UbuntuSecurity


USN-4420-1: Cinder and os-brick vulnerability

Tue, 07/07/2020 - 16:51
cinder, python-os-brick vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
Summary

Cinder and os-brick could be made to expose sensitive information.

Software Description
  • cinder - OpenStack storage service
  • python-os-brick - Library for managing local volume attaches
Details

David Hill and Eric Harney discovered that Cinder and os-brick incorrectly handled ScaleIO backend credentials. An attacker could possibly use this issue to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
python3-cinder - 2:16.1.0-0ubuntu1
python3-os-brick - 3.0.1-0ubuntu1.2
Ubuntu 18.04 LTS
python-cinder - 2:12.0.9-0ubuntu1.2
python-os-brick - 2.3.0-0ubuntu1.2
python3-os-brick - 2.3.0-0ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.


USN-4419-1: Linux kernel vulnerabilities

Mon, 06/07/2020 - 23:36
linux, linux-lts-xenial, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

It was discovered that a race condition existed in the Precision Time Protocol (PTP) implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-10690)

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711)

It was discovered that the DesignWare SPI controller driver in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2020-12769)

It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770)

It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143)

Shijie Luo discovered that the ext4 file system implementation in the Linux kernel did not properly check for a too-large journal size. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (soft lockup). (CVE-2020-8992)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1076-kvm - 4.4.0-1076.83
linux-image-4.4.0-1110-aws - 4.4.0-1110.121
linux-image-4.4.0-1135-raspi2 - 4.4.0-1135.144
linux-image-4.4.0-1139-snapdragon - 4.4.0-1139.147
linux-image-4.4.0-185-generic - 4.4.0-185.215
linux-image-4.4.0-185-generic-lpae - 4.4.0-185.215
linux-image-4.4.0-185-lowlatency - 4.4.0-185.215
linux-image-4.4.0-185-powerpc-e500mc - 4.4.0-185.215
linux-image-4.4.0-185-powerpc-smp - 4.4.0-185.215
linux-image-4.4.0-185-powerpc64-emb - 4.4.0-185.215
linux-image-4.4.0-185-powerpc64-smp - 4.4.0-185.215
linux-image-aws - 4.4.0.1110.114
linux-image-generic - 4.4.0.185.191
linux-image-generic-lpae - 4.4.0.185.191
linux-image-kvm - 4.4.0.1076.74
linux-image-lowlatency - 4.4.0.185.191
linux-image-powerpc-e500mc - 4.4.0.185.191
linux-image-powerpc-smp - 4.4.0.185.191
linux-image-powerpc64-emb - 4.4.0.185.191
linux-image-powerpc64-smp - 4.4.0.185.191
linux-image-raspi2 - 4.4.0.1135.135
linux-image-snapdragon - 4.4.0.1139.131
linux-image-virtual - 4.4.0.185.191
Ubuntu 14.04 ESM
linux-image-4.4.0-1074-aws - 4.4.0-1074.78
linux-image-4.4.0-185-generic - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-generic-lpae - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-lowlatency - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-powerpc-e500mc - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-powerpc-smp - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-powerpc64-emb - 4.4.0-185.215~14.04.1
linux-image-4.4.0-185-powerpc64-smp - 4.4.0-185.215~14.04.1
linux-image-aws - 4.4.0.1074.71
linux-image-generic-lpae-lts-xenial - 4.4.0.185.162
linux-image-generic-lts-xenial - 4.4.0.185.162
linux-image-lowlatency-lts-xenial - 4.4.0.185.162
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.185.162
linux-image-powerpc-smp-lts-xenial - 4.4.0.185.162
linux-image-powerpc64-emb-lts-xenial - 4.4.0.185.162
linux-image-powerpc64-smp-lts-xenial - 4.4.0.185.162
linux-image-virtual-lts-xenial - 4.4.0.185.162

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.


USN-4417-2: NSS vulnerability

Mon, 06/07/2020 - 22:59
nss vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

NSS could be made to expose sensitive information.

Software Description
  • nss - Network Security Service library
Details

USN-4417-1 fixed a vulnerability in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Cesar Pereida, Billy Bob Brumley, Yuval Yarom, and Nicola Tuveri discovered that NSS incorrectly handled RSA key generation. A local attacker could possibly use this issue to perform a timing attack and recover RSA keys.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libnss3 - 2:3.28.4-0ubuntu0.14.04.5+esm6
Ubuntu 12.04 ESM
libnss3 - 2:3.28.4-0ubuntu0.12.04.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.


USN-4418-1: OpenEXR vulnerabilities

Mon, 06/07/2020 - 21:22
openexr vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

OpenEXR could be made to crash or run programs if it opened a specially crafted file.

Software Description
  • openexr - tools for the OpenEXR image format
Details

It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libopenexr24 - 2.3.0-6ubuntu0.2
openexr - 2.3.0-6ubuntu0.2
Ubuntu 19.10
libopenexr23 - 2.2.1-4.1ubuntu1.2
openexr - 2.2.1-4.1ubuntu1.2
Ubuntu 18.04 LTS
libopenexr22 - 2.2.0-11.1ubuntu1.3
openexr - 2.2.0-11.1ubuntu1.3
Ubuntu 16.04 LTS
libopenexr22 - 2.2.0-10ubuntu2.3
openexr - 2.2.0-10ubuntu2.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.


USN-4417-1: NSS vulnerability

Mon, 06/07/2020 - 21:16
nss vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

NSS could be made to expose sensitive information.

Software Description
  • nss - Network Security Service library
Details

Cesar Pereida, Billy Bob Brumley, Yuval Yarom, and Nicola Tuveri discovered that NSS incorrectly handled RSA key generation. A local attacker could possibly use this issue to perform a timing attack and recover RSA keys.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libnss3 - 2:3.49.1-1ubuntu1.2
Ubuntu 19.10
libnss3 - 2:3.45-1ubuntu2.4
Ubuntu 18.04 LTS
libnss3 - 2:3.35-2ubuntu2.9
Ubuntu 16.04 LTS
libnss3 - 2:3.28.4-0ubuntu0.16.04.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.


USN-4416-1: GNU C Library vulnerabilities

Mon, 06/07/2020 - 21:10
glibc vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in GNU C Library.

Software Description
  • glibc - GNU C Library
Details

Florian Weimer discovered that the GNU C Library incorrectly handled certain memory operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-12133)

It was discovered that the GNU C Library incorrectly handled certain SSE2-optimized memmove operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-18269)

It was discovered that the GNU C Library incorrectly handled certain pathname operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-11236)

It was discovered that the GNU C Library incorrectly handled certain AVX-512-optimized mempcpy operations. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-11237)

It was discovered that the GNU C Library incorrectly handled certain hostname lookups. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19591)

Jakub Wilk discovered that the GNU C Library incorrectly handled certain memalign functions. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-6485)

It was discovered that the GNU C Library incorrectly ignored the LD_PREFER_MAP_32BIT_EXEC environment variable after security transitions. A local attacker could use this issue to bypass ASLR restrictions. (CVE-2019-19126)

It was discovered that the GNU C Library incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9169)

It was discovered that the GNU C Library incorrectly handled certain bit patterns. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10029)

It was discovered that the GNU C Library incorrectly handled certain signal trampolines on PowerPC. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-1751)

It was discovered that the GNU C Library incorrectly handled tilde expansion. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-1752)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libc6 - 2.30-0ubuntu2.2
Ubuntu 18.04 LTS
libc6 - 2.27-3ubuntu1.2
Ubuntu 16.04 LTS
libc6 - 2.23-0ubuntu11.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.


USN-4415-1: coTURN vulnerabilities

Mon, 06/07/2020 - 20:11
coturn vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in coTURN.

Software Description
  • coturn - TURN and STUN server for VoIP
Details

Felix Dörre discovered that the coTURN response buffer was not initialized properly. An attacker could possibly use this issue to obtain sensitive information. (CVE-2020-4067)

It was discovered that the coTURN web server incorrectly handled HTTP POST requests. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2020-6061, CVE-2020-6062)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
coturn - 4.5.1.1-1.1ubuntu0.20.04.1
Ubuntu 19.10
coturn - 4.5.1.1-1.1ubuntu0.19.10.1
Ubuntu 18.04 LTS
coturn - 4.5.0.7-1ubuntu2.18.04.2
Ubuntu 16.04 LTS
coturn - 4.5.0.3-1ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.


USN-4414-1: Linux kernel vulnerabilities

Fri, 03/07/2020 - 03:28
linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM systems
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

It was discovered that the network block device (nbd) implementation in the Linux kernel did not properly check for error conditions in some situations. An attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16089)

It was discovered that the btrfs file system implementation in the Linux kernel did not properly validate file system metadata in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2019-19036, CVE-2019-19318, CVE-2019-19813, CVE-2019-19816)

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377)

It was discovered that the kernel->user space relay implementation in the Linux kernel did not properly check return values in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-19462)

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711)

It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770)

It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143)

It was discovered that the efi subsystem in the Linux kernel did not handle memory allocation failures during early boot in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12380)

It was discovered that the btrfs file system in the Linux kernel in some error conditions could report register information to the dmesg buffer. A local attacker could possibly use this to expose sensitive information. (CVE-2019-19039)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1048-oracle - 4.15.0-1048.52
linux-image-4.15.0-1064-gke - 4.15.0-1064.67
linux-image-4.15.0-1065-raspi2 - 4.15.0-1065.69
linux-image-4.15.0-1069-kvm - 4.15.0-1069.70
linux-image-4.15.0-1077-aws - 4.15.0-1077.81
linux-image-4.15.0-1078-gcp - 4.15.0-1078.88
linux-image-4.15.0-1081-snapdragon - 4.15.0-1081.88
linux-image-4.15.0-109-generic - 4.15.0-109.110
linux-image-4.15.0-109-generic-lpae - 4.15.0-109.110
linux-image-4.15.0-109-lowlatency - 4.15.0-109.110
linux-image-4.15.0-1091-oem - 4.15.0-1091.101
linux-image-aws-lts-18.04 - 4.15.0.1077.79
linux-image-gcp-lts-18.04 - 4.15.0.1078.94
linux-image-generic - 4.15.0.109.97
linux-image-generic-lpae - 4.15.0.109.97
linux-image-gke - 4.15.0.1064.66
linux-image-gke-4.15 - 4.15.0.1064.66
linux-image-kvm - 4.15.0.1069.65
linux-image-lowlatency - 4.15.0.109.97
linux-image-oem - 4.15.0.1091.94
linux-image-oracle-lts-18.04 - 4.15.0.1048.57
linux-image-powerpc-e500mc - 4.15.0.109.97
linux-image-powerpc-smp - 4.15.0.109.97
linux-image-powerpc64-emb - 4.15.0.109.97
linux-image-powerpc64-smp - 4.15.0.109.97
linux-image-raspi2 - 4.15.0.1065.63
linux-image-snapdragon - 4.15.0.1081.84
linux-image-virtual - 4.15.0.109.97
Ubuntu 16.04 LTS
linux-image-4.15.0-1046-oracle - 4.15.0-1046.50~16.04.1
linux-image-4.15.0-107-generic - 4.15.0-107.108~16.04.1
linux-image-4.15.0-107-generic-lpae - 4.15.0-107.108~16.04.1
linux-image-4.15.0-107-lowlatency - 4.15.0-107.108~16.04.1
linux-image-4.15.0-1074-aws - 4.15.0-1074.78~16.04.1
linux-image-4.15.0-1078-gcp - 4.15.0-1078.88~16.04.1
linux-image-aws-hwe - 4.15.0.1074.74
linux-image-gcp - 4.15.0.1078.80
linux-image-generic-hwe-16.04 - 4.15.0.107.112
linux-image-generic-lpae-hwe-16.04 - 4.15.0.107.112
linux-image-gke - 4.15.0.1078.80
linux-image-lowlatency-hwe-16.04 - 4.15.0.107.112
linux-image-oem - 4.15.0.107.112
linux-image-oracle - 4.15.0.1046.39
linux-image-virtual-hwe-16.04 - 4.15.0.107.112

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.


USN-4413-1: Linux kernel vulnerabilities

Fri, 03/07/2020 - 02:39
linux-gke-5.0, linux-oem-osp1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
  • linux-oem-osp1 - Linux kernel for OEM systems
Details

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711)

It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770)

It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143)

Dmitry Vyukov discovered that the SELinux netlink security hook in the Linux kernel did not validate messages in some situations. A privileged attacker could use this to bypass SELinux netlink restrictions. (CVE-2020-10751)

It was discovered that the KVM implementation in the Linux kernel did not properly deallocate memory on initialization for some processors. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12768)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.0.0-1043-gke - 5.0.0-1043.44
linux-image-5.0.0-1063-oem-osp1 - 5.0.0-1063.68
linux-image-gke-5.0 - 5.0.0.1043.28
linux-image-oem-osp1 - 5.0.0.1063.61

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.


USN-4412-1: Linux kernel vulnerabilities

Fri, 03/07/2020 - 02:08
linux, linux-azure, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oracle-5.3 - Linux kernel for Oracle Cloud systems
Details

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711)

It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770)

It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143)

Dmitry Vyukov discovered that the SELinux netlink security hook in the Linux kernel did not validate messages in some situations. A privileged attacker could use this to bypass SELinux netlink restrictions. (CVE-2020-10751)

It was discovered that the KVM implementation in the Linux kernel did not properly deallocate memory on initialization for some processors. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12768)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
linux-image-5.3.0-1024-kvm - 5.3.0-1024.26
linux-image-5.3.0-1028-oracle - 5.3.0-1028.30
linux-image-5.3.0-1030-gcp - 5.3.0-1030.32
linux-image-5.3.0-1031-azure - 5.3.0-1031.32
linux-image-5.3.0-62-generic - 5.3.0-62.56
linux-image-5.3.0-62-generic-lpae - 5.3.0-62.56
linux-image-5.3.0-62-lowlatency - 5.3.0-62.56
linux-image-5.3.0-62-snapdragon - 5.3.0-62.56
linux-image-azure - 5.3.0.1031.49
linux-image-gcp - 5.3.0.1030.40
linux-image-generic - 5.3.0.62.52
linux-image-generic-lpae - 5.3.0.62.52
linux-image-gke - 5.3.0.1030.40
linux-image-kvm - 5.3.0.1024.22
linux-image-lowlatency - 5.3.0.62.52
linux-image-oracle - 5.3.0.1028.43
linux-image-snapdragon - 5.3.0.62.52
linux-image-virtual - 5.3.0.62.52
Ubuntu 18.04 LTS
linux-image-5.3.0-1028-oracle - 5.3.0-1028.30~18.04.1
linux-image-5.3.0-1030-gcp - 5.3.0-1030.32~18.04.1
linux-image-5.3.0-62-generic - 5.3.0-62.56~18.04.1
linux-image-5.3.0-62-generic-lpae - 5.3.0-62.56~18.04.1
linux-image-5.3.0-62-lowlatency - 5.3.0-62.56~18.04.1
linux-image-gcp - 5.3.0.1030.24
linux-image-generic-hwe-18.04 - 5.3.0.62.115
linux-image-generic-lpae-hwe-18.04 - 5.3.0.62.115
linux-image-gkeop-5.3 - 5.3.0.62.115
linux-image-lowlatency-hwe-18.04 - 5.3.0.62.115
linux-image-oracle - 5.3.0.1028.25
linux-image-snapdragon-hwe-18.04 - 5.3.0.62.115
linux-image-virtual-hwe-18.04 - 5.3.0.62.115

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.


USN-4411-1: Linux kernel vulnerabilities

Fri, 03/07/2020 - 01:53
linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-riscv - Linux kernel for RISC-V systems
Details

It was discovered that the elf handling code in the Linux kernel did not initialize memory before using it in certain situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2020-10732)

Matthew Sheets discovered that the SELinux network label handling implementation in the Linux kernel could be coerced into de-referencing a NULL pointer. A remote attacker could use this to cause a denial of service (system crash). (CVE-2020-10711)

It was discovered that the SCSI generic (sg) driver in the Linux kernel did not properly handle certain error conditions. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2020-12770)

It was discovered that the USB Gadget device driver in the Linux kernel did not validate arguments passed from configfs in some situations. A local attacker could possibly use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2020-13143)

It was discovered that the KVM implementation in the Linux kernel did not properly deallocate memory on initialization for some processors. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12768)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1018-aws - 5.4.0-1018.18
linux-image-5.4.0-1019-gcp - 5.4.0-1019.19
linux-image-5.4.0-1019-oracle - 5.4.0-1019.19
linux-image-5.4.0-28-generic - 5.4.0-28.32
linux-image-5.4.0-40-generic - 5.4.0-40.44
linux-image-5.4.0-40-generic-lpae - 5.4.0-40.44
linux-image-5.4.0-40-lowlatency - 5.4.0-40.44
linux-image-aws - 5.4.0.1018.19
linux-image-gcp - 5.4.0.1019.17
linux-image-generic - 5.4.0.28.35
linux-image-generic-lpae - 5.4.0.40.43
linux-image-gke - 5.4.0.1019.17
linux-image-kvm - 5.4.0.1018.17
linux-image-lowlatency - 5.4.0.40.43
linux-image-oem - 5.4.0.40.43
linux-image-oem-osp1 - 5.4.0.40.43
linux-image-oracle - 5.4.0.1019.17
linux-image-virtual - 5.4.0.28.35

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.


USN-4410-1: Net-SNMP vulnerability

Thu, 02/07/2020 - 22:23
net-snmp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
Summary

Net-SNMP could be made to crash if it received specially crafted input.

Software Description
  • net-snmp - SNMP (Simple Network Management Protocol) server and applications
Details

A double-free bug was discovered in the snmpd server. An authenticated user could potentially cause a denial of service by sending a crafted request to the server. (CVE-2019-20892)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libsnmp-base - 5.8+dfsg-2ubuntu2.1
libsnmp-perl - 5.8+dfsg-2ubuntu2.1
libsnmp35 - 5.8+dfsg-2ubuntu2.1
snmpd - 5.8+dfsg-2ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart snmpd to make all the necessary changes.

References
Categories: Linux, Security

USN-4408-1: Firefox vulnerabilities

Thu, 02/07/2020 - 16:39
firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description
  • firefox - Mozilla Open Source web browser
Details

Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. (CVE-2020-12415, CVE-2020-12416, CVE-2020-12417, CVE-2020-12418, CVE-2020-12419, CVE-2020-12420, CVE-2020-12422, CVE-2020-12424, CVE-2020-12425, CVE-2020-12426)

It was discovered that when performing add-on updates, certificate chains not terminating with built-in roots were silently rejected. This could result in add-ons becoming outdated. (CVE-2020-12421)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
firefox - 78.0.1+build1-0ubuntu0.20.04.1
Ubuntu 19.10
firefox - 78.0.1+build1-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
firefox - 78.0.1+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 78.0.1+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

References
Categories: Linux, Security

USN-4409-1: Samba vulnerabilities

Thu, 02/07/2020 - 15:42
samba vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in Samba.

Software Description
  • samba - SMB/CIFS file, print, and login server for Unix
Details

Andrew Bartlett discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10730)

Douglas Bagnall discovered that Samba incorrectly handled certain queries. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2020-10745)

Andrei Popa discovered that Samba incorrectly handled certain LDAP queries. A remote attacker could use this issue to cause Samba to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-10760)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
samba - 2:4.11.6+dfsg-0ubuntu1.3
Ubuntu 19.10
samba - 2:4.10.7+dfsg-0ubuntu2.6
Ubuntu 18.04 LTS
samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.17
Ubuntu 16.04 LTS
samba - 2:4.3.11+dfsg-0ubuntu0.16.04.28
Ubuntu 14.04 ESM
samba - 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm7
Ubuntu 12.04 ESM
samba - 2:3.6.25-0ubuntu0.12.04.20

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
Categories: Linux, Security

USN-4407-1: LibVNCServer vulnerabilities

Thu, 02/07/2020 - 02:44
libvncserver vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in LibVNCServer.

Software Description
  • libvncserver - vnc server library
Details

It was discovered that LibVNCServer incorrectly handled decompressing data. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service. (CVE-2019-15680)

It was discovered that an information disclosure vulnerability existed in LibVNCServer when sending a ServerCutText message. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15681)

It was discovered that LibVNCServer incorrectly handled cursor shape updates. If a user were tricked into connecting to a malicious server, an attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2019-15690, CVE-2019-20788)

It was discovered that LibVNCServer incorrectly handled decoding WebSocket frames. An attacker could possibly use this issue to cause LibVNCServer to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS. (CVE-2017-18922)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libvncclient1 - 0.9.12+dfsg-9ubuntu0.1
libvncserver1 - 0.9.12+dfsg-9ubuntu0.1
Ubuntu 19.10
libvncclient1 - 0.9.11+dfsg-1.3ubuntu0.1
libvncserver1 - 0.9.11+dfsg-1.3ubuntu0.1
Ubuntu 18.04 LTS
libvncclient1 - 0.9.11+dfsg-1ubuntu1.2
libvncserver1 - 0.9.11+dfsg-1ubuntu1.2
Ubuntu 16.04 LTS
libvncclient1 - 0.9.10+dfsg-3ubuntu0.16.04.4
libvncserver1 - 0.9.10+dfsg-3ubuntu0.16.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibVNCServer to make all the necessary changes.

References
Categories: Linux, Security

USN-4406-1: Mailman vulnerability

Mon, 29/06/2020 - 16:10
mailman vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Mailman could be made to inject arbitrary content in the login page if it received a specially crafted input.

Software Description
  • mailman - Web-based mailing list manager (legacy branch)
Details

It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
mailman - 1:2.1.26-1ubuntu0.3
Ubuntu 16.04 LTS
mailman - 1:2.1.20-1ubuntu0.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
Categories: Linux, Security

USN-4405-1: GLib Networking vulnerability

Mon, 29/06/2020 - 05:05
glib-networking vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.

Software Description
  • glib-networking - Network extensions for GLib
Details

It was discovered that glib-networking skipped hostname certificate verification if the application failed to specify the server identity. A remote attacker could use this to perform a person-in-the-middle attack and expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
glib-networking - 2.64.2-1ubuntu0.1
Ubuntu 19.10
glib-networking - 2.62.1-1ubuntu0.1
Ubuntu 18.04 LTS
glib-networking - 2.56.0-1ubuntu0.1
Ubuntu 16.04 LTS
glib-networking - 2.48.2-1~ubuntu16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
Categories: Linux, Security

USN-4404-2: Linux kernel vulnerabilities

Thu, 25/06/2020 - 23:58
linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the NVIDIA graphics driver kernel modules.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-aws-5.3 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-5.3 - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oem - Linux kernel for OEM systems
  • linux-oem-osp1 - Linux kernel for OEM systems
  • linux-oracle-5.3 - Linux kernel for Oracle Cloud systems
Details

USN-4404-1 fixed vulnerabilities in the NVIDIA graphics drivers. This update provides the corresponding updates for the NVIDIA Linux DKMS kernel modules.

Original advisory details:

Thomas E. Carroll discovered that the NVIDIA Cuda graphics driver did not properly perform access control when performing IPC. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2020-5963)

It was discovered that the UVM driver in the NVIDIA graphics driver contained a race condition. A local attacker could use this to cause a denial of service. (CVE-2020-5967)

It was discovered that the NVIDIA virtual GPU guest drivers contained an unspecified vulnerability that could potentially lead to privileged operation execution. An attacker could use this to cause a denial of service. (CVE-2020-5973)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1017-aws - 5.4.0-1017.17
linux-image-5.4.0-1018-gcp - 5.4.0-1018.18
linux-image-5.4.0-1018-oracle - 5.4.0-1018.18
linux-image-5.4.0-1019-azure - 5.4.0-1019.19
linux-image-5.4.0-39-generic - 5.4.0-39.43
linux-image-5.4.0-39-generic-lpae - 5.4.0-39.43
linux-image-5.4.0-39-lowlatency - 5.4.0-39.43
linux-image-aws - 5.4.0.1017.18
linux-image-azure - 5.4.0.1019.18
linux-image-gcp - 5.4.0.1018.16
linux-image-generic - 5.4.0.39.42
linux-image-generic-hwe-20.04 - 5.4.0.39.42
linux-image-generic-lpae - 5.4.0.39.42
linux-image-generic-lpae-hwe-20.04 - 5.4.0.39.42
linux-image-gke - 5.4.0.1018.16
linux-image-lowlatency - 5.4.0.39.42
linux-image-lowlatency-hwe-20.04 - 5.4.0.39.42
linux-image-oem - 5.4.0.39.42
linux-image-oem-osp1 - 5.4.0.39.42
linux-image-oracle - 5.4.0.1018.16
linux-image-virtual - 5.4.0.39.42
linux-image-virtual-hwe-20.04 - 5.4.0.39.42
Ubuntu 19.10
linux-image-5.3.0-1027-oracle - 5.3.0-1027.29
linux-image-5.3.0-1028-aws - 5.3.0-1028.30
linux-image-5.3.0-1029-gcp - 5.3.0-1029.31
linux-image-5.3.0-61-generic - 5.3.0-61.55
linux-image-5.3.0-61-generic-lpae - 5.3.0-61.55
linux-image-5.3.0-61-lowlatency - 5.3.0-61.55
linux-image-5.3.0-61-snapdragon - 5.3.0-61.55
linux-image-aws - 5.3.0.1028.38
linux-image-gcp - 5.3.0.1029.39
linux-image-generic - 5.3.0.61.51
linux-image-generic-lpae - 5.3.0.61.51
linux-image-gke - 5.3.0.1029.39
linux-image-lowlatency - 5.3.0.61.51
linux-image-oracle - 5.3.0.1027.42
linux-image-snapdragon - 5.3.0.61.51
linux-image-virtual - 5.3.0.61.51
Ubuntu 18.04 LTS
linux-image-4.15.0-1047-oracle - 4.15.0-1047.51
linux-image-4.15.0-1076-aws - 4.15.0-1076.80
linux-image-4.15.0-108-generic - 4.15.0-108.109
linux-image-4.15.0-108-generic-lpae - 4.15.0-108.109
linux-image-4.15.0-108-lowlatency - 4.15.0-108.109
linux-image-4.15.0-1090-oem - 4.15.0-1090.100
linux-image-5.0.0-1062-oem-osp1 - 5.0.0-1062.67
linux-image-5.3.0-1027-oracle - 5.3.0-1027.29~18.04.1
linux-image-5.3.0-1028-aws - 5.3.0-1028.30~18.04.1
linux-image-5.3.0-1029-gcp - 5.3.0-1029.31~18.04.1
linux-image-5.3.0-1031-azure - 5.3.0-1031.32~18.04.1
linux-image-5.3.0-61-generic - 5.3.0-61.55~18.04.1
linux-image-5.3.0-61-generic-lpae - 5.3.0-61.55~18.04.1
linux-image-5.3.0-61-lowlatency - 5.3.0-61.55~18.04.1
linux-image-aws - 5.3.0.1028.26
linux-image-aws-lts-18.04 - 4.15.0.1076.78
linux-image-azure - 5.3.0.1031.27
linux-image-gcp - 5.3.0.1029.23
linux-image-generic - 4.15.0.108.96
linux-image-generic-hwe-18.04 - 5.3.0.61.114
linux-image-generic-lpae - 4.15.0.108.96
linux-image-generic-lpae-hwe-18.04 - 5.3.0.61.114
linux-image-gkeop-5.3 - 5.3.0.61.114
linux-image-lowlatency - 4.15.0.108.96
linux-image-lowlatency-hwe-18.04 - 5.3.0.61.114
linux-image-oem - 4.15.0.1090.93
linux-image-oem-osp1 - 5.0.0.1062.60
linux-image-oracle - 5.3.0.1027.24
linux-image-oracle-edge - 5.3.0.1027.24
linux-image-oracle-lts-18.04 - 4.15.0.1047.56
linux-image-powerpc-e500mc - 4.15.0.108.96
linux-image-powerpc-smp - 4.15.0.108.96
linux-image-powerpc64-emb - 4.15.0.108.96
linux-image-powerpc64-smp - 4.15.0.108.96
linux-image-snapdragon-hwe-18.04 - 5.3.0.61.114
linux-image-virtual - 4.15.0.108.96
linux-image-virtual-hwe-18.04 - 5.3.0.61.114

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
Categories: Linux, Security

USN-4404-1: NVIDIA graphics drivers vulnerabilities

Thu, 25/06/2020 - 20:46
nvidia-graphics-drivers-390, nvidia-graphics-drivers-440 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in NVIDIA graphics drivers.

Software Description
  • nvidia-graphics-drivers-390 - NVIDIA binary X.Org driver
  • nvidia-graphics-drivers-440 - NVIDIA binary X.Org driver
Details

Thomas E. Carroll discovered that the NVIDIA Cuda graphics driver did not properly perform access control when performing IPC. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2020-5963)

It was discovered that the UVM driver in the NVIDIA graphics driver contained a race condition. A local attacker could use this to cause a denial of service. (CVE-2020-5967)

It was discovered that the NVIDIA virtual GPU guest drivers contained an unspecified vulnerability that could potentially lead to privileged operation execution. An attacker could use this to cause a denial of service. (CVE-2020-5973)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
xserver-xorg-video-nvidia-390 - 390.138-0ubuntu0.20.04.1
xserver-xorg-video-nvidia-440 - 440.100-0ubuntu0.20.04.1
Ubuntu 19.10
xserver-xorg-video-nvidia-390 - 390.138-0ubuntu0.19.10.1
xserver-xorg-video-nvidia-440 - 440.100-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
xserver-xorg-video-nvidia-390 - 390.138-0ubuntu0.18.04.1
xserver-xorg-video-nvidia-440 - 440.100-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References
Categories: Linux, Security

USN-4403-1: Mutt vulnerability and regression

Wed, 24/06/2020 - 19:22
mutt vulnerability and regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 12.04 ESM
Summary

Mutt could be made to enable MITM attacks if it received a specially crafted request.

Software Description
  • mutt - text-based mailreader supporting MIME, GPG, PGP and threading
Details

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this issue to enable MITM attacks. (CVE-2020-14954)

This update also addresses a regression introduced by the previous update, USN-4401-1. It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
mutt - 1.13.2-1ubuntu0.2
Ubuntu 19.10
mutt - 1.10.1-2.1ubuntu0.2
Ubuntu 18.04 LTS
mutt - 1.9.4-3ubuntu0.3
Ubuntu 16.04 LTS
mutt - 1.5.24-1ubuntu0.4
Ubuntu 12.04 ESM
mutt - 1.5.21-5ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart mutt to make all the necessary changes.

References
Categories: Linux, Security
