Unix Server



USN-3268-1: QEMU vulnerabilities

Unix Server, 25.04.2017 at 12:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3268-1

25th April, 2017

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu - Machine emulator and virtualizer

Details

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
device. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-10028)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8667)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory
sharing. A privileged attacker inside the guest could use this issue to
access files on the host file system outside of the shared directory and
possibly escalate their privileges. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
device when being used with a VNC connection. A privileged attacker inside
the guest could use this issue to cause QEMU to crash, resulting in a
denial of service, or possibly execute arbitrary code on the host. In the
default installation, when QEMU is used with libvirt, attackers would be
isolated by the libvirt AppArmor profile. (CVE-2016-9603)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to leak
contents of host memory. (CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2016-9912, CVE-2017-5552,
CVE-2017-5578)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-9914)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
device emulation. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
qemu-system-misc 1:2.8+dfsg-3ubuntu2.1
qemu-system-s390x 1:2.8+dfsg-3ubuntu2.1
qemu-system 1:2.8+dfsg-3ubuntu2.1
qemu-system-aarch64 1:2.8+dfsg-3ubuntu2.1
qemu-system-x86 1:2.8+dfsg-3ubuntu2.1
qemu-system-sparc 1:2.8+dfsg-3ubuntu2.1
qemu-system-arm 1:2.8+dfsg-3ubuntu2.1
qemu-system-ppc 1:2.8+dfsg-3ubuntu2.1
qemu-system-mips 1:2.8+dfsg-3ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2016-10028, CVE-2016-8667, CVE-2016-9602, CVE-2016-9603, CVE-2016-9908, CVE-2016-9912, CVE-2016-9914, CVE-2017-5552, CVE-2017-5578, CVE-2017-5987, CVE-2017-6505



USN-3267-1: Samba vulnerability

Unix Server, 25.04.2017 at 12:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3267-1

25th April, 2017

samba vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04

Summary

Samba could be made to expose sensitive information over the network.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

Jann Horn discovered that Samba incorrectly handled symlinks. An
authenticated remote attacker could use this issue to access files on the
server outside of the exported directories.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
samba 2:4.5.8+dfsg-0ubuntu0.17.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2017-2619



USN-3264-2: Linux kernel (Trusty HWE) vulnerability

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3264-2

24th April, 2017

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise

Details

USN-3264-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-117-generic 3.13.0-117.164~precise1
linux-image-3.13.0-117-generic-lpae 3.13.0-117.164~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.117.108
linux-image-generic-lts-trusty 3.13.0.117.108

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5986



USN-3265-1: Linux kernel vulnerabilities

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3265-1

24th April, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon Processors

Details

It was discovered that a use-after-free flaw existed in the filesystem
encryption subsystem in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsystem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gke 4.4.0.1012.14
linux-image-powerpc-e500mc 4.4.0.75.81
linux-image-4.4.0-1057-snapdragon 4.4.0-1057.61
linux-image-4.4.0-1016-aws 4.4.0-1016.25
linux-image-powerpc-smp 4.4.0.75.81
linux-image-generic 4.4.0.75.81
linux-image-4.4.0-1012-gke 4.4.0-1012.12
linux-image-4.4.0-75-powerpc64-smp 4.4.0-75.96
linux-image-4.4.0-1054-raspi2 4.4.0-1054.61
linux-image-4.4.0-75-generic-lpae 4.4.0-75.96
linux-image-4.4.0-75-generic 4.4.0-75.96
linux-image-4.4.0-75-lowlatency 4.4.0-75.96
linux-image-powerpc64-smp 4.4.0.75.81
linux-image-4.4.0-75-powerpc-smp 4.4.0-75.96
linux-image-generic-lpae 4.4.0.75.81
linux-image-snapdragon 4.4.0.1057.50
linux-image-aws 4.4.0.1016.19
linux-image-4.4.0-75-powerpc-e500mc 4.4.0-75.96
linux-image-lowlatency 4.4.0.75.81
linux-image-raspi2 4.4.0.1054.55

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6214, CVE-2017-6345, CVE-2017-6346, CVE-2017-6347, CVE-2017-6348, CVE-2017-7374



USN-3266-2: Linux kernel (HWE) vulnerability

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3266-2

24th April, 2017

linux-hwe vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-3266-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS.

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.8.0-49-generic 4.8.0-49.52~16.04.1
linux-image-lowlatency-hwe-16.04 4.8.0.49.21
linux-image-generic-hwe-16.04 4.8.0.49.21
linux-image-4.8.0-49-lowlatency 4.8.0-49.52~16.04.1
linux-image-4.8.0-49-generic-lpae 4.8.0-49.52~16.04.1
linux-image-generic-lpae-hwe-16.04 4.8.0.49.21

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5986



USN-3266-1: Linux kernel vulnerability

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3266-1

24th April, 2017

linux, linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10

Summary

The system could be made to crash under certain conditions.

Software description

  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
linux-image-powerpc-smp 4.8.0.49.61
linux-image-powerpc-e500mc 4.8.0.49.61
linux-image-4.8.0-49-generic-lpae 4.8.0-49.52
linux-image-4.8.0-1035-raspi2 4.8.0-1035.38
linux-image-generic-lpae 4.8.0.49.61
linux-image-4.8.0-49-lowlatency 4.8.0-49.52
linux-image-4.8.0-49-powerpc-smp 4.8.0-49.52
linux-image-4.8.0-49-powerpc-e500mc 4.8.0-49.52
linux-image-generic 4.8.0.49.61
linux-image-4.8.0-49-generic 4.8.0-49.52
linux-image-lowlatency 4.8.0.49.61
linux-image-raspi2 4.8.0.1035.39

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5986



USN-3265-2: Linux kernel (Xenial HWE) vulnerabilities

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3265-2

24th April, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3265-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a use-after-free flaw existed in the filesystem
encryption subsystem in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsystem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.75.62
linux-image-generic-lpae-lts-xenial 4.4.0.75.62
linux-image-4.4.0-75-generic 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-powerpc64-smp 4.4.0-75.96~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.75.62
linux-image-powerpc64-smp-lts-xenial 4.4.0.75.62
linux-image-4.4.0-75-lowlatency 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-generic-lpae 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-powerpc-smp 4.4.0-75.96~14.04.1
linux-image-generic-lts-xenial 4.4.0.75.62
linux-image-4.4.0-75-powerpc-e500mc 4.4.0-75.96~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.75.62

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986, CVE-2017-6214, CVE-2017-6345, CVE-2017-6346, CVE-2017-6347, CVE-2017-6348, CVE-2017-7374



USN-3264-1: Linux kernel vulnerability

Unix Server, 25.04.2017 at 04:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3264-1

24th April, 2017

linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux - Linux kernel

Details

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp 3.13.0.117.127
linux-image-powerpc-e500mc 3.13.0.117.127
linux-image-3.13.0-117-generic-lpae 3.13.0-117.164
linux-image-3.13.0-117-lowlatency 3.13.0-117.164
linux-image-generic 3.13.0.117.127
linux-image-3.13.0-117-powerpc-e500mc 3.13.0-117.164
linux-image-3.13.0-117-powerpc64-smp 3.13.0-117.164
linux-image-powerpc-e500 3.13.0.117.127
linux-image-powerpc64-smp 3.13.0.117.127
linux-image-generic-lpae 3.13.0.117.127
linux-image-3.13.0-117-powerpc-e500 3.13.0-117.164
linux-image-3.13.0-117-generic 3.13.0-117.164
linux-image-lowlatency 3.13.0.117.127
linux-image-3.13.0-117-powerpc-smp 3.13.0-117.164

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-5986



DSA-3834 mysql-5.5 - security update

Unix Server, 25.04.2017 at 00:00 | Source: debian.org

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.55, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:



DSA-3833 libav - security update

Unix Server, 24.04.2017 at 00:00 | Source: debian.org

Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.9



USN-3260-1: Firefox vulnerabilities

Unix Server, 21.04.2017 at 17:18 | Source: ubuntu.com

Ubuntu Security Notice USN-3260-1

21st April, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software description

  • firefox - Mozilla Open Source web browser

Details

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, spoof the addressbar contents or other UI elements, escape
the sandbox to read local files, conduct cross-site scripting (XSS)
attacks, cause a denial of service via application crash, or execute
arbitrary code. (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432,
CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437,
CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442,
CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447,
CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454,
CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460,
CVE-2017-5461, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467,
CVE-2017-5468, CVE-2017-5469)

A flaw was discovered in the DRBG number generation in NSS. If an
attacker were able to perform a man-in-the-middle attack, this flaw
could potentially be exploited to view sensitive information.
(CVE-2017-5462)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
firefox 53.0+build6-0ubuntu0.17.04.1
Ubuntu 16.10:
firefox 53.0+build6-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
firefox 53.0+build6-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 53.0+build6-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469



USN-3263-1: FreeType vulnerability

Unix Server, 21.04.2017 at 02:34 | Source: ubuntu.com

Ubuntu Security Notice USN-3263-1

20th April, 2017

freetype vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

FreeType could be made to crash or run programs if it opened a specially crafted font file.

Software description

  • freetype - FreeType 2 is a font engine library

Details

It was discovered that a heap-based buffer overflow existed in the
FreeType library. If a user were tricked into using a specially
crafted font file, a remote attacker could cause FreeType to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libfreetype6 2.6.3-3ubuntu2.1
Ubuntu 16.10:
libfreetype6 2.6.3-3ubuntu1.2
Ubuntu 16.04 LTS:
libfreetype6 2.6.1-0.1ubuntu2.2
Ubuntu 14.04 LTS:
libfreetype6 2.5.2-1ubuntu2.7
Ubuntu 12.04 LTS:
libfreetype6 2.4.8-1ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2016-10328



USN-3262-1: curl vulnerability

Unix Server, 21.04.2017 at 01:19 | Source: ubuntu.com

Ubuntu Security Notice USN-3262-1

20th April, 2017

curl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04

Summary

Applications using curl could allow unintended access over the network.

Software description

  • curl - HTTP, HTTPS, and FTP client and client libraries

Details

It was discovered that curl incorrectly handled client certificates when
resuming a TLS session. A remote attacker could use this to hijack a
previously authenticated connection.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libcurl3-nss 7.52.1-4ubuntu1.1
curl 7.52.1-4ubuntu1.1
libcurl3-gnutls 7.52.1-4ubuntu1.1
libcurl3 7.52.1-4ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7468



USN-3261-1: QEMU vulnerabilities

Unix Server, 20.04.2017 at 22:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3261-1

20th April, 2017

qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu - Machine emulator and virtualizer

Details

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
device. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029)

Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-10155)

Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8667)

It was discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8669)

It was discovered that QEMU incorrectly handled the shared rings when used
with Xen. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. (CVE-2016-9381)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory
sharing. A privileged attacker inside the guest could use this issue to
access files on the host file system outside of the shared directory and
possibly escalate their privileges. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
device when being used with a VNC connection. A privileged attacker inside
the guest could use this issue to cause QEMU to crash, resulting in a
denial of service, or possibly execute arbitrary code on the host. In the
default installation, when QEMU is used with libvirt, attackers would be
isolated by the libvirt AppArmor profile. (CVE-2016-9603)

It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to leak
contents of host memory. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552,
CVE-2017-5578, CVE-2017-5857)

Li Qiang discovered that QEMU incorrectly handled the USB redirector. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9907)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2016-9911)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914,
CVE-2016-9915, CVE-2016-9916)

Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly
handled the Cirrus VGA device. A privileged attacker inside the guest could
use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-9921, CVE-2016-9922)

Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus
VGA device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-2615)

It was discovered that QEMU incorrectly handled the Cirrus VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary code
on the host. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-2620)

It was discovered that QEMU incorrectly handled VNC connections. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2017-2633)

Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5525)

Li Qiang discovered that QEMU incorrectly handled the es1370 audio device.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2017-5526)

Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5579)

Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code on the host. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-5667)

Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2017-5856)

Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5898)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
device emulation. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
qemu-system-s390x 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-misc 1:2.6.1+dfsg-0ubuntu5.4
qemu-system 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-aarch64 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-x86 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-sparc 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-arm 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-ppc 1:2.6.1+dfsg-0ubuntu5.4
qemu-system-mips 1:2.6.1+dfsg-0ubuntu5.4
Ubuntu 16.04 LTS:
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.11
qemu-system-misc 1:2.5+dfsg-5ubuntu10.11
qemu-system 1:2.5+dfsg-5ubuntu10.11
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.11
qemu-system-x86 1:2.5+dfsg-5ubuntu10.11
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.11
qemu-system-arm 1:2.5+dfsg-5ubuntu10.11
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.11
qemu-system-mips 1:2.5+dfsg-5ubuntu10.11
Ubuntu 14.04 LTS:
qemu-system-misc 2.0.0+dfsg-2ubuntu1.33
qemu-system 2.0.0+dfsg-2ubuntu1.33
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.33
qemu-system-x86 2.0.0+dfsg-2ubuntu1.33
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.33
qemu-system-arm 2.0.0+dfsg-2ubuntu1.33
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.33
qemu-system-mips 2.0.0+dfsg-2ubuntu1.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2016-10028, CVE-2016-10029, CVE-2016-10155, CVE-2016-7907, CVE-2016-8667, CVE-2016-8669, CVE-2016-9381, CVE-2016-9602, CVE-2016-9603, CVE-2016-9776, CVE-2016-9845, CVE-2016-9846, CVE-2016-9907, CVE-2016-9908, CVE-2016-9911, CVE-2016-9912, CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916, CVE-2016-9921, CVE-2016-9922, CVE-2017-2615, CVE-2017-2620, CVE-2017-2633, CVE-2017-5525, CVE-2017-5526, CVE-2017-5552, CVE-2017-5578, CVE-2017-5579, CVE-2017-5667, CVE-2017-5856, CVE-2017-5857, CVE-2017-5898, CVE-2017-5973, CVE-2017-5987, CVE-2017-6505



DSA-3831 firefox-esr - security update

Unix Server, 20.04.2017 at 00:00 | Source: debian.org

Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, information disclosure or denial of service.



DSA-3832 icedove - security update

Unix Server, 20.04.2017 at 00:00 | Source: debian.org

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or information leaks.



DSA-3830 icu - security update

Unix Server, 19.04.2017 at 00:00 | Source: debian.org

It was discovered that icu, the International Components for Unicode library, did not correctly validate its input. An attacker could use this problem to trigger an out-of-bound write through a heap-based buffer overflow, thus causing a denial of service via application crash, or potential execution of arbitrary code.



USN-3259-1: Bind vulnerabilities

Unix Server, 17.04.2017 at 19:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3259-1

17th April, 2017

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Bind.

Software description

  • bind9 - Internet Domain Name Server

Details

It was discovered that the resolver in Bind made incorrect
assumptions about ordering when processing responses containing
a CNAME or DNAME. An attacker could use this to cause a denial of
service. (CVE-2017-3137)

Oleg Gorokhov discovered that in some situations, Bind did not properly
handle DNS64 queries. An attacker could use this to cause a denial
of service. (CVE-2017-3136)

Mike Lalumiere discovered that in some situations, Bind did
not properly handle invalid operations requested via its control
channel. An attacker with access to the control channel could cause
a denial of service. (CVE-2017-3138)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
bind9 1:9.10.3.dfsg.P4-10.1ubuntu5
Ubuntu 16.10:
bind9 1:9.10.3.dfsg.P4-10.1ubuntu1.6
Ubuntu 16.04 LTS:
bind9 1:9.10.3.dfsg.P4-8ubuntu1.6
Ubuntu 14.04 LTS:
bind9 1:9.9.5.dfsg-3ubuntu0.14
Ubuntu 12.04 LTS:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.22

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-3136, CVE-2017-3137, CVE-2017-3138



USN-3258-2: Dovecot regression

Unix Server, 11.04.2017 at 21:02 | Source: ubuntu.com

Ubuntu Security Notice USN-3258-2

11th April, 2017

dovecot regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

USN-3258-1 introduced a regression in Dovecot.

Software description

  • dovecot - IMAP and POP3 email server

Details

USN-3258-1 intended to fix a vulnerability in Dovecot. Further investigation
revealed that only Dovecot versions 2.2.26 and newer were affected by the
vulnerability. Additionally, the change introduced a regression when Dovecot
was configured to use the "dict" authentication database. This update reverts
the change. We apologize for the inconvenience.

Original advisory details:

It was discovered that Dovecot incorrectly handled some usernames. An attacker
could possibly use this issue to cause Dovecot to hang or crash, resulting in a
denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
dovecot-core 1:2.2.24-1ubuntu1.3
Ubuntu 16.04 LTS:
dovecot-core 1:2.2.22-1ubuntu2.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-2669



DSA-3829 bouncycastle - security update

Unix Server, 11.04.2017 at 00:00 | Source: debian.org

Quan Nguyen discovered that a missing boundary check in the Galois/Counter mode implementation of Bouncy Castle (a Java implementation of cryptographic algorithms) may result in information disclosure.



USN-3258-1: Dovecot vulnerability

Unix Server, 10.04.2017 at 23:19 | Source: ubuntu.com

Ubuntu Security Notice USN-3258-1

10th April, 2017

dovecot vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

Dovecot could be made to crash if it received specially crafted input.

Software description

  • dovecot - IMAP and POP3 email server

Details

It was discovered that Dovecot incorrectly handled some usernames. An attacker
could possibly use this issue to cause Dovecot to hang or crash, resulting in a
denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
dovecot-core 1:2.2.24-1ubuntu1.2
Ubuntu 16.04 LTS:
dovecot-core 1:2.2.22-1ubuntu2.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-2669



USN-3257-1: WebKitGTK+ vulnerabilities

Unix Server, 10.04.2017 at 18:20 | Source: ubuntu.com

Ubuntu Security Notice USN-3257-1

10th April, 2017

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software description

  • webkit2gtk - Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
libwebkit2gtk-4.0-37 2.16.1-0ubuntu0.16.10.1
libjavascriptcoregtk-4.0-18 2.16.1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
libwebkit2gtk-4.0-37 2.16.1-0ubuntu0.16.04.1
libjavascriptcoregtk-4.0-18 2.16.1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

CVE-2016-9642, CVE-2016-9643, CVE-2017-2364, CVE-2017-2367, CVE-2017-2376, CVE-2017-2377, CVE-2017-2386, CVE-2017-2392, CVE-2017-2394, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2415, CVE-2017-2419, CVE-2017-2433, CVE-2017-2442, CVE-2017-2445, CVE-2017-2446, CVE-2017-2447, CVE-2017-2454, CVE-2017-2455, CVE-2017-2457, CVE-2017-2459, CVE-2017-2460, CVE-2017-2464, CVE-2017-2465, CVE-2017-2466, CVE-2017-2468, CVE-2017-2469, CVE-2017-2470, CVE-2017-2471, CVE-2017-2475, CVE-2017-2476, CVE-2017-2481



DSA-3828 dovecot - security update

Unix Server, 10.04.2017 at 00:00 | Source: debian.org

It was discovered that the Dovecot email server is vulnerable to a denial of service attack. When the dict passdb and userdb are used for user authentication, the username sent by the IMAP/POP3 client is sent through var_expand() to perform %variable expansion. Sending specially crafted %variable fields could result in excessive memory usage causing the process to crash (and restart).



DSA-3827 jasper - security update

Unix Server, 07.04.2017 at 00:00 | Source: debian.org

Multiple vulnerabilities have been discovered in the JasPer library for processing JPEG-2000 images, which may result in denial of service or the execution of arbitrary code if a malformed image is processed.



USN-3256-1: Linux kernel vulnerability

Unix Server, 05.04.2017 at 07:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3256-1

4th April, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon Processors
  • linux-ti-omap4 - Linux kernel for OMAP4

Details

Andrey Konovalov discovered that the AF_PACKET implementation in the Linux
kernel did not properly validate certain block-size data. A local attacker
could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
linux-image-powerpc-smp 4.8.0.46.58
linux-image-powerpc-e500mc 4.8.0.46.58
linux-image-generic 4.8.0.46.58
linux-image-4.8.0-46-lowlatency 4.8.0-46.49
linux-image-4.8.0-46-generic-lpae 4.8.0-46.49
linux-image-4.8.0-46-powerpc-smp 4.8.0-46.49
linux-image-4.8.0-1033-raspi2 4.8.0-1033.36
linux-image-4.8.0-46-powerpc-e500mc 4.8.0-46.49
linux-image-generic-lpae 4.8.0.46.58
linux-image-4.8.0-46-powerpc64-emb 4.8.0-46.49
linux-image-4.8.0-46-generic 4.8.0-46.49
linux-image-lowlatency 4.8.0.46.58
linux-image-raspi2 4.8.0.1033.37
linux-image-powerpc64-smp 4.8.0.46.58
Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.72.78
linux-image-4.4.0-72-lowlatency 4.4.0-72.93
linux-image-4.4.0-72-powerpc-smp 4.4.0-72.93
linux-image-4.4.0-72-powerpc-e500mc 4.4.0-72.93
linux-image-4.4.0-1055-snapdragon 4.4.0-1055.59
linux-image-powerpc64-smp-lts-utopic 4.4.0.72.78
linux-image-4.4.0-72-generic 4.4.0-72.93
linux-image-4.4.0-72-generic-lpae 4.4.0-72.93
linux-image-powerpc64-smp-lts-xenial 4.4.0.72.78
linux-image-4.4.0-72-powerpc64-smp 4.4.0-72.93
linux-image-gke 4.4.0.1010.12
linux-image-powerpc64-smp-lts-vivid 4.4.0.72.78
linux-image-generic 4.4.0.72.78
linux-image-snapdragon 4.4.0.1055.48
linux-image-aws 4.4.0.1013.16
linux-image-raspi2 4.4.0.1052.53
linux-image-powerpc-smp 4.4.0.72.78
linux-image-4.4.0-1052-raspi2 4.4.0-1052.59
linux-image-generic-lpae 4.4.0.72.78
linux-image-powerpc64-smp-lts-wily 4.4.0.72.78
linux-image-4.4.0-1013-aws 4.4.0-1013.22
linux-image-4.4.0-1010-gke 4.4.0-1010.10
linux-image-powerpc64-smp 4.4.0.72.78
linux-image-lowlatency 4.4.0.72.78
Ubuntu 14.04 LTS:
linux-image-powerpc-smp 3.13.0.116.126
linux-image-powerpc-e500mc 3.13.0.116.126
linux-image-generic 3.13.0.116.126
linux-image-generic-lpae 3.13.0.116.126
linux-image-3.13.0-116-powerpc64-smp 3.13.0-116.163
linux-image-3.13.0-116-powerpc-e500mc 3.13.0-116.163
linux-image-3.13.0-116-lowlatency 3.13.0-116.163
linux-image-powerpc-e500 3.13.0.116.126
linux-image-3.13.0-116-generic 3.13.0-116.163
linux-image-3.13.0-116-powerpc-e500 3.13.0-116.163
linux-image-3.13.0-116-powerpc-smp 3.13.0-116.163
linux-image-powerpc64-smp 3.13.0.116.126
linux-image-lowlatency 3.13.0.116.126
linux-image-3.13.0-116-generic-lpae 3.13.0-116.163
Ubuntu 12.04 LTS:
linux-image-3.2.0-126-virtual 3.2.0-126.169
linux-image-3.2.0-126-highbank 3.2.0-126.169
linux-image-3.2.0-1504-omap4 3.2.0-1504.131
linux-image-3.2.0-126-generic-pae 3.2.0-126.169
linux-image-powerpc-smp 3.2.0.126.141
linux-image-generic 3.2.0.126.141
linux-image-3.2.0-126-omap 3.2.0-126.169
linux-image-3.2.0-126-generic 3.2.0-126.169
linux-image-generic-pae 3.2.0.126.141
linux-image-highbank 3.2.0.126.141
linux-image-3.2.0-126-powerpc64-smp 3.2.0-126.169
linux-image-powerpc64-smp 3.2.0.126.141
linux-image-omap4 3.2.0.1504.99
linux-image-3.2.0-126-powerpc-smp 3.2.0-126.169
linux-image-omap 3.2.0.126.141
linux-image-virtual 3.2.0.126.141

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-7308



USN-3256-2: Linux kernel (HWE) vulnerability

Unix Server, 05.04.2017 at 07:03 | Source: ubuntu.com

Ubuntu Security Notice USN-3256-2

4th April, 2017

linux-hwe, linux-lts-trusty, linux-lts-xenial vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu
14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides
the corresponding updates for the Linux Hardware Enablement (HWE)
kernel for each of the respective prior Ubuntu LTS releases.

Andrey Konovalov discovered that the AF_PACKET implementation in the Linux
kernel did not properly validate certain block-size data. A local attacker
could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.8.0-46-lowlatency 4.8.0-46.49~16.04.1
linux-image-lowlatency-hwe-16.04 4.8.0.46.18
linux-image-4.8.0-46-generic-lpae 4.8.0-46.49~16.04.1
linux-image-generic-hwe-16.04 4.8.0.46.18
linux-image-4.8.0-46-generic 4.8.0-46.49~16.04.1
linux-image-generic-lpae-hwe-16.04 4.8.0.46.18
Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.72.59
linux-image-4.4.0-72-generic 4.4.0-72.93~14.04.1
linux-image-4.4.0-72-powerpc-smp 4.4.0-72.93~14.04.1
linux-image-4.4.0-72-powerpc-e500mc 4.4.0-72.93~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.72.59
linux-image-4.4.0-72-generic-lpae 4.4.0-72.93~14.04.1
linux-image-4.4.0-72-lowlatency 4.4.0-72.93~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.72.59
linux-image-generic-lts-xenial 4.4.0.72.59
linux-image-powerpc64-smp-lts-xenial 4.4.0.72.59
linux-image-4.4.0-72-powerpc64-smp 4.4.0-72.93~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.72.59
Ubuntu 12.04 LTS:
linux-image-generic-lpae-lts-trusty 3.13.0.116.107
linux-image-3.13.0-116-generic 3.13.0-116.163~precise1
linux-image-generic-lts-trusty 3.13.0.116.107
linux-image-3.13.0-116-generic-lpae 3.13.0-116.163~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-7308



USN-3255-1: LightDM vulnerability

Unix Server, 05.04.2017 at 00:19 | Source: ubuntu.com

Ubuntu Security Notice USN-3255-1

4th April, 2017

lightdm vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

LightDM could be made to run programs as an administrator.

Software description

  • lightdm - Display Manager

Details

It was discovered that LightDM incorrectly handled home directory creation for
guest users. A local attacker could use this issue to gain ownership of
arbitrary directory paths and possibly gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
lightdm 1.19.5-0ubuntu1.1
Ubuntu 16.04 LTS:
lightdm 1.18.3-0ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7358



USN-3254-1: Django vulnerabilities

Unix Server, 04.04.2017 at 20:18 | Source: ubuntu.com

Ubuntu Security Notice USN-3254-1

4th April, 2017

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Django.

Software description

  • python-django - High-level Python web development framework

Details

It was discovered that Django incorrectly handled numeric redirect URLs. A
remote attacker could possibly use this issue to perform XSS attacks, and
to use a Django server as an open redirect. (CVE-2017-7233)

Phithon Gong discovered that Django incorrectly handled certain URLs when
the django.views.static.serve() view is being used. A remote attacker could
possibly use a Django server as an open redirect. (CVE-2017-7234)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
python3-django 1.8.7-1ubuntu8.2
python-django 1.8.7-1ubuntu8.2
Ubuntu 16.04 LTS:
python3-django 1.8.7-1ubuntu5.5
python-django 1.8.7-1ubuntu5.5
Ubuntu 14.04 LTS:
python-django 1.6.11-0ubuntu1.1
Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7233, CVE-2017-7234



DSA-3826 tryton-server - security update

Unix Server, 04.04.2017 at 02:00 | Source: debian.org

It was discovered that the original patch to address CVE-2016-1242 did not cover all cases, which may result in information disclosure of file contents.



USN-3253-1: Nagios vulnerabilities

Unix Server, 03.04.2017 at 20:20 | Source: ubuntu.com

Ubuntu Security Notice USN-3253-1

3rd April, 2017

nagios3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Nagios.

Software description

  • nagios3 - host/service/network monitoring and management system

Details

It was discovered that Nagios incorrectly handled certain long strings. A
remote authenticated attacker could use this issue to cause Nagios to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2013-7108, CVE-2013-7205)

It was discovered that Nagios incorrectly handled certain long messages to
cmd.cgi. A remote attacker could possibly use this issue to cause Nagios to
crash, resulting in a denial of service. (CVE-2014-1878)

Dawid Golunski discovered that Nagios incorrectly handled symlinks when
accessing log files. A local attacker could possibly use this issue to
elevate privileges. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2016-9566)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
nagios3-core 3.5.1.dfsg-2.1ubuntu3.1
nagios3-cgi 3.5.1.dfsg-2.1ubuntu3.1
Ubuntu 16.04 LTS:
nagios3-core 3.5.1.dfsg-2.1ubuntu1.1
nagios3-cgi 3.5.1.dfsg-2.1ubuntu1.1
Ubuntu 14.04 LTS:
nagios3-core 3.5.1-1ubuntu1.1
nagios3-cgi 3.5.1-1ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7108, CVE-2013-7205, CVE-2014-1878, CVE-2016-9566



DSA-3825 jhead - security update

Unix Server, 31.03.2017 at 02:00 | Source: debian.org

It was discovered that jhead, a tool to manipulate the non-image part of EXIF compliant JPEG files, is prone to an out-of-bounds access vulnerability, which may result in denial of service or, potentially, the execution of arbitrary code if an image with specially crafted EXIF data is processed.



USN-3216-2: Firefox regression

Unix Server, 31.03.2017 at 00:21 | Source: ubuntu.com

Ubuntu Security Notice USN-3216-2

30th March, 2017

firefox regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-3216-1 introduced a regression in Firefox.

Software description

  • firefox - Mozilla Open Source web browser

Details

USN-3216-1 fixed vulnerabilities in Firefox. The update resulted in a
startup crash when Firefox is used with XRDP. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to bypass same origin restrictions, obtain
sensitive information, spoof the addressbar, spoof the print dialog,
cause a denial of service via application crash or hang, or execute
arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400,
CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405,
CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412,
CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417,
CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422,
CVE-2017-5426, CVE-2017-5427)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
firefox 52.0.2+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
firefox 52.0.2+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 52.0.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox 52.0.2+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1671079



USN-3242-2: Samba regression

Unix Server, 30.03.2017 at 20:35 | Source: ubuntu.com

Ubuntu Security Notice USN-3242-2

30th March, 2017

samba regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-3242-1 introduced a regression in Samba.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-3242-1 fixed a vulnerability in Samba. The upstream fix introduced a
regression when Samba is configured to disable following symbolic links.

This update fixes the problem.

Original advisory details:

Jann Horn discovered that Samba incorrectly handled symlinks. An
authenticated remote attacker could use this issue to access files on the
server outside of the exported directories.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
samba 2:4.4.5+dfsg-2ubuntu5.5
Ubuntu 16.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.6
Ubuntu 14.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.14.04.7
Ubuntu 12.04 LTS:
samba 2:3.6.25-0ubuntu0.12.04.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1675698



USN-3249-1: Linux kernel vulnerability

Unix Server, 30.03.2017 at 02:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3249-1

29th March, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon Processors

Details

It was discovered that the xfrm framework for transforming packets in the
Linux kernel did not properly validate data received from user space. A
local attacker could use this to cause a denial of service (system crash)
or execute arbitrary code with administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gke 4.4.0.1009.11
linux-image-powerpc-e500mc 4.4.0.71.77
linux-image-4.4.0-1054-snapdragon 4.4.0-1054.58
linux-image-raspi2 4.4.0.1051.52
linux-image-powerpc-smp 4.4.0.71.77
linux-image-4.4.0-71-lowlatency 4.4.0-71.92
linux-image-generic 4.4.0.71.77
linux-image-4.4.0-71-powerpc-smp 4.4.0-71.92
linux-image-4.4.0-71-powerpc-e500mc 4.4.0-71.92
linux-image-4.4.0-71-generic 4.4.0-71.92
linux-image-4.4.0-71-powerpc64-smp 4.4.0-71.92
linux-image-4.4.0-1051-raspi2 4.4.0-1051.58
linux-image-generic-lpae 4.4.0.71.77
linux-image-snapdragon 4.4.0.1054.47
linux-image-aws 4.4.0.1012.15
linux-image-4.4.0-1012-aws 4.4.0-1012.21
linux-image-4.4.0-71-generic-lpae 4.4.0-71.92
linux-image-lowlatency 4.4.0.71.77
linux-image-4.4.0-1009-gke 4.4.0-1009.9
linux-image-powerpc64-smp 4.4.0.71.77

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-7184



USN-3251-1: Linux kernel vulnerability

Unix Server, 30.03.2017 at 02:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3251-1

29th March, 2017

linux, linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.10

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

It was discovered that the xfrm framework for transforming packets in the
Linux kernel did not properly validate data received from user space. A
local attacker could use this to cause a denial of service (system crash)
or execute arbitrary code with administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.10:
linux-image-4.8.0-45-powerpc-e500mc 4.8.0-45.48
linux-image-powerpc-smp 4.8.0.45.57
linux-image-powerpc-e500mc 4.8.0.45.57
linux-image-4.8.0-45-generic-lpae 4.8.0-45.48
linux-image-generic 4.8.0.45.57
linux-image-4.8.0-45-generic 4.8.0-45.48
linux-image-generic-lpae 4.8.0.45.57
linux-image-4.8.0-1032-raspi2 4.8.0-1032.35
linux-image-4.8.0-45-powerpc-smp 4.8.0-45.48
linux-image-4.8.0-45-lowlatency 4.8.0-45.48
linux-image-lowlatency 4.8.0.45.57
linux-image-raspi2 4.8.0.1032.36

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-7184

