

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-2950-1 introduced regressions in Samba.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-2950-1 fixed vulnerabilities in Samba. The fixes introduced in Samba
4.3.8 caused certain regressions and interoperability issues.

This update resolves some of these issues by updating to Samba 4.3.9 in
Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. Backported regression
fixes were added to Samba 3.6.25 in Ubuntu 12.04 LTS.

This advisory was inadvertently published as USN-2950-2 originally.

Original advisory details:

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to perform
a denial of service, downgrade secure connections by performing a man in
the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple flaws in the
NTLMSSP authentication implementation. A remote attacker could use this
issue to downgrade connections to plain text by performing a man in the
middle attack. (CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller would establish a
secure connection to a server with a spoofed computer name. A remote
attacker could use this issue to obtain sensitive information.
(CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP implementation did not
enforce integrity protection. A remote attacker could use this issue to
hijack LDAP connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS certificates.
A remote attacker could use this issue to spoof a Samba server.
(CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB signing even if
configured to. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable integrity protection
for IPC traffic. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and
MS-LSAD protocols. A remote attacker could use this flaw with a man in the
middle attack to impersonate users and obtain sensitive information from
the Security Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10.
Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes. Configuration changes may
be required in certain environments.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
samba 2:4.3.9+dfsg-0ubuntu0.16.04.1
Ubuntu 15.10:
samba 2:4.3.9+dfsg-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
samba 2:4.3.9+dfsg-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
samba 2:3.6.25-0ubuntu0.12.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1577739


USN-2842-2: Linux kernel (Vivid HWE) vulnerabilities

Ubuntu Security Notice USN-2842-2

17th December, 2015

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-vivid - Linux hardware enablement kernel from Vivid

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

It was discovered that the virtual video osd test driver in the Linux
kernel did not properly initialize data structures. A local attacker could
use this to obtain sensitive information from the kernel. (CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-41-powerpc64-emb 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-generic 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-powerpc64-smp 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-powerpc-e500mc 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-lowlatency 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-powerpc-smp 3.19.0-41.46~14.04.2
linux-image-3.19.0-41-generic-lpae 3.19.0-41.46~14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7884, CVE-2015-7885, CVE-2015-8104


USN-2842-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2842-1

17th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.04

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

It was discovered that the virtual video osd test driver in the Linux
kernel did not properly initialize data structures. A local attacker could
use this to obtain sensitive information from the kernel. (CVE-2015-7884)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.04:
linux-image-3.19.0-41-powerpc64-emb 3.19.0-41.46
linux-image-3.19.0-41-generic 3.19.0-41.46
linux-image-3.19.0-41-powerpc64-smp 3.19.0-41.46
linux-image-3.19.0-41-powerpc-e500mc 3.19.0-41.46
linux-image-3.19.0-41-lowlatency 3.19.0-41.46
linux-image-3.19.0-41-generic-lpae 3.19.0-41.46
linux-image-3.19.0-41-powerpc-smp 3.19.0-41.46

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7884, CVE-2015-7885, CVE-2015-8104


USN-2950-5: Samba regression

Ubuntu Security Notice USN-2950-5

25th May, 2016

samba regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

USN-2950-1 introduced a regression in Samba.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-2950-1 fixed vulnerabilities in Samba. USN-2950-3 updated Samba to
version 4.3.9, which introduced a regression when using the ntlm_auth tool.
This update fixes the problem.

Original advisory details:

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to perform
a denial of service, downgrade secure connections by performing a man in
the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple flaws in the
NTLMSSP authentication implementation. A remote attacker could use this
issue to downgrade connections to plain text by performing a man in the
middle attack. (CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller would establish a
secure connection to a server with a spoofed computer name. A remote
attacker could use this issue to obtain sensitive information.
(CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP implementation did not
enforce integrity protection. A remote attacker could use this issue to
hijack LDAP connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS certificates.
A remote attacker could use this issue to spoof a Samba server.
(CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB signing even if
configured to. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable integrity protection
for IPC traffic. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and
MS-LSAD protocols. A remote attacker could use this flaw with a man in the
middle attack to impersonate users and obtain sensitive information from
the Security Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10.
Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes. Configuration changes may
be required in certain environments.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
samba 2:4.3.9+dfsg-0ubuntu0.16.04.2
Ubuntu 15.10:
samba 2:4.3.9+dfsg-0ubuntu0.15.10.2
Ubuntu 14.04 LTS:
samba 2:4.3.9+dfsg-0ubuntu0.14.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1578576


USN-2841-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-2841-2

17th December, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-73-generic-lpae 3.13.0-73.116~precise1
linux-image-3.13.0-73-generic 3.13.0-73.116~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7885, CVE-2015-8104


USN-2841-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2841-1

17th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

郭永刚 discovered that the ppp implementation in the Linux kernel did
not ensure that certain slot numbers are valid. A local attacker with the
privilege to call ioctl() on /dev/ppp could cause a denial of service
(system crash). (CVE-2015-7799)

It was discovered that the driver for Digi Neo and ClassicBoard devices did
not properly initialize data structures. A local attacker could use this to
obtain sensitive information from the kernel. (CVE-2015-7885)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-73-powerpc-smp 3.13.0-73.116
linux-image-3.13.0-73-powerpc-e500 3.13.0-73.116
linux-image-3.13.0-73-powerpc64-smp 3.13.0-73.116
linux-image-3.13.0-73-powerpc64-emb 3.13.0-73.116
linux-image-3.13.0-73-powerpc-e500mc 3.13.0-73.116
linux-image-3.13.0-73-generic-lpae 3.13.0-73.116
linux-image-3.13.0-73-lowlatency 3.13.0-73.116
linux-image-3.13.0-73-generic 3.13.0-73.116

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7799, CVE-2015-7885, CVE-2015-8104


USN-2840-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2840-1

17th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Dmitry Vyukov discovered that the Linux kernel's keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

Jan Beulich discovered that the KVM svm hypervisor implementation in the
Linux kernel did not properly catch Debug exceptions on AMD processors. An
attacker in a guest virtual machine could use this to cause a denial of
service (system crash) in the host OS. (CVE-2015-8104)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-96-generic 3.2.0-96.136
linux-image-3.2.0-96-powerpc-smp 3.2.0-96.136
linux-image-3.2.0-96-virtual 3.2.0-96.136
linux-image-3.2.0-96-highbank 3.2.0-96.136
linux-image-3.2.0-96-omap 3.2.0-96.136
linux-image-3.2.0-96-generic-pae 3.2.0-96.136
linux-image-3.2.0-96-powerpc64-smp 3.2.0-96.136

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-7872, CVE-2015-8104


USN-2855-2: Samba regression

Ubuntu Security Notice USN-2855-2

16th February, 2016

samba regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-2855-1 introduced a regression in Samba.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for
CVE-2015-5252 introduced a regression in certain specific environments.
This update fixes the problem.

Original advisory details:

Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled
certain packets. A remote attacker could use this issue to cause the LDAP
server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-3223)

Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A
remote attacker could use this issue to access files outside the exported
share path. (CVE-2015-5252)

Stefan Metzmacher discovered that Samba did not enforce signing when
creating encrypted connections. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2015-5296)

It was discovered that Samba incorrectly performed access control when
using the VFS shadow_copy2 module. A remote attacker could use this issue
to access snapshots, contrary to intended permissions. (CVE-2015-5299)

Douglas Bagnall discovered that Samba incorrectly handled certain string
lengths. A remote attacker could use this issue to possibly access
sensitive information. (CVE-2015-5330)

It was discovered that the Samba LDAP server incorrectly handled certain
packets. A remote attacker could use this issue to cause the LDAP server to
stop responding, resulting in a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10. (CVE-2015-7540)

Andrew Bartlett discovered that Samba incorrectly checked administrative
privileges during creation of machine accounts. A remote attacker could
possibly use this issue to bypass intended access restrictions in certain
environments. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and
Ubuntu 15.10. (CVE-2015-8467)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
samba 2:4.1.17+dfsg-4ubuntu3.2
Ubuntu 14.04 LTS:
samba 2:4.1.6+dfsg-1ubuntu2.14.04.12
Ubuntu 12.04 LTS:
samba 2:3.6.3-2ubuntu2.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1545750


USN-2839-1: CUPS update

Ubuntu Security Notice USN-2839-1

16th December, 2015

cups update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

A security improvement has been made to CUPS.

Software description

  • cups - Common UNIX Printing System(tm)

Details

As a security improvement against the POODLE attack, this update disables
SSLv3 support in the CUPS web interface.

For legacy environments where SSLv3 support is still required, it can be
re-enabled by adding "SSLOptions AllowSSL3" to /etc/cups/cupsd.conf.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1505328


USN-2838-2: foomatic-filters vulnerability

Ubuntu Security Notice USN-2838-2

16th December, 2015

foomatic-filters vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

foomatic-filters could be made to run programs as the lp user if it processed a specially crafted print job.

Software description

  • foomatic-filters - OpenPrinting printer support - filters

Details

Adam Chester discovered that the foomatic-filters foomatic-rip filter
incorrectly stripped shell escape characters. A remote attacker could
possibly use this issue to execute arbitrary code as the lp user.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
foomatic-filters 4.0.16-0ubuntu0.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8560


USN-2838-1: cups-filters vulnerability

Ubuntu Security Notice USN-2838-1

16th December, 2015

cups-filters vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

cups-filters could be made to run programs as the lp user if it processed a specially crafted print job.

Software description

  • cups-filters - OpenPrinting CUPS Filters

Details

Adam Chester discovered that the cups-filters foomatic-rip filter
incorrectly stripped shell escape characters. A remote attacker could
possibly use this issue to execute arbitrary code as the lp user.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
cups-filters 1.0.76-1ubuntu0.2
Ubuntu 15.04:
cups-filters 1.0.67-0ubuntu2.6
Ubuntu 14.04 LTS:
cups-filters 1.0.52-0ubuntu1.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8560


USN-2903-2: NSS regression

Ubuntu Security Notice USN-2903-2

23rd February, 2016

nss regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

USN-2903-1 introduced a regression in NSS.

Software description

  • nss - Network Security Service library

Details

USN-2903-1 fixed a vulnerability in NSS. An incorrect package versioning
change in Ubuntu 12.04 LTS caused a regression when building software
against NSS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Hanno Böck discovered that NSS incorrectly handled certain division
functions, possibly leading to cryptographic weaknesses. (CVE-2016-1938)

This update also refreshes the NSS package to version 3.21 which includes
the latest CA certificate bundle, and removes the SPI CA.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libnss3-dev 2:3.21-0ubuntu0.12.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1547147

