UbuntuSecurity

USN-4069-1: Linux kernel vulnerabilities

5 hours 25 min ago
linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487)

Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
linux-image-5.0.0-1011-aws - 5.0.0-1011.12
linux-image-5.0.0-1011-gcp - 5.0.0-1011.11
linux-image-5.0.0-1011-kvm - 5.0.0-1011.12
linux-image-5.0.0-1012-azure - 5.0.0-1012.12
linux-image-5.0.0-1013-raspi2 - 5.0.0-1013.13
linux-image-5.0.0-1017-snapdragon - 5.0.0-1017.18
linux-image-5.0.0-21-generic - 5.0.0-21.22
linux-image-5.0.0-21-generic-lpae - 5.0.0-21.22
linux-image-5.0.0-21-lowlatency - 5.0.0-21.22
linux-image-aws - 5.0.0.1011.11
linux-image-azure - 5.0.0.1012.11
linux-image-gcp - 5.0.0.1011.11
linux-image-generic - 5.0.0.21.22
linux-image-generic-lpae - 5.0.0.21.22
linux-image-gke - 5.0.0.1011.11
linux-image-kvm - 5.0.0.1011.11
linux-image-lowlatency - 5.0.0.21.22
linux-image-raspi2 - 5.0.0.1013.10
linux-image-snapdragon - 5.0.0.1017.10
linux-image-virtual - 5.0.0.21.22

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.
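The check a practitioner wants for this and every other advisory on the page is the same: compare each installed package version with the fixed version the notice lists, using Debian's version ordering (epoch, then upstream, then revision, with `~` sorting before everything else), and confirm the running kernel is actually one of the fixed images rather than an older ABI still waiting for the reboot the note above asks for. The script below is an added example, not Ubuntu's tooling. The package names and fixed versions are copied from the USN-4069-1 list above; the `dpkg-query` output is a constructed sample for a hypothetical host; and `split_version`, `compare_versions`, `parse_dpkg_output`, `unfixed_packages` and `running_kernel_is_fixed` are this example's own helpers. On a real host, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n'` and of `uname -r`.

```python
"""Added example (not part of the Ubuntu notice): check installed package
versions against the fixed versions a USN lists, using Debian's version
ordering (epoch, upstream, revision; '~' sorts before everything)."""
import re

# Fixed versions taken from the USN-4069-1 Ubuntu 19.04 list above.
FIXED_VERSIONS = {
    "linux-image-5.0.0-21-generic": "5.0.0-21.22",
    "linux-image-generic": "5.0.0.21.22",
    "linux-image-5.0.0-1011-aws": "5.0.0-1011.12",
}

# Constructed stand-in for `dpkg-query -W -f='${Package} ${Version}\n'`
# output on a hypothetical host; not output from any real machine.
SAMPLE_DPKG_OUTPUT = """\
linux-image-5.0.0-20-generic 5.0.0-20.21
linux-image-5.0.0-21-generic 5.0.0-21.22
linux-image-generic 5.0.0.20.21
"""


def _char_order(c):
    """Debian ordering for non-digit characters: '~' < end < letters < rest."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_part(a, b):
    """Compare an upstream or revision string per Debian policy 5.6.12."""
    while a or b:
        # Alternate: a run of non-digits compared character by character ...
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            ca = sa[i] if i < len(sa) else ""
            cb = sb[i] if i < len(sb) else ""
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        # ... then a run of digits compared numerically (so 4.10 > 4.6).
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_part(ua, ub) or _compare_part(ra, rb)


def parse_dpkg_output(text):
    """Map package name -> installed version from dpkg-query style lines."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def unfixed_packages(installed, fixed):
    """Installed packages still below the advisory's fixed version."""
    return {
        pkg: (installed[pkg], ver)
        for pkg, ver in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], ver) < 0
    }


def running_kernel_is_fixed(uname_r, installed, fixed):
    """True if the kernel named by `uname -r` is an installed, fixed image.
    A fully updated host still runs the old ABI until it reboots."""
    pkg = "linux-image-" + uname_r
    return bool(pkg in fixed and pkg in installed
                and compare_versions(installed[pkg], fixed[pkg]) >= 0)


if __name__ == "__main__":
    inst = parse_dpkg_output(SAMPLE_DPKG_OUTPUT)
    for pkg, (have, need) in unfixed_packages(inst, FIXED_VERSIONS).items():
        print(f"{pkg}: installed {have}, fixed in {need}")
    print("running kernel fixed:",
          running_kernel_is_fixed("5.0.0-20-generic", inst, FIXED_VERSIONS))
```

Two caveats the sample is built to show: the older `linux-image-5.0.0-20-generic` image is still installed but is not flagged, because the advisory only lists the new ABI's packages, so the only thing that tells you the host is still running unfixed code is the `uname -r` check; and the `~` rule is what makes the HWE versions in USN-4068-2 (for example `4.15.0-55.60~16.04.2`) sort below the plain 18.04 versions, which matters when one inventory mixes both releases. On a Debian-family host, `dpkg --compare-versions` is the authoritative implementation of the same ordering.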

USN-4068-2: Linux kernel (HWE) vulnerabilities

7 hours 7 min ago
linux-hwe, linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-4068-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 for Ubuntu 16.04 LTS.

Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085)

It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1037-gcp - 4.15.0-1037.39~16.04.1
linux-image-4.15.0-55-generic - 4.15.0-55.60~16.04.2
linux-image-4.15.0-55-generic-lpae - 4.15.0-55.60~16.04.2
linux-image-4.15.0-55-lowlatency - 4.15.0-55.60~16.04.2
linux-image-gcp - 4.15.0.1037.51
linux-image-generic-hwe-16.04 - 4.15.0.55.76
linux-image-generic-lpae-hwe-16.04 - 4.15.0.55.76
linux-image-gke - 4.15.0.1037.51
linux-image-lowlatency-hwe-16.04 - 4.15.0.55.76
linux-image-oem - 4.15.0.55.76
linux-image-virtual-hwe-16.04 - 4.15.0.55.76

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4068-1: Linux kernel vulnerabilities

8 hours 33 min ago
linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085)

It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833)

It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1018-oracle - 4.15.0-1018.20
linux-image-4.15.0-1037-gcp - 4.15.0-1037.39
linux-image-4.15.0-1039-kvm - 4.15.0-1039.39
linux-image-4.15.0-1041-raspi2 - 4.15.0-1041.44
linux-image-4.15.0-1044-aws - 4.15.0-1044.46
linux-image-4.15.0-1058-snapdragon - 4.15.0-1058.64
linux-image-4.15.0-55-generic - 4.15.0-55.60
linux-image-4.15.0-55-generic-lpae - 4.15.0-55.60
linux-image-4.15.0-55-lowlatency - 4.15.0-55.60
linux-image-aws - 4.15.0.1044.43
linux-image-gcp - 4.15.0.1037.39
linux-image-generic - 4.15.0.55.57
linux-image-generic-lpae - 4.15.0.55.57
linux-image-kvm - 4.15.0.1039.39
linux-image-lowlatency - 4.15.0.55.57
linux-image-oracle - 4.15.0.1018.21
linux-image-powerpc-e500mc - 4.15.0.55.57
linux-image-powerpc-smp - 4.15.0.55.57
linux-image-powerpc64-emb - 4.15.0.55.57
linux-image-powerpc64-smp - 4.15.0.55.57
linux-image-raspi2 - 4.15.0.1041.39
linux-image-snapdragon - 4.15.0.1058.61
linux-image-virtual - 4.15.0.55.57

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4067-1: Evince vulnerability

Mon, 22/07/2019 - 19:55
evince vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Evince could be made to crash or run arbitrary code if it received a specially crafted PDF file.

Software Description
  • evince - Document viewer
Details

It was discovered that Evince incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
evince - 3.18.2-1ubuntu4.6
evince-common - 3.18.2-1ubuntu4.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4065-2: Squid vulnerabilities

Mon, 22/07/2019 - 17:46
squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in Squid.

Software Description
  • squid3 - Web proxy cache server
Details

USN-4065-1 fixed several vulnerabilities in Squid. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Squid incorrectly handled Digest authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2019-12525)

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2019-12529)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
squid3 - 3.1.19-1ubuntu3.12.04.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4066-2: ClamAV vulnerability

Mon, 22/07/2019 - 14:54
clamav vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

ClamAV could be made to expose sensitive information if it received a specially crafted CHM file.

Software Description
  • clamav - Anti-virus utility for Unix
Details

USN-4066-1 fixed a vulnerability in libmspack. This update provides the corresponding update for ClamAV in Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled certain CHM files. A remote attacker could possibly use this issue to access sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
clamav - 0.100.3+dfsg-0ubuntu0.14.04.1+esm1
Ubuntu 12.04 ESM
clamav - 0.100.3+dfsg-1ubuntu0.12.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4066-1: libmspack vulnerability

Thu, 18/07/2019 - 20:32
libmspack vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

libmspack could be made to expose sensitive information if it received a specially crafted CHM file.

Software Description
  • libmspack - library for Microsoft compression formats
Details

It was discovered that libmspack incorrectly handled certain CHM files. A remote attacker could possibly use this issue to access sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libmspack0 - 0.6-3ubuntu0.3
Ubuntu 16.04 LTS
libmspack0 - 0.5-1ubuntu0.16.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4065-1: Squid vulnerabilities

Thu, 18/07/2019 - 20:22
squid, squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Squid.

Software Description
  • squid - Web proxy cache server
  • squid3 - Web proxy cache server
Details

It was discovered that Squid incorrectly handled Digest authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2019-12525)

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.04. (CVE-2019-12527)

It was discovered that Squid incorrectly handled Basic authentication. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2019-12529)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
squid - 4.4-1ubuntu2.2
Ubuntu 18.04 LTS
squid3 - 3.5.27-1ubuntu1.3
Ubuntu 16.04 LTS
squid3 - 3.5.12-1ubuntu7.8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4064-1: Thunderbird vulnerabilities

Thu, 18/07/2019 - 01:22
thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Thunderbird.

Software Description
  • thunderbird - Mozilla Open Source mail and newsgroup client
Details

A sandbox escape was discovered in Thunderbird. If a user were tricked into installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, spoof origin attributes, or execute arbitrary code. (CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717)

It was discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could exploit this issue to cause Thunderbird to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)

It was discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly exploit this issue to cause Thunderbird to crash, resulting in a denial of service. (CVE-2019-11729)

It was discovered that Thunderbird treats all files in a directory as same origin. If a user were tricked into downloading a specially crafted HTML file, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2019-11730)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
thunderbird - 1:60.8.0+build1-0ubuntu0.19.04.1
Ubuntu 18.10
thunderbird - 1:60.8.0+build1-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
thunderbird - 1:60.8.0+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
thunderbird - 1:60.8.0+build1-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make all the necessary changes.

USN-4063-1: LibreOffice vulnerabilities

Wed, 17/07/2019 - 21:21
libreoffice vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in LibreOffice.

Software Description
  • libreoffice - Office productivity suite
Details

Nils Emmerich discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9848)

Matei "Mal" Badanoiu discovered that LibreOffice incorrectly handled stealth mode. Contrary to expectations, bullet graphics could be retrieved from remote locations when running in stealth mode. (CVE-2019-9849)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
libreoffice-core - 1:6.2.5-0ubuntu0.19.04.1
Ubuntu 18.04 LTS
libreoffice-core - 1:6.0.7-0ubuntu0.18.04.8
Ubuntu 16.04 LTS
libreoffice-core - 1:5.1.6~rc2-0ubuntu1~xenial8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibreOffice to make all the necessary changes.

USN-4059-2: Squid vulnerabilities

Wed, 17/07/2019 - 16:25
squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in Squid.

Software Description
  • squid3 - Web proxy cache server
Details

USN-4059-1 and USN-3557-1 fixed several vulnerabilities in Squid. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A malicious remote server could possibly cause Squid to crash, resulting in a denial of service. (CVE-2018-1000024)

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A malicious remote server could possibly cause Squid to crash, resulting in a denial of service. (CVE-2018-1000027)

It was discovered that Squid incorrectly handled the cachemgr.cgi web module. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2019-13345)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
squid3 - 3.1.19-1ubuntu3.12.04.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4062-1: WavPack vulnerabilities

Tue, 16/07/2019 - 20:20
wavpack vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
Summary

WavPack could be made to crash if it received a specially crafted WAV file.

Software Description
  • wavpack - audio codec (lossy and lossless) - encoder and decoder
Details

Rohan Padhye discovered that WavPack incorrectly handled certain WAV files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010318, CVE-2019-1010319)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
libwavpack1 - 5.1.0-5ubuntu0.2
wavpack - 5.1.0-5ubuntu0.2
Ubuntu 18.04 LTS
libwavpack1 - 5.1.0-2ubuntu1.4
wavpack - 5.1.0-2ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4060-2: NSS vulnerabilities

Tue, 16/07/2019 - 19:21
nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in NSS.

Software Description
  • nss - Network Security Service library
Details

USN-4060-1 fixed several vulnerabilities in nss. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Henry Corrigan-Gibbs discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)

Jonas Allmann discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2019-11729)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libnss3 - 2:3.28.4-0ubuntu0.14.04.5+esm1
Ubuntu 12.04 ESM
libnss3 - 2:3.28.4-0ubuntu0.12.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.

USN-4061-1: Redis vulnerabilities

Tue, 16/07/2019 - 16:47
redis vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Redis.

Software Description
  • redis - Persistent key-value database with network interface
Details

It was discovered that Redis incorrectly handled the hyperloglog data structure. An attacker could use this issue to cause Redis to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
redis - 5:5.0.3-4ubuntu0.1
redis-tools - 5:5.0.3-4ubuntu0.1
Ubuntu 18.04 LTS
redis - 5:4.0.9-1ubuntu0.2
redis-tools - 5:4.0.9-1ubuntu0.2
Ubuntu 16.04 LTS
redis-tools - 2:3.0.6-1ubuntu0.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4060-1: NSS vulnerabilities

Tue, 16/07/2019 - 15:14
nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in NSS.

Software Description
  • nss - Network Security Service library
Details

Henry Corrigan-Gibbs discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)

Hubert Kario discovered that NSS incorrectly handled PKCS#1 v1.5 signatures when using TLSv1.3. An attacker could possibly use this issue to trick NSS into using PKCS#1 v1.5 signatures, contrary to expectations. This issue only applied to Ubuntu 19.04. (CVE-2019-11727)

Jonas Allmann discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2019-11729)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
libnss3 - 2:3.42-1ubuntu2.1
Ubuntu 18.04 LTS
libnss3 - 2:3.35-2ubuntu2.3
Ubuntu 16.04 LTS
libnss3 - 2:3.28.4-0ubuntu0.16.04.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.

USN-4059-1: Squid vulnerabilities

Mon, 15/07/2019 - 17:38
squid, squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Squid.

Software Description
  • squid - Web proxy cache server
  • squid3 - Web proxy cache server
Details

It was discovered that Squid incorrectly handled certain SNMP packets. A remote attacker could possibly use this issue to cause memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-19132)

It was discovered that Squid incorrectly handled the cachemgr.cgi web module. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2019-13345)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
squid - 4.4-1ubuntu2.1
Ubuntu 18.04 LTS
squid3 - 3.5.27-1ubuntu1.2
Ubuntu 16.04 LTS
squid3 - 3.5.12-1ubuntu7.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4057-1: Zipios vulnerability

Mon, 15/07/2019 - 17:37
Zipios vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Zipios could be made to crash or consume system resources if it received specially crafted input.

Software Description
  • zipios++ - small C++ library for reading zip files (development)
Details

Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources. (CVE-2019-13453)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
libzipios++0v5 - 0.1.5.9+cvs.2007.04.28-10ubuntu0.19.04.1
Ubuntu 18.10
libzipios++0v5 - 0.1.5.9+cvs.2007.04.28-10ubuntu0.18.10.1
Ubuntu 18.04 LTS
libzipios++0v5 - 0.1.5.9+cvs.2007.04.28-10ubuntu0.18.04.1
Ubuntu 16.04 LTS
libzipios++0v5 - 0.1.5.9+cvs.2007.04.28-5.2ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4058-1: Bash vulnerability

Mon, 15/07/2019 - 17:31
bash vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

A system hardening measure could be bypassed.

Software Description
  • bash - GNU Bourne Again SHell
Details

It was discovered that Bash incorrectly handled the restricted shell. An attacker could possibly use this issue to escape restrictions and execute any command.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
bash - 4.3-14ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4055-1: flightcrew vulnerabilities

Mon, 15/07/2019 - 16:42
flightcrew vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in FlightCrew.

Software Description
  • flightcrew - C++ epub validator and plugin for Sigil
Details

Mike Salvatore discovered that FlightCrew improperly handled certain malformed EPUB files. An attacker could potentially use this vulnerability to cause a denial of service. (CVE-2019-13032)

Mike Salvatore discovered that FlightCrew mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem. (CVE-2019-13241)

Mike Salvatore discovered that the version of Zipios included in FlightCrew mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources. (CVE-2019-13453)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
flightcrew - 0.7.2+dfsg-13ubuntu0.19.04.1
libflightcrew0v5 - 0.7.2+dfsg-13ubuntu0.19.04.1
Ubuntu 18.10
flightcrew - 0.7.2+dfsg-12ubuntu0.1
libflightcrew0v5 - 0.7.2+dfsg-12ubuntu0.1
Ubuntu 18.04 LTS
flightcrew - 0.7.2+dfsg-10ubuntu0.1
libflightcrew0v5 - 0.7.2+dfsg-10ubuntu0.1
Ubuntu 16.04 LTS
flightcrew - 0.7.2+dfsg-6ubuntu0.1
libflightcrew0v5 - 0.7.2+dfsg-6ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4056-1: Exiv2 vulnerabilities

Mon, 15/07/2019 - 16:25
exiv2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Exiv2.

Software Description
  • exiv2 - EXIF/IPTC/XMP metadata manipulation tool
Details

It was discovered that Exiv2 incorrectly handled certain PSD files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-19107, CVE-2018-19108)

It was discovered that Exiv2 incorrectly handled certain PNG files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-19535, CVE-2019-13112)

It was discovered that Exiv2 incorrectly handled certain CRW files. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-13110, CVE-2019-13113)

It was discovered that Exiv2 incorrectly handled certain HTTP requests. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-13114)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
exiv2 - 0.25-4ubuntu1.1
libexiv2-14 - 0.25-4ubuntu1.1
Ubuntu 18.10
exiv2 - 0.25-4ubuntu0.2
libexiv2-14 - 0.25-4ubuntu0.2
Ubuntu 18.04 LTS
exiv2 - 0.25-3.1ubuntu0.18.04.3
libexiv2-14 - 0.25-3.1ubuntu0.18.04.3
Ubuntu 16.04 LTS
exiv2 - 0.25-2.1ubuntu16.04.4
libexiv2-14 - 0.25-2.1ubuntu16.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
