You are here

Hírolvasó

USN-3478-1: Perl vulnerabilities

Ubuntu security notices - 2017.11.13, h - 16:54
Ubuntu Security Notice USN-3478-1

13th November, 2017

perl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Perl could be made to crash if it received specially crafted input.

Software description
  • perl - Practical Extraction and Report Language
Details

Jakub Wilk discovered that Perl incorrectly handled certain regular
expressions. An attacker could use this issue to cause Perl to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-12837, CVE-2017-12883)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
perl 5.24.1-2ubuntu1.1
Ubuntu 16.04 LTS:
perl 5.22.1-9ubuntu0.2
Ubuntu 14.04 LTS:
perl 5.18.2-2ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12837, CVE-2017-12883

Kategóriák: Securiy

USN-3476-1: postgresql-common vulnerabilities

Ubuntu security notices - 2017.11.09, cs - 23:11
Ubuntu Security Notice USN-3476-1

9th November, 2017

postgresql-common vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

postgresql-common could be made to overwrite files as the administrator.

Software description
  • postgresql-common - PostgreSQL database-cluster manager
Details

Dawid Golunski discovered that the postgresql-common pg_ctlcluster script
incorrectly handled symlinks. A local attacker could possibly use this
issue to escalate privileges. This issue only affected Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-1255)

It was discovered that the postgresql-common helper scripts incorrectly
handled symlinks. A local attacker could possibly use this issue to
escalate privileges. (CVE-2017-8806)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
postgresql-common 184ubuntu1.1
Ubuntu 17.04:
postgresql-common 179ubuntu0.1
Ubuntu 16.04 LTS:
postgresql-common 173ubuntu0.1
Ubuntu 14.04 LTS:
postgresql-common 154ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1255, CVE-2017-8806

Kategóriák: Securiy

USN-3346-3: Bind vulnerabilities

Ubuntu security notices - 2017.11.08, sze - 21:33
Ubuntu Security Notice USN-3346-3

8th November, 2017

bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Bind could be made to serve incorrect information or expose sensitive information over the network.

Software description
  • bind9 - Internet Domain Name Server
Details

USN-3346-1 and USN-3346-2 fixed two vulnerabilities in Bind and a regression,
respectively. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Clément Berthaux discovered that Bind did not correctly check TSIG
authentication for zone update requests. An attacker could use this
to improperly perform zone updates. (CVE-2017-3143)

Clément Berthaux discovered that Bind did not correctly check TSIG
authentication for zone transfer requests. An attacker could use this
to improperly transfer entire zones. (CVE-2017-3142)

In addition, this update adds the new root zone key signing key (KSK).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Bind to make
all the necessary changes.

References

CVE-2017-3142, CVE-2017-3143

Kategóriák: Securiy

4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields - Version: 1.0

Microsoft Security Advisories - 2017.11.08, sze - 20:00
Revision Note: V1.0 (November 8, 2017): Advisory published.
Summary: Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.
Kategóriák: Securiy

USN-3473-1: OpenJDK 8 vulnerabilities

Ubuntu security notices - 2017.11.08, sze - 11:52
Ubuntu Security Notice USN-3473-1

8th November, 2017

openjdk-8 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in OpenJDK 8.

Software description
  • openjdk-8 - Open Source Java implementation
Details

It was discovered that the Smart Card IO subsystem in OpenJDK did not
properly maintain state. An attacker could use this to specially construct
an untrusted Java application or applet to gain access to a smart card,
bypassing sandbox restrictions. (CVE-2017-10274)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10281)

It was discovered that the Remote Method Invocation (RMI) component in
OpenJDK did not properly handle unreferenced objects. An attacker could use
this to specially construct an untrusted Java application or applet that
could escape sandbox restrictions. (CVE-2017-10285)

It was discovered that the HTTPUrlConnection classes in OpenJDK did not
properly handle newlines. An attacker could use this to convince a Java
application or applet to inject headers into http requests.
(CVE-2017-10295)

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi
discovered that the Serialization component of OpenJDK did not properly
restrict the amount of memory allocated when deserializing objects from
Java Cryptography Extension KeyStore (JCEKS). An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10345)

It was discovered that the Hotspot component of OpenJDK did not properly
perform loader checks when handling the invokespecial JVM instruction. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2017-10346)

Gaston Traberg discovered that the Serialization component of OpenJDK did
not properly limit the amount of memory allocated when performing
deserializations in the SimpleTimeZone class. An attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2017-10347)

It was discovered that the Serialization component of OpenJDK did not
properly limit the amount of memory allocated when performing
deserializations. An attacker could use this to cause a denial of service
(memory exhaustion). (CVE-2017-10348, CVE-2017-10357)

It was discovered that the JAXP component in OpenJDK did not properly limit
the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10349)

It was discovered that the JAX-WS component in OpenJDK did not properly
limit the amount of memory allocated when performing deserializations. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2017-10350)

It was discovered that the Networking component of OpenJDK did not properly
set timeouts on FTP client actions. A remote attacker could use this to
cause a denial of service (application hang). (CVE-2017-10355)

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, Riccardo Focardi, and
Tobias Ospelt discovered that the Security component in OpenJDK did not
sufficiently protect password-based encryption keys in key stores. An
attacker could use this to expose sensitive information. (CVE-2017-10356)

Jeffrey Altman discovered that the Kerberos client implementation in
OpenJDK incorrectly trusted unauthenticated portions of Kerberos tickets. A
remote attacker could use this to impersonate trusted network services or
perform other attacks. (CVE-2017-10388)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
openjdk-8-jdk-headless 8u151-b12-0ubuntu0.17.10.2
openjdk-8-jre-zero 8u151-b12-0ubuntu0.17.10.2
openjdk-8-jdk 8u151-b12-0ubuntu0.17.10.2
openjdk-8-jre-headless 8u151-b12-0ubuntu0.17.10.2
openjdk-8-jre 8u151-b12-0ubuntu0.17.10.2
Ubuntu 17.04:
openjdk-8-jdk-headless 8u151-b12-0ubuntu0.17.04.2
openjdk-8-jre-zero 8u151-b12-0ubuntu0.17.04.2
openjdk-8-jdk 8u151-b12-0ubuntu0.17.04.2
openjdk-8-jre-headless 8u151-b12-0ubuntu0.17.04.2
openjdk-8-jre 8u151-b12-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
openjdk-8-jdk 8u151-b12-0ubuntu0.16.04.2
openjdk-8-jre-headless 8u151-b12-0ubuntu0.16.04.2
openjdk-8-jre 8u151-b12-0ubuntu0.16.04.2
openjdk-8-jdk-headless 8u151-b12-0ubuntu0.16.04.2
openjdk-8-jre-zero 8u151-b12-0ubuntu0.16.04.2
openjdk-8-jre-jamvm 8u151-b12-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388

Kategóriák: Securiy

USN-3475-1: OpenSSL vulnerabilities

Ubuntu security notices - 2017.11.06, h - 22:30
Ubuntu Security Notice USN-3475-1

6th November, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in OpenSSL.

Software description
  • openssl - Secure Socket Layer (SSL) cryptographic library and tools
Details

It was discovered that OpenSSL incorrectly parsed the IPAddressFamily
extension in X.509 certificates, resulting in an erroneous display of the
certificate in text format. (CVE-2017-3735)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-3736)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libssl1.0.0 1.0.2g-1ubuntu13.2
Ubuntu 17.04:
libssl1.0.0 1.0.2g-1ubuntu11.3
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.9
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-3735, CVE-2017-3736

Kategóriák: Securiy

USN-3474-1: Liblouis vulnerability

Ubuntu security notices - 2017.11.06, h - 16:10
Ubuntu Security Notice USN-3474-1

6th November, 2017

liblouis vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Liblouis could be made to crash or run programs as your login if it opened a specially crafted file.

Software description
  • liblouis - Braille translation library - utilities
Details

Raphael Sanchez Prudencio discovered that Liblouis incorrectly handled certain files.
If a user were tricked into opening a crafted file, an attacker could possibly use this
to cause a denial of service or potentially execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
liblouis2 2.5.3-2ubuntu1.2
liblouis-bin 2.5.3-2ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8184

Kategóriák: Securiy

Megjelent a Full Circle magazin 123. számának magyar fordítása

Ubuntu magyar közösség - 2017.11.05, v - 06:03

A fordítócsapat örömmel jelenti be, hogy elkészült a Full Circle magazin 123. számának magyar fordítása.

Tartalom:

  • Hírek
  • Parancsolj és uralkodj: Új lehetőségek
  • Hogyanok:
    • Python a való világban – 80. rész
    • Bevezető a FreeCAD-hez – 4. rész
    • Konvertálás LaTeXbe
    • Inkscape – 63. rész
    • Kdenlive – 7. rész
    • Kutatás Linuxszal
    • Hogyan írjunk a Full Circle-be!
  • Linux labor: Zenelejátszó EEEPC-ből
  • Fókuszban: Veracrypt
  • Különvélemény: Rémálomszerű kísérletem az Ubuntuval egy HP Stream 11-en
  • Levelek
  • KáVé
  • Játékok Ubuntun: Rising World
  • Az én asztalom
  • Támogatóink
  • Közreműködnél?

Az új szám elérhető a régiek mellett a http://fullcircle.hu oldalon.

Letöltési link: 123. szám

A fordítást a Full Circle magazin magyar fordítócsapata készítette.

A régebbi számok továbbra is elérhetők a fordítócsapat oldalán, a fullcircle.hu oldalon, továbbá a Full Circle magazin hivatalos oldalának letöltései között: http://fullcirclemagazine.org/downloads/

Megpróbálunk minél hamarabb jelentkezni a 124. számmal. A régebbi számok mindegyike elérhető és letölthető weboldalunkról, illetve kereshettek minket a Facebookon is.

Jó olvasgatást kívánunk mindenkinek!

123. szám

Full Circle Magazin - 2017.11.04, szo - 21:46
Tartalom 123. szám
  • Hírek
  • Parancsolj és uralkodj: Új lehetőségek
  • Hogyanok:
    • Python a való világban – 80. rész
    • Gyakorlati bevezető a FreeCAD-hez – 4. rész
    • Konvertálás LaTeXbe
    • Inkscape – 63. rész
    • Kdenlive – 7. rész
    • Kutatás Linuxszal
    • Hogyan írjunk a Full Circle-be?
  • Linux labor: Zenelejátszó EEEPC-ből
  • Fókuszban: Veracrypt
  • Különvélemény: Rémálomszerű kísérletem az Ubuntuval egy HP Stream 11-en
  • Levelek
  • KáVé
  • Játékok Ubuntun: Rising World
  • Az én asztalom
  • Támogatóink
  • Közreműködnél?
123. szám (0)

USN-3426-2: Samba vulnerabilities

Ubuntu security notices - 2017.11.02, cs - 16:37
Ubuntu Security Notice USN-3426-2

2nd November, 2017

samba vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in XXX-APP-XXX.

Software description
  • samba - SMB/CIFS file, print, and login server for Unix
Details

USN-3426-1 fixed several vulnerabilities in Samba. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in
certain situations. A remote attacker could use this issue to perform a man
in the middle attack. (CVE-2017-12150)

Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory
when SMB1 is being used. A remote attacker could possibly use this issue to
obtain server memory contents. (CVE-2017-12163)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
samba 2:3.6.25-0ubuntu0.12.04.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12150, CVE-2017-12163

Kategóriák: Securiy

USN-3472-1: LibreOffice vulnerabilities

Ubuntu security notices - 2017.11.02, cs - 16:37
Ubuntu Security Notice USN-3472-1

2nd November, 2017

libreoffice vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

LibreOffice could be made to crash or run programs as your login if it opened a specially crafted file.

Software description
  • libreoffice - Office productivity suite
Details

Marcin Noga discovered that LibreOffice incorrectly handled PPT documents.
If a user were tricked into opening a specially crafted PPT document, a
remote attacker could cause LibreOffice to crash, and possibly execute
arbitrary code. (CVE-2017-12607)

Marcin Noga discovered that LibreOffice incorrectly handled Word documents.
If a user were tricked into opening a specially crafted Word document, a
remote attacker could cause LibreOffice to crash, and possibly execute
arbitrary code. (CVE-2017-12608)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
libreoffice-core 1:4.2.8-0ubuntu5.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibreOffice to make all
the necessary changes.

References

CVE-2017-12607, CVE-2017-12608

Kategóriák: Securiy

Ubuntu Hour november

Ubuntu magyar közösség - 2017.11.01, sze - 16:18

Időpont: 2017. november 10. (péntek)

BUDAPEST
Kezdés: 18.00 óra
Helyszín: A Grund Bazsesz terem (Budapest, VIII. Nagytemplom utca 30.)
Téma: UBports Project
Megközelítés: Corvin negyedtől 8 perc, Klinikák megállótól 5 perc séta.
Kapcsolatfelvétel a szervezővel.
MISKOLC
Kezdés: 18.00 óra
Helyszín: Avasi Sörház (Miskolc, Meggyesalja u. 1.)
Téma: Bash és más szkriptnyelvek
Megközelítés: a Városház tértől az Avasi kilátó irányába 2 percnyi séta
Kapcsolatfelvétel a szervezőkkel: itt és itt.
PÉCS
Kezdés: 18.00 óra
Helyszín: Pécsi Tudományegyetem Természettudományi Kar (E/220-as terem) (7624 Pécs, Ifjúság útja 6.)
Téma: Ubuntu Lecture Meetup (avagy a megkésett 17.10-es Release Party)
Közösségi oldal: Ubuntu Hour - Pécs
Kapcsolatfelvétel a szervezővel.

A rendezvények mindenki számára ingyenesek.

USN-3470-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu security notices - 2017.10.31, k - 23:32
Ubuntu Security Notice USN-3470-2

31st October, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM
Details

USN-3470-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build()
function in the Linux kernel. A local attacker could use to cause a denial
of service (system crash) or possibly execute arbitrary code with
administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that a race condition existed in the timerfd
subsystem of the Linux kernel when handling might_cancel queuing. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10661)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-135-generic 3.13.0-135.184~precise1
linux-image-3.13.0-135-generic-lpae 3.13.0-135.184~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.135.125
linux-image-generic-lts-trusty 3.13.0.135.125

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8632, CVE-2017-10661, CVE-2017-10662, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340

Kategóriák: Securiy

USN-3471-1: Quagga vulnerabilities

Ubuntu security notices - 2017.10.31, k - 23:32
Ubuntu Security Notice USN-3471-1

31st October, 2017

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Quagga.

Software description
  • quagga - BGP/OSPF/RIP routing daemon
Details

Andreas Jaggi discovered that Quagga incorrectly handled certain BGP UPDATE
messages. A remote attacker could possibly use this issue to cause Quagga
to crash, resulting in a denial of service. (CVE-2017-16227)

Quentin Young discovered that Quagga incorrectly handled memory in the
telnet vty CLI. An attacker able to connect to the telnet interface could
possibly use this issue to cause Quagga to consume memory, resulting in a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2017-5495)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
quagga 1.1.1-3ubuntu0.1
quagga-bgpd 1.1.1-3ubuntu0.1
Ubuntu 17.04:
quagga 1.1.1-1ubuntu0.1
quagga-bgpd 1.1.1-1ubuntu0.1
Ubuntu 16.04 LTS:
quagga 0.99.24.1-2ubuntu1.3
Ubuntu 14.04 LTS:
quagga 0.99.22.4-3ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Quagga to make all the
necessary changes.

References

CVE-2017-16227, CVE-2017-5495

Kategóriák: Securiy

Ubuntu Lecture Meetup - Pécs (avagy a megkésett 17.10-es Release Party)

Ubuntu magyar közösség - 2017.10.31, k - 14:24

Az Ubuntu 17.10-es, Artful Aardvark kódnévre hallgató verziója 2017. október 19-én jelent meg, aminek alkalmából Pécsett egy megkésett Release Party megrendezésére kerül sor.

Időpont: 2017. november 10. (péntek)
Kezdés: 18 óra
Helyszín: Pécsi Tudományegyetem Természettudományi Kar (E/220-as terem)
Cím: 7624 Pécs, Ifjúság útja 6.
ONLINE KÖZVETÍTÉS és információk: itt

Kapcsolatfelvétel: itt

Előadók:

  • Bajor Ádám: OpenVPN Web Access
  • Kiss Norbert: LAMP fejlesztőkörnyezet kialakítása docker segítségével
  • Harka Győző: Secure Socket Layer (SSL)

Az előadások célközönsége a hétköznapi felhasználó, a rendezvényt nem visszük el szakmai témák irányába. A bemutatók időtartama egyenként kb. 20 perc. Az előadások végeztével kérdések feltevésére is lehetőség nyílik, utána pedig átsétálunk egy közeli sörözőbe.

Az egyetem lehetőséget biztosít az Ubuntu új, 17.10-es verziójának kipróbálására!

A rendezvény ingyenes, mindenkit szeretettel várunk!

USN-3469-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu security notices - 2017.10.31, k - 13:56
Ubuntu Security Notice USN-3469-2

31st October, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

USN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in
the Linux kernel did not properly validate attributes when handling certain
requests. A local attacker with the CAP_NET_ADMIN could use this to cause a
denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux
kernel in some situations did not properly prevent second level guests
from reading and writing the hardware CR8 register. A local attacker
in a guest could use this to cause a denial of service (system crash).

It was discovered that the key management subsystem in the Linux kernel
did not properly restrict key reads on negatively instantiated keys. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface
for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux
kernel did not properly initialize a data structure returned to user space.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux
kernel did not properly validate data structures. A local attacker could
use this to cause a denial of service (system crash). (CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not
properly initialize data returned to user space in some situations. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in
the Linux kernel did not properly handle attempts to set reserved bits in a
task's extended state (xstate) area. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-generic-lpae 4.4.0-98.121~14.04.1
linux-image-generic-lts-xenial 4.4.0.98.82
linux-image-lowlatency-lts-xenial 4.4.0.98.82
linux-image-generic-lpae-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-powerpc64-emb 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-generic 4.4.0-98.121~14.04.1
linux-image-powerpc64-emb-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-powerpc-smp 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-powerpc64-smp 4.4.0-98.121~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-lowlatency 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-powerpc-e500mc 4.4.0-98.121~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.98.82

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-10911, CVE-2017-12153, CVE-2017-12154, CVE-2017-12192, CVE-2017-14051, CVE-2017-14156, CVE-2017-14340, CVE-2017-14489, CVE-2017-14991, CVE-2017-15537, CVE-2017-9984, CVE-2017-9985

Kategóriák: Securiy

USN-3469-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.31, k - 13:56
Ubuntu Security Notice USN-3469-1

31st October, 2017

linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in
the Linux kernel did not properly validate attributes when handling certain
requests. A local attacker with the CAP_NET_ADMIN could use this to cause a
denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux
kernel in some situations did not properly prevent second level guests
from reading and writing the hardware CR8 register. A local attacker
in a guest could use this to cause a denial of service (system crash).

It was discovered that the key management subsystem in the Linux kernel
did not properly restrict key reads on negatively instantiated keys. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface
for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux
kernel did not properly initialize a data structure returned to user space.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux
kernel did not properly validate data structures. A local attacker could
use this to cause a denial of service (system crash). (CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not
properly initialize data returned to user space in some situations. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in
the Linux kernel did not properly handle attempts to set reserved bits in a
task's extended state (xstate) area. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1009-kvm 4.4.0-1009.14
linux-image-powerpc-e500mc 4.4.0.98.103
linux-image-gke 4.4.0.1033.34
linux-image-4.4.0-98-powerpc64-smp 4.4.0-98.121
linux-image-aws 4.4.0.1039.41
linux-image-4.4.0-98-generic 4.4.0-98.121
linux-image-snapdragon 4.4.0.1078.70
linux-image-powerpc64-emb 4.4.0.98.103
linux-image-powerpc64-smp 4.4.0.98.103
linux-image-4.4.0-1033-gke 4.4.0-1033.33
linux-image-powerpc-smp 4.4.0.98.103
linux-image-generic 4.4.0.98.103
linux-image-4.4.0-98-powerpc64-emb 4.4.0-98.121
linux-image-4.4.0-98-powerpc-smp 4.4.0-98.121
linux-image-4.4.0-1076-raspi2 4.4.0-1076.84
linux-image-kvm 4.4.0.1009.9
linux-image-raspi2 4.4.0.1076.76
linux-image-4.4.0-98-generic-lpae 4.4.0-98.121
linux-image-generic-lpae 4.4.0.98.103
linux-image-4.4.0-1039-aws 4.4.0-1039.48
linux-image-4.4.0-1078-snapdragon 4.4.0-1078.83
linux-image-4.4.0-98-lowlatency 4.4.0-98.121
linux-image-4.4.0-98-powerpc-e500mc 4.4.0-98.121
linux-image-lowlatency 4.4.0.98.103

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-10911, CVE-2017-12153, CVE-2017-12154, CVE-2017-12192, CVE-2017-14051, CVE-2017-14156, CVE-2017-14340, CVE-2017-14489, CVE-2017-14991, CVE-2017-15537, CVE-2017-9984, CVE-2017-9985

Kategóriák: Securiy

USN-3470-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.31, k - 13:56
Ubuntu Security Notice USN-3470-1

31st October, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
Details

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build()
function in the Linux kernel. A local attacker could use to cause a denial
of service (system crash) or possibly execute arbitrary code with
administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that a race condition existed in the timerfd
subsystem of the Linux kernel when handling might_cancel queuing. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10661)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-135-lowlatency 3.13.0-135.184
linux-image-powerpc-smp 3.13.0.135.144
linux-image-3.13.0-135-generic 3.13.0-135.184
linux-image-3.13.0-135-powerpc-smp 3.13.0-135.184
linux-image-3.13.0-135-powerpc-e500mc 3.13.0-135.184
linux-image-generic 3.13.0.135.144
linux-image-3.13.0-135-generic-lpae 3.13.0-135.184
linux-image-powerpc-e500mc 3.13.0.135.144
linux-image-lowlatency 3.13.0.135.144
linux-image-powerpc-e500 3.13.0.135.144
linux-image-powerpc64-smp 3.13.0.135.144
linux-image-generic-lpae 3.13.0.135.144
linux-image-3.13.0-135-powerpc64-emb 3.13.0-135.184
linux-image-3.13.0-135-powerpc-e500 3.13.0-135.184
linux-image-powerpc64-emb 3.13.0.135.144
linux-image-3.13.0-135-powerpc64-smp 3.13.0-135.184

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8632, CVE-2017-10661, CVE-2017-10662, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340

Kategóriák: Securiy

USN-3468-3: Linux kernel (GCP) vulnerabilities

Ubuntu security notices - 2017.10.31, k - 13:56
Ubuntu Security Notice USN-3468-3

31st October, 2017

linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
Details

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gcp 4.10.0.1008.10
linux-image-4.10.0-1008-gcp 4.10.0-1008.8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340

Kategóriák: Securiy

USN-3468-2: Linux kernel (HWE) vulnerabilities

Ubuntu security notices - 2017.10.31, k - 13:56
Ubuntu Security Notice USN-3468-2

31st October, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-lowlatency-hwe-16.04 4.10.0.38.40
linux-image-4.10.0-38-generic-lpae 4.10.0-38.42~16.04.1
linux-image-generic-hwe-16.04 4.10.0.38.40
linux-image-4.10.0-38-lowlatency 4.10.0-38.42~16.04.1
linux-image-4.10.0-38-generic 4.10.0-38.42~16.04.1
linux-image-generic-lpae-hwe-16.04 4.10.0.38.40

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340

Kategóriák: Securiy

Oldalak

Subscribe to Informatikai megoldások hírolvasó