News reader

USN-3457-1: curl vulnerability

Ubuntu security notices - 2017.10.23, Mon - 18:36
Ubuntu Security Notice USN-3457-1

23rd October, 2017

curl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

curl could be made to crash or run programs if it received specially crafted network traffic.

Software description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

Brian Carpenter discovered that curl incorrectly handled IMAP FETCH
response lines. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
libcurl3-nss 7.55.1-1ubuntu2.1
curl 7.55.1-1ubuntu2.1
libcurl3-gnutls 7.55.1-1ubuntu2.1
libcurl3 7.55.1-1ubuntu2.1
Ubuntu 17.04:
libcurl3-nss 7.52.1-4ubuntu1.3
curl 7.52.1-4ubuntu1.3
libcurl3-gnutls 7.52.1-4ubuntu1.3
libcurl3 7.52.1-4ubuntu1.3
Ubuntu 16.04 LTS:
libcurl3-nss 7.47.0-1ubuntu2.4
curl 7.47.0-1ubuntu2.4
libcurl3-gnutls 7.47.0-1ubuntu2.4
libcurl3 7.47.0-1ubuntu2.4
Ubuntu 14.04 LTS:
libcurl3-nss 7.35.0-1ubuntu2.12
curl 7.35.0-1ubuntu2.12
libcurl3-gnutls 7.35.0-1ubuntu2.12
libcurl3 7.35.0-1ubuntu2.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000257

Categories: Security

Ubuntu 17.10 has been released

Ubuntu Hungarian community - 2017.10.19, Thu - 20:09

The latest Ubuntu release, Ubuntu 17.10, development codename Artful Aardvark, is out. The new Ubuntu can be downloaded free of charge from the download section of the ubuntu.hu site. For those using an earlier Ubuntu release, the system will offer the option to upgrade. All of your data and settings are preserved during the upgrade; the system and the applications are simply updated to the current version.

Download: 64-bit version

torrent | Austria | Germany | Netherlands | Sweden | main

32-bit version

Starting with this version, no 32-bit image is available for the desktop edition. You can upgrade an existing 32-bit system, but a new 32-bit Ubuntu can only be installed using the minimal or net install images.

USN-3456-1: X.Org X server vulnerabilities

Ubuntu security notices - 2017.10.17, Tue - 21:36
Ubuntu Security Notice USN-3456-1

17th October, 2017

xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the X.Org X server.

Software description
  • xorg-server - X.Org X11 server
  • xorg-server-hwe-16.04 - X.Org X11 server
  • xorg-server-lts-xenial - X.Org X11 server
Details

It was discovered that the X.Org X server incorrectly handled certain
lengths. An attacker able to connect to an X server, either locally or
remotely, could use these issues to crash the server, or possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
xserver-xorg-core 2:1.19.3-1ubuntu1.3
Ubuntu 16.04 LTS:
xserver-xorg-core 2:1.18.4-0ubuntu0.7
xserver-xorg-core-hwe-16.04 2:1.19.3-1ubuntu1~16.04.4
Ubuntu 14.04 LTS:
xserver-xorg-core 2:1.15.1-0ubuntu2.11
xserver-xorg-core-lts-xenial 2:1.18.3-1ubuntu2.3~trusty4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-12176, CVE-2017-12177, CVE-2017-12178, CVE-2017-12179, CVE-2017-12180, CVE-2017-12181, CVE-2017-12182, CVE-2017-12183, CVE-2017-12184, CVE-2017-12185, CVE-2017-12186, CVE-2017-12187

Categories: Security

USN-3455-1: wpa_supplicant and hostapd vulnerabilities

Ubuntu security notices - 2017.10.16, Mon - 20:00
Ubuntu Security Notice USN-3455-1

16th October, 2017

wpa vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in wpa_supplicant.

Software description
  • wpa - client support for WPA and WPA2
Details

Mathy Vanhoef discovered that wpa_supplicant and hostapd incorrectly
handled WPA2. A remote attacker could use this issue with key
reinstallation attacks to obtain sensitive information. (CVE-2017-13077,
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A remote attacker could use
this issue to cause a denial of service. (CVE-2016-4476)

Imre Rad discovered that wpa_supplicant and hostapd incorrectly handled
invalid characters in passphrase parameters. A local attacker could use
this issue to cause a denial of service, or possibly execute arbitrary
code. (CVE-2016-4477)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
hostapd 2.4-0ubuntu9.1
wpasupplicant 2.4-0ubuntu9.1
Ubuntu 16.04 LTS:
hostapd 2.4-0ubuntu6.2
wpasupplicant 2.4-0ubuntu6.2
Ubuntu 14.04 LTS:
hostapd 2.1-0ubuntu1.5
wpasupplicant 2.1-0ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-4476, CVE-2016-4477, CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088

Categories: Security

Ubuntu 17.10, Artful Aardvark Release Party

Ubuntu Hungarian community - 2017.10.15, Sun - 11:22

Ubuntu 17.10, codenamed Artful Aardvark, is released on 19 October 2017, and to mark the occasion we are organizing Release Parties in Budapest and Miskolc (there will also be one in Pécs later).

Date: 19 October 2017 (Thursday)
Start: 18:00

BUDAPEST
Venue: A Grund, room 5 (Budapest, VIII. Nagytemplom utca 30.)
Getting there: 8 minutes' walk from Corvin-negyed, 5 minutes from the Klinikák stop.
Contact the organizer.

MISKOLC
Venue: Jazz Cafe & Bar (Miskolc, Toronyalja u. 17.)
Getting there: a few minutes' walk from the Városház tér tram stop or the Erzsébet tér bus stop.
Contact the organizers: here and here.

The Release Party is aimed at everyday users; we will not steer the event towards professional topics. After the Release Party, the traditional Ubuntu Hour begins, with introductions and informal conversation.

The events are free for everyone.

USN-3454-1: libffi vulnerability

Ubuntu security notices - 2017.10.13, Fri - 00:43
Ubuntu Security Notice USN-3454-1

12th October, 2017

libffi vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

A security issue was fixed in libffi.

Software description
  • libffi - Foreign Function Interface library
Details

It was discovered that libffi incorrectly enforced an executable stack. An
attacker could possibly use this issue, in combination with another
vulnerability, to facilitate executing arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
libffi6 3.1~rc1+r3.0.13-12ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000376

Categories: Security

USN-3453-1: X.Org X server vulnerabilities

Ubuntu security notices - 2017.10.12, Thu - 21:42
Ubuntu Security Notice USN-3453-1

12th October, 2017

xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the X.Org X server.

Software description
  • xorg-server - X.Org X11 server
  • xorg-server-hwe-16.04 - X.Org X11 server
  • xorg-server-lts-xenial - X.Org X11 server
Details

Michal Srb discovered that the X.Org X server incorrectly handled shared
memory segments. An attacker able to connect to an X server, either locally
or remotely, could use this issue to crash the server, or possibly replace
shared memory segments of other X clients in the same session.
(CVE-2017-13721)

Michal Srb discovered that the X.Org X server incorrectly handled XKB
buffers. An attacker able to connect to an X server, either locally or
remotely, could use this issue to crash the server, or possibly execute
arbitrary code. (CVE-2017-13723)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
xserver-xorg-core 2:1.19.3-1ubuntu1.2
Ubuntu 16.04 LTS:
xserver-xorg-core 2:1.18.4-0ubuntu0.6
xserver-xorg-core-hwe-16.04 2:1.19.3-1ubuntu1~16.04.3
Ubuntu 14.04 LTS:
xserver-xorg-core 2:1.15.1-0ubuntu2.10
xserver-xorg-core-lts-xenial 2:1.18.3-1ubuntu2.3~trusty3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-13721, CVE-2017-13723

Categories: Security

USN-3452-1: Ceph vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3452-1

11th October, 2017

ceph vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Ceph.

Software description
  • ceph - distributed storage and file system
Details

It was discovered that Ceph incorrectly handled the handle_command
function. A remote authenticated user could use this issue to cause Ceph to
crash, resulting in a denial of service. (CVE-2016-5009)

Rahul Aggarwal discovered that Ceph incorrectly handled the
authenticated-read ACL. A remote attacker could possibly use this issue to
list bucket contents via a URL. (CVE-2016-7031)

Diluga Salome discovered that Ceph incorrectly handled certain POST objects
with null conditions. A remote attacker could possibly use this issue to
cause Ceph to crash, resulting in a denial of service. (CVE-2016-8626)

Yang Liu discovered that Ceph incorrectly handled invalid HTTP Origin
headers. A remote attacker could possibly use this issue to cause Ceph to
crash, resulting in a denial of service. (CVE-2016-9579)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
ceph 0.80.11-0ubuntu1.14.04.3
ceph-common 0.80.11-0ubuntu1.14.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5009, CVE-2016-7031, CVE-2016-8626, CVE-2016-9579

Categories: Security

USN-3451-1: OpenStack Swift vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3451-1

11th October, 2017

swift vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in OpenStack Swift.

Software description
  • swift - OpenStack distributed virtual object store
Details

It was discovered that OpenStack Swift incorrectly handled tempurls. A
remote authenticated user in possession of a tempurl key authorized for PUT
could retrieve other objects in the same Swift account. (CVE-2015-5223)

Romain Le Disez and Örjan Persson discovered that OpenStack Swift
incorrectly closed client connections. A remote attacker could possibly use
this issue to consume resources, resulting in a denial of service.
(CVE-2016-0737, CVE-2016-0738)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
swift 1.13.1-0ubuntu1.5
python-swift 1.13.1-0ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-5223, CVE-2016-0737, CVE-2016-0738

Categories: Security

USN-3450-1: Open vSwitch vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3450-1

11th October, 2017

openvswitch vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Open vSwitch.

Software description
  • openvswitch - Ethernet virtual switch
Details

Bhargava Shastry discovered that Open vSwitch incorrectly handled certain
OFP messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214)

It was discovered that Open vSwitch incorrectly handled certain OpenFlow
role messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9263)

It was discovered that Open vSwitch incorrectly handled certain malformed
packets. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. This issue only
affected Ubuntu 17.04. (CVE-2017-9264)

It was discovered that Open vSwitch incorrectly handled group mod OpenFlow
messages. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. (CVE-2017-9265)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
openvswitch-common 2.6.1-0ubuntu5.1
Ubuntu 16.04 LTS:
openvswitch-common 2.5.2-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-9214, CVE-2017-9263, CVE-2017-9264, CVE-2017-9265

Categories: Security

USN-3449-1: OpenStack Nova vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3449-1

11th October, 2017

nova vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in OpenStack Nova.

Software description
  • nova - OpenStack Compute cloud infrastructure
Details

George Shuklin discovered that OpenStack Nova incorrectly handled the
migration process. A remote authenticated user could use this issue to
consume resources, resulting in a denial of service. (CVE-2015-3241)

George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly
handled deleting instances. A remote authenticated user could use this
issue to consume disk resources, resulting in a denial of service.
(CVE-2015-3280)

It was discovered that OpenStack Nova incorrectly limited qemu-img calls. A
remote authenticated user could use this issue to consume resources,
resulting in a denial of service. (CVE-2015-5162)

Matthew Booth discovered that OpenStack Nova incorrectly handled snapshots.
A remote authenticated user could use this issue to read arbitrary files.
(CVE-2015-7548)

Sreekumar S. and Suntao discovered that OpenStack Nova incorrectly applied
security group changes. A remote attacker could possibly use this issue to
bypass intended restriction changes by leveraging an instance that was
running when the change was made. (CVE-2015-7713)

Matt Riedemann discovered that OpenStack Nova incorrectly handled logging.
A local attacker could possibly use this issue to obtain sensitive
information from log files. (CVE-2015-8749)

Matthew Booth discovered that OpenStack Nova incorrectly handled certain
qcow2 headers. A remote authenticated user could possibly use this issue to
read arbitrary files. (CVE-2016-2140)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
python-nova 1:2014.1.5-0ubuntu1.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-3241, CVE-2015-3280, CVE-2015-5162, CVE-2015-7548, CVE-2015-7713, CVE-2015-8749, CVE-2016-2140

Categories: Security

USN-3448-1: OpenStack Keystone vulnerability

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3448-1

11th October, 2017

keystone vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

OpenStack Keystone would allow unintended access over the network.

Software description
  • keystone - OpenStack identity service
Details

Boris Bobrov discovered that OpenStack Keystone incorrectly handled
federation mapping when there are rules in which group-based assignments
are not used. A remote authenticated user may receive all the roles
assigned to a project regardless of the federation mapping, contrary to
expectations.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
keystone 2:9.3.0-0ubuntu3.1
python-keystone 2:9.3.0-0ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-2673

Categories: Security

USN-3447-1: OpenStack Horizon vulnerability

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3447-1

11th October, 2017

horizon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

OpenStack Horizon could be made to expose sensitive information over the network.

Software description
  • horizon - Web interface for OpenStack cloud infrastructure
Details

Beth Lancaster and Brandon Sawyers discovered that OpenStack Horizon was
incorrectly protected against cross-site scripting (XSS) attacks. A remote
authenticated user could use this issue to inject web script or HTML in
a dashboard form.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.5-0ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-4428

Categories: Security

USN-3446-1: OpenStack Glance vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 18:52
Ubuntu Security Notice USN-3446-1

11th October, 2017

glance vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in OpenStack Glance.

Software description
  • glance - OpenStack Image Registry and Delivery Service
Details

Hemanth Makkapati discovered that OpenStack Glance incorrectly handled
access restrictions. A remote authenticated user could use this issue to
change the status of images, contrary to access restrictions.
(CVE-2015-5251)

Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly
handled the storage quota. A remote authenticated user could use this issue
to consume disk resources, leading to a denial of service. (CVE-2015-5286)

Erno Kuvaja discovered that OpenStack Glance incorrectly handled the
show_multiple_locations option. When show_multiple_locations is enabled,
a remote authenticated user could change an image status and upload new
image data. (CVE-2016-0757)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
glance-common 1:2014.1.5-0ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-5251, CVE-2015-5286, CVE-2016-0757

Categories: Security

USN-3436-1: Thunderbird vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 15:46
Ubuntu Security Notice USN-3436-1

11th October, 2017

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Thunderbird.

Software description
  • thunderbird - Mozilla Open Source mail and newsgroup client
Details

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing-like
context, an attacker could potentially exploit these to read uninitialized
memory, bypass phishing and malware protection, conduct cross-site
scripting (XSS) attacks, cause a denial of service via application crash,
or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814,
CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)

Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-7805)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
thunderbird 1:52.4.0+build1-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824

Categories: Security

USN-3445-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 09:30
Ubuntu Security Notice USN-3445-2

11th October, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM
Details

USN-3445-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-133-generic-lpae 3.13.0-133.182~precise1
linux-image-3.13.0-133-generic 3.13.0-133.182~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.133.123
linux-image-generic-lts-trusty 3.13.0.133.123

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8633, CVE-2017-14106

Categories: Security

USN-3443-3: Linux kernel (GCP) vulnerability

Ubuntu security notices - 2017.10.11, Wed - 09:30
Ubuntu Security Notice USN-3443-3

11th October, 2017

linux-gcp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

The system could be made to crash under certain conditions.

Software description
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
Details

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gcp 4.10.0.1007.9
linux-image-4.10.0-1007-gcp 4.10.0-1007.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-14106

Categories: Security

USN-3444-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 06:17
Ubuntu Security Notice USN-3444-2

10th October, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

USN-3444-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Jan H. Schönherr discovered that the Xen subsystem did not handle block IO
merges correctly in some situations. An attacker in a guest VM could use
this to cause a denial of service (host crash) or possibly gain
administrative privileges in the host. (CVE-2017-12134)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Otto Ebeling discovered that the memory manager in the Linux kernel did not
properly check the effective UID in some situations. A local attacker could
use this to expose sensitive information. (CVE-2017-14140)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.97.81
linux-image-lowlatency-lts-xenial 4.4.0.97.81
linux-image-4.4.0-97-generic 4.4.0-97.120~14.04.1
linux-image-4.4.0-97-generic-lpae 4.4.0-97.120~14.04.1
linux-image-4.4.0-97-powerpc64-emb 4.4.0-97.120~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.97.81
linux-image-generic-lts-xenial 4.4.0.97.81
linux-image-4.4.0-97-powerpc-smp 4.4.0-97.120~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.97.81
linux-image-powerpc64-emb-lts-xenial 4.4.0.97.81
linux-image-4.4.0-97-powerpc64-smp 4.4.0-97.120~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.97.81
linux-image-4.4.0-97-lowlatency 4.4.0-97.120~14.04.1
linux-image-4.4.0-97-powerpc-e500mc 4.4.0-97.120~14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-12134, CVE-2017-14106, CVE-2017-14140

Categories: Security

USN-3445-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 06:17
Ubuntu Security Notice USN-3445-1

10th October, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
Details

Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-133-powerpc64-smp 3.13.0-133.182
linux-image-powerpc-smp 3.13.0.133.142
linux-image-powerpc-e500mc 3.13.0.133.142
linux-image-3.13.0-133-powerpc-e500mc 3.13.0-133.182
linux-image-3.13.0-133-powerpc-e500 3.13.0-133.182
linux-image-generic 3.13.0.133.142
linux-image-3.13.0-133-generic-lpae 3.13.0-133.182
linux-image-3.13.0-133-powerpc-smp 3.13.0-133.182
linux-image-powerpc64-emb 3.13.0.133.142
linux-image-3.13.0-133-lowlatency 3.13.0-133.182
linux-image-powerpc-e500 3.13.0.133.142
linux-image-powerpc64-smp 3.13.0.133.142
linux-image-generic-lpae 3.13.0.133.142
linux-image-3.13.0-133-powerpc64-emb 3.13.0-133.182
linux-image-3.13.0-133-generic 3.13.0-133.182
linux-image-lowlatency 3.13.0.133.142

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8633, CVE-2017-14106

Categories: Security

USN-3444-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 06:17
Ubuntu Security Notice USN-3444-1

10th October, 2017

linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

Jan H. Schönherr discovered that the Xen subsystem did not handle block IO
merges correctly in some situations. An attacker in a guest VM could use
this to cause a denial of service (host crash) or possibly gain
administrative privileges in the host. (CVE-2017-12134)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Otto Ebeling discovered that the memory manager in the Linux kernel did not
properly check the effective UID in some situations. A local attacker could
use this to expose sensitive information. (CVE-2017-14140)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.97.102
linux-image-4.4.0-97-lowlatency 4.4.0-97.120
linux-image-4.4.0-1032-gke 4.4.0-1032.32
linux-image-kvm 4.4.0.1008.8
linux-image-4.4.0-97-generic 4.4.0-97.120
linux-image-4.4.0-1075-raspi2 4.4.0-1075.83
linux-image-4.4.0-1008-kvm 4.4.0-1008.13
linux-image-4.4.0-97-powerpc-smp 4.4.0-97.120
linux-image-snapdragon 4.4.0.1077.69
linux-image-4.4.0-97-powerpc64-smp 4.4.0-97.120
linux-image-powerpc64-emb 4.4.0.97.102
linux-image-4.4.0-97-powerpc-e500mc 4.4.0-97.120
linux-image-gke 4.4.0.1032.33
linux-image-4.4.0-97-generic-lpae 4.4.0-97.120
linux-image-generic 4.4.0.97.102
linux-image-4.4.0-1077-snapdragon 4.4.0-1077.82
linux-image-aws 4.4.0.1038.40
linux-image-4.4.0-97-powerpc64-emb 4.4.0-97.120
linux-image-raspi2 4.4.0.1075.75
linux-image-powerpc-smp 4.4.0.97.102
linux-image-generic-lpae 4.4.0.97.102
linux-image-4.4.0-1038-aws 4.4.0-1038.47
linux-image-powerpc64-smp 4.4.0.97.102
linux-image-lowlatency 4.4.0.97.102

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-12134, CVE-2017-14106, CVE-2017-14140

Categories: Security
