UbuntuSecurity

USN-4327-1: libssh vulnerability

8 hours 29 min ago
libssh vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

libssh could be made to crash if it received specially crafted network traffic.

Software Description
  • libssh - A tiny C SSH library
Details

Yasheng Yang discovered that libssh incorrectly handled AES-CTR ciphers. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libssh-4 - 0.9.0-1ubuntu1.4
Ubuntu 18.04 LTS
libssh-4 - 0.8.0~20170825.94fa1e38-1ubuntu0.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
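The update instructions in this and the other notices on this page amount to one check: is the installed version of each listed package at or above the fixed version? As an added example (not part of the advisories or of Ubuntu's tooling), the following re-implements dpkg's version ordering in Python, so the fixed versions quoted here can be checked offline against a package inventory in the format of `dpkg-query -W -f '${Package}\t${Version}\n'`; the inventory below is constructed, not captured from a real host, and it handles the `~` and `+esm` forms that appear in these notices.

```python
"""Check a package inventory against the fixed versions quoted in a USN.

Re-implements dpkg's version ordering (epoch, upstream, revision; a '~'
sorts before the empty string) so that advisory versions such as
0.8.0~20170825.94fa1e38-1ubuntu0.6 or 2.1.0-3ubuntu0.11+esm1 compare correctly.
"""
from string import ascii_letters, digits


def _order(c):
    """Character weight dpkg uses for the non-digit runs of a version."""
    if c in digits:
        return 0
    if c in ascii_letters:
        return ord(c)
    if c == "~":
        return -1  # tilde sorts before everything, even end-of-string
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and a[i] not in digits) or (j < len(b) and b[j] not in digits):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: compare as integers, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i] in digits and j < len(b) and b[j] in digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in digits:
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j] in digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream part
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    result = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def audit(inventory, fixed):
    """Return sorted (package, installed, fixed) for each package still below its fix.

    inventory: 'package<TAB>version' lines; fixed: package -> fixed version.
    Packages that are not installed are not reported.
    """
    installed = dict(line.split("\t", 1) for line in inventory.splitlines() if line.strip())
    return sorted(
        (pkg, installed[pkg], fixed_ver)
        for pkg, fixed_ver in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], fixed_ver) < 0
    )


# Fixed versions for Ubuntu 19.10 taken from the notices on this page.
FIXED_19_10 = {
    "libssh-4": "0.9.0-1ubuntu1.4",             # USN-4327-1
    "libgnutls30": "3.6.9-5ubuntu1.1",          # USN-4322-1
    "haproxy": "2.0.5-1ubuntu0.4",              # USN-4321-1
    "firefox": "75.0+build3-0ubuntu0.19.10.1",  # USN-4323-1
    "libgd3": "2.2.5-5.2ubuntu0.19.10.1",       # USN-4316-1
}

# Constructed sample inventory (not real output from any host).
SAMPLE_INVENTORY = (
    "libssh-4\t0.9.0-1ubuntu1.3\n"
    "libgnutls30\t3.6.9-5ubuntu1.1\n"
    "haproxy\t2.0.5-1ubuntu0.4\n"
    "firefox\t74.0.1+build1-0ubuntu0.19.10.1\n"
)

if __name__ == "__main__":
    for pkg, have, need in audit(SAMPLE_INVENTORY, FIXED_19_10):
        print(f"{pkg}: installed {have} is below fixed {need}")
```

On a real system the inventory comes from `dpkg-query -W -f '${Package}\t${Version}\n'`, and `dpkg --compare-versions` can be used to cross-check any single result.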

USN-4326-1: libiberty vulnerabilities

Wed, 08/04/2020 - 17:33
libiberty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in libiberty.

Software Description
  • libiberty - library of utility functions used by GNU programs
Details

It was discovered that libiberty incorrectly handled parsing certain binaries. If a user or automated system were tricked into processing a specially crafted binary, a remote attacker could use this issue to cause libiberty to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libiberty-dev - 20170913-1ubuntu0.1
Ubuntu 16.04 LTS
libiberty-dev - 20160215-1ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4325-1: Linux kernel vulnerabilities

Wed, 08/04/2020 - 02:25
linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, linux-oracle-5.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
  • linux-oem-osp1 - Linux kernel for OEM processors
  • linux-oracle-5.0 - Linux kernel for Oracle Cloud systems
Details

It was discovered that the IPMI message handler implementation in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19046)

Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.0.0-1014-oracle - 5.0.0-1014.19
linux-image-5.0.0-1033-gke - 5.0.0-1033.34
linux-image-5.0.0-1034-gcp - 5.0.0-1034.35
linux-image-5.0.0-1036-azure - 5.0.0-1036.38
linux-image-5.0.0-1047-oem-osp1 - 5.0.0-1047.52
linux-image-azure - 5.0.0.1036.47
linux-image-gcp - 5.0.0.1034.38
linux-image-gke-5.0 - 5.0.0.1033.21
linux-image-oem-osp1 - 5.0.0.1047.50
linux-image-oracle - 5.0.0.1014.15

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4324-1: Linux kernel vulnerabilities

Wed, 08/04/2020 - 00:00
linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM processors
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
Details

Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428)

Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not properly check for a too-large journal size. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (soft lockup). (CVE-2020-8992)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1037-oracle - 4.15.0-1037.41
linux-image-4.15.0-1057-gke - 4.15.0-1057.60
linux-image-4.15.0-1058-kvm - 4.15.0-1058.59
linux-image-4.15.0-1060-raspi2 - 4.15.0-1060.64
linux-image-4.15.0-1065-aws - 4.15.0-1065.69
linux-image-4.15.0-1076-snapdragon - 4.15.0-1076.83
linux-image-4.15.0-1079-oem - 4.15.0-1079.89
linux-image-aws - 4.15.0.1065.67
linux-image-aws-lts-18.04 - 4.15.0.1065.67
linux-image-gke - 4.15.0.1057.61
linux-image-gke-4.15 - 4.15.0.1057.61
linux-image-kvm - 4.15.0.1058.58
linux-image-oem - 4.15.0.1079.83
linux-image-oracle-lts-18.04 - 4.15.0.1037.45
linux-image-raspi2 - 4.15.0.1060.58
linux-image-snapdragon - 4.15.0.1076.79
Ubuntu 16.04 LTS
linux-image-4.15.0-1037-oracle - 4.15.0-1037.41~16.04.1
linux-image-4.15.0-1060-gcp - 4.15.0-1060.64
linux-image-4.15.0-1065-aws - 4.15.0-1065.69~16.04.1
linux-image-4.15.0-1077-azure - 4.15.0-1077.82
linux-image-aws-hwe - 4.15.0.1065.65
linux-image-azure - 4.15.0.1077.80
linux-image-azure-edge - 4.15.0.1077.80
linux-image-gcp - 4.15.0.1060.74
linux-image-gke - 4.15.0.1060.74
linux-image-oracle - 4.15.0.1037.30
Ubuntu 14.04 ESM
linux-image-4.15.0-1077-azure - 4.15.0-1077.82~14.04.1
linux-image-azure - 4.15.0.1077.62

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4323-1: Firefox vulnerabilities

Tue, 07/04/2020 - 20:34
firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description
  • firefox - Mozilla Open Source web browser
Details

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822, CVE-2020-6824, CVE-2020-6825, CVE-2020-6826)

It was discovered that extensions could obtain auth codes from OAuth login flows in some circumstances. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit this to obtain access to the user's account. (CVE-2020-6823)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
firefox - 75.0+build3-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
firefox - 75.0+build3-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 75.0+build3-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

USN-4322-1: GnuTLS vulnerability

Tue, 07/04/2020 - 16:35
gnutls28 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
Summary

GnuTLS could expose sensitive information over the network.

Software Description
  • gnutls28 - GNU TLS library
Details

It was discovered that GnuTLS incorrectly handled randomness when performing DTLS negotiation. A remote attacker could possibly use this issue to obtain sensitive information, contrary to expectations.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libgnutls30 - 3.6.9-5ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4321-1: HAProxy vulnerability

Tue, 07/04/2020 - 15:10
haproxy vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

HAProxy could be made to execute arbitrary code if it received a specially crafted HTTP/2 request.

Software Description
  • haproxy - fast and reliable load balancing reverse proxy
Details

Felix Wilhelm discovered that HAProxy incorrectly handled certain HTTP/2 requests. An attacker could possibly use this to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
haproxy - 2.0.5-1ubuntu0.4
Ubuntu 18.04 LTS
haproxy - 1.8.8-1ubuntu0.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4318-1: Linux kernel vulnerabilities

Mon, 06/04/2020 - 23:29
linux, linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428)

Gustavo Romero and Paul Mackerras discovered that the KVM implementation in the Linux kernel for PowerPC processors did not properly keep guest state separate from host state. A local attacker in a KVM guest could use this to cause a denial of service (host system crash). (CVE-2020-8834)

Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not properly check for a too-large journal size. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (soft lockup). (CVE-2020-8992)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-96-generic - 4.15.0-96.97
linux-image-4.15.0-96-generic-lpae - 4.15.0-96.97
linux-image-4.15.0-96-lowlatency - 4.15.0-96.97
linux-image-generic - 4.15.0.96.87
linux-image-generic-lpae - 4.15.0.96.87
linux-image-lowlatency - 4.15.0.96.87
linux-image-powerpc-e500mc - 4.15.0.96.87
linux-image-powerpc-smp - 4.15.0.96.87
linux-image-powerpc64-emb - 4.15.0.96.87
linux-image-powerpc64-smp - 4.15.0.96.87
linux-image-virtual - 4.15.0.96.87
Ubuntu 16.04 LTS
linux-image-4.15.0-96-generic - 4.15.0-96.97~16.04.1
linux-image-4.15.0-96-generic-lpae - 4.15.0-96.97~16.04.1
linux-image-4.15.0-96-lowlatency - 4.15.0-96.97~16.04.1
linux-image-generic-hwe-16.04 - 4.15.0.96.104
linux-image-generic-lpae-hwe-16.04 - 4.15.0.96.104
linux-image-lowlatency-hwe-16.04 - 4.15.0.96.104
linux-image-oem - 4.15.0.96.104
linux-image-virtual-hwe-16.04 - 4.15.0.96.104

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4320-1: Linux kernel vulnerability

Mon, 06/04/2020 - 23:15
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

The system could be made to crash or expose sensitive information.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1069-kvm - 4.4.0-1069.76
linux-image-4.4.0-1105-aws - 4.4.0-1105.116
linux-image-4.4.0-1131-raspi2 - 4.4.0-1131.140
linux-image-4.4.0-1135-snapdragon - 4.4.0-1135.143
linux-image-4.4.0-177-generic - 4.4.0-177.207
linux-image-4.4.0-177-generic-lpae - 4.4.0-177.207
linux-image-4.4.0-177-lowlatency - 4.4.0-177.207
linux-image-4.4.0-177-powerpc-e500mc - 4.4.0-177.207
linux-image-4.4.0-177-powerpc-smp - 4.4.0-177.207
linux-image-4.4.0-177-powerpc64-emb - 4.4.0-177.207
linux-image-4.4.0-177-powerpc64-smp - 4.4.0-177.207
linux-image-aws - 4.4.0.1105.109
linux-image-generic - 4.4.0.177.185
linux-image-generic-lpae - 4.4.0.177.185
linux-image-kvm - 4.4.0.1069.69
linux-image-lowlatency - 4.4.0.177.185
linux-image-powerpc-e500mc - 4.4.0.177.185
linux-image-powerpc-smp - 4.4.0.177.185
linux-image-powerpc64-emb - 4.4.0.177.185
linux-image-powerpc64-smp - 4.4.0.177.185
linux-image-raspi2 - 4.4.0.1131.131
linux-image-snapdragon - 4.4.0.1135.127
linux-image-virtual - 4.4.0.177.185
Ubuntu 14.04 ESM
linux-image-4.4.0-1065-aws - 4.4.0-1065.69
linux-image-4.4.0-177-generic - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-generic-lpae - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-lowlatency - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-powerpc-e500mc - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-powerpc-smp - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-powerpc64-emb - 4.4.0-177.207~14.04.1
linux-image-4.4.0-177-powerpc64-smp - 4.4.0-177.207~14.04.1
linux-image-aws - 4.4.0.1065.66
linux-image-generic-lpae-lts-xenial - 4.4.0.177.156
linux-image-generic-lts-xenial - 4.4.0.177.156
linux-image-lowlatency-lts-xenial - 4.4.0.177.156
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.177.156
linux-image-powerpc-smp-lts-xenial - 4.4.0.177.156
linux-image-powerpc64-emb-lts-xenial - 4.4.0.177.156
linux-image-powerpc64-smp-lts-xenial - 4.4.0.177.156
linux-image-virtual-lts-xenial - 4.4.0.177.156

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4319-1: Linux kernel vulnerabilities

Mon, 06/04/2020 - 22:09
linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oracle-5.3 - Linux kernel for Oracle Cloud systems
  • linux-raspi2-5.3 - Linux kernel for Raspberry Pi 2
Details

It was discovered that the IPMI message handler implementation in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19046)

Al Viro discovered that the vfs layer in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). (CVE-2020-8428)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
linux-image-5.3.0-1014-oracle - 5.3.0-1014.15
linux-image-5.3.0-1015-kvm - 5.3.0-1015.16
linux-image-5.3.0-1016-aws - 5.3.0-1016.17
linux-image-5.3.0-1017-gcp - 5.3.0-1017.18
linux-image-5.3.0-1022-raspi2 - 5.3.0-1022.24
linux-image-5.3.0-46-generic - 5.3.0-46.38
linux-image-5.3.0-46-generic-lpae - 5.3.0-46.38
linux-image-5.3.0-46-lowlatency - 5.3.0-46.38
linux-image-5.3.0-46-snapdragon - 5.3.0-46.38
linux-image-aws - 5.3.0.1016.18
linux-image-gcp - 5.3.0.1017.18
linux-image-generic - 5.3.0.46.39
linux-image-generic-lpae - 5.3.0.46.39
linux-image-gke - 5.3.0.1017.18
linux-image-kvm - 5.3.0.1015.17
linux-image-lowlatency - 5.3.0.46.39
linux-image-oracle - 5.3.0.1014.15
linux-image-raspi2 - 5.3.0.1022.19
linux-image-snapdragon - 5.3.0.46.39
linux-image-virtual - 5.3.0.46.39
Ubuntu 18.04 LTS
linux-image-5.3.0-1014-oracle - 5.3.0-1014.15~18.04.1
linux-image-5.3.0-1017-gcp - 5.3.0-1017.18~18.04.1
linux-image-5.3.0-1022-raspi2 - 5.3.0-1022.24~18.04.1
linux-image-5.3.0-46-generic - 5.3.0-46.38~18.04.1
linux-image-5.3.0-46-generic-lpae - 5.3.0-46.38~18.04.1
linux-image-5.3.0-46-lowlatency - 5.3.0-46.38~18.04.1
linux-image-gcp-edge - 5.3.0.1017.16
linux-image-generic-hwe-18.04 - 5.3.0.46.102
linux-image-generic-lpae-hwe-18.04 - 5.3.0.46.102
linux-image-lowlatency-hwe-18.04 - 5.3.0.46.102
linux-image-oracle-edge - 5.3.0.1014.13
linux-image-raspi2-hwe-18.04 - 5.3.0.1022.11
linux-image-snapdragon-hwe-18.04 - 5.3.0.46.102
linux-image-virtual-hwe-18.04 - 5.3.0.46.102

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4317-1: Firefox vulnerabilities

Sat, 04/04/2020 - 16:02
firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description
  • firefox - Mozilla Open Source web browser
Details

Two use-after-free bugs were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could exploit these to cause a denial of service or execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
firefox - 74.0.1+build1-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
firefox - 74.0.1+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 74.0.1+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

USN-4316-2: GD Graphics Library vulnerabilities

Fri, 03/04/2020 - 01:14
libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in GD Graphics Library.

Software Description
  • libgd2 - Open source code library for the dynamic creation of images
Details

USN-4316-1 fixed a vulnerability in GD Graphics Library. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553)

It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service, or to disclose contents of the stack that has been left there by previous code. (CVE-2019-11038)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libgd-tools - 2.1.0-3ubuntu0.11+esm1
libgd3 - 2.1.0-3ubuntu0.11+esm1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4316-1: GD Graphics Library vulnerabilities

Fri, 03/04/2020 - 01:06
libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in GD Graphics Library.

Software Description
  • libgd2 - Open source code library for the dynamic creation of images
Details

It was discovered that GD Graphics Library incorrectly handled cloning an image. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service. (CVE-2018-14553)

It was discovered that GD Graphics Library incorrectly handled loading images from X bitmap format files. An attacker could possibly use this issue to cause GD Graphics Library to crash, resulting in a denial of service, or to disclose contents of the stack that has been left there by previous code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. (CVE-2019-11038)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libgd-tools - 2.2.5-5.2ubuntu0.19.10.1
libgd3 - 2.2.5-5.2ubuntu0.19.10.1
Ubuntu 18.04 LTS
libgd-tools - 2.2.5-4ubuntu0.4
libgd3 - 2.2.5-4ubuntu0.4
Ubuntu 16.04 LTS
libgd-tools - 2.1.1-4ubuntu0.16.04.12
libgd3 - 2.1.1-4ubuntu0.16.04.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4315-1: Apport vulnerabilities

Thu, 02/04/2020 - 03:55
apport vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Apport.

Software Description
  • apport - automatically generate crash reports for debugging
Details

Maximilien Bourgeteau discovered that the Apport lock file was created with insecure permissions. This could allow a local attacker to escalate their privileges via a symlink attack. (CVE-2020-8831)

Maximilien Bourgeteau discovered a race condition in Apport when setting crash report permissions. This could allow a local attacker to read arbitrary files via a symlink attack. (CVE-2020-8833)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
apport - 2.20.11-0ubuntu8.8
python-apport - 2.20.11-0ubuntu8.8
python3-apport - 2.20.11-0ubuntu8.8
Ubuntu 18.04 LTS
apport - 2.20.9-0ubuntu7.14
python-apport - 2.20.9-0ubuntu7.14
python3-apport - 2.20.9-0ubuntu7.14
Ubuntu 16.04 LTS
apport - 2.20.1-0ubuntu2.23
python-apport - 2.20.1-0ubuntu2.23
python3-apport - 2.20.1-0ubuntu2.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4314-1: pam-krb5 vulnerability

Tue, 31/03/2020 - 16:42
libpam-krb5 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

pam-krb5 could be made to execute arbitrary code if it received a specially crafted response.

Software Description
  • libpam-krb5 - PAM module for MIT Kerberos
Details

Russ Allbery discovered that pam-krb5 incorrectly handled some responses. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libpam-krb5 - 4.8-2ubuntu0.1
Ubuntu 18.04 LTS
libpam-krb5 - 4.8-1ubuntu0.1
Ubuntu 16.04 LTS
libpam-krb5 - 4.7-2ubuntu0.1
Ubuntu 14.04 ESM
libpam-krb5 - 4.6-2ubuntu0.1~esm1
Ubuntu 12.04 ESM
libpam-krb5 - 4.5-3ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4313-1: Linux kernel vulnerability

Mon, 30/03/2020 - 21:10
linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

The system could be made to expose sensitive information or run programs as an administrator.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-azure-5.3 - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-5.3 - Linux kernel for Google Container Engine (GKE) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oracle-5.3 - Linux kernel buildinfo for version 5.3.0 on 64 bit x86 SMP
  • linux-raspi2-5.3 - Linux kernel for Raspberry Pi 2
Details

Manfred Paul discovered that the bpf verifier in the Linux kernel did not properly calculate register bounds for certain operations. A local attacker could use this to expose sensitive information (kernel memory) or gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
linux-image-5.3.0-1013-oracle - 5.3.0-1013.14
linux-image-5.3.0-1014-kvm - 5.3.0-1014.15
linux-image-5.3.0-1015-aws - 5.3.0-1015.16
linux-image-5.3.0-1016-gcp - 5.3.0-1016.17
linux-image-5.3.0-1018-azure - 5.3.0-1018.19
linux-image-5.3.0-1021-raspi2 - 5.3.0-1021.23
linux-image-5.3.0-45-generic - 5.3.0-45.37
linux-image-5.3.0-45-generic-lpae - 5.3.0-45.37
linux-image-5.3.0-45-lowlatency - 5.3.0-45.37
linux-image-5.3.0-45-snapdragon - 5.3.0-45.37
linux-image-aws - 5.3.0.1015.17
linux-image-azure - 5.3.0.1018.37
linux-image-gcp - 5.3.0.1016.17
linux-image-generic - 5.3.0.45.38
linux-image-generic-lpae - 5.3.0.45.38
linux-image-gke - 5.3.0.1016.17
linux-image-kvm - 5.3.0.1014.16
linux-image-lowlatency - 5.3.0.45.38
linux-image-oracle - 5.3.0.1013.14
linux-image-raspi2 - 5.3.0.1021.18
linux-image-snapdragon - 5.3.0.45.38
linux-image-virtual - 5.3.0.45.38
Ubuntu 18.04 LTS
linux-image-5.3.0-1013-oracle - 5.3.0-1013.14~18.04.1
linux-image-5.3.0-1016-gcp - 5.3.0-1016.17~18.04.1
linux-image-5.3.0-1016-gke - 5.3.0-1016.17~18.04.1
linux-image-5.3.0-1018-azure - 5.3.0-1018.19~18.04.1
linux-image-5.3.0-1021-raspi2 - 5.3.0-1021.23~18.04.1
linux-image-5.3.0-45-generic - 5.3.0-45.37~18.04.1
linux-image-5.3.0-45-generic-lpae - 5.3.0-45.37~18.04.1
linux-image-5.3.0-45-lowlatency - 5.3.0-45.37~18.04.1
linux-image-azure-edge - 5.3.0.1018.18
linux-image-gcp-edge - 5.3.0.1016.15
linux-image-generic-hwe-18.04 - 5.3.0.45.101
linux-image-generic-lpae-hwe-18.04 - 5.3.0.45.101
linux-image-gke-5.3 - 5.3.0.1016.6
linux-image-lowlatency-hwe-18.04 - 5.3.0.45.101
linux-image-oracle-edge - 5.3.0.1013.12
linux-image-raspi2-hwe-18.04 - 5.3.0.1021.10
linux-image-snapdragon-hwe-18.04 - 5.3.0.45.101
linux-image-virtual-hwe-18.04 - 5.3.0.45.101

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

Categories: Linux, Security

USN-4311-1: BlueZ vulnerabilities

Mon, 30/03/2020 - 20:49
bluez vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in BlueZ.

Software Description
  • bluez - Bluetooth tools and daemons
Details

It was discovered that BlueZ incorrectly handled bonding HID and HOGP devices. A local attacker could possibly use this issue to impersonate non-bonded devices. (CVE-2020-0556)

It was discovered that BlueZ incorrectly handled certain commands. A local attacker could use this issue to cause BlueZ to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7837)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
bluez - 5.50-0ubuntu5.1
libbluetooth3 - 5.50-0ubuntu5.1
Ubuntu 18.04 LTS
bluez - 5.48-0ubuntu3.4
libbluetooth3 - 5.48-0ubuntu3.4
Ubuntu 16.04 LTS
bluez - 5.37-0ubuntu5.3
libbluetooth3 - 5.37-0ubuntu5.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

Categories: Linux, Security

USN-4312-1: Timeshift vulnerability

Mon, 30/03/2020 - 17:35
Timeshift vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
Summary

Timeshift could be made to run programs as an administrator.

Software Description
  • timeshift - System restore utility
Details

Matthias Gerstner discovered that Timeshift did not securely create temporary files. An attacker could exploit a race condition in Timeshift and potentially execute arbitrary commands as root.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
timeshift - 19.01+ds-2ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

Categories: Linux, Security

USN-4310-1: WebKitGTK+ vulnerability

Mon, 30/03/2020 - 15:22
webkit2gtk vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in WebKitGTK+.

Software Description
  • webkit2gtk - Web content engine library for GTK+
Details

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libjavascriptcoregtk-4.0-18 - 2.28.0-0ubuntu0.19.10.2
libwebkit2gtk-4.0-37 - 2.28.0-0ubuntu0.19.10.2
Ubuntu 18.04 LTS
libjavascriptcoregtk-4.0-18 - 2.28.0-0ubuntu0.18.04.3
libwebkit2gtk-4.0-37 - 2.28.0-0ubuntu0.18.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

Categories: Linux, Security

USN-4308-2: Twisted vulnerabilities

Mon, 30/03/2020 - 15:00
twisted vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in Twisted.

Software Description
  • twisted - Event-based framework for internet applications
Details

USN-4308-1 fixed several vulnerabilities in Twisted. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that Twisted incorrectly validated or sanitized certain URIs or HTTP methods. A remote attacker could use this issue to inject invalid characters and possibly perform header injection attacks. (CVE-2019-12387)

It was discovered that Twisted incorrectly verified XMPP TLS certificates. A remote attacker could possibly use this issue to perform a man-in-the-middle attack and obtain sensitive information. (CVE-2019-12855)

Jake Miller and ZeddYu Lu discovered that Twisted incorrectly handled certain content-length headers. A remote attacker could possibly use this issue to perform HTTP request splitting attacks. (CVE-2020-10108, CVE-2020-10109)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
python-twisted - 13.2.0-1ubuntu1.2+esm1
python-twisted-bin - 13.2.0-1ubuntu1.2+esm1
python-twisted-web - 13.2.0-1ubuntu1.2+esm1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

Categories: Linux, Security
