You are here

Hírolvasó

USN-3513-2: libxml2 vulnerability

Ubuntu security notices - 2017.12.13, sze - 20:00
Ubuntu Security Notice USN-3513-2

13th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

libxml2 could be made to crash or run arbitrary code if it opened a specially crafted file.

Software description
  • libxml2 - GNOME XML library
Details

USN-3513-1 fixed a vulnerability in libxml2. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that libxml2 incorrecty handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.20
libxml2-utils 2.7.8.dfsg-5.1ubuntu4.20
python-libxml2 2.7.8.dfsg-5.1ubuntu4.20

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15412

Kategóriák: Securiy

USN-3513-1: libxml2 vulnerability

Ubuntu security notices - 2017.12.13, sze - 16:40
Ubuntu Security Notice USN-3513-1

13th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

libxml2 could be made to crash or run arbitrary code if it opened a specially crafted file.

Software description
  • libxml2 - GNOME XML library
Details

It was discovered that libxml2 incorrecty handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libxml2 2.9.4+dfsg1-4ubuntu1.2
libxml2-utils 2.9.4+dfsg1-4ubuntu1.2
python-libxml2 2.9.4+dfsg1-4ubuntu1.2
python3-libxml2 2.9.4+dfsg1-4ubuntu1.2
Ubuntu 17.04:
libxml2 2.9.4+dfsg1-2.2ubuntu0.3
libxml2-utils 2.9.4+dfsg1-2.2ubuntu0.3
python-libxml2 2.9.4+dfsg1-2.2ubuntu0.3
python3-libxml2 2.9.4+dfsg1-2.2ubuntu0.3
Ubuntu 16.04 LTS:
libxml2 2.9.3+dfsg1-1ubuntu0.5
libxml2-utils 2.9.3+dfsg1-1ubuntu0.5
python-libxml2 2.9.3+dfsg1-1ubuntu0.5
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.12
libxml2-utils 2.9.1+dfsg1-3ubuntu4.12
python-libxml2 2.9.1+dfsg1-3ubuntu4.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15412

Kategóriák: Securiy

4056318 - Guidance for securing AD DS account used by Azure AD Connect for directory synchronization - Version: 1.0

Microsoft Security Advisories - 2017.12.12, k - 20:00
Revision Note: V1.0 (December 12, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for the AD DS (Active Directory Domain Services) account used by Azure AD Connect for directory synchronization. This advisory also provides guidance on what on-premises AD administrators can do to ensure that the account is properly secured.
Kategóriák: Securiy

USN-3512-1: OpenSSL vulnerabilities

Ubuntu security notices - 2017.12.11, h - 23:29
Ubuntu Security Notice USN-3512-1

11th December, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in OpenSSL.

Software description
  • openssl - Secure Socket Layer (SSL) cryptographic library and tools
Details

David Benjamin discovered that OpenSSL did not correctly prevent
buggy applications that ignore handshake errors from subsequently calling
certain functions. (CVE-2017-3737)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
multiplication procedure. While unlikely, a remote attacker could possibly
use this issue to recover private keys. (CVE-2017-3738)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libssl1.0.0 1.0.2g-1ubuntu13.3
Ubuntu 17.04:
libssl1.0.0 1.0.2g-1ubuntu11.4
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-3737, CVE-2017-3738

Kategóriák: Securiy

USN-3507-2: Linux kernel (GCP) vulnerabilities

Ubuntu security notices - 2017.12.08, p - 08:41
Ubuntu Security Notice USN-3507-2

7th December, 2017

linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a null pointer dereference error existed in the
PowerPC KVM implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-15306)

Eric Biggers discovered a race condition in the key management subsystem of
the Linux kernel around keys in a negative state. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-15951)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gke 4.13.0.1002.4
linux-image-4.13.0-1002-gcp 4.13.0-1002.5
linux-image-gcp 4.13.0.1002.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12193, CVE-2017-15299, CVE-2017-15306, CVE-2017-15951, CVE-2017-16939

Kategóriák: Securiy

USN-3511-1: Linux kernel (Azure) vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3511-1

7th December, 2017

linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-azure 4.11.0.1016.16
linux-image-4.11.0-1016-azure 4.11.0-1016.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-16939

Kategóriák: Securiy

USN-3510-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3510-2

7th December, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM
Details

USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-137-generic 3.13.0-137.186~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.137.127
linux-image-3.13.0-137-generic-lpae 3.13.0-137.186~precise1
linux-image-generic-lts-trusty 3.13.0.137.127

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-16939

Kategóriák: Securiy

USN-3510-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3510-1

7th December, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-137-powerpc-smp 3.13.0-137.186
linux-image-powerpc-smp 3.13.0.137.146
linux-image-powerpc-e500mc 3.13.0.137.146
linux-image-generic 3.13.0.137.146
linux-image-3.13.0-137-powerpc64-smp 3.13.0-137.186
linux-image-3.13.0-137-powerpc64-emb 3.13.0-137.186
linux-image-powerpc64-emb 3.13.0.137.146
linux-image-3.13.0-137-generic 3.13.0-137.186
linux-image-generic-lpae 3.13.0.137.146
linux-image-powerpc-e500 3.13.0.137.146
linux-image-powerpc64-smp 3.13.0.137.146
linux-image-3.13.0-137-generic-lpae 3.13.0-137.186
linux-image-3.13.0-137-powerpc-e500mc 3.13.0-137.186
linux-image-3.13.0-137-powerpc-e500 3.13.0-137.186
linux-image-lowlatency 3.13.0.137.146
linux-image-3.13.0-137-lowlatency 3.13.0-137.186

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-16939

Kategóriák: Securiy

USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3509-2

7th December, 2017

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.103.86
linux-image-powerpc64-emb-lts-xenial 4.4.0.103.86
linux-image-4.4.0-1005-aws 4.4.0-1005.5
linux-image-generic-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc64-smp 4.4.0-103.126~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc-smp 4.4.0-103.126~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.103.86
linux-image-generic-lpae-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc64-emb 4.4.0-103.126~14.04.1
linux-image-4.4.0-103-generic 4.4.0-103.126~14.04.1
linux-image-4.4.0-103-generic-lpae 4.4.0-103.126~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.103.86
linux-image-aws 4.4.0.1005.5
linux-image-4.4.0-103-powerpc-e500mc 4.4.0-103.126~14.04.1
linux-image-4.4.0-103-lowlatency 4.4.0-103.126~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12193, CVE-2017-16643, CVE-2017-16939

Kategóriák: Securiy

USN-3509-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3509-1

7th December, 2017

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.103.108
linux-image-4.4.0-103-powerpc64-smp 4.4.0-103.126
linux-image-4.4.0-103-generic 4.4.0-103.126
linux-image-4.4.0-103-powerpc-e500mc 4.4.0-103.126
linux-image-4.4.0-1012-kvm 4.4.0-1012.17
linux-image-4.4.0-103-generic-lpae 4.4.0-103.126
linux-image-4.4.0-103-powerpc64-emb 4.4.0-103.126
linux-image-generic 4.4.0.103.108
linux-image-snapdragon 4.4.0.1081.73
linux-image-powerpc64-emb 4.4.0.103.108
linux-image-4.4.0-103-powerpc-smp 4.4.0-103.126
linux-image-4.4.0-1079-raspi2 4.4.0-1079.87
linux-image-aws 4.4.0.1043.45
linux-image-kvm 4.4.0.1012.12
linux-image-4.4.0-103-lowlatency 4.4.0-103.126
linux-image-raspi2 4.4.0.1079.79
linux-image-powerpc-smp 4.4.0.103.108
linux-image-generic-lpae 4.4.0.103.108
linux-image-4.4.0-1043-aws 4.4.0-1043.52
linux-image-powerpc64-smp 4.4.0.103.108
linux-image-4.4.0-1081-snapdragon 4.4.0-1081.86
linux-image-lowlatency 4.4.0.103.108

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12193, CVE-2017-16643, CVE-2017-16939

Kategóriák: Securiy

USN-3508-2: Linux kernel (HWE) vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3508-2

7th December, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu
16.04 LTS.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Yonggang Guo discovered that a race condition existed in the driver
subsystem in the Linux kernel. A local attacker could use this to possibly
gain administrative privileges. (CVE-2017-12146)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.10.0-42-generic-lpae 4.10.0-42.46~16.04.1
linux-image-4.10.0-42-generic 4.10.0-42.46~16.04.1
linux-image-generic-hwe-16.04 4.10.0.42.44
linux-image-lowlatency-hwe-16.04 4.10.0.42.44
linux-image-4.10.0-42-lowlatency 4.10.0-42.46~16.04.1
linux-image-generic-lpae-hwe-16.04 4.10.0.42.44

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12146, CVE-2017-16939

Kategóriák: Securiy

USN-3508-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3508-1

7th December, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Yonggang Guo discovered that a race condition existed in the driver
subsystem in the Linux kernel. A local attacker could use this to possibly
gain administrative privileges. (CVE-2017-12146)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
linux-image-4.10.0-42-generic-lpae 4.10.0-42.46
linux-image-generic-lpae 4.10.0.42.42
linux-image-4.10.0-42-generic 4.10.0-42.46
linux-image-4.10.0-1023-raspi2 4.10.0-1023.26
linux-image-generic 4.10.0.42.42
linux-image-4.10.0-42-lowlatency 4.10.0-42.46
linux-image-lowlatency 4.10.0.42.42
linux-image-raspi2 4.10.0.1023.24

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12146, CVE-2017-16939

Kategóriák: Securiy

USN-3507-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.12.08, p - 05:40
Ubuntu Security Notice USN-3507-1

7th December, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a null pointer dereference error existed in the
PowerPC KVM implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-15306)

Eric Biggers discovered a race condition in the key management subsystem of
the Linux kernel around keys in a negative state. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-15951)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did
not properly validate USB BOS metadata. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
linux-image-4.13.0-19-generic 4.13.0-19.22
linux-image-4.13.0-19-generic-lpae 4.13.0-19.22
linux-image-generic-lpae 4.13.0.19.20
linux-image-4.13.0-19-lowlatency 4.13.0-19.22
linux-image-generic 4.13.0.19.20
linux-image-4.13.0-1008-raspi2 4.13.0-1008.8
linux-image-lowlatency 4.13.0.19.20
linux-image-raspi2 4.13.0.1008.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405, CVE-2017-12193, CVE-2017-15299, CVE-2017-15306, CVE-2017-15951, CVE-2017-16535, CVE-2017-16643, CVE-2017-16939

Kategóriák: Securiy

USN-3506-2: rsync vulnerabilities

Ubuntu security notices - 2017.12.07, cs - 16:25
Ubuntu Security Notice USN-3506-2

7th December, 2017

rsync vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in rsync.

Software description
  • rsync - fast, versatile, remote (and local) file-copying tool
Details

USN-3506-1 fixed two vulnerabilities in rsync. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that rsync proceeds with certain file metadata updates
before checking for a filename. An attacker could use this to bypass access
restrictions. (CVE-2017-17433)

It was discovered that rsync does not check for fnamecmp filenames and also
does not apply the sanitize_paths protection mechanism to pathnames. An attacker
could use this to bypass access restrictions. (CVE-2017-17434)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
rsync 3.0.9-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-17433, CVE-2017-17434

Kategóriák: Securiy

USN-3506-1: rsync vulnerabilities

Ubuntu security notices - 2017.12.07, cs - 16:25
Ubuntu Security Notice USN-3506-1

7th December, 2017

rsync vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in rsync.

Software description
  • rsync - fast, versatile, remote (and local) file-copying tool
Details

It was discovered that rsync proceeds with certain file metadata updates
before checking for a filename. An attacker could use this to bypass access
restrictions. (CVE-2017-17433)

It was discovered that rsync does not check for fnamecmp filenames and also
does not apply the sanitize_paths protection mechanism to pathnames. An attacker
could use this to bypass access restrictions. (CVE-2017-17434)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
rsync 3.1.2-2ubuntu0.1
Ubuntu 17.04:
rsync 3.1.2-1ubuntu0.1
Ubuntu 16.04 LTS:
rsync 3.1.1-3ubuntu1.1
Ubuntu 14.04 LTS:
rsync 3.1.0-2ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-17433, CVE-2017-17434

Kategóriák: Securiy

USN-3505-1: Linux firmware vulnerabilities

Ubuntu security notices - 2017.12.06, sze - 11:35
Ubuntu Security Notice USN-3505-1

6th December, 2017

linux-firmware vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in linux-firmware.

Software description
  • linux-firmware - Firmware for Linux kernel drivers
Details

Mathy Vanhoef discovered that the firmware for several Intel WLAN
devices incorrectly handled WPA2 in relation to Wake on WLAN. A
remote attacker could use this issue with key reinstallation attacks
to obtain sensitive information. (CVE-2017-13080, CVE-2017-13081)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
linux-firmware 1.169.1
Ubuntu 17.04:
linux-firmware 1.164.2
Ubuntu 16.04 LTS:
linux-firmware 1.157.14
Ubuntu 14.04 LTS:
linux-firmware 1.127.24

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-13080, CVE-2017-13081

Kategóriák: Securiy

USN-3504-2: libxml2 vulnerability

Ubuntu security notices - 2017.12.05, k - 19:01
Ubuntu Security Notice USN-3504-2

5th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

curl could be made to crash if it received specially crafted input.

Software description
  • libxml2 - GNOME XML library
Details

USN-3504-1 fixed a vulnerability in libxml2. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Wei Lei discovered that libxml2 incorrecty handled certain parameter
entities. An attacker could use this issue with specially constructed XML
data to cause libxml2 to consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.19
libxml2-utils 2.7.8.dfsg-5.1ubuntu4.19
python-libxml2 2.7.8.dfsg-5.1ubuntu4.19

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-16932

Kategóriák: Securiy

USN-3504-1: libxml2 vulnerability

Ubuntu security notices - 2017.12.05, k - 19:01
Ubuntu Security Notice USN-3504-1

5th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

libxml2 could be made to crash if it opened a specially crafted file.

Software description
  • libxml2 - GNOME XML library
Details

Wei Lei discovered that libxml2 incorrecty handled certain parameter
entities. An attacker could use this issue with specially constructed XML
data to cause libxml2 to consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libxml2 2.9.4+dfsg1-4ubuntu1.1
libxml2-utils 2.9.4+dfsg1-4ubuntu1.1
python-libxml2 2.9.4+dfsg1-4ubuntu1.1
python3-libxml2 2.9.4+dfsg1-4ubuntu1.1
Ubuntu 17.04:
libxml2 2.9.4+dfsg1-2.2ubuntu0.2
libxml2-utils 2.9.4+dfsg1-2.2ubuntu0.2
python-libxml2 2.9.4+dfsg1-2.2ubuntu0.2
python3-libxml2 2.9.4+dfsg1-2.2ubuntu0.2
Ubuntu 16.04 LTS:
libxml2 2.9.3+dfsg1-1ubuntu0.4
libxml2-utils 2.9.3+dfsg1-1ubuntu0.4
python-libxml2 2.9.3+dfsg1-1ubuntu0.4
Ubuntu 14.04 LTS:
libxml2 2.9.1+dfsg1-3ubuntu4.11
libxml2-utils 2.9.1+dfsg1-3ubuntu4.11
python-libxml2 2.9.1+dfsg1-3ubuntu4.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-16932

Kategóriák: Securiy

USN-3498-2: curl vulnerability

Ubuntu security notices - 2017.12.04, h - 20:45
Ubuntu Security Notice USN-3498-2

4th December, 2017

curl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

curl could be made to crash if it received specially crafted input.

Software description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

USN-3498-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that curl incorrectly handled FTP wildcard matching. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service, or possibly obtain sensitive information.
(CVE-2017-8817)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libcurl3-nss 7.22.0-3ubuntu4.19
curl 7.22.0-3ubuntu4.19
libcurl3-gnutls 7.22.0-3ubuntu4.19
libcurl3 7.22.0-3ubuntu4.19

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-8817

Kategóriák: Securiy

USN-3503-1: Evince vulnerability

Ubuntu security notices - 2017.12.04, h - 20:45
Ubuntu Security Notice USN-3503-1

4th December, 2017

evince vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Evince could be made to run programs if it printed a specially crafted file.

Software description
  • evince - Document viewer
Details

It was discovered that Evince incorrectly handled printing certain DVI
files. If a user were tricked into opening and printing a specially-named
DVI file, an attacker could use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
evince 3.24.0-0ubuntu1.3
evince-common 3.24.0-0ubuntu1.3
Ubuntu 16.04 LTS:
evince 3.18.2-1ubuntu4.3
evince-common 3.18.2-1ubuntu4.3
Ubuntu 14.04 LTS:
evince 3.10.3-0ubuntu10.4
evince-common 3.10.3-0ubuntu10.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000159

Kategóriák: Securiy

Oldalak

Subscribe to Informatikai megoldások hírolvasó