Feed aggregator

USN-3468-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.31, Tue - 13:56
Ubuntu Security Notice USN-3468-1

31st October, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
linux-image-generic-lpae 4.10.0.38.38
linux-image-lowlatency 4.10.0.38.38
linux-image-4.10.0-38-generic-lpae 4.10.0-38.42
linux-image-4.10.0-1020-raspi2 4.10.0-1020.23
linux-image-4.10.0-38-lowlatency 4.10.0-38.42
linux-image-generic 4.10.0.38.38
linux-image-4.10.0-38-generic 4.10.0-38.42
linux-image-raspi2 4.10.0.1020.21

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340

Categories: Security

USN-3459-2: MySQL vulnerabilities

Ubuntu security notices - 2017.10.30, Mon - 19:11
Ubuntu Security Notice USN-3459-2

30th October, 2017

mysql-5.5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in MySQL.

Software description
  • mysql-5.5 - MySQL database
Details

USN-3459-1 fixed several vulnerabilities in MySQL. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.58 in Ubuntu 12.04 ESM.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
mysql-server-5.5 5.5.58-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10268, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384

Categories: Security

USN-3464-2: Wget vulnerabilities

Ubuntu security notices - 2017.10.30, Mon - 16:08
Ubuntu Security Notice USN-3464-2

30th October, 2017

wget vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in Wget.

Software description
  • wget - retrieves files from the web
Details

USN-3464-1 fixed several vulnerabilities in Wget. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Antti Levomäki, Christian Jalio, and Joonas Pihlaja discovered that Wget
incorrectly handled certain HTTP responses. A remote attacker could use
this issue to cause Wget to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)

Dawid Golunski discovered that Wget incorrectly handled recursive or
mirroring mode. A remote attacker could possibly use this issue to bypass
intended access list restrictions. (CVE-2016-7098)

Orange Tsai discovered that Wget incorrectly handled CRLF sequences in
HTTP headers. A remote attacker could possibly use this issue to inject
arbitrary HTTP headers. (CVE-2017-6508)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
wget 1.13.4-2ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7098, CVE-2017-13089, CVE-2017-13090, CVE-2017-6508

Categories: Security

USN-3467-1: poppler vulnerability

Ubuntu security notices - 2017.10.30, Mon - 16:08
Ubuntu Security Notice USN-3467-1

30th October, 2017

poppler vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

poppler could be made to crash if it opened a specially crafted file.

Software description
  • poppler - PDF rendering library
Details

It was discovered that Poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libpoppler68 0.57.0-2ubuntu4.1
poppler-utils 0.57.0-2ubuntu4.1
Ubuntu 17.04:
libpoppler64 0.48.0-2ubuntu2.4
poppler-utils 0.48.0-2ubuntu2.4
Ubuntu 16.04 LTS:
libpoppler58 0.41.0-0ubuntu1.5
poppler-utils 0.41.0-0ubuntu1.5
Ubuntu 14.04 LTS:
poppler-utils 0.24.5-2ubuntu4.8
libpoppler44 0.24.5-2ubuntu4.8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15565

Categories: Security

USN-3466-1: systemd vulnerability

Ubuntu security notices - 2017.10.26, Thu - 23:39
Ubuntu Security Notice USN-3466-1

26th October, 2017

systemd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
Summary

systemd could be made to temporarily stop responding if it received specially crafted network traffic.

Software description
  • systemd - system and service manager
Details

Karim Hossen & Thomas Imbert discovered that systemd-resolved incorrectly
handled certain DNS responses. A remote attacker could possibly use this
issue to cause systemd to temporarily stop responding, resulting in a
denial of service.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
systemd 234-2ubuntu12.1
Ubuntu 17.04:
systemd 232-21ubuntu7.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15908

Categories: Security

USN-3465-1: Irssi vulnerabilities

Ubuntu security notices - 2017.10.26, Thu - 23:39
Ubuntu Security Notice USN-3465-1

26th October, 2017

irssi vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Irssi.

Software description
  • irssi - terminal based IRC client
Details

Brian Carpenter discovered that Irssi incorrectly handled messages with
invalid time stamps. A malicious IRC server could use this issue to cause
Irssi to crash, resulting in a denial of service. (CVE-2017-10965)

Brian Carpenter discovered that Irssi incorrectly handled the internal nick
list. A malicious IRC server could use this issue to cause Irssi to crash,
resulting in a denial of service. (CVE-2017-10966)

Joseph Bisch discovered that Irssi incorrectly removed destroyed channels
from the query list. A malicious IRC server could use this issue to cause
Irssi to crash, resulting in a denial of service. (CVE-2017-15227)

Hanno Böck discovered that Irssi incorrectly handled themes. If a user were
tricked into using a malicious theme, an attacker could use this issue to
cause Irssi to crash, resulting in a denial of service. (CVE-2017-15228)

Joseph Bisch discovered that Irssi incorrectly handled certain DCC CTCP
messages. A malicious IRC server could use this issue to cause Irssi to
crash, resulting in a denial of service. (CVE-2017-15721)

Joseph Bisch discovered that Irssi incorrectly handled certain channel IDs.
A malicious IRC server could use this issue to cause Irssi to crash,
resulting in a denial of service. (CVE-2017-15722)

Joseph Bisch discovered that Irssi incorrectly handled certain long nicks
or targets. A malicious IRC server could use this issue to cause Irssi to
crash, resulting in a denial of service. (CVE-2017-15723)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
irssi 1.0.4-1ubuntu2.1
Ubuntu 17.04:
irssi 0.8.20-2ubuntu2.2
Ubuntu 16.04 LTS:
irssi 0.8.19-1ubuntu1.5
Ubuntu 14.04 LTS:
irssi 0.8.15-5ubuntu3.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Irssi to make all the
necessary changes.

References

CVE-2017-10965, CVE-2017-10966, CVE-2017-15227, CVE-2017-15228, CVE-2017-15721, CVE-2017-15722, CVE-2017-15723

Categories: Security

USN-3464-1: Wget vulnerabilities

Ubuntu security notices - 2017.10.26, Thu - 23:39
Ubuntu Security Notice USN-3464-1

26th October, 2017

wget vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Wget.

Software description
  • wget - retrieves files from the web
Details

Antti Levomäki, Christian Jalio, and Joonas Pihlaja discovered that Wget
incorrectly handled certain HTTP responses. A remote attacker could use
this issue to cause Wget to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-13089, CVE-2017-13090)

Dawid Golunski discovered that Wget incorrectly handled recursive or
mirroring mode. A remote attacker could possibly use this issue to bypass
intended access list restrictions. (CVE-2016-7098)

Orange Tsai discovered that Wget incorrectly handled CRLF sequences in
HTTP headers. A remote attacker could possibly use this issue to inject
arbitrary HTTP headers. (CVE-2017-6508)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
wget 1.19.1-3ubuntu1.1
Ubuntu 17.04:
wget 1.18-2ubuntu1.1
Ubuntu 16.04 LTS:
wget 1.17.1-1ubuntu1.3
Ubuntu 14.04 LTS:
wget 1.15-1ubuntu1.14.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7098, CVE-2017-13089, CVE-2017-13090, CVE-2017-6508

Categories: Security

USN-3463-1: Werkzeug vulnerability

Ubuntu security notices - 2017.10.26, Thu - 00:45
Ubuntu Security Notice USN-3463-1

25th October, 2017

python-werkzeug vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Werkzeug could be made to run arbitrary code if it opened a specially crafted file.

Software description
  • python-werkzeug - collection of utilities for WSGI applications
Details

It was discovered that Werkzeug did not properly handle certain
web scripts. A remote attacker could use this to inject arbitrary
code via a field that contains an exception message.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
python3-werkzeug 0.10.4+dfsg1-1ubuntu1.1
python-werkzeug 0.10.4+dfsg1-1ubuntu1.1
Ubuntu 14.04 LTS:
python3-werkzeug 0.9.4+dfsg-1.1ubuntu2.1
python-werkzeug 0.9.4+dfsg-1.1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10516

Categories: Security

USN-3425-2: Apache HTTP Server vulnerability

Ubuntu security notices - 2017.10.24, Tue - 22:58
Ubuntu Security Notice USN-3425-2

24th October, 2017

apache2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Apache HTTP Server could be made to expose sensitive information over the network.

Software description
  • apache2 - Apache HTTP server
Details

USN-3425-1 fixed a vulnerability in Apache HTTP Server. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Hanno Böck discovered that the Apache HTTP Server incorrectly handled
Limit directives in .htaccess files. In certain configurations, a remote
attacker could possibly use this issue to read arbitrary server memory,
including sensitive information. This issue is known as Optionsbleed.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
apache2.2-bin 2.2.22-1ubuntu1.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-9798

Categories: Security

USN-3388-2: Subversion vulnerabilities

Ubuntu security notices - 2017.10.24, Tue - 22:58
Ubuntu Security Notice USN-3388-2

24th October, 2017

subversion vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in Subversion.

Software description
  • subversion - Advanced version control system
Details

USN-3388-1 fixed several vulnerabilities in Subversion. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Ivan Zhakov discovered that Subversion did not properly handle
some requests. A remote attacker could use this to cause a
denial of service. (CVE-2016-2168)

Original advisory details:

Joern Schneeweisz discovered that Subversion did not properly handle
host names in 'svn+ssh://' URLs. A remote attacker could use this
to construct a subversion repository that when accessed could run
arbitrary code with the privileges of the user. (CVE-2017-9800)

Daniel Shahaf and James McCoy discovered that Subversion did not
properly verify realms when using Cyrus SASL authentication. A
remote attacker could use this to possibly bypass intended access
restrictions. (CVE-2016-2167)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
subversion 1.6.17dfsg-3ubuntu3.7
libapache2-svn 1.6.17dfsg-3ubuntu3.7
libsvn1 1.6.17dfsg-3ubuntu3.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2167, CVE-2016-2168, CVE-2017-9800

Categories: Security

USN-3411-2: Bazaar vulnerability

Ubuntu security notices - 2017.10.24, Tue - 19:56
Ubuntu Security Notice USN-3411-2

24th October, 2017

bzr vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Bazaar could be made to run programs as your login if it opened a specially crafted URL.

Software description
  • bzr - easy to use distributed version control system
Details

USN-3411-1 fixed a vulnerability in Bazaar. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Adam Collard discovered that Bazaar did not properly handle host names
in 'bzr+ssh://' URLs. A remote attacker could use this to construct
a bazaar repository URL that when accessed could run arbitrary code
with the privileges of the user.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
python-bzrlib 2.5.1-0ubuntu2.1
bzr 2.5.1-0ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14176

Categories: Security

USN-3462-1: Pacemaker vulnerabilities

Ubuntu security notices - 2017.10.24, Tue - 16:56
Ubuntu Security Notice USN-3462-1

24th October, 2017

pacemaker vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Pacemaker.

Software description
  • pacemaker - Cluster resource manager
Details

Jan Pokorný and Alain Moulle discovered that Pacemaker incorrectly handled
the IPC interface. A local attacker could possibly use this issue to
execute arbitrary code with root privileges. (CVE-2016-7035)

Alain Moulle discovered that Pacemaker incorrectly handled authentication.
A remote attacker could possibly use this issue to shut down connections,
leading to a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7797)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
pacemaker 1.1.14-2ubuntu1.2
Ubuntu 14.04 LTS:
pacemaker 1.1.10+git20130802-1ubuntu2.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7035, CVE-2016-7797

Categories: Security

USN-3454-2: libffi vulnerability

Ubuntu security notices - 2017.10.24, Tue - 16:56
Ubuntu Security Notice USN-3454-2

24th October, 2017

libffi vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

A security issue was fixed in libffi.

Software description
  • libffi - Foreign Function Interface library (development files, 32bit)
Details

USN-3454-1 fixed a vulnerability in libffi. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that libffi incorrectly enforced an executable stack. An
attacker could possibly use this issue, in combination with another
vulnerability, to facilitate executing arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libffi6 3.0.11~rc1-5ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000376

Categories: Security

USN-3434-2: Libidn vulnerability

Ubuntu security notices - 2017.10.24, Tue - 00:49
Ubuntu Security Notice USN-3434-2

23rd October, 2017

libidn vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Libidn could be made to crash or run programs if it processed specially crafted input.

Software description
  • libidn - implementation of IETF IDN specifications
Details

USN-3434-1 fixed a vulnerability in Libidn. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that Libidn incorrectly handled decoding certain digits.
A remote attacker could use this issue to cause Libidn to crash, resulting
in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libidn11 1.23-2ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14062

Categories: Security

USN-3441-2: curl vulnerabilities

Ubuntu security notices - 2017.10.24, Tue - 00:49
Ubuntu Security Notice USN-3441-2

23rd October, 2017

curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in curl.

Software description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

USN-3441-1 fixed several vulnerabilities in curl. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled IMAP FETCH
response lines. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-1000257)

Brian Carpenter discovered that curl incorrectly handled the --write-out
command line option. A local attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2017-7407)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libcurl3-nss 7.22.0-3ubuntu4.18
curl 7.22.0-3ubuntu4.18
libcurl3-gnutls 7.22.0-3ubuntu4.18
libcurl3 7.22.0-3ubuntu4.18

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407

Categories: Security

USN-3458-2: ICU vulnerability

Ubuntu security notices - 2017.10.24, Tue - 00:49
Ubuntu Security Notice USN-3458-2

23rd October, 2017

icu vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

ICU could be made to crash or run arbitrary code as your login if it received specially crafted input.

Software description
  • icu - International Components for Unicode library
Details

USN-3458-1 fixed a vulnerability in ICU. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that ICU incorrectly handled certain inputs. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libicu48 4.8.1.1-3ubuntu0.9
lib32icu48 4.8.1.1-3ubuntu0.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14952

Categories: Security

USN-3458-1: ICU vulnerability

Ubuntu security notices - 2017.10.23, Mon - 21:48
Ubuntu Security Notice USN-3458-1

23rd October, 2017

icu vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

ICU could be made to crash or run arbitrary code as your login if it received specially crafted input.

Software description
  • icu - International Components for Unicode library
Details

It was discovered that ICU incorrectly handled certain inputs. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libicu57 57.1-6ubuntu0.2
Ubuntu 17.04:
libicu57 57.1-5ubuntu0.2
Ubuntu 16.04 LTS:
libicu55 55.1-7ubuntu0.3
Ubuntu 14.04 LTS:
libicu52 52.1-3ubuntu0.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14952

Categories: Security

USN-3461-1: NVIDIA graphics drivers vulnerabilities

Ubuntu security notices - 2017.10.23, Mon - 21:48
Ubuntu Security Notice USN-3461-1

23rd October, 2017

nvidia-graphics-drivers-384 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

NVIDIA graphics drivers could be made to crash or run programs as an administrator.

Software description
  • nvidia-graphics-drivers-384 - Transitional package for libcuda1-384
Details

It was discovered that the NVIDIA graphics drivers contained flaws in the
kernel mode layer. A local attacker could use these issues to cause a
denial of service or potentially escalate their privileges on the system.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
nvidia-384 384.90-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
nvidia-384 384.90-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
nvidia-384 384.90-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-6257, CVE-2017-6259, CVE-2017-6266, CVE-2017-6267, CVE-2017-6272

Categories: Security

USN-3460-1: WebKitGTK+ vulnerabilities

Ubuntu security notices - 2017.10.23, Mon - 18:36
Ubuntu Security Notice USN-3460-1

23rd October, 2017

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in WebKitGTK+.

Software description
  • webkit2gtk - Web content engine library for GTK+
Details

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libwebkit2gtk-4.0-37 2.18.0-0ubuntu0.17.04.2
libjavascriptcoregtk-4.0-18 2.18.0-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
libwebkit2gtk-4.0-37 2.18.0-0ubuntu0.16.04.2
libjavascriptcoregtk-4.0-18 2.18.0-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120

Categories: Security

USN-3459-1: MySQL vulnerabilities

Ubuntu security notices - 2017.10.23, Mon - 18:36
Ubuntu Security Notice USN-3459-1

23rd October, 2017

mysql-5.5, mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in MySQL.

Software description
  • mysql-5.5 - MySQL database
  • mysql-5.7 - MySQL database
Details

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.58 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS,
Ubuntu 17.04 and Ubuntu 17.10 have been updated to MySQL 5.7.20.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-20.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
mysql-server-5.7 5.7.20-0ubuntu0.17.10.1
Ubuntu 17.04:
mysql-server-5.7 5.7.20-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.20-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.58-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-10155, CVE-2017-10165, CVE-2017-10167, CVE-2017-10227, CVE-2017-10268, CVE-2017-10276, CVE-2017-10283, CVE-2017-10286, CVE-2017-10294, CVE-2017-10311, CVE-2017-10313, CVE-2017-10314, CVE-2017-10320, CVE-2017-10378, CVE-2017-10379, CVE-2017-10384

Categories: Security