
Unix Server



DSA-3948 ioquake3 - security update

Unix Server, 19.08.2017 at 00:00 | Source: debian.org

A read buffer overflow was discovered in the idtech3 (Quake III Arena) family of game engines. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted packet.



USN-3396-1: OpenJDK 7 vulnerabilities

Unix Server, 18.08.2017 at 06:17 | Source: ubuntu.com

Ubuntu Security Notice USN-3396-1

18th August, 2017

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in OpenJDK 7.

Software description

  • openjdk-7 - Open Source Java implementation

Details

It was discovered that the JPEGImageReader class in OpenJDK would
incorrectly read unused image data. An attacker could use this to specially
construct a jpeg image file that when opened by a Java application would
cause a denial of service. (CVE-2017-10053)

It was discovered that the JAR verifier in OpenJDK did not properly handle
archives containing files missing digests. An attacker could use this to
modify the signed contents of a JAR file. (CVE-2017-10067)

It was discovered that integer overflows existed in the Hotspot component
of OpenJDK when generating range check loop predicates. An attacker could
use this to specially construct an untrusted Java application or applet
that could escape sandbox restrictions and cause a denial of service or
possibly execute arbitrary code. (CVE-2017-10074)

It was discovered that OpenJDK did not properly process parentheses in
function signatures. An attacker could use this to specially construct an
untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10081)

It was discovered that the ThreadPoolExecutor class in OpenJDK did not
properly perform access control checks when cleaning up threads. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions and possibly
execute arbitrary code. (CVE-2017-10087)

It was discovered that the ServiceRegistry implementation in OpenJDK did
not perform access control checks in certain situations. An attacker could
use this to specially construct an untrusted Java application or applet
that escaped sandbox restrictions. (CVE-2017-10089)

It was discovered that the channel groups implementation in OpenJDK did not
properly perform access control checks in some situations. An attacker
could use this to specially construct an untrusted Java application or
applet that could escape sandbox restrictions. (CVE-2017-10090)

It was discovered that the DTM exception handling code in the JAXP
component of OpenJDK did not properly perform access control checks. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2017-10096)

It was discovered that the JAXP component of OpenJDK incorrectly granted
access to some internal resolvers. An attacker could use this to specially
construct an untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10101)

It was discovered that the Distributed Garbage Collector (DGC) in OpenJDK
did not properly track references in some situations. A remote attacker
could possibly use this to execute arbitrary code. (CVE-2017-10102)

It was discovered that the Activation ID implementation in the RMI
component of OpenJDK did not properly check access control permissions in
some situations. An attacker could use this to specially construct an
untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10107)

It was discovered that the BasicAttribute class in OpenJDK did not properly
bound memory allocation when de-serializing objects. An attacker could use
this to cause a denial of service (memory consumption). (CVE-2017-10108)

It was discovered that the CodeSource class in OpenJDK did not properly
bound memory allocations when de-serializing object instances. An attacker
could use this to cause a denial of service (memory consumption).
(CVE-2017-10109)

It was discovered that the AWT ImageWatched class in OpenJDK did not
properly perform access control checks. An attacker could use this to
specially construct an untrusted Java application or applet that could
escape sandbox restrictions. (CVE-2017-10110)

It was discovered that a timing side-channel vulnerability existed in the
DSA implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10115)

It was discovered that the LDAP implementation in OpenJDK incorrectly
followed references to non-LDAP URLs. An attacker could use this to
specially craft an LDAP referral URL that exposes sensitive information or
bypass access restrictions. (CVE-2017-10116)

It was discovered that a timing side-channel vulnerability existed in the
ECDSA implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10118)

Ilya Maykov discovered that a timing side-channel vulnerability existed in
the PKCS#8 implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10135)

It was discovered that the Elliptic Curve (EC) implementation in OpenJDK
did not properly compute certain elliptic curve points. An attacker could
use this to expose sensitive information. (CVE-2017-10176)

It was discovered that OpenJDK did not properly perform access control
checks when handling Web Service Definition Language (WSDL) XML documents.
An attacker could use this to expose sensitive information.
(CVE-2017-10243)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
openjdk-7-jre-lib 7u151-2.6.11-0ubuntu1.14.04.1
openjdk-7-jre-zero 7u151-2.6.11-0ubuntu1.14.04.1
icedtea-7-jre-jamvm 7u151-2.6.11-0ubuntu1.14.04.1
openjdk-7-jre-headless 7u151-2.6.11-0ubuntu1.14.04.1
openjdk-7-jre 7u151-2.6.11-0ubuntu1.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116, CVE-2017-10118, CVE-2017-10135, CVE-2017-10176, CVE-2017-10243



DSA-3946 libmspack - security update

Unix Server, 18.08.2017 at 00:00 | Source: debian.org

It was discovered that libmspack, a library used to handle Microsoft compression formats, did not properly validate its input. A remote attacker could craft malicious CAB or CHM files and use this flaw to cause a denial of service via application crash, or potentially execute arbitrary code.



DSA-3947 newsbeuter - security update

Unix Server, 18.08.2017 at 00:00 | Source: debian.org

Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine.



USN-3391-3: Firefox regression

Unix Server, 17.08.2017 at 22:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3391-3

17th August, 2017

firefox regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

USN-3391-1 introduced a regression in Firefox.

Software description

  • firefox - Mozilla Open Source web browser

Details

USN-3391-1 fixed vulnerabilities in Firefox. The update introduced a
performance regression with WebExtensions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
bypass sandbox restrictions, obtain sensitive information, spoof the
origin of modal alerts, bypass same origin restrictions, read
uninitialized memory, cause a denial of service via program crash or hang,
or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780,
CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786,
CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792,
CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800,
CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807,
CVE-2017-7808, CVE-2017-7809)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
firefox 55.0.2+build1-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
firefox 55.0.2+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 55.0.2+build1-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1710987



USN-3393-2: ClamAV vulnerabilities

Unix Server, 17.08.2017 at 20:20 | Source: ubuntu.com

Ubuntu Security Notice USN-3393-2

17th August, 2017

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ClamAV.

Software description

  • clamav - Anti-virus utility for Unix

Details

USN-3393-1 fixed several vulnerabilities in ClamAV. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled parsing certain e-mail
messages. A remote attacker could possibly use this issue to cause ClamAV
to crash, resulting in a denial of service. (CVE-2017-6418)

It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS. In the default installation,
attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419)

It was discovered that ClamAV incorrectly handled parsing certain PE files
with WWPack compression. A remote attacker could possibly use this issue to
cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
clamav 0.99.2+addedllvm-0ubuntu0.12.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-6418, CVE-2017-6419, CVE-2017-6420



USN-3394-1: libmspack vulnerabilities

Unix Server, 17.08.2017 at 17:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3394-1

17th August, 2017

libmspack vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in libmspack.

Software description

  • libmspack - library for Microsoft compression formats

Details

It was discovered that libmspack incorrectly handled certain malformed CHM
files. A remote attacker could use this issue to cause libmspack to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-6419)

It was discovered that libmspack incorrectly handled certain malformed CAB
files. A remote attacker could use this issue to cause libmspack to crash,
resulting in a denial of service. (CVE-2017-6419)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libmspack0 0.5-1ubuntu0.17.04.1
Ubuntu 16.04 LTS:
libmspack0 0.5-1ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-11423, CVE-2017-6419



USN-3395-1: c-ares vulnerability

Unix Server, 17.08.2017 at 17:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3395-1

17th August, 2017

c-ares vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

c-ares could be made to crash if it received specially crafted network traffic.

Software description

  • c-ares - library for asynchronous name resolution

Details

It was discovered that c-ares incorrectly handled certain NAPTR responses.
A remote attacker could possibly use this issue to cause applications using
c-ares to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libc-ares2 1.12.0-1ubuntu0.1
Ubuntu 16.04 LTS:
libc-ares2 1.10.0-3ubuntu0.2
Ubuntu 14.04 LTS:
libc-ares2 1.10.0-2ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000381



USN-3393-1: ClamAV vulnerabilities

Unix Server, 17.08.2017 at 17:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3393-1

17th August, 2017

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in ClamAV.

Software description

  • clamav - Anti-virus utility for Unix

Details

It was discovered that ClamAV incorrectly handled parsing certain e-mail
messages. A remote attacker could possibly use this issue to cause ClamAV
to crash, resulting in a denial of service. (CVE-2017-6418)

It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS. In the default installation,
attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419)

It was discovered that ClamAV incorrectly handled parsing certain PE files
with WWPack compression. A remote attacker could possibly use this issue to
cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
clamav 0.99.2+dfsg-6ubuntu0.1
Ubuntu 16.04 LTS:
clamav 0.99.2+dfsg-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
clamav 0.99.2+addedllvm-0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-6418, CVE-2017-6419, CVE-2017-6420



DSA-3944 mariadb-10.0 - security update

Unix Server, 17.08.2017 at 00:00 | Source: debian.org

Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.32. Please see the MariaDB 10.0 Release Notes for further details:



DSA-3945 linux - security update

Unix Server, 17.08.2017 at 00:00 | Source: debian.org

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.



USN-3391-2: Ubufox update

Unix Server, 16.08.2017 at 14:50 | Source: ubuntu.com

Ubuntu Security Notice USN-3391-2

16th August, 2017

ubufox update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

This update provides compatible packages for Firefox 55.

Software description

  • ubufox - Ubuntu Firefox specific configuration defaults and apt support

Details

USN-3391-1 fixed vulnerabilities in Firefox. This update provides the
corresponding update for Ubufox.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
bypass sandbox restrictions, obtain sensitive information, spoof the
origin of modal alerts, bypass same origin restrictions, read
uninitialized memory, cause a denial of service via program crash or hang,
or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780,
CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786,
CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792,
CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800,
CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807,
CVE-2017-7808, CVE-2017-7809)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
xul-ext-ubufox 3.4-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
xul-ext-ubufox 3.4-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
xul-ext-ubufox 3.4-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1711137



ShadowPad: espionage backdoor uncovered in admin tools for Unix and Linux servers

Unix Server, 16.08.2017 at 09:00 | Source: google.com

A sophisticated backdoor was delivered by attackers, via a correctly signed update, into the network admin tools of the Korean company NetSarang ...

USN-3392-2: Linux kernel (Xenial HWE) regression

Unix Server, 16.08.2017 at 08:00 | Source: ubuntu.com

Ubuntu Security Notice USN-3392-2

16th August, 2017

linux-lts-xenial regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

USN-3378-2 introduced a regression in the Linux Hardware Enablement kernel.

Software description

  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3392-1 fixed a regression in the Linux kernel for Ubuntu 16.04 LTS.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

USN-3378-2 fixed vulnerabilities in the Linux Hardware Enablement
kernel. Unfortunately, a regression was introduced that prevented
conntrack from working correctly in some situations. This update
fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Fan Wu and Shixiong Zhao discovered a race condition between inotify events
and vfs rename operations in the Linux kernel. An unprivileged local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict
RLIMIT_STACK size. A local attacker could use this in conjunction with
another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

李强 discovered that the Virtio GPU driver in the Linux kernel did not
properly free memory in some situations. A local attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-10810)

石磊 discovered that the RxRPC Kerberos 5 ticket handling code in the
Linux kernel did not properly verify metadata. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7482)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.92.76
linux-image-generic-lpae-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-powerpc-e500mc 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-powerpc64-emb 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-powerpc-smp 4.4.0-92.115~14.04.1
linux-image-4.4.0-92-lowlatency 4.4.0-92.115~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.92.76
linux-image-generic-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-generic-lpae 4.4.0-92.115~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.92.76
linux-image-powerpc64-emb-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-powerpc64-smp 4.4.0-92.115~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.92.76
linux-image-4.4.0-92-generic 4.4.0-92.115~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

https://bugs.launchpad.net/bugs/1709032, https://usn.ubuntu.com/usn/usn-3378-2



USN-3392-1: Linux kernel regression

Unix Server, 16.08.2017 at 08:00 | Source: ubuntu.com

Ubuntu Security Notice USN-3392-1

16th August, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

USN-3378-1 introduced a regression in the Linux kernel.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors

Details

USN-3378-1 fixed vulnerabilities in the Linux kernel. Unfortunately, a
regression was introduced that prevented conntrack from working
correctly in some situations. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Fan Wu and Shixiong Zhao discovered a race condition between inotify events
and vfs rename operations in the Linux kernel. An unprivileged local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2017-7533)

It was discovered that the Linux kernel did not properly restrict
RLIMIT_STACK size. A local attacker could use this in conjunction with
another vulnerability to possibly execute arbitrary code.
(CVE-2017-1000365)

李强 discovered that the Virtio GPU driver in the Linux kernel did not
properly free memory in some situations. A local attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-10810)

石磊 discovered that the RxRPC Kerberos 5 ticket handling code in the
Linux kernel did not properly verify metadata. A remote attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-7482)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.92.97
linux-image-4.4.0-92-powerpc-smp 4.4.0-92.115
linux-image-4.4.0-92-lowlatency 4.4.0-92.115
linux-image-4.4.0-92-powerpc64-emb 4.4.0-92.115
linux-image-4.4.0-92-generic 4.4.0-92.115
linux-image-4.4.0-1027-gke 4.4.0-1027.27
linux-image-4.4.0-92-powerpc-e500mc 4.4.0-92.115
linux-image-4.4.0-1072-snapdragon 4.4.0-1072.77
linux-image-snapdragon 4.4.0.1072.64
linux-image-4.4.0-92-powerpc64-smp 4.4.0-92.115
linux-image-powerpc64-emb 4.4.0.92.97
linux-image-gke 4.4.0.1027.28
linux-image-generic 4.4.0.92.97
linux-image-4.4.0-92-generic-lpae 4.4.0-92.115
linux-image-aws 4.4.0.1031.33
linux-image-raspi2 4.4.0.1070.70
linux-image-powerpc-smp 4.4.0.92.97
linux-image-generic-lpae 4.4.0.92.97
linux-image-4.4.0-1031-aws 4.4.0-1031.40
linux-image-powerpc64-smp 4.4.0.92.97
linux-image-4.4.0-1070-raspi2 4.4.0-1070.78
linux-image-lowlatency 4.4.0.92.97

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

https://bugs.launchpad.net/bugs/1709032, https://usn.ubuntu.com/usn/usn-3378-1



USN-3391-1: Firefox vulnerabilities

Unix Server, 15.08.2017 at 20:34 | Source: ubuntu.com

Ubuntu Security Notice USN-3391-1

15th August, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software description

  • firefox - Mozilla Open Source web browser

Details

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
bypass sandbox restrictions, obtain sensitive information, spoof the
origin of modal alerts, bypass same origin restrictions, read
uninitialized memory, cause a denial of service via program crash or hang,
or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780,
CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786,
CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792,
CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800,
CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807,
CVE-2017-7808, CVE-2017-7809)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
firefox 55.0.1+build2-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
firefox 55.0.1+build2-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
firefox 55.0.1+build2-0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786, CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792, CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800, CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807, CVE-2017-7808, CVE-2017-7809



USN-3390-1: PostgreSQL vulnerabilities

Unix Server, 15.08.2017 at 18:05 | Source: ubuntu.com

Ubuntu Security Notice USN-3390-1

15th August, 2017

postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in PostgreSQL.

Software description

  • postgresql-9.3 - Object-relational SQL database
  • postgresql-9.5 - Object-relational SQL database
  • postgresql-9.6 - object-relational SQL database

Details

Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)

Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)

Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (CVE-2017-7548)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
postgresql-9.6 9.6.4-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
postgresql-9.5 9.5.8-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
postgresql-9.3 9.3.18-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

CVE-2017-7546, CVE-2017-7547, CVE-2017-7548



USN-3389-2: GD vulnerability

Unix Server, 14.08.2017 at 20:04 | Source: ubuntu.com

Ubuntu Security Notice USN-3389-2

14th August, 2017

libgd2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to expose sensitive information.

Software description

  • libgd2 - GD Graphics Library

Details

USN-3389-1 fixed a vulnerability in GD Graphics Library.
This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

A vulnerability was discovered in GD Graphics Library (aka libgd),
as used in PHP that does not zero colorMap arrays before use.
A specially crafted GIF image could use the uninitialized tables to
read bytes from the top of the stack.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libgd-tools 2.0.36~rc1~dfsg-6ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7890



USN-3389-1: LibGD vulnerability

Unix Server, 14.08.2017 at 19:02 | Source: ubuntu.com

Ubuntu Security Notice USN-3389-1

14th August, 2017

libgd2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

The system could be made to expose sensitive information.

Software description

  • libgd2 - GD Graphics Library

Details

A vulnerability was discovered in GD Graphics Library (aka libgd),
as used in PHP before that does not zero colorMap arrays before use.
A specially crafted GIF image could use the uninitialized tables to
read bytes from the top of the stack.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libgd-tools 2.2.4-2ubuntu0.2
Ubuntu 16.04 LTS:
libgd-tools 2.1.1-4ubuntu0.16.04.7
Ubuntu 14.04 LTS:
libgd-tools 2.1.0-3ubuntu0.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7890



DSA-3943 gajim - security update

Unix Server, 14.08.2017 at 00:00 | Source: debian.org

Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the "XEP-0146: Remote Controlling Clients" extension, allowing a malicious XMPP server to trigger commands to leak private conversations from encrypted sessions. With this update XEP-0146 support has been disabled by default and made opt-in via the remote_commands option.



DSA-3941 iortcw - security update

Unix Server, 13.08.2017 at 00:00 | Source: debian.org

A read buffer overflow was discovered in the idtech3 (Quake III Arena) family of game engines. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted packet.



DSA-3942 supervisor - security update

Unix Server, 13.08.2017 at 00:00 | Source: debian.org

Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as the same user as supervisord.
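The supervisor advisory above describes the failure mode (an XML-RPC method name accepted without validation, so a client can reach code the server never meant to expose). The following is an added example, not supervisord's code: it contrasts a dispatcher that resolves a dotted method name by walking object attributes with one that only dispatches explicitly registered names. The `StatusService` and `Options` classes are constructed stand-ins, not supervisor's API; the request bodies are built with the standard library's `xmlrpc.client`.

```python
"""Allowlist dispatch for an XML-RPC server (added example; not supervisord's code).

The vulnerable pattern resolves a dotted method name by walking object
attributes, so any object reachable from the RPC root becomes callable.
The hardened pattern only dispatches names that were explicitly registered.
"""
import os
import xmlrpc.client


class Options:
    """Constructed configuration object that, like many real ones, holds a module reference."""
    def __init__(self):
        self.os = os


class StatusService:
    """Constructed RPC namespace: only get_state and get_pid are meant to be exposed."""
    def __init__(self):
        self.options = Options()

    def get_state(self):
        return {"statename": "RUNNING"}

    def get_pid(self):
        return 4242


def unsafe_dispatch(root, method, params):
    """Vulnerable: 'options.os.system' walks straight to os.system with no validation."""
    target = root
    for part in method.split("."):
        target = getattr(target, part)
    return target(*params)


class SafeDispatcher:
    """Hardened: a flat allowlist; the method string is a dictionary key, never a path."""
    def __init__(self):
        self._methods = {}

    def register(self, name, func):
        self._methods[name] = func

    def dispatch(self, method, params):
        func = self._methods.get(method)
        if func is None:
            raise PermissionError("unknown RPC method: %r" % (method,))
        return func(*params)

    def handle_request(self, request_xml):
        """Decode an XML-RPC methodCall body and dispatch it through the allowlist."""
        params, method = xmlrpc.client.loads(request_xml)
        return self.dispatch(method, params)


def build_service():
    svc = StatusService()
    disp = SafeDispatcher()
    disp.register("status.get_state", svc.get_state)
    disp.register("status.get_pid", svc.get_pid)
    return svc, disp


def demo():
    """Returns (value reached by traversal, pid via allowlist, whether traversal was blocked)."""
    svc, disp = build_service()
    # A harmless traversal shows the reach of the unsafe dispatcher; an attacker
    # would pick options.os.system instead of options.os.getcwd.
    reached = unsafe_dispatch(svc, "options.os.getcwd", [])
    pid = disp.handle_request(xmlrpc.client.dumps((), methodname="status.get_pid"))
    try:
        disp.handle_request(xmlrpc.client.dumps((), methodname="options.os.getcwd"))
        blocked = False
    except PermissionError:
        blocked = True
    return reached, pid, blocked


if __name__ == "__main__":
    print(demo())
```

The allowlist is the whole fix: the method name never selects an attribute path, so the object graph behind the service (configuration, loaded modules, the interpreter itself) is unreachable no matter what string the client sends. Authentication on the XML-RPC endpoint, which the advisory assumes the client already has, is a separate control and does not substitute for it.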



DSA-3940 cvs - security update

Unix Server, 13.08.2017 at 00:00 | Source: debian.org

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command.



DSA-3937 zabbix - security update

Unix Server, 12.08.2017 at 00:00 | Source: debian.org

Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.



DSA-3938 libgd2 - security update

Unix Server, 12.08.2017 at 00:00 | Source: debian.org

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used to load images from GIF format files in libgd2, a library for programmatic graphics creation and manipulation, does not zero stack allocated color map buffers before their use, which may result in information disclosure if a specially crafted file is processed.
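The libgd2 entry above, and the two USN-3389 entries for the same CVE earlier on this page, all describe one mechanism: a GIF colour index is a byte, so the lookup table has 256 slots, but the file only supplies 2^(N+1) entries; any index beyond that reads whatever the stack buffer previously held. The following is an added example, not libgd's code. It parses the header and global colour table of a constructed GIF, shows the leak with a sentinel standing in for leftover stack bytes, and then shows the effect of zeroing the table (the advisory's fix) and of a stricter bounds check. LZW decoding is out of scope; the decoded pixel index stream is supplied as a constructed list.

```python
"""GIF colour-table handling with and without zero-initialisation (added example;
not libgd's code). The file format fields follow the GIF89a specification; the
index stream, the sentinel and the sample file are constructed for the example.
"""
import struct

TABLE_SLOTS = 256                   # a GIF colour index is one byte
STALE = (0xDE, 0xAD, 0xBE)          # constructed stand-in for leftover stack bytes


def crafted_gif():
    """Constructed 1x1 GIF89a with a 2-entry global colour table (red, green)."""
    header = b"GIF89a"
    # width=1, height=1, packed: GCT present (0x80), size exponent 0 -> 2 entries
    screen = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = bytes([255, 0, 0, 0, 255, 0])
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0x00)
    lzw = b"\x02\x02\x44\x01\x00"   # min code size, one 2-byte sub-block, terminator
    return header + screen + gct + image + lzw + b"\x3b"


def global_color_table(data):
    """Return (declared_entries, raw_rgb_bytes) from the logical screen descriptor."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    if not packed & 0x80:
        return 0, b""
    ncolors = 2 << (packed & 0x07)          # 2**(N+1), between 2 and 256
    raw = data[13:13 + 3 * ncolors]
    if len(raw) != 3 * ncolors:
        raise ValueError("truncated global colour table")
    return ncolors, raw


def build_table(raw, ncolors, zero_first):
    """Fill a 256-slot table; only the first ncolors slots come from the file.

    zero_first=False models the unpatched stack buffer: the remaining slots keep
    whatever they held before. zero_first=True models the memset fix.
    """
    table = [(0, 0, 0)] * TABLE_SLOTS if zero_first else [STALE] * TABLE_SLOTS
    for i in range(ncolors):
        table[i] = tuple(raw[3 * i:3 * i + 3])
    return table


def decode_pixels(table, ncolors, indices, strict=False):
    """Map pixel indices to RGB; strict mode rejects indices beyond the declared table."""
    out = []
    for idx in indices:
        if strict and idx >= ncolors:
            raise ValueError("pixel index %d exceeds %d-entry colour table" % (idx, ncolors))
        out.append(table[idx])
    return out


if __name__ == "__main__":
    n, raw = global_color_table(crafted_gif())
    stream = [0, 1, 200]   # constructed decoded index stream; 200 is out of range
    print("unzeroed:", decode_pixels(build_table(raw, n, False), n, stream))
    print("zeroed:  ", decode_pixels(build_table(raw, n, True), n, stream))
```

Zeroing removes the information leak but still silently accepts an image whose indices point past its own palette; rejecting such indices (the `strict` path) is the stronger check for code that only needs to handle well-formed files.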



DSA-3939 botan1.10 - security update

Unix Server, 12.08.2017 at 00:00 | Source: debian.org

Aleksandar Nikolic discovered that an error in the x509 parser of the Botan crypto library could result in an out-of-bounds memory read, resulting in denial of service or an information leak if processing a malformed certificate.



USN-3388-1: Subversion vulnerabilities

Unix Server, 11.08.2017 at 07:33 | Source: ubuntu.com

Ubuntu Security Notice USN-3388-1

11th August, 2017

subversion vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Subversion.

Software description

  • subversion - Advanced version control system

Details

Joern Schneeweisz discovered that Subversion did not properly handle
host names in 'svn+ssh://' URLs. A remote attacker could use this
to construct a subversion repository that when accessed could run
arbitrary code with the privileges of the user. (CVE-2017-9800)

Daniel Shahaf and James McCoy discovered that Subversion did not
properly verify realms when using Cyrus SASL authentication. A
remote attacker could use this to possibly bypass intended access
restrictions. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2016-2167)

Florian Weimer discovered that Subversion clients did not properly
restrict XML entity expansion when accessing http(s):// URLs. A remote
attacker could use this to cause a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-8734)
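For the entity-expansion issue (CVE-2016-8734), the attacker is the server: the client fetches an http(s):// URL and parses a response whose DTD declares nested entities that expand to far more than the document's size. The following is an added example, not Subversion's code. It parses with the standard library's expat binding and refuses any entity declaration before expansion can start, which is stricter than counting expansions and is adequate for WebDAV or RPC responses, which never need custom entities. The hostile and benign responses are constructed samples.

```python
"""Refuse DTD-declared entities when parsing XML received from a remote server
(added example; not Subversion's code).
"""
import xml.parsers.expat


class EntityDeclarationRejected(ValueError):
    """Raised from the entity-declaration callback, before any expansion happens."""


def parse_text_without_entities(xml_bytes):
    """Parse with expat and return the concatenated character data."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_entity_decl(name, is_parameter_entity, value, base, system_id,
                       public_id, notation_name):
        # expat calls this once per <!ENTITY ...>; raising aborts Parse() and
        # propagates the exception to the caller.
        raise EntityDeclarationRejected("entity %r declared in DTD" % name)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


# Constructed hostile response: only 100 expansions at this depth; real payloads
# nest ten levels or more and reach gigabytes from a few hundred bytes.
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed benign WebDAV-style response.
BENIGN = b"<D:multistatus xmlns:D='DAV:'><D:href>/svn/repo</D:href></D:multistatus>"


def response_is_acceptable(xml_bytes):
    """True when the response parses without declaring any entity."""
    try:
        parse_text_without_entities(xml_bytes)
        return True
    except EntityDeclarationRejected:
        return False


if __name__ == "__main__":
    print("benign:", response_is_acceptable(BENIGN))
    print("billion laughs:", response_is_acceptable(BILLION_LAUGHS))
```

Refusing declarations outright is the right default for a client that controls the protocol; a parser that must accept DTDs instead needs a cap on expanded size relative to input size, which is what the Subversion fix and libexpat's later billion-laughs protection implement.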

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
subversion 1.9.5-1ubuntu1.1
libsvn1 1.9.5-1ubuntu1.1
Ubuntu 16.04 LTS:
subversion 1.9.3-2ubuntu1.1
libapache2-svn 1.9.3-2ubuntu1.1
libapache2-mod-svn 1.9.3-2ubuntu1.1
libsvn1 1.9.3-2ubuntu1.1
Ubuntu 14.04 LTS:
subversion 1.8.8-1ubuntu3.3
libapache2-svn 1.8.8-1ubuntu3.3
libapache2-mod-svn 1.8.8-1ubuntu3.3
libsvn1 1.8.8-1ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2167, CVE-2016-8734, CVE-2017-9800



USN-3384-2: Linux kernel (HWE) vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3384-2

10th August, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu
16.04 LTS.

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.10.0-32-generic-lpae 4.10.0-32.36~16.04.1
linux-image-generic-hwe-16.04 4.10.0.32.34
linux-image-lowlatency-hwe-16.04 4.10.0.32.34
linux-image-4.10.0-32-generic 4.10.0-32.36~16.04.1
linux-image-4.10.0-32-lowlatency 4.10.0-32.36~16.04.1
linux-image-generic-lpae-hwe-16.04 4.10.0.32.34

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3386-1: Linux kernel vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3386-1

10th August, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel

Details

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-128-powerpc-smp 3.13.0-128.177
linux-image-powerpc-smp 3.13.0.128.137
linux-image-powerpc-e500mc 3.13.0.128.137
linux-image-3.13.0-128-powerpc64-emb 3.13.0-128.177
linux-image-3.13.0-128-powerpc64-smp 3.13.0-128.177
linux-image-lowlatency 3.13.0.128.137
linux-image-3.13.0-128-generic 3.13.0-128.177
linux-image-generic-lpae 3.13.0.128.137
linux-image-powerpc-e500 3.13.0.128.137
linux-image-powerpc64-smp 3.13.0.128.137
linux-image-3.13.0-128-generic-lpae 3.13.0-128.177
linux-image-generic 3.13.0.128.137
linux-image-3.13.0-128-powerpc-e500mc 3.13.0-128.177
linux-image-3.13.0-128-powerpc-e500 3.13.0-128.177
linux-image-powerpc64-emb 3.13.0.128.137
linux-image-3.13.0-128-lowlatency 3.13.0-128.177

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3385-1: Linux kernel vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3385-1

10th August, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors

Details

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.91.96
linux-image-4.4.0-91-powerpc-e500mc 4.4.0-91.114
linux-image-4.4.0-91-lowlatency 4.4.0-91.114
linux-image-4.4.0-91-powerpc-smp 4.4.0-91.114
linux-image-4.4.0-91-generic-lpae 4.4.0-91.114
linux-image-4.4.0-1026-gke 4.4.0-1026.26
linux-image-snapdragon 4.4.0.1071.63
linux-image-powerpc64-emb 4.4.0.91.96
linux-image-gke 4.4.0.1026.27
linux-image-4.4.0-1030-aws 4.4.0-1030.39
linux-image-4.4.0-91-powerpc64-emb 4.4.0-91.114
linux-image-generic 4.4.0.91.96
linux-image-4.4.0-91-generic 4.4.0-91.114
linux-image-aws 4.4.0.1030.32
linux-image-raspi2 4.4.0.1069.69
linux-image-powerpc-smp 4.4.0.91.96
linux-image-4.4.0-91-powerpc64-smp 4.4.0-91.114
linux-image-generic-lpae 4.4.0.91.96
linux-image-4.4.0-1069-raspi2 4.4.0-1069.77
linux-image-4.4.0-1071-snapdragon 4.4.0-1071.76
linux-image-powerpc64-smp 4.4.0.91.96
linux-image-lowlatency 4.4.0.91.96

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3386-2: Linux kernel (Trusty HWE) vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3386-2

10th August, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM

Details

USN-3386-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-128-generic 3.13.0-128.177~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.128.118
linux-image-generic-lts-trusty 3.13.0.128.118
linux-image-3.13.0-128-generic-lpae 3.13.0-128.177~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3385-2: Linux kernel (Xenial HWE) vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3385-2

10th August, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-4.4.0-91-powerpc-smp 4.4.0-91.114~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.91.75
linux-image-4.4.0-91-generic-lpae 4.4.0-91.114~14.04.1
linux-image-generic-lts-xenial 4.4.0.91.75
linux-image-4.4.0-91-powerpc-e500mc 4.4.0-91.114~14.04.1
linux-image-4.4.0-91-powerpc64-emb 4.4.0-91.114~14.04.1
linux-image-4.4.0-91-generic 4.4.0-91.114~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.91.75
linux-image-4.4.0-91-powerpc64-smp 4.4.0-91.114~14.04.1
linux-image-powerpc-smp-lts-xenial 4.4.0.91.75
linux-image-powerpc64-smp-lts-xenial 4.4.0.91.75
linux-image-powerpc64-emb-lts-xenial 4.4.0.91.75
linux-image-4.4.0-91-lowlatency 4.4.0-91.114~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.91.75

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3387-1: Git vulnerability

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3387-1

10th August, 2017

git vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Git could be made to run programs as your login if it opened a specially crafted git repository.

Software description

  • git - fast, scalable, distributed revision control system

Details

Brian Neel, Joern Schneeweisz, and Jeff King discovered that Git did
not properly handle host names in 'ssh://' URLs. A remote attacker
could use this to construct a git repository that when accessed could
run arbitrary code with the privileges of the user.
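The Git advisory above, the Subversion svn+ssh:// issue (CVE-2017-9800) and the CVS repository-URL issue earlier on this page share one mechanism: the host part of the URL is handed to the ssh program as a positional argument, and a host that begins with a dash, such as `-oProxyCommand=...`, is parsed by ssh as an option, so the attacker's command runs on the client when the repository is accessed. The following is an added example, not code from git, Subversion or CVS. It builds the ssh argv from a URL and rejects a host or user name that would be read as an option; `ssh_argv` and `url_is_safe` are names chosen for the example.

```python
"""Build an ssh argv from a repository URL without letting the host become an
option (added example; not git's, Subversion's or CVS's code).
"""
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when a URL component would be read by ssh as an option."""


def _reject_option_like(what, value):
    if not value:
        raise UnsafeUrl("empty %s" % what)
    if value.startswith("-"):
        raise UnsafeUrl("%s %r would be parsed as an ssh option" % (what, value))
    return value


def ssh_argv(url, remote_command):
    """Return the argv for running remote_command on the host named by url."""
    parts = urlsplit(url)
    if parts.scheme not in ("ssh", "svn+ssh"):
        raise UnsafeUrl("unsupported scheme %r" % parts.scheme)
    host = _reject_option_like("host", parts.hostname)
    try:
        port = parts.port
    except ValueError:
        raise UnsafeUrl("non-numeric port in %r" % parts.netloc)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    if parts.username is not None:
        # user@host is one argument, so a dash-prefixed user is just as dangerous.
        host = "%s@%s" % (_reject_option_like("user", parts.username), host)
    # "--" ends option parsing in OpenSSH. The dash check above stays as the
    # primary defence because the configured ssh program (GIT_SSH, svn's
    # tunnel command, CVS_RSH) need not be OpenSSH.
    argv += ["--", host, remote_command]
    return argv


def url_is_safe(url):
    """True when ssh_argv would accept the URL."""
    try:
        ssh_argv(url, "true")
        return True
    except UnsafeUrl:
        return False


if __name__ == "__main__":
    print(ssh_argv("svn+ssh://svn@example.org:2222/srv/repo", "svnserve -t"))
    print(url_is_safe("ssh://-oProxyCommand=touch%20pwned/repo.git"))
```

The check has to happen on the parsed components, not on the raw URL string: `ssh://-oProxyCommand=id@example.org/x` has a perfectly ordinary host and hides the option in the user part, which is why both are tested.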

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
git 1:2.11.0-2ubuntu0.2
Ubuntu 16.04 LTS:
git 1:2.7.4-0ubuntu1.2
Ubuntu 14.04 LTS:
git 1:1.9.1-1ubuntu0.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000117



USN-3384-1: Linux kernel vulnerabilities

Unix Server, 11.08.2017 at 04:49 | Source: ubuntu.com

Ubuntu Security Notice USN-3384-1

10th August, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Andrey Konovalov discovered a race condition in the UDP Fragmentation
Offload (UFO) code in the Linux kernel. A local attacker could use this to
cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

Andrey Konovalov discovered a race condition in AF_PACKET socket option
handling code in the Linux kernel. A local unprivileged attacker could use
this to cause a denial of service or possibly execute arbitrary code.
(CVE-2017-1000111)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
linux-image-4.10.0-32-generic-lpae 4.10.0-32.36
linux-image-generic 4.10.0.32.32
linux-image-generic-lpae 4.10.0.32.32
linux-image-4.10.0-32-generic 4.10.0-32.36
linux-image-4.10.0-1015-raspi2 4.10.0-1015.18
linux-image-4.10.0-32-lowlatency 4.10.0-32.36
linux-image-lowlatency 4.10.0.32.32
linux-image-raspi2 4.10.0.1015.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000111, CVE-2017-1000112



USN-3383-1: libsoup vulnerability

Unix Server, 10.08.2017 at 17:35 | Source: ubuntu.com

Ubuntu Security Notice USN-3383-1

10th August, 2017

libsoup2.4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Applications using libsoup could be made to crash or run programs as your login if they received specially crafted network traffic.

Software description

  • libsoup2.4 - HTTP client/server library for GNOME

Details

Aleksandar Nikolic discovered a stack based buffer overflow when
handling chunked encoding. An attacker could use this to cause a
denial of service or possibly execute arbitrary code.
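The advisory names the format (HTTP chunked transfer-coding) and the bug class (a stack buffer overflow in its handling) but not the faulty code. The following is an added example, not libsoup's code: a chunked-body decoder in which every length taken from the wire is checked before anything is copied, so an oversized chunk-size line, an over-long hex field or a body larger than the caller allows is rejected instead of overrunning a fixed-size buffer. The message samples are constructed; the limits are illustrative values, not libsoup's.

```python
"""Bounded decoder for HTTP chunked transfer-coding (added example; not libsoup's code)."""
MAX_SIZE_LINE = 64          # chunk-size plus optional ";name=value" extensions
MAX_HEX_DIGITS = 8          # up to 0xFFFFFFFF; a longer field is hostile
MAX_TRAILER_LINE = 4096     # trailer header lines after the last chunk
DEFAULT_MAX_BODY = 1 << 20  # 1 MiB of de-chunked body


class ChunkedError(ValueError):
    pass


def decode_chunked(data, max_body=DEFAULT_MAX_BODY):
    """Return the de-chunked body of a complete chunked message, or raise ChunkedError."""
    body = bytearray()
    pos = 0
    while True:
        # The CRLF must appear within MAX_SIZE_LINE bytes; search no further.
        eol = data.find(b"\r\n", pos, pos + MAX_SIZE_LINE + 2)
        if eol < 0:
            raise ChunkedError("chunk-size line missing CRLF within %d bytes" % MAX_SIZE_LINE)
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        if not size_field or len(size_field) > MAX_HEX_DIGITS:
            raise ChunkedError("bad chunk-size field %r" % size_field)
        if any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkedError("non-hex chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        if len(body) + size > max_body:
            raise ChunkedError("body exceeds %d bytes" % max_body)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated chunk or missing chunk CRLF")
        body += chunk
        pos += size + 2
    # Optional trailer fields, terminated by an empty line.
    while True:
        eol = data.find(b"\r\n", pos, pos + MAX_TRAILER_LINE + 2)
        if eol < 0:
            raise ChunkedError("unterminated trailer")
        if eol == pos:
            return bytes(body)
        pos = eol + 2


if __name__ == "__main__":
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    try:
        decode_chunked(b"A" * 200 + b"\r\n")   # constructed over-long chunk-size line
    except ChunkedError as exc:
        print("rejected:", exc)
```

The ordering matters: the size field is bounded and validated before `int()` sees it, the body cap is checked before the chunk is sliced, and the chunk's trailing CRLF is verified before the offset advances, so no wire-controlled value is ever used as a length without a prior limit.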

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libsoup2.4-1 2.56.0-2ubuntu0.1
gir1.2-soup-2.4 2.56.0-2ubuntu0.1
libsoup-gnome2.4-1 2.56.0-2ubuntu0.1
Ubuntu 16.04 LTS:
libsoup2.4-1 2.52.2-1ubuntu0.2
gir1.2-soup-2.4 2.52.2-1ubuntu0.2
libsoup-gnome2.4-1 2.52.2-1ubuntu0.2
Ubuntu 14.04 LTS:
libsoup2.4-1 2.44.2-1ubuntu2.2
gir1.2-soup-2.4 2.44.2-1ubuntu2.2
libsoup-gnome2.4-1 2.44.2-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-2885


