Feed reader

Ubuntu Hour December

Ubuntu Hungarian community - 2017.12.04, Mon - 10:21

Date: 8 December 2017 (Friday)

BUDAPEST
Start: 18:00
Venue: A Grund, Bazsesz room (Budapest, VIII. Nagytemplom utca 30.)
Topic: Ubuntu 17.10 through a vlogger's eyes
Getting there: 8 minutes' walk from Corvin negyed, 5 minutes from the Klinikák stop.
Contact the organiser.
MISKOLC
Start: 18:00
Venue: Avasi Sörház (Miskolc, Meggyesalja u. 1.)
Topic: Ubuntu Budgie
Getting there: a 2-minute walk from Városház tér towards the Avasi lookout tower
Contact the organisers: here and here.
PÉCS
Start: 18:00
Venue: HANGULAT Presszó (7624 Pécs, Ifjúság útja 6.)
Topic: Firefox Quantum
Getting there: Petőfi utca stop (buses 2, 2A, 25, 26, 27, 28, 37, 55), Megyeri tér stop (buses 21, 121, 23, 23Y, 123, 123Y, 24, 124)
Social media page: Ubuntu Hour - Pécs
Contact the organiser.

The events are free for everyone.

USN-3477-3: Firefox regressions

Ubuntu security notices - 2017.12.01, Fri - 20:39
Ubuntu Security Notice USN-3477-3

1st December, 2017

firefox regressions

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

USN-3477-1 caused some minor regressions in Firefox.

Software description
  • firefox - Mozilla Open Source web browser
Details

USN-3477-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
address bar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted into the address bar
would be executed instead of being blocked in some circumstances. If a
user were tricked into copying a specially crafted URL into the
address bar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked into adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
firefox 57.0.1+build2-0ubuntu0.17.10.1
Ubuntu 17.04:
firefox 57.0.1+build2-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
firefox 57.0.1+build2-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 57.0.1+build2-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1735801

Categories: Security

USN-3490-1: Thunderbird vulnerabilities

Ubuntu security notices - 2017.12.01, Fri - 17:34
Ubuntu Security Notice USN-3490-1

1st December, 2017

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Thunderbird.

Software description
  • thunderbird - Mozilla Open Source mail and newsgroup client
Details

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing-like
context, an attacker could potentially exploit these to bypass same-origin
restrictions, cause a denial of service via application crash, or execute
arbitrary code. (CVE-2017-7826, CVE-2017-7828, CVE-2017-7830)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
thunderbird 1:52.5.0+build1-0ubuntu0.17.10.1
Ubuntu 17.04:
thunderbird 1:52.5.0+build1-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
thunderbird 1:52.5.0+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
thunderbird 1:52.5.0+build1-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2017-7826, CVE-2017-7828, CVE-2017-7830

Categories: Security

USN-3501-1: libxcursor vulnerability

Ubuntu security notices - 2017.11.29, Wed - 22:52
Ubuntu Security Notice USN-3501-1

29th November, 2017

libxcursor vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

libxcursor could be made to crash or run programs if it opened a specially crafted file.

Software description
  • libxcursor - X11 cursor management library
Details

It was discovered that libxcursor incorrectly handled certain files. An
attacker could use these issues to cause libxcursor to crash, resulting in
a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libxcursor1 1:1.1.14-3ubuntu0.1
Ubuntu 17.04:
libxcursor1 1:1.1.14-1ubuntu0.17.04.1
Ubuntu 16.04 LTS:
libxcursor1 1:1.1.14-1ubuntu0.16.04.1
Ubuntu 14.04 LTS:
libxcursor1 1:1.1.14-1ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-16612

Categories: Security

USN-3500-1: libXfont vulnerability

Ubuntu security notices - 2017.11.29, Wed - 22:52
Ubuntu Security Notice USN-3500-1

29th November, 2017

libxfont, libxfont1, libxfont2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

libXfont could be made to access arbitrary files, including special device files.

Software description
  • libxfont - X11 font rasterisation library
  • libxfont1 - X11 font rasterisation library
  • libxfont2 - X11 font rasterisation library
Details

It was discovered that libXfont incorrectly followed symlinks when opening
font files. A local unprivileged user could use this issue to cause the X
server to access arbitrary files, including special device files.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libxfont1 1:1.5.2-4ubuntu1.1
libxfont2 1:2.0.1-3ubuntu1.1
Ubuntu 17.04:
libxfont1 1:1.5.2-4ubuntu0.2
libxfont2 1:2.0.1-3ubuntu0.2
Ubuntu 16.04 LTS:
libxfont1 1:1.5.1-1ubuntu0.16.04.4
libxfont2 1:2.0.1-3~ubuntu16.04.3
Ubuntu 14.04 LTS:
libxfont1 1:1.4.7-1ubuntu0.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-16611

Categories: Security

USN-3499-1: Exim vulnerability

Ubuntu security notices - 2017.11.29, Wed - 22:52
Ubuntu Security Notice USN-3499-1

29th November, 2017

exim4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
Summary

Exim could be made to crash if it received specially crafted network traffic.

Software description
  • exim4 - Exim is a mail transport agent
Details

It was discovered that Exim incorrectly handled certain BDAT data headers.
A remote attacker could possibly use this issue to cause Exim to crash,
resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
exim4-daemon-heavy 4.89-5ubuntu1.2
exim4-daemon-light 4.89-5ubuntu1.2
Ubuntu 17.04:
exim4-daemon-heavy 4.88-5ubuntu1.3
exim4-daemon-light 4.88-5ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-16944

Categories: Security

USN-3498-1: curl vulnerabilities

Ubuntu security notices - 2017.11.29, Wed - 16:49
Ubuntu Security Notice USN-3498-1

29th November, 2017

curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in curl.

Software description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

Alex Nichols discovered that curl incorrectly handled NTLM authentication
credentials. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10.
(CVE-2017-8816)

It was discovered that curl incorrectly handled FTP wildcard matching. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service, or possibly obtain sensitive information.
(CVE-2017-8817)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libcurl3-nss 7.55.1-1ubuntu2.2
curl 7.55.1-1ubuntu2.2
libcurl3-gnutls 7.55.1-1ubuntu2.2
libcurl3 7.55.1-1ubuntu2.2
Ubuntu 17.04:
libcurl3-nss 7.52.1-4ubuntu1.4
curl 7.52.1-4ubuntu1.4
libcurl3-gnutls 7.52.1-4ubuntu1.4
libcurl3 7.52.1-4ubuntu1.4
Ubuntu 16.04 LTS:
libcurl3-nss 7.47.0-1ubuntu2.5
curl 7.47.0-1ubuntu2.5
libcurl3-gnutls 7.47.0-1ubuntu2.5
libcurl3 7.47.0-1ubuntu2.5
Ubuntu 14.04 LTS:
libcurl3-nss 7.35.0-1ubuntu2.13
curl 7.35.0-1ubuntu2.13
libcurl3-gnutls 7.35.0-1ubuntu2.13
libcurl3 7.35.0-1ubuntu2.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-8816, CVE-2017-8817

Categories: Security

USN-3497-1: OpenJDK 7 vulnerabilities

Ubuntu security notices - 2017.11.29, Wed - 13:46
Ubuntu Security Notice USN-3497-1

29th November, 2017

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in OpenJDK 7.

Software description
  • openjdk-7 - Open Source Java implementation
Details

It was discovered that the Smart Card IO subsystem in OpenJDK did not
properly maintain state. An attacker could use this to specially construct
an untrusted Java application or applet to gain access to a smart card,
bypassing sandbox restrictions. (CVE-2017-10274)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10281)

It was discovered that the Remote Method Invocation (RMI) component in
OpenJDK did not properly handle unreferenced objects. An attacker could use
this to specially construct an untrusted Java application or applet that
could escape sandbox restrictions. (CVE-2017-10285)

It was discovered that the HttpURLConnection classes in OpenJDK did not
properly handle newlines. An attacker could use this to convince a Java
application or applet to inject headers into HTTP requests.
(CVE-2017-10295)

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi
discovered that the Serialization component of OpenJDK did not properly
restrict the amount of memory allocated when deserializing objects from
Java Cryptography Extension KeyStore (JCEKS). An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10345)

It was discovered that the Hotspot component of OpenJDK did not properly
perform loader checks when handling the invokespecial JVM instruction. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2017-10346)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations in the SimpleTimeZone class. An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10347)

It was discovered that the Serialization component of OpenJDK did not
properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10348, CVE-2017-10357)

It was discovered that the JAXP component in OpenJDK did not properly limit
the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10349)

It was discovered that the JAX-WS component in OpenJDK did not properly
limit the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10350)

It was discovered that the Networking component of OpenJDK did not properly
set timeouts on FTP client actions. A remote attacker could use this to
cause a denial of service (application hang). (CVE-2017-10355)

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, Riccardo Focardi, and
Tobias Ospelt discovered that the Security component in OpenJDK did not
sufficiently protect password-based encryption keys in key stores. An
attacker could use this to expose sensitive information. (CVE-2017-10356)

Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos tickets. A
remote attacker could use this to impersonate trusted network services or
perform other attacks. (CVE-2017-10388)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
openjdk-7-jre-lib 7u151-2.6.11-2ubuntu0.14.04.1
openjdk-7-jre-zero 7u151-2.6.11-2ubuntu0.14.04.1
icedtea-7-jre-jamvm 7u151-2.6.11-2ubuntu0.14.04.1
openjdk-7-jre-headless 7u151-2.6.11-2ubuntu0.14.04.1
openjdk-7-jre 7u151-2.6.11-2ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388

Categories: Security

USN-3496-3: Python vulnerability

Ubuntu security notices - 2017.11.29, Wed - 00:47
Ubuntu Security Notice USN-3496-3

28th November, 2017

python3.4, python3.5 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Python could be made to run arbitrary code.

Software description
  • python3.4 - An interactive high-level object-oriented language
  • python3.5 - An interactive high-level object-oriented language
Details

USN-3496-1 fixed a vulnerability in Python2.7. This update provides
the corresponding update for versions 3.4 and 3.5.

Original advisory details:

It was discovered that Python incorrectly handled decoding certain strings.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
python3.5 3.5.3-1ubuntu0~17.04.2
python3.5-minimal 3.5.3-1ubuntu0~17.04.2
Ubuntu 16.04 LTS:
python3.5 3.5.2-2ubuntu0~16.04.4
python3.5-minimal 3.5.2-2ubuntu0~16.04.4
Ubuntu 14.04 LTS:
python3.4 3.4.3-1ubuntu1~14.04.6
python3.4-minimal 3.4.3-1ubuntu1~14.04.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000158

Categories: Security

USN-3496-2: Python vulnerability

Ubuntu security notices - 2017.11.28, Tue - 21:34
Ubuntu Security Notice USN-3496-2

28th November, 2017

python2.7 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Python could be made to run arbitrary code.

Software description
  • python2.7 - An interactive high-level object-oriented language
Details

USN-3496-1 fixed a vulnerability in Python. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Python incorrectly handled decoding certain strings.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
python2.7-minimal 2.7.3-0ubuntu3.10
python2.7 2.7.3-0ubuntu3.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000158

Categories: Security

USN-3496-1: Python vulnerability

Ubuntu security notices - 2017.11.28, Tue - 21:34
Ubuntu Security Notice USN-3496-1

28th November, 2017

python2.7 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Python could be made to run arbitrary code.

Software description
  • python2.7 - An interactive high-level object-oriented language
Details

It was discovered that Python incorrectly handled decoding certain strings.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
python2.7-minimal 2.7.13-2ubuntu0.1
python2.7 2.7.13-2ubuntu0.1
Ubuntu 16.04 LTS:
python2.7-minimal 2.7.12-1ubuntu0~16.04.2
python2.7 2.7.12-1ubuntu0~16.04.2
Ubuntu 14.04 LTS:
python2.7-minimal 2.7.6-8ubuntu0.4
python2.7 2.7.6-8ubuntu0.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000158

Categories: Security

USN-3477-2: Firefox regression

Ubuntu security notices - 2017.11.28, Tue - 02:25
Ubuntu Security Notice USN-3477-2

27th November, 2017

firefox regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

USN-3477-1 caused a regression in Firefox.

Software description
  • firefox - Mozilla Open Source web browser
Details

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search
suggestions to not be displayed when performing Google searches from the
search bar. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
address bar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted into the address bar
would be executed instead of being blocked in some circumstances. If a
user were tricked into copying a specially crafted URL into the
address bar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked into adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
firefox 57.0+build4-0ubuntu0.17.10.6
Ubuntu 17.04:
firefox 57.0+build4-0ubuntu0.17.04.6
Ubuntu 16.04 LTS:
firefox 57.0+build4-0ubuntu0.16.04.6
Ubuntu 14.04 LTS:
firefox 57.0+build4-0ubuntu0.14.04.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1733970

Categories: Security

USN-3476-2: postgresql-common vulnerabilities

Ubuntu security notices - 2017.11.27, Mon - 23:22
Ubuntu Security Notice USN-3476-2

27th November, 2017

postgresql-common vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

postgresql-common could be made to overwrite files as the administrator.

Software description
  • postgresql-common - PostgreSQL database-cluster manager
Details

USN-3476-1 fixed two vulnerabilities in postgresql-common. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Dawid Golunski discovered that the postgresql-common pg_ctlcluster script
incorrectly handled symlinks. A local attacker could possibly use this
issue to escalate privileges. (CVE-2016-1255)

It was discovered that the postgresql-common helper scripts incorrectly
handled symlinks. A local attacker could possibly use this issue to
escalate privileges. (CVE-2017-8806)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
postgresql-common 129ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1255, CVE-2017-8806

Categories: Security

USN-3495-1: OptiPNG vulnerability

Ubuntu security notices - 2017.11.27, Mon - 23:22
Ubuntu Security Notice USN-3495-1

27th November, 2017

optipng vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

OptiPNG could be made to crash or run programs as your login if it opened a specially crafted file.

Software description
  • optipng - advanced PNG (Portable Network Graphics) optimizer
Details

It was discovered that OptiPNG incorrectly handled memory. A remote
attacker could use this issue with a specially crafted image file to cause
OptiPNG to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
optipng 0.7.6-1ubuntu0.17.10.1
Ubuntu 17.04:
optipng 0.7.6-1ubuntu0.17.04.1
Ubuntu 16.04 LTS:
optipng 0.7.6-1ubuntu0.16.04.1
Ubuntu 14.04 LTS:
optipng 0.6.4-1ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000229

Categories: Security

USN-3494-1: XML::LibXML vulnerability

Ubuntu security notices - 2017.11.27, Mon - 23:22
Ubuntu Security Notice USN-3494-1

27th November, 2017

libxml-libxml-perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

XML::LibXML could be made to crash or run programs if it processed specially crafted input.

Software description
  • libxml-libxml-perl - Perl interface to the libxml2 library
Details

It was discovered that XML::LibXML incorrectly handled memory when
processing a replaceChild call. A remote attacker could possibly use this
issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libxml-libxml-perl 2.0128+dfsg-3ubuntu0.1
Ubuntu 17.04:
libxml-libxml-perl 2.0128+dfsg-1ubuntu0.1
Ubuntu 16.04 LTS:
libxml-libxml-perl 2.0123+dfsg-1ubuntu0.1
Ubuntu 14.04 LTS:
libxml-libxml-perl 2.0108+dfsg-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10672

Categories: Security

USN-3493-1: Exim vulnerability

Ubuntu security notices - 2017.11.27, Mon - 23:22
Ubuntu Security Notice USN-3493-1

27th November, 2017

exim4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
Summary

Exim could be made to crash or run programs if it received specially crafted network traffic.

Software description
  • exim4 - Exim is a mail transport agent
Details

It was discovered that Exim incorrectly handled memory in the ESMTP
CHUNKING extension. A remote attacker could use this issue to cause Exim to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce the
vulnerability to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
exim4-daemon-heavy 4.89-5ubuntu1.1
exim4-daemon-light 4.89-5ubuntu1.1
Ubuntu 17.04:
exim4-daemon-heavy 4.88-5ubuntu1.2
exim4-daemon-light 4.88-5ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-16943

Categories: Security

USN-3492-1: LibRaw vulnerabilities

Ubuntu security notices - 2017.11.23, Thu - 00:35
Ubuntu Security Notice USN-3492-1

22nd November, 2017

libraw vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

LibRaw could be made to crash or run programs as your login if it opened a specially crafted file.

Software description
  • libraw - raw image decoder library
Details

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, a remote attacker could cause applications linked against LibRaw
to crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libraw16 0.18.2-2ubuntu0.1
Ubuntu 17.04:
libraw16 0.18.1-1ubuntu0.1
Ubuntu 16.04 LTS:
libraw15 0.17.1-1ubuntu0.1
Ubuntu 14.04 LTS:
libraw9 0.15.4-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2015-3885, CVE-2015-8366, CVE-2015-8367, CVE-2017-13735, CVE-2017-14265, CVE-2017-14348, CVE-2017-14608, CVE-2017-6886, CVE-2017-6887

Categories: Security

USN-3491-1: ldns vulnerabilities

Ubuntu security notices - 2017.11.23, Thu - 00:35
Ubuntu Security Notice USN-3491-1

22nd November, 2017

ldns vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in ldns.

Software description
  • ldns - ldns library for DNS programming
Details

Leon Weber discovered that the ldns-keygen tool incorrectly set permissions
on private keys. A local attacker could possibly use this issue to obtain
generated private keys. This issue only applied to Ubuntu 14.04 LTS.
(CVE-2014-3209)

Stephan Zeisberg discovered that ldns incorrectly handled memory when
processing data. A remote attacker could use this issue to cause ldns to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-1000231, CVE-2017-1000232)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libldns2 1.7.0-1ubuntu1.17.10.1
Ubuntu 17.04:
libldns2 1.7.0-1ubuntu1.17.04.1
Ubuntu 16.04 LTS:
libldns1 1.6.17-8ubuntu0.1
Ubuntu 14.04 LTS:
libldns1 1.6.17-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3209, CVE-2017-1000231, CVE-2017-1000232

Categories: Security

USN-3489-2: Berkeley DB vulnerability

Ubuntu security notices - 2017.11.22, Wed - 01:59
Ubuntu Security Notice USN-3489-2

21st November, 2017

db, db4.8 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Berkeley DB could be made to expose sensitive information.

Software description
  • db - Berkeley v5.1 Database Utilities
  • db4.8 - Berkeley v4.8 Database Utilities
Details

USN-3489-1 fixed a vulnerability in Berkeley DB. This update provides the
corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Berkeley DB incorrectly handled certain configuration files.
An attacker could possibly use this issue to read sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
db4.8-util 4.8.30-11ubuntu1.1
db5.1-util 5.1.25-11ubuntu0.1
libdb4.8 4.8.30-11ubuntu1.1
libdb5.1 5.1.25-11ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10140

Categories: Security

USN-3489-1: Berkeley DB vulnerability

Ubuntu security notices - 2017.11.22, Wed - 01:59
Ubuntu Security Notice USN-3489-1

21st November, 2017

db5.3 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Berkeley DB could be made to expose sensitive information.

Software description
  • db5.3 - Berkeley v5.3 Database Documentation [html]
Details

It was discovered that Berkeley DB incorrectly handled certain configuration files.
An attacker could possibly use this issue to read sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
db5.3-util 5.3.28-12ubuntu0.1
libdb5.3 5.3.28-12ubuntu0.1
Ubuntu 16.04 LTS:
db5.3-util 5.3.28-11ubuntu0.1
libdb5.3 5.3.28-11ubuntu0.1
Ubuntu 14.04 LTS:
db5.3-util 5.3.28-3ubuntu3.1
libdb5.3 5.3.28-3ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
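Every notice above ends with the same instruction: update to the listed package version. Checking a fleet against those versions needs a correct Debian version comparison, because a plain string compare gets epochs (`1:`), `~` suffixes and multi-digit revisions wrong. The following script is an added example, not part of this page and not Ubuntu's own tooling: it reimplements the ordering dpkg uses (epoch, then upstream version, then Debian revision; digit runs compared numerically, `~` sorting before everything else) and runs it over a constructed sample shaped like `dpkg-query -W -f='${Package} ${Version}\n'` output, against the Ubuntu 16.04 LTS fixed versions taken from USN-3498-1 (curl), USN-3490-1 (Thunderbird), USN-3496-3 (Python 3.5) and USN-3501-1 (libxcursor). The sample lines, the hypothetical `libcurl3-gnutls 7.47.0-1ubuntu2.10` revision and the function names are all constructed for the example.

```python
"""Compare installed package versions against the fixed versions from an
Ubuntu Security Notice.  Added example; not Ubuntu's tooling."""
import string

DIGITS = "0123456789"


def _order(c):
    """dpkg's weight for one character of a non-digit run."""
    if c == "" or c in DIGITS:
        return 0                  # end of string and digits weigh nothing
    if c in string.ascii_letters:
        return ord(c)             # letters sort before other symbols
    if c == "~":
        return -1                 # '~' sorts before everything, even end of string
    return ord(c) + 256           # '+', '.', etc. sort after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character by character using _order() weights
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros, then compare as a number
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1              # a has more digits left, so it is the larger number
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)   # revision follows the LAST hyphen
    else:
        upstream, revision = version, ""              # no revision is equivalent to '0'
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


# Fixed versions for Ubuntu 16.04 LTS, copied from the notices on this page.
FIXED_XENIAL = {
    "curl": "7.47.0-1ubuntu2.5",                        # USN-3498-1
    "libcurl3": "7.47.0-1ubuntu2.5",
    "libcurl3-gnutls": "7.47.0-1ubuntu2.5",
    "libcurl3-nss": "7.47.0-1ubuntu2.5",
    "thunderbird": "1:52.5.0+build1-0ubuntu0.16.04.1",  # USN-3490-1
    "python3.5": "3.5.2-2ubuntu0~16.04.4",              # USN-3496-3
    "libxcursor1": "1:1.1.14-1ubuntu0.16.04.1",         # USN-3501-1
}

# Constructed sample in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
# output; not captured from a real host.  The libcurl3-gnutls revision "2.10" is
# a hypothetical later build, there to show numeric (not string) comparison.
SAMPLE_DPKG_OUTPUT = """\
curl 7.47.0-1ubuntu2.4
libcurl3 7.47.0-1ubuntu2.4
libcurl3-gnutls 7.47.0-1ubuntu2.10
thunderbird 1:52.4.0+build1-0ubuntu0.16.04.1
python3.5 3.5.2-2ubuntu0~16.04.4
libxcursor1 1:1.1.14-1ubuntu0.16.04.1
"""


def outdated_packages(dpkg_output, fixed):
    """Return (package, installed, fixed) for installed packages still below the fix.
    Packages absent from the output are not installed and therefore not affected."""
    result = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        if name in fixed and compare_versions(version, fixed[name]) < 0:
            result.append((name, version, fixed[name]))
    return result


if __name__ == "__main__":
    for name, installed, wanted in outdated_packages(SAMPLE_DPKG_OUTPUT, FIXED_XENIAL):
        print(f"{name}: installed {installed}, needs {wanted}")
```

On a single host, `dpkg --compare-versions` is the authoritative check for one pair of versions; the script's value is applying the same ordering to whole `dpkg-query` dumps collected from many machines, so the comparison can run offline wherever the inventory lives.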

References

CVE-2017-10140

Categories: Security
