Unix Server

USN-2919-1: JasPer vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2919-1

3rd March, 2016

jasper vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in JasPer.

Software description

  • jasper - Library for manipulating JPEG-2000 files

Details

Jacob Baines discovered that JasPer incorrectly handled ICC color profiles
in JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to
crash or possibly execute arbitrary code with user privileges.
(CVE-2016-1577)

Tyler Hicks discovered that JasPer incorrectly handled memory when
processing JPEG-2000 image files. If a user were tricked into opening a
specially crafted JPEG-2000 image file, a remote attacker could cause
JasPer to consume memory, resulting in a denial of service.
(CVE-2016-2116)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libjasper1 1.900.1-debian1-2.4ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libjasper1 1.900.1-14ubuntu3.3
Ubuntu 12.04 LTS:
libjasper1 1.900.1-13ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1577, CVE-2016-2116



USN-2936-2: Oxygen-GTK3 update

Source: ubuntu.com

Ubuntu Security Notice USN-2936-2

2nd May, 2016

oxygen-gtk3 update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

USN-2936-1 caused Firefox to crash on startup with the Oxygen GTK theme

Software description

  • oxygen-gtk3 - Oxygen widget theme for GTK3-based applications

Details

USN-2936-1 fixed vulnerabilities in Firefox. The update caused Firefox to
crash on startup with the Oxygen GTK theme due to a pre-existing bug in
the Oxygen-GTK3 theme engine. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Christian Holler, Tyson Smith, Phil Ringalda, Gary Kwong, Jesse Ruderman,
Mats Palmgren, Carsten Book, Boris Zbarsky, David Bolter, Randell Jesup,
Andrew McCreight, and Steve Fink discovered multiple memory safety issues
in Firefox. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2804, CVE-2016-2806,
CVE-2016-2807)

An invalid write was discovered when using the JavaScript .watch() method in
some circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2808)

Looben Yang discovered a use-after-free and buffer overflow in service
workers. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2016-2811, CVE-2016-2812)

Sascha Just discovered a buffer overflow in libstagefright in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2016-2814)

Muneaki Nishimura discovered that CSP is not applied correctly to web
content sent with the multipart/x-mixed-replace MIME type. An attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks when they would otherwise be prevented. (CVE-2016-2816)

Muneaki Nishimura discovered that the chrome.tabs.update API for web
extensions allows for navigation to javascript: URLs. A malicious
extension could potentially exploit this to conduct cross-site scripting
(XSS) attacks. (CVE-2016-2817)

Mark Goodwin discovered that about:healthreport accepts certain events
from any content present in the remote-report iframe. If another
vulnerability allowed the injection of web content in the remote-report
iframe, an attacker could potentially exploit this to change the user's
sharing preferences. (CVE-2016-2820)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
gtk3-engines-oxygen 1.0.2-0ubuntu3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1575781



USN-3000-1: Linux kernel (Utopic HWE) vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-3000-1

10th June, 2016

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-utopic - Linux hardware enablement kernel from Utopic for Trusty

Details

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux
kernel incorrectly enables scatter/gather I/O. A remote attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-2117)

Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges. (CVE-2016-1583)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB
over wifi device drivers in the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2015-4004)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
MCT USB RS232 Converter device driver in the Linux kernel did not properly
validate USB device descriptors. An attacker with physical access could use
this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Cypress M8 USB device driver in the Linux kernel did not properly validate
USB device descriptors. An attacker with physical access could use this to
cause a denial of service (system crash). (CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Linux kernel's USB driver for Digi AccelePort serial converters did not
properly validate USB device descriptors. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3140)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

It was discovered that the Linux kernel's USB driver for IMS Passenger
Control Unit devices did not properly validate the device's interfaces. An
attacker with physical access could use this to cause a denial of service
(system crash). (CVE-2016-3689)

Andrey Konovalov discovered that the CDC Network Control Model USB driver
in the Linux kernel did not cancel work events queued if a later error
occurred, resulting in a use-after-free. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle
propagated mounts correctly. A local unprivileged attacker could use this
to cause a denial of service (system crash). (CVE-2016-4581)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-73-powerpc-e500mc 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-powerpc64-smp 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-generic-lpae 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-powerpc-smp 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-lowlatency 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-generic 3.16.0-73.95~14.04.1
linux-image-3.16.0-73-powerpc64-emb 3.16.0-73.95~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-4004, CVE-2016-1583, CVE-2016-2117, CVE-2016-2187, CVE-2016-3136, CVE-2016-3137, CVE-2016-3140, CVE-2016-3672, CVE-2016-3689, CVE-2016-3951, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486, CVE-2016-4581



USN-2918-1: pixman vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2918-1

3rd March, 2016

pixman vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

pixman could be made to crash or run programs as your login if it processed specially crafted data.

Software description

  • pixman - pixel-manipulation library for X and cairo

Details

Vincent LE GARREC discovered an integer underflow in pixman. If a user were
tricked into opening a specially crafted file, a remote attacker could
cause pixman to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
libpixman-1-0 0.30.2-2ubuntu1.1
Ubuntu 12.04 LTS:
libpixman-1-0 0.30.2-1ubuntu0.0.0.0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2014-9766



USN-2999-1: Linux kernel vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2999-1

10th June, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux - Linux kernel

Details

Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-88-powerpc64-emb 3.13.0-88.135
linux-image-3.13.0-88-powerpc-e500 3.13.0-88.135
linux-image-3.13.0-88-generic 3.13.0-88.135
linux-image-3.13.0-88-lowlatency 3.13.0-88.135
linux-image-3.13.0-88-powerpc64-smp 3.13.0-88.135
linux-image-3.13.0-88-powerpc-smp 3.13.0-88.135
linux-image-3.13.0-88-powerpc-e500mc 3.13.0-88.135
linux-image-3.13.0-88-generic-lpae 3.13.0-88.135

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-1583



USN-2998-1: Linux kernel (Trusty HWE) vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2998-1

10th June, 2016

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise

Details

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux
kernel incorrectly enables scatter/gather I/O. A remote attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-2117)

Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges. (CVE-2016-1583)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB
over wifi device drivers in the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2015-4004)

Andy Lutomirski discovered a race condition in the Linux kernel's
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver
in the Linux kernel did not cancel work events queued if a later error
occurred, resulting in a use-after-free. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle
propagated mounts correctly. A local unprivileged attacker could use this
to cause a denial of service (system crash). (CVE-2016-4581)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-88-generic-lpae 3.13.0-88.135~precise1
linux-image-3.13.0-88-generic 3.13.0-88.135~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-4004, CVE-2016-1583, CVE-2016-2069, CVE-2016-2117, CVE-2016-2187, CVE-2016-3672, CVE-2016-3951, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486, CVE-2016-4581



USN-2997-1: Linux kernel (OMAP4) vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2997-1

10th June, 2016

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4 - Linux kernel for OMAP4

Details

Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges. (CVE-2016-1583)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux
kernel did not properly validate USB device descriptors. An attacker with
physical access could use this to cause a denial of service (system crash).
(CVE-2016-2186)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
MCT USB RS232 Converter device driver in the Linux kernel did not properly
validate USB device descriptors. An attacker with physical access could use
this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Cypress M8 USB device driver in the Linux kernel did not properly validate
USB device descriptors. An attacker with physical access could use this to
cause a denial of service (system crash). (CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
USB abstract device control driver for modems and ISDN adapters did not
validate endpoint descriptors. An attacker with physical access could use
this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Linux kernel's USB driver for Digi AccelePort serial converters did not
properly validate USB device descriptors. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not
perform the destruction of inet device objects properly. An attacker in a
guest OS could use this to cause a denial of service (networking outage) in
the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context-
switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use
this to cause a denial of service (guest OS crash), gain privileges, or
obtain sensitive information. (CVE-2016-3157)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1482-omap4 3.2.0-1482.109

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-1583, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-2188, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140, CVE-2016-3156, CVE-2016-3157, CVE-2016-3672, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486



USN-2996-1: Linux kernel vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2996-1

9th June, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

Jann Horn discovered that eCryptfs improperly attempted to use the mmap()
handler of a lower filesystem that did not implement one, causing a
recursive page fault to occur. A local unprivileged attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code with administrative privileges. (CVE-2016-1583)

Ralf Spenneberg discovered that the USB sound subsystem in the Linux kernel
did not properly validate USB device descriptors. An attacker with physical
access could use this to cause a denial of service (system crash).
(CVE-2016-2184)

Ralf Spenneberg discovered that the ATI Wonder Remote II USB driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2185)

Ralf Spenneberg discovered that the PowerMate USB driver in the Linux
kernel did not properly validate USB device descriptors. An attacker with
physical access could use this to cause a denial of service (system crash).
(CVE-2016-2186)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Ralf Spenneberg discovered that the I/O-Warrior USB device driver in the
Linux kernel did not properly validate USB device descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2188)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
MCT USB RS232 Converter device driver in the Linux kernel did not properly
validate USB device descriptors. An attacker with physical access could use
this to cause a denial of service (system crash). (CVE-2016-3136)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Cypress M8 USB device driver in the Linux kernel did not properly validate
USB device descriptors. An attacker with physical access could use this to
cause a denial of service (system crash). (CVE-2016-3137)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
USB abstract device control driver for modems and ISDN adapters did not
validate endpoint descriptors. An attacker with physical access could use
this to cause a denial of service (system crash). (CVE-2016-3138)

Sergej Schumilo, Hendrik Schwartke, and Ralf Spenneberg discovered that the
Linux kernel's USB driver for Digi AccelePort serial converters did not
properly validate USB device descriptors. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3140)

It was discovered that the IPv4 implementation in the Linux kernel did not
perform the destruction of inet device objects properly. An attacker in a
guest OS could use this to cause a denial of service (networking outage) in
the host OS. (CVE-2016-3156)

Andy Lutomirski discovered that the Linux kernel did not properly context-
switch IOPL on 64-bit PV Xen guests. An attacker in a guest OS could use
this to cause a denial of service (guest OS crash), gain privileges, or
obtain sensitive information. (CVE-2016-3157)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-104-omap 3.2.0-104.145
linux-image-3.2.0-104-powerpc-smp 3.2.0-104.145
linux-image-3.2.0-104-generic-pae 3.2.0-104.145
linux-image-3.2.0-104-generic 3.2.0-104.145
linux-image-3.2.0-104-virtual 3.2.0-104.145
linux-image-3.2.0-104-highbank 3.2.0-104.145
linux-image-3.2.0-104-powerpc64-smp 3.2.0-104.145

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
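Every notice above ends with a "package version" list; deciding whether an installed build is at or past the fixed version requires Debian's version ordering, not a plain string compare (the `~precise1` suffix on the USN-2998-1 backports sorts *before* the bare `3.13.0-88.135`). The following is an added example, not part of any Ubuntu notice or of dpkg: it parses an update-instructions block in the notices' format and re-implements the dpkg comparison rules (epoch, upstream, revision; `~` before everything, letters before other characters, digit runs compared numerically). The sample block is copied from USN-2919-1 above; the "installed" versions are constructed.

```python
"""Check installed Ubuntu package versions against a USN's fixed versions.

Added example: re-implements the dpkg version ordering so that the
'package version' lines of a USN can be checked offline. Sample data
is constructed for illustration.
"""
import re
from typing import Dict, Tuple

# Sample input: the update-instructions block of USN-2919-1 as printed in
# the notice (release header lines end in ':', package lines follow).
USN_2919_1_UPDATES = """\
Ubuntu 15.10:
libjasper1 1.900.1-debian1-2.4ubuntu0.15.10.1
Ubuntu 14.04 LTS:
libjasper1 1.900.1-14ubuntu3.3
Ubuntu 12.04 LTS:
libjasper1 1.900.1-13ubuntu0.3
"""


def parse_usn_updates(text: str) -> Dict[str, Dict[str, str]]:
    """Return {release: {package: fixed_version}} from a USN update block."""
    fixed: Dict[str, Dict[str, str]] = {}
    release = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            release = line[:-1]
            fixed.setdefault(release, {})
            continue
        if release is None:
            raise ValueError("package line before any release header: %r" % line)
        pkg, version = line.split(None, 1)
        fixed[release][pkg] = version.strip()
    return fixed


def _char_order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string (0) < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision fragment the way dpkg does."""
    while a or b:
        # Leading non-digit runs are compared character by character,
        # with a missing character weighing 0 (so '~' loses to nothing).
        na = re.match(r"\D*", a).group(0)
        nb = re.match(r"\D*", b).group(0)
        for i in range(max(len(na), len(nb))):
            oa = _char_order(na[i]) if i < len(na) else 0
            ob = _char_order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        # Leading digit runs are compared numerically (missing run is 0).
        da = re.match(r"\d*", a).group(0)
        db = re.match(r"\d*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; only the last '-' starts the revision."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(installed: str, fixed_version: str) -> bool:
    """True when the installed version is at least the version the USN lists."""
    return compare_versions(installed, fixed_version) >= 0


if __name__ == "__main__":
    fixed = parse_usn_updates(USN_2919_1_UPDATES)
    # Constructed 'installed' versions: one release patched, one behind.
    installed = {"Ubuntu 14.04 LTS": "1.900.1-14ubuntu3.2",
                 "Ubuntu 12.04 LTS": "1.900.1-13ubuntu0.3"}
    for release, version in installed.items():
        need = fixed[release]["libjasper1"]
        state = "ok" if is_fixed(version, need) else "VULNERABLE"
        print(f"{release}: libjasper1 {version} (fixed in {need}) -> {state}")
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' libjasper1`; the comparison logic itself is what `dpkg --compare-versions` would apply.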

References

CVE-2016-1583, CVE-2016-2184, CVE-2016-2185, CVE-2016-2186, CVE-2016-2187, CVE-2016-2188, CVE-2016-3136, CVE-2016-3137, CVE-2016-3138, CVE-2016-3140, CVE-2016-3156, CVE-2016-3157, CVE-2016-3672, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486



USN-2950-4: Samba regressions

Source: ubuntu.com

Ubuntu Security Notice USN-2950-4

18th May, 2016

samba regressions

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

USN-2950-1 introduced regressions in Samba.

Software description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced
in Ubuntu 12.04 LTS caused interoperability issues. This update fixes
compatibility with certain NAS devices, and allows connecting to Samba 3.6
servers by relaxing the "client ipc signing" parameter to "auto".

We apologize for the inconvenience.

Original advisory details:

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to perform
a denial of service, downgrade secure connections by performing a man in
the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple flaws in the
NTLMSSP authentication implementation. A remote attacker could use this
issue to downgrade connections to plain text by performing a man in the
middle attack. (CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller would establish a
secure connection to a server with a spoofed computer name. A remote
attacker could use this issue to obtain sensitive information.
(CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP implementation did not
enforce integrity protection. A remote attacker could use this issue to
hijack LDAP connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS certificates.
A remote attacker could use this issue to spoof a Samba server.
(CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB signing even if
configured to. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable integrity protection
for IPC traffic. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and
MS-LSAD protocols. A remote attacker could use this flaw with a man in the
middle attack to impersonate users and obtain sensitive information from
the Security Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10.
Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes. Configuration changes may
be required in certain environments.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
samba 2:3.6.25-0ubuntu0.12.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1574403, LP: 1576109


USN-2864-1: NSS vulnerability

Ubuntu Security Notice USN-2864-1

7th January, 2016

nss vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSS could be made to expose sensitive information over the network.

Software description

  • nss - Network Security Service library

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that NSS incorrectly
allowed MD5 to be used for TLS 1.2 connections. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libnss3 2:3.19.2.1-0ubuntu0.15.10.2
Ubuntu 15.04:
libnss3 2:3.19.2.1-0ubuntu0.15.04.2
Ubuntu 14.04 LTS:
libnss3 2:3.19.2.1-0ubuntu0.14.04.2
Ubuntu 12.04 LTS:
libnss3 3.19.2.1-0ubuntu0.12.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.

References

CVE-2015-7575


USN-2863-1: OpenSSL vulnerability

Ubuntu Security Notice USN-2863-1

7th January, 2016

openssl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

OpenSSL could be made to expose sensitive information over the network.

Software description

  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

Karthikeyan Bhargavan and Gaetan Leurent discovered that OpenSSL
incorrectly allowed MD5 to be used for TLS 1.2 connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to view sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2015-7575


USN-2862-1: Pygments vulnerability

Ubuntu Security Notice USN-2862-1

7th January, 2016

pygments vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Pygments could be made to crash or run programs if it processed a specially crafted font request.

Software description

  • pygments - syntax highlighting package written in Python

Details

It was discovered that Pygments incorrectly sanitized strings used to
search system fonts. An attacker could possibly use this issue to execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
python3-pygments 2.0.1+dfsg-1.1svn1.1
python-pygments 2.0.1+dfsg-1.1svn1.1
Ubuntu 15.04:
python3-pygments 2.0.1+dfsg-1svn1.1
python-pygments 2.0.1+dfsg-1svn1.1
Ubuntu 14.04 LTS:
python3-pygments 1.6+dfsg-1ubuntu1.1
python-pygments 1.6+dfsg-1ubuntu1.1
Ubuntu 12.04 LTS:
python3-pygments 1.4+dfsg-2ubuntu0.1
python-pygments 1.4+dfsg-2ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8557


USN-2992-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2992-1

6th June, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt - Web browser engine for Qt (QML plugin)

Details

An unspecified security issue was discovered in Blink. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to bypass same-origin restrictions.
(CVE-2016-1673)

An issue was discovered with Document reattachment in Blink in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to bypass same-origin
restrictions. (CVE-2016-1675)

A type confusion bug was discovered in V8. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to obtain sensitive information. (CVE-2016-1677)

A heap overflow was discovered in V8. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service (application crash) or execute arbitrary code.
(CVE-2016-1678)

A use-after-free was discovered in the V8ValueConverter implementation in
Chromium in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service (application crash) or execute arbitrary code.
(CVE-2016-1679)

A use-after-free was discovered in Skia. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service (application crash) or execute arbitrary
code. (CVE-2016-1680)

A security issue was discovered in ServiceWorker registration in Blink in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to bypass
Content Security Policy (CSP) protections. (CVE-2016-1682)

An out-of-bounds memory access was discovered in libxslt. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service (application crash)
or execute arbitrary code. (CVE-2016-1683)

An integer overflow was discovered in libxslt. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service (application crash or resource
consumption). (CVE-2016-1684)

An out-of-bounds read was discovered in the regular expression
implementation in V8. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service (application crash). (CVE-2016-1688)

A heap overflow was discovered in Chromium. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service (application crash) or execute arbitrary
code. (CVE-2016-1689)

A heap overflow was discovered in Skia. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service (application crash) or execute arbitrary
code. (CVE-2016-1691)

It was discovered that Blink permits cross-origin loading of stylesheets
by a service worker even when the stylesheet download has an incorrect
MIME type. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to bypass same-origin
restrictions. (CVE-2016-1692)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service (application crash) or execute arbitrary code. (CVE-2016-1695,
CVE-2016-1703)

It was discovered that Blink does not prevent frame navigation during
DocumentLoader detach operations. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
bypass same-origin restrictions. (CVE-2016-1697)

A parameter sanitization bug was discovered in the devtools subsystem in
Blink. An attacker could potentially exploit this to bypass intended
access restrictions. (CVE-2016-1699)

An out-of-bounds read was discovered in Skia. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service (application crash).
(CVE-2016-1702)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
liboxideqtcore0 1.15.7-0ubuntu0.16.04.1
Ubuntu 15.10:
liboxideqtcore0 1.15.7-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
liboxideqtcore0 1.15.7-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1673, CVE-2016-1675, CVE-2016-1677, CVE-2016-1678, CVE-2016-1679, CVE-2016-1680, CVE-2016-1682, CVE-2016-1683, CVE-2016-1684, CVE-2016-1688, CVE-2016-1689, CVE-2016-1691, CVE-2016-1692, CVE-2016-1695, CVE-2016-1697, CVE-2016-1699, CVE-2016-1702, CVE-2016-1703


USN-2861-1: libpng vulnerabilities

Ubuntu Security Notice USN-2861-1

6th January, 2016

libpng vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libpng could be made to crash or run programs as your login if it opened a specially crafted file.

Software description

  • libpng - PNG (Portable Network Graphics) file library

Details

It was discovered that libpng incorrectly handled certain small bit-depth
values. If a user or automated system using libpng were tricked into
opening a specially crafted image, an attacker could exploit this to cause
a denial of service or execute code with the privileges of the user
invoking the program. (CVE-2015-8472)

Qixue Xiao and Chen Yu discovered that libpng incorrectly handled certain
malformed images. If a user or automated system using libpng were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service. (CVE-2015-8540)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libpng12-0 1.2.51-0ubuntu3.15.10.2
Ubuntu 15.04:
libpng12-0 1.2.51-0ubuntu3.15.04.2
Ubuntu 14.04 LTS:
libpng12-0 1.2.50-1ubuntu2.14.04.2
Ubuntu 12.04 LTS:
libpng12-0 1.2.46-3ubuntu4.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2015-8472, CVE-2015-8540


USN-2974-1: QEMU vulnerabilities

Ubuntu Security Notice USN-2974-1

12th May, 2016

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu - Machine emulator and virtualizer
  • qemu-kvm - Machine emulator and virtualizer

Details

Zuozhi Fzz discovered that QEMU incorrectly handled USB OHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2391)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2392)

Qinghao Tang discovered that QEMU incorrectly handled USB Net emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly leak
host memory bytes. (CVE-2016-2538)

Hongke Yang discovered that QEMU incorrectly handled NE2000 emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-2841)

Ling Liu discovered that QEMU incorrectly handled IP checksum routines. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly leak host memory bytes.
(CVE-2016-2857)

It was discovered that QEMU incorrectly handled the PRNG back-end support.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-2858)

Wei Xiao and Qinghao Tang discovered that QEMU incorrectly handled access
in the VGA module. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-3710)

Zuozhi Fzz discovered that QEMU incorrectly handled access in the VGA
module. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-3712)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled Luminary
Micro Stellaris ethernet controller emulation. A remote attacker could use
this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-4001)

Oleksandr Bazhaniuk discovered that QEMU incorrectly handled MIPSnet
controller emulation. A remote attacker could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-4002)

Donghai Zdh discovered that QEMU incorrectly handled the Task Priority
Register (TPR). A privileged attacker inside the guest could use this issue
to possibly leak host memory bytes. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2016-4020)

Du Shaobo discovered that QEMU incorrectly handled USB EHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-4037)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
qemu-system-misc 1:2.5+dfsg-5ubuntu10.1
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.1
qemu-system 1:2.5+dfsg-5ubuntu10.1
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.1
qemu-system-x86 1:2.5+dfsg-5ubuntu10.1
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.1
qemu-system-arm 1:2.5+dfsg-5ubuntu10.1
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.1
qemu-system-mips 1:2.5+dfsg-5ubuntu10.1
Ubuntu 15.10:
qemu-system-misc 1:2.3+dfsg-5ubuntu9.4
qemu-system 1:2.3+dfsg-5ubuntu9.4
qemu-system-aarch64 1:2.3+dfsg-5ubuntu9.4
qemu-system-x86 1:2.3+dfsg-5ubuntu9.4
qemu-system-sparc 1:2.3+dfsg-5ubuntu9.4
qemu-system-arm 1:2.3+dfsg-5ubuntu9.4
qemu-system-ppc 1:2.3+dfsg-5ubuntu9.4
qemu-system-mips 1:2.3+dfsg-5ubuntu9.4
Ubuntu 14.04 LTS:
qemu-system-misc 2.0.0+dfsg-2ubuntu1.24
qemu-system 2.0.0+dfsg-2ubuntu1.24
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.24
qemu-system-x86 2.0.0+dfsg-2ubuntu1.24
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.24
qemu-system-arm 2.0.0+dfsg-2ubuntu1.24
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.24
qemu-system-mips 2.0.0+dfsg-2ubuntu1.24
Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.28

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
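Added example, not part of the notices or of Ubuntu's own tooling: a Python check that reads a package table in the format the notices print above and compares each installed package against the required version using the Debian ordering that dpkg --compare-versions applies. The embedded table is a trimmed copy of the USN-2974-1 list above and the host state is constructed; on a real host the installed versions would come from `dpkg-query -W -f='${Package} ${Version}\n'`.

```python
"""Check installed package versions against a USN 'Update instructions' table.
Reimplements the Debian version ordering behind dpkg --compare-versions
(epoch, upstream, revision; '~' sorts before everything) so it runs anywhere."""

DIGITS = "0123456789"

def _order(c):
    """Sort weight of one non-digit character in dpkg's ordering."""
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before everything, even the end of the string
    return ord(c) + 256     # other punctuation sorts after letters

def _verrevcmp(a, b):
    """Three-way compare of two version fragments, following dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare by sort weight; a digit or end of string weighs 0.
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) and a[i] not in DIGITS else 0
            bc = _order(b[j]) if j < len(b) and b[j] not in DIGITS else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer number wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    head, sep, rest = v.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian version order."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def parse_update_table(text):
    """Parse the 'Ubuntu 16.04 LTS:' / 'package version' block into {release: {package: version}}."""
    table, release = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            release = line[:-1]
            table.setdefault(release, {})
        elif release is None:
            raise ValueError("package line before any release header: %r" % line)
        else:
            pkg, _, ver = line.partition(" ")
            table[release][pkg] = ver
    return table

def check_release(table, release, installed):
    """Return [(package, installed, required, status)] for listed packages that are
    installed; a binary package the host does not have cannot be vulnerable."""
    rows = []
    for pkg, required in table.get(release, {}).items():
        have = installed.get(pkg)
        if have is not None:
            status = "ok" if compare_versions(have, required) >= 0 else "VULNERABLE"
            rows.append((pkg, have, required, status))
    return rows

# Constructed sample input: part of the USN-2974-1 table above, exactly as printed.
USN_2974_1_TABLE = """\
Ubuntu 16.04 LTS:
qemu-system-x86 1:2.5+dfsg-5ubuntu10.1
qemu-system-arm 1:2.5+dfsg-5ubuntu10.1
"""

# Constructed sample host state: one package is still at the previous revision.
SAMPLE_INSTALLED = {
    "qemu-system-x86": "1:2.5+dfsg-5ubuntu10",
    "qemu-system-arm": "1:2.5+dfsg-5ubuntu10.1",
}

if __name__ == "__main__":
    for row in check_release(parse_update_table(USN_2974_1_TABLE), "Ubuntu 16.04 LTS", SAMPLE_INSTALLED):
        print("%-16s installed %-24s required %-24s %s" % row)
```

The '~' rule matters for the HWE kernels listed elsewhere on this page: 4.4.0-22.40~14.04.1 sorts below 4.4.0-22.40, so each host must be checked against the table for its own release rather than the Ubuntu 16.04 LTS one.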

References

CVE-2016-2391, CVE-2016-2392, CVE-2016-2538, CVE-2016-2841, CVE-2016-2857, CVE-2016-2858, CVE-2016-3710, CVE-2016-3712, CVE-2016-4001, CVE-2016-4002, CVE-2016-4020, CVE-2016-4037


USN-2979-4: Linux kernel (Qualcomm Snapdragon) vulnerability

Ubuntu Security Notice USN-2979-4

16th May, 2016

linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-snapdragon - Linux kernel for Snapdragon Processors

Details

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1013-snapdragon 4.4.0-1013.15

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758


USN-2979-3: Linux kernel (Raspberry Pi 2) vulnerability

Ubuntu Security Notice USN-2979-3

16th May, 2016

linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1010-raspi2 4.4.0-1010.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758


USN-2979-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu Security Notice USN-2979-2

16th May, 2016

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-2979-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

David Matlack discovered that the Kernel-based Virtual Machine (KVM)
implementation in the Linux kernel did not properly restrict variable
Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a
guest VM could use this to cause a denial of service (system crash) in the
host, expose sensitive information from the host, or possibly gain
administrative privileges in the host. (CVE-2016-3713)

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-0758)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-4.4.0-22-powerpc-e500mc 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-powerpc64-smp 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-generic-lpae 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-lowlatency 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-powerpc-smp 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-powerpc64-emb 4.4.0-22.40~14.04.1
linux-image-4.4.0-22-generic 4.4.0-22.40~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-xenial, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758, CVE-2016-3713


USN-2979-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2979-1

16th May, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

David Matlack discovered that the Kernel-based Virtual Machine (KVM)
implementation in the Linux kernel did not properly restrict variable
Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a
guest VM could use this to cause a denial of service (system crash) in the
host, expose sensitive information from the host, or possibly gain
administrative privileges in the host. (CVE-2016-3713)

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-0758)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-22-powerpc-e500mc 4.4.0-22.40
linux-image-4.4.0-22-powerpc64-smp 4.4.0-22.40
linux-image-4.4.0-22-generic-lpae 4.4.0-22.40
linux-image-4.4.0-22-lowlatency 4.4.0-22.40
linux-image-4.4.0-22-powerpc-smp 4.4.0-22.40
linux-image-4.4.0-22-generic 4.4.0-22.40
linux-image-4.4.0-22-powerpc64-emb 4.4.0-22.40

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758, CVE-2016-3713


USN-2978-3: Linux kernel (Raspberry Pi 2) vulnerability

Ubuntu Security Notice USN-2978-3

16th May, 2016

linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
linux-image-4.2.0-1029-raspi2 4.2.0-1029.38

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758


USN-2978-2: Linux kernel (Wily HWE) vulnerabilities

Ubuntu Security Notice USN-2978-2

16th May, 2016

linux-lts-wily vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-wily - Linux hardware enablement kernel from Wily for Trusty

Details

USN-2978-1 fixed vulnerabilities in the Linux kernel for Ubuntu 15.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 15.10 for Ubuntu 14.04 LTS.

David Matlack discovered that the Kernel-based Virtual Machine (KVM)
implementation in the Linux kernel did not properly restrict variable
Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a
guest VM could use this to cause a denial of service (system crash) in the
host, expose sensitive information from the host, or possibly gain
administrative privileges in the host. (CVE-2016-3713)

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-0758)
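The ASN.1 DER paragraph above appears in several of the kernel notices on this page (USN-2979-x and USN-2978-x). As an added example, not code from the Linux kernel or from Ubuntu, here is a strict DER tag/length reader in Python that shows what "properly processing" that length field means: it refuses the indefinite-length form, non-minimal long-form lengths and lengths that overrun their container, and walks nested elements. The sample encodings are constructed, not taken from any real certificate.

```python
"""Strict DER tag/length reader that refuses the indefinite-length form.

DER (X.690, section 10) requires the definite, minimal length encoding. BER's
indefinite form, a length octet of 0x80 followed by contents ended by two zero
octets, is forbidden, and a decoder that accepts it in DER input has to scan
for a terminator instead of trusting a bounded length. This reader rejects that
form, non-minimal long-form lengths and lengths that overrun their container.
"""

class DERError(ValueError):
    pass

def read_tag(buf, pos):
    """Return (tag_number, constructed, tag_class, new_pos); handles the high-tag-number form."""
    if pos >= len(buf):
        raise DERError("truncated tag at offset %d" % pos)
    first = buf[pos]
    pos += 1
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:                      # high-tag-number form: base-128 continuation octets
        number = 0
        while True:
            if pos >= len(buf):
                raise DERError("truncated high tag number at offset %d" % pos)
            octet = buf[pos]
            pos += 1
            number = (number << 7) | (octet & 0x7F)
            if not octet & 0x80:
                break
    return number, constructed, tag_class, pos

def read_length(buf, pos):
    """Return (length, new_pos), accepting only the encodings DER permits."""
    if pos >= len(buf):
        raise DERError("truncated length at offset %d" % pos)
    first = buf[pos]
    pos += 1
    if first < 0x80:                        # short form: one octet, 0..127
        return first, pos
    if first == 0x80:
        raise DERError("indefinite length at offset %d is not allowed in DER" % (pos - 1))
    if first == 0xFF:
        raise DERError("reserved length octet 0xFF at offset %d" % (pos - 1))
    n = first & 0x7F                        # long form: n length octets follow
    if pos + n > len(buf):
        raise DERError("truncated long-form length at offset %d" % pos)
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:      # DER: fewest octets, short form whenever it fits
        raise DERError("non-minimal length encoding at offset %d" % (pos - 1))
    return length, pos + n

def walk(buf, pos=0, end=None, depth=0):
    """Yield (depth, tag_number, constructed, contents) for each element, descending into constructed ones."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, constructed, _cls, pos = read_tag(buf, pos)
        length, pos = read_length(buf, pos)
        if pos + length > end:
            raise DERError("element at offset %d claims %d bytes but only %d remain" % (pos, length, end - pos))
        contents = buf[pos:pos + length]
        yield depth, tag, constructed, contents
        if constructed:
            yield from walk(buf, pos, pos + length, depth + 1)
        pos += length

def validate(buf):
    """Return (True, element_count) for well-formed DER, else (False, reason)."""
    try:
        return True, sum(1 for _ in walk(buf))
    except DERError as err:
        return False, str(err)

# Constructed samples (not from any real certificate):
GOOD = bytes.fromhex("3007 020105 04026162")      # SEQUENCE { INTEGER 5, OCTET STRING "ab" }
INDEFINITE = bytes.fromhex("3080 020105 0000")    # BER indefinite-length SEQUENCE, rejected by DER
NON_MINIMAL = bytes.fromhex("308105 020105")      # length 5 written in long form, rejected by DER
OVERRUN = bytes.fromhex("3005 020105")            # SEQUENCE claims 5 bytes, only 3 present

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("INDEFINITE", INDEFINITE),
                         ("NON_MINIMAL", NON_MINIMAL), ("OVERRUN", OVERRUN)]:
        print(name, validate(sample))
```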

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-4.2.0-36-generic 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-powerpc64-smp 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-powerpc64-emb 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-powerpc-smp 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-powerpc-e500mc 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-lowlatency 4.2.0-36.42~14.04.1
linux-image-4.2.0-36-generic-lpae 4.2.0-36.42~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-wily, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758, CVE-2016-3713


USN-2898-2: Eye of GNOME vulnerability

Ubuntu Security Notice USN-2898-2

15th February, 2016

eog vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Eye of GNOME could be made to crash or run programs as your login if it opened a specially crafted image.

Software description

  • eog - Eye of GNOME graphics viewer program

Details

It was discovered that Eye of GNOME incorrectly handled certain large
images. If a user were tricked into opening a specially-crafted image, a
remote attacker could use this issue to cause Eye of GNOME to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
eog 3.16.3-1ubuntu2.1
Ubuntu 14.04 LTS:
eog 3.10.2-0ubuntu5.1
Ubuntu 12.04 LTS:
eog 3.4.2-0ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7447



USN-2915-1: Django vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2915-1

1st March, 2016

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Django.

Software description

  • python-django - High-level Python web development framework

Details

Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)

Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
python3-django 1.7.9-1ubuntu5.2
python-django 1.7.9-1ubuntu5.2
Ubuntu 14.04 LTS:
python-django 1.6.1-2ubuntu0.12
Ubuntu 12.04 LTS:
python-django 1.3.1-4ubuntu1.20

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2512, CVE-2016-2513



USN-2978-1: Linux kernel vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2978-1

16th May, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux - Linux kernel

Details

David Matlack discovered that the Kernel-based Virtual Machine (KVM)
implementation in the Linux kernel did not properly restrict variable
Memory Type Range Registers (MTRR) in KVM guests. A privileged user in a
guest VM could use this to cause a denial of service (system crash) in the
host, expose sensitive information from the host, or possibly gain
administrative privileges in the host. (CVE-2016-3713)

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-0758)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
linux-image-4.2.0-36-generic-lpae 4.2.0-36.42
linux-image-4.2.0-36-powerpc64-smp 4.2.0-36.42
linux-image-4.2.0-36-powerpc64-emb 4.2.0-36.42
linux-image-4.2.0-36-powerpc-smp 4.2.0-36.42
linux-image-4.2.0-36-powerpc-e500mc 4.2.0-36.42
linux-image-4.2.0-36-lowlatency 4.2.0-36.42
linux-image-4.2.0-36-generic 4.2.0-36.42

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758, CVE-2016-3713



USN-2990-1: ImageMagick vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2990-1

2nd June, 2016

imagemagick vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ImageMagick.

Software description

  • imagemagick - Image manipulation programs and library

Details

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly
sanitized untrusted input. A remote attacker could use these issues to
execute arbitrary code. These issues are known as "ImageTragick". This
update disables problematic coders via the /etc/ImageMagick-6/policy.xml
configuration file. In certain environments the coders may need to be
manually re-enabled after making sure that ImageMagick does not process
untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716,
CVE-2016-3717, CVE-2016-3718)

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via
an image file or filename. A remote attacker could use this issue to
execute arbitrary code. (CVE-2016-5118)
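The policy.xml mitigation the advisory refers to, shown here as an added illustration rather than the file Ubuntu shipped: the widely published ImageTragick workaround denies the coders that fetch URLs or hand data to external delegates, so the library refuses those formats no matter what a file's contents or magic bytes claim. The pattern list below is an assumption taken from that public guidance; the package's actual policy.xml may differ.

```xml
<!-- Excerpt for /etc/ImageMagick-6/policy.xml (added example; the coder
     list follows the public ImageTragick mitigation and is assumed,
     not copied from Ubuntu's package) -->
<policymap>
  <!-- coders that open remote resources or spawn delegates: deny outright -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <!-- these also reach delegate programs and are denied in the same way -->
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

After editing, `convert -list policy` prints the policy ImageMagick actually loaded, which is the check to run before deciding whether a coder a workflow needs can be re-enabled for trusted input only.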

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.1
imagemagick-common 8:6.8.9.9-7ubuntu5.1
imagemagick 8:6.8.9.9-7ubuntu5.1
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.1
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.1
Ubuntu 15.10:
libmagick++-6.q16-5v5 8:6.8.9.9-5ubuntu2.1
imagemagick-common 8:6.8.9.9-5ubuntu2.1
imagemagick 8:6.8.9.9-5ubuntu2.1
imagemagick-6.q16 8:6.8.9.9-5ubuntu2.1
libmagickcore-6.q16-2 8:6.8.9.9-5ubuntu2.1
Ubuntu 14.04 LTS:
libmagick++5 8:6.7.7.10-6ubuntu3.1
imagemagick-common 8:6.7.7.10-6ubuntu3.1
libmagickcore5 8:6.7.7.10-6ubuntu3.1
imagemagick 8:6.7.7.10-6ubuntu3.1
Ubuntu 12.04 LTS:
imagemagick-common 8:6.6.9.7-5ubuntu3.4
libmagickcore4 8:6.6.9.7-5ubuntu3.4
imagemagick 8:6.6.9.7-5ubuntu3.4
libmagick++4 8:6.6.9.7-5ubuntu3.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718, CVE-2016-5118



USN-2898-1: GTK+ vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2898-1

15th February, 2016

gtk+2.0, gtk+3.0 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

GTK+ could be made to crash or run programs as your login if it processed a specially crafted image.

Software description

  • gtk+2.0 - GTK+ graphical user interface library
  • gtk+3.0 - GTK+ graphical user interface library

Details

It was discovered that GTK+ incorrectly handled certain large images. A
remote attacker could use this issue to cause GTK+ applications to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libgtk2.0-0 2.24.28-1ubuntu1.1
Ubuntu 14.04 LTS:
libgtk2.0-0 2.24.23-0ubuntu1.4
Ubuntu 12.04 LTS:
libgtk2.0-0 2.24.10-0ubuntu6.3
libgtk-3-0 3.4.2-0ubuntu0.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2013-7447



USN-2977-1: Linux kernel (Vivid HWE) vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2977-1

16th May, 2016

linux-lts-vivid vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-lts-vivid - Linux hardware enablement kernel from Vivid for Trusty

Details

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-59-powerpc64-smp 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-lowlatency 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-powerpc64-emb 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-powerpc-smp 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-powerpc-e500mc 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-generic-lpae 3.19.0-59.66~14.04.1
linux-image-3.19.0-59-generic 3.19.0-59.66~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-vivid, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758



USN-2897-1: Nettle vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2897-1

15th February, 2016

nettle vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Nettle.

Software description

  • nettle - low level cryptographic library (public-key cryptos)

Details

Hanno Böck discovered that Nettle incorrectly handled carry propagation in
the NIST P-256 elliptic curve. (CVE-2015-8803)

Hanno Böck discovered that Nettle incorrectly handled carry propagation in
the NIST P-384 elliptic curve. (CVE-2015-8804)

Niels Moeller discovered that Nettle incorrectly handled carry propagation
in the NIST P-256 elliptic curve. (CVE-2015-8805)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libnettle6 3.1.1-4ubuntu0.1
Ubuntu 14.04 LTS:
libnettle4 2.7.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8803, CVE-2015-8804, CVE-2015-8805



USN-2976-1: Linux kernel (Utopic HWE) vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2976-1

16th May, 2016

linux-lts-utopic vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-lts-utopic - Linux hardware enablement kernel from Utopic for Trusty

Details

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.16.0-71-powerpc-smp 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-generic-lpae 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-powerpc-e500mc 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-lowlatency 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-powerpc64-emb 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-powerpc64-smp 3.16.0-71.92~14.04.1
linux-image-3.16.0-71-generic 3.16.0-71.92~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758



USN-2896-1: Libgcrypt vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2896-1

15th February, 2016

libgcrypt11, libgcrypt20 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Libgcrypt could be made to expose sensitive information.

Software description

  • libgcrypt11 - LGPL Crypto library
  • libgcrypt20 - LGPL Crypto library

Details

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered
that Libgcrypt was susceptible to an attack via physical side channels. A
local attacker could use this attack to possibly recover private keys.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
libgcrypt20 1.6.3-2ubuntu1.1
Ubuntu 14.04 LTS:
libgcrypt11 1.5.3-2ubuntu4.3
Ubuntu 12.04 LTS:
libgcrypt11 1.5.0-3ubuntu0.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-7511



USN-2913-3: OpenSSL update

Source: ubuntu.com

Ubuntu Security Notice USN-2913-3

24th February, 2016

openssl update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Updated OpenSSL packages are required for the USN-2913-1 update.

Software description

  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates
package. This update adds support for alternate certificate chains to the
OpenSSL package to properly handle the removal.

Original advisory details:

The ca-certificates package contained outdated CA certificates. This update
refreshes the included certificates to those contained in the 20160104
package, including the removal of the SPI CA and CA certificates with
1024-bit RSA keys.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.17
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.34

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1528645



USN-2975-2: Linux kernel (Trusty HWE) vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2975-2

16th May, 2016

linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise

Details

USN-2975-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Philip Pettersson discovered that the Linux kernel's ASN.1 DER decoder did
not properly process certificate files with tags of indefinite length. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-86-generic 3.13.0-86.131~precise1
linux-image-3.13.0-86-generic-lpae 3.13.0-86.131~precise1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-trusty, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0758



USN-2871-2: Linux kernel (Vivid HWE) vulnerability

Source: ubuntu.com

Ubuntu Security Notice USN-2871-2

19th January, 2016

linux-lts-vivid vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software description

  • linux-lts-vivid - Linux hardware enablement kernel from Vivid

Details

Yevgeny Pats discovered that the session keyring implementation in the
Linux kernel did not properly reference count when joining an existing
session keyring. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code with
administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-47-powerpc-e500mc 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-powerpc64-emb 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-powerpc-smp 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-powerpc64-smp 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-lowlatency 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-generic 3.19.0-47.53~14.04.1
linux-image-3.19.0-47-generic-lpae 3.19.0-47.53~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-0728



USN-2913-2: glib-networking update

Source: ubuntu.com

Ubuntu Security Notice USN-2913-2

24th February, 2016

glib-networking update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Updated glib-networking packages are required for the USN-2913-1 update.

Software description

  • glib-networking - network-related giomodules for GLib

Details

USN-2913-1 removed 1024-bit RSA CA certificates from the ca-certificates
package. This update adds support for alternate certificate chains to the
glib-networking package to properly handle the removal.

Original advisory details:

The ca-certificates package contained outdated CA certificates. This update
refreshes the included certificates to those contained in the 20160104
package, including the removal of the SPI CA and CA certificates with
1024-bit RSA keys.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
glib-networking 2.46.0-1ubuntu0.1
Ubuntu 14.04 LTS:
glib-networking 2.40.0-1ubuntu0.1
Ubuntu 12.04 LTS:
glib-networking 2.32.1-1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1528645



USN-2933-1: Exim vulnerabilities

Source: ubuntu.com

Ubuntu Security Notice USN-2933-1

15th March, 2016

exim4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Exim.

Software description

  • exim4 - Exim is a mail transport agent

Details

It was discovered that Exim incorrectly filtered environment variables when
used with the perl_startup configuration option. If the perl_startup option
was enabled, a local attacker could use this issue to escalate their
privileges to the root user. This issue has been fixed by having Exim clean
the complete execution environment by default on startup, including any
subprocesses such as transports that call other programs. This change in
behaviour may break existing installations and can be adjusted by using two
new configuration options, keep_environment and add_environment.
(CVE-2016-1531)

Patrick William discovered that Exim incorrectly expanded mathematical
comparisons twice. A local attacker could possibly use this issue to
perform arbitrary file operations as the Exim user. This issue only
affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2972)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10:
exim4-daemon-heavy 4.86-3ubuntu1.1
exim4-daemon-light 4.86-3ubuntu1.1
Ubuntu 14.04 LTS:
exim4-daemon-heavy 4.82-3ubuntu2.1
exim4-daemon-custom 4.82-3ubuntu2.1
exim4-daemon-light 4.82-3ubuntu2.1
Ubuntu 12.04 LTS:
exim4-daemon-heavy 4.76-3ubuntu3.3
exim4-daemon-custom 4.76-3ubuntu3.3
exim4-daemon-light 4.76-3ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update introduces environment filtering, which may break certain
existing installations. After performing a standard system update, the new
keep_environment and add_environment configuration options can be used
to adjust the new behaviour.

References

CVE-2014-2972, CVE-2016-1531


