Feed reader

USN-3424-2: libxml2 vulnerabilities

Ubuntu security notices - 2017.10.11, Wed - 03:05
Ubuntu Security Notice USN-3424-2

10th October, 2017

libxml2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in libxml2.

Software description
  • libxml2 - GNOME XML library
Details

USN-3424-1 fixed several vulnerabilities in libxml2. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that
could cause a denial of service or possibly execute arbitrary
code. (CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML
data that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-9047)

Marcel Böhme and Van-Thuan Pham discovered a buffer overread
in libxml2 when handling elements. An attacker could use this
to specially construct XML data that could cause a denial of
service. (CVE-2017-9048)

Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.18

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0663, CVE-2017-7375, CVE-2017-7376, CVE-2017-9047, CVE-2017-9048, CVE-2017-9049, CVE-2017-9050

Categories: Security

USN-3443-2: Linux kernel (HWE) vulnerabilities

Ubuntu security notices - 2017.10.10, Tue - 23:25
Ubuntu Security Notice USN-3443-2

10th October, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-3443-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that on the PowerPC architecture, the kernel did not
properly sanitize the signal stack when handling sigreturn(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-1000255)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.10.0-37-lowlatency 4.10.0-37.41~16.04.1
linux-image-lowlatency-hwe-16.04 4.10.0.37.39
linux-image-generic-hwe-16.04 4.10.0.37.39
linux-image-4.10.0-37-generic-lpae 4.10.0-37.41~16.04.1
linux-image-4.10.0-37-generic 4.10.0-37.41~16.04.1
linux-image-generic-lpae-hwe-16.04 4.10.0.37.39

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000255, CVE-2017-14106

Categories: Security

USN-3443-1: Linux kernel vulnerabilities

Ubuntu security notices - 2017.10.10, Tue - 23:25
Ubuntu Security Notice USN-3443-1

10th October, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
Summary

Several security issues were fixed in the Linux kernel.

Software description
  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

It was discovered that on the PowerPC architecture, the kernel did not
properly sanitize the signal stack when handling sigreturn(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-1000255)

Andrey Konovalov discovered that a divide-by-zero error existed in the TCP
stack implementation in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-14106)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
linux-image-powerpc-smp 4.10.0.37.37
linux-image-powerpc-e500mc 4.10.0.37.37
linux-image-4.10.0-37-lowlatency 4.10.0-37.41
linux-image-generic-lpae 4.10.0.37.37
linux-image-lowlatency 4.10.0.37.37
linux-image-virtual 4.10.0.37.37
linux-image-4.10.0-1019-raspi2 4.10.0-1019.22
linux-image-powerpc64-smp 4.10.0.37.37
linux-image-generic 4.10.0.37.37
linux-image-4.10.0-37-generic-lpae 4.10.0-37.41
linux-image-4.10.0-37-generic 4.10.0-37.41
linux-image-powerpc64-emb 4.10.0.37.37
linux-image-raspi2 4.10.0.1019.20

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000255, CVE-2017-14106

Categories: Security

USN-3442-1: libXfont vulnerabilities

Ubuntu security notices - 2017.10.10, Tue - 20:23
Ubuntu Security Notice USN-3442-1

10th October, 2017

libxfont, libxfont1, libxfont2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libXfont.

Software description
  • libxfont - X11 font rasterisation library
  • libxfont1 - X11 font rasterisation library
  • libxfont2 - X11 font rasterisation library
Details

It was discovered that libXfont incorrectly handled certain patterns in
PatternMatch. A local attacker could use this issue to cause libXfont to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2017-13720)

It was discovered that libXfont incorrectly handled certain malformed PCF
files. A local attacker could use this issue to cause libXfont to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2017-13722)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libxfont1 1:1.5.2-4ubuntu0.1
libxfont2 1:2.0.1-3ubuntu0.1
Ubuntu 16.04 LTS:
libxfont1 1:1.5.1-1ubuntu0.16.04.3
libxfont2 1:2.0.1-3~ubuntu16.04.2
Ubuntu 14.04 LTS:
libxfont1 1:1.4.7-1ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-13720, CVE-2017-13722

Categories: Security

USN-3441-1: curl vulnerabilities

Ubuntu security notices - 2017.10.10, Tue - 20:23
Ubuntu Security Notice USN-3441-1

10th October, 2017

curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in curl.

Software description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

Daniel Stenberg discovered that curl incorrectly handled large floating
point output. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when
doing TFTP transfers. A remote attacker could use this issue to cause curl
to crash, resulting in a denial of service, or possibly obtain sensitive
memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled
numerical range globbing. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly obtain
sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses. A
remote attacker could use this issue to cause curl to crash, resulting in a
denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled the --write-out
command line option. A local attacker could possibly use this issue to
obtain sensitive memory contents. (CVE-2017-7407)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libcurl3-nss 7.52.1-4ubuntu1.2
curl 7.52.1-4ubuntu1.2
libcurl3-gnutls 7.52.1-4ubuntu1.2
libcurl3 7.52.1-4ubuntu1.2
Ubuntu 16.04 LTS:
libcurl3-nss 7.47.0-1ubuntu2.3
curl 7.47.0-1ubuntu2.3
libcurl3-gnutls 7.47.0-1ubuntu2.3
libcurl3 7.47.0-1ubuntu2.3
Ubuntu 14.04 LTS:
libcurl3-nss 7.35.0-1ubuntu2.11
curl 7.35.0-1ubuntu2.11
libcurl3-gnutls 7.35.0-1ubuntu2.11
libcurl3 7.35.0-1ubuntu2.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-7407

Categories: Security

Ubuntu Hour October

Ubuntu Hungarian community - 2017.10.09, Mon - 20:52

Date: 13 October 2017 (Friday)

BUDAPEST
Start: 18:00
Venue: A Grund, Bazsesz room (Budapest, VIII. Nagytemplom utca 30.)
Topic: Artful Aardvark is on the doorstep
Getting there: an 8-minute walk from Corvin negyed, 5 minutes from the Klinikák stop.
Contact the organizer.
MISKOLC
Start: 18:00
Venue: Avasi Sörház (Miskolc, Meggyesalja u. 1.)
Topic: What's new in Artful Aardvark
Getting there: a 2-minute walk from Városház tér towards the Avasi lookout
Contact the organizers: here and here.

The events are free for everyone.

Let's Program in Python, Special Edition 10: Parts 54-59

Full Circle Magazine - 2017.10.08, Sun - 20:29

To the delight of many, we continue the collected edition of the articles in the "Let's Program in Python" series. This is a new edition of parts 54-59 of the series, nothing extra, just the facts.

Please keep the original publication date in mind. Current versions of hardware and software may differ from those described at the time, so check your hardware and software versions before trying to emulate or reproduce the walkthroughs in the special editions. You may already have later versions of the software, or later versions may be available in your release's repositories.

Let's Program in Python (Special Edition 10): Parts 54–59

Ubuntu Hungarian community - 2017.10.08, Sun - 18:47

To the delight of many, we continue the collected edition of the articles in the "Let's Program in Python" series. This is a new edition of parts 54–59 of the article series (from issues 85–87, 91, 95 and 100 of the magazine), nothing extra, just the facts.

Keep the original publication date in mind. Current versions of hardware and software may differ from those described at the time; check the version numbers before trying what the articles describe. The solution from that time will not necessarily work on current systems.

Download: Let's Program in Python, Parts 54–59

As a reminder, the previous parts are available at:

  1. http://ubuntu.hu/node/32801
  2. http://ubuntu.hu/node/33119
  3. http://ubuntu.hu/node/37112
  4. http://ubuntu.hu/node/37460
  5. http://ubuntu.hu/node/39036
  6. http://ubuntu.hu/node/39059
  7. http://ubuntu.hu/node/39189
  8. http://ubuntu.hu/node/43115
  9. http://ubuntu.hu/node/43117

Have fun!

USN-3440-1: poppler vulnerabilities

Ubuntu security notices - 2017.10.06, Fri - 18:46
Ubuntu Security Notice USN-3440-1

6th October, 2017

poppler vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in poppler.

Software description
  • poppler - PDF rendering library
Details

It was discovered that Poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service.
(CVE-2017-14518, CVE-2017-14520, CVE-2017-14617, CVE-2017-14929,
CVE-2017-14975, CVE-2017-14977)

It was discovered that Poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a crafted
PDF file, an attacker could cause a denial of service. This issue
only affected Ubuntu 17.04 and 16.04. (CVE-2017-14926, CVE-2017-14928)

Alberto Garcia, Francisco Oca and Suleman Ali discovered that Poppler
incorrectly handled certain files. If a user or automated system were
tricked into opening a crafted PDF file, an attacker could cause a
denial of service. (CVE-2017-9776)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libpoppler64 0.48.0-2ubuntu2.3
poppler-utils 0.48.0-2ubuntu2.3
Ubuntu 16.04 LTS:
libpoppler58 0.41.0-0ubuntu1.4
poppler-utils 0.41.0-0ubuntu1.4
Ubuntu 14.04 LTS:
poppler-utils 0.24.5-2ubuntu4.7
libpoppler44 0.24.5-2ubuntu4.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14518, CVE-2017-14520, CVE-2017-14617, CVE-2017-14926, CVE-2017-14928, CVE-2017-14929, CVE-2017-14975, CVE-2017-14977, CVE-2017-9776

Categories: Security

The Hungarian translation of Full Circle Magazine issue 122 has been released

Ubuntu Hungarian community - 2017.10.06, Fri - 17:45

The translation team is pleased to announce that the Hungarian translation of issue 122 of Full Circle Magazine is complete.

Contents:

  • News
  • Command & Conquer: How can I learn to program?
  • How-tos:
    • Python in the real world – part 79
    • Introduction to FreeCAD – part 3
    • Installing UBports on Ubuntu Touch
    • Inkscape – part 62
    • Kdenlive – part 6
    • Research with Linux
    • How to write for Full Circle!
  • Linux Lab: Package updates
  • In focus: Etcher
  • My opinion: Snappy
  • Letters
  • Q&A
  • Ubuntu Games: Siltbreaker Act 1
  • My desktop
  • Our supporters
  • Would you contribute?

The new issue is available alongside the older ones at http://fullcircle.hu.

Download link: Issue 122

The translation was produced by the Hungarian translation team of Full Circle Magazine.

Older issues remain available on the translation team's site, fullcircle.hu, and among the downloads on the official Full Circle Magazine site: http://fullcirclemagazine.org/downloads/

We will try to be back with issue 123 as soon as possible. All the older issues are available for download from our website, and you can also find us on Facebook.

Happy reading, everyone!

Issue 122

Full Circle Magazine - 2017.10.06, Fri - 14:46
Contents of Issue 122
  • News
  • Command & Conquer: How can I learn to program
  • How-tos:
    • Python in the real world – part 79
    • A practical introduction to FreeCAD – part 3
    • Installing UBports on Ubuntu Touch
    • Inkscape – part 62
    • Kdenlive – part 6
    • Research with Linux
    • How to write for Full Circle?
  • Linux Lab: Package updates
  • In focus: Etcher
  • My opinion: Snappy
  • Letters
  • Q&A
  • Ubuntu Games: Siltbreaker Act 1
  • My desktop
  • Our supporters
  • Would you contribute?

USN-3439-1: Ruby vulnerabilities

Ubuntu security notices - 2017.10.06, Fri - 00:06
Ubuntu Security Notice USN-3439-1

5th October, 2017

ruby1.9.1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Ruby.

Software description
  • ruby1.9.1 - Object-oriented scripting language
Details

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun.
(CVE-2017-0898)

Yusuke Endoh discovered that Ruby incorrectly handled certain files.
An attacker could use this to execute terminal escape sequences.
(CVE-2017-0899)

Yusuke Endoh discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a denial of service.
(CVE-2017-0900)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execute arbitrary code.
(CVE-2017-10784)

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a denial of service.
(CVE-2017-14033)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to expose sensitive information.
(CVE-2017-14064)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
ruby1.9.1 1.9.3.484-2ubuntu1.5
libruby1.9.1 1.9.3.484-2ubuntu1.5
ruby1.9.3 1.9.3.484-2ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0898, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064

Categories: Security

USN-3438-1: Git vulnerability

Ubuntu security notices - 2017.10.05, Thu - 17:53
Ubuntu Security Notice USN-3438-1

5th October, 2017

git vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Git could be made to run programs if it processed a specially crafted file.

Software description
  • git - fast, scalable, distributed revision control system
Details

It was discovered that Git incorrectly handled certain subcommands such as
cvsserver. A remote attacker could possibly use this issue via shell
metacharacters in module names to execute arbitrary code.

This update also removes the cvsserver subcommand from git-shell by
default.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
git 1:2.11.0-2ubuntu0.3
Ubuntu 16.04 LTS:
git 1:2.7.4-0ubuntu1.3
Ubuntu 14.04 LTS:
git 1:1.9.1-1ubuntu0.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14867

Categories: Security

USN-3435-2: Firefox regression

Ubuntu security notices - 2017.10.05, Thu - 01:52
Ubuntu Security Notice USN-3435-2

4th October, 2017

firefox regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

USN-3435-1 caused a regression in Firefox.

Software description
  • firefox - Mozilla Open Source web browser
Details

USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash
plugin to crash in some circumstances. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)

Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-7805)

Multiple security issues were discovered in WebExtensions. If a user were
tricked into installing a specially crafted extension, an attacker could
potentially exploit these to download and open non-executable files
without interaction, or obtain elevated privileges. (CVE-2017-7816,
CVE-2017-7821)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
firefox 56.0+build6-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
firefox 56.0+build6-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
firefox 56.0+build6-0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1720908

Categories: Security

USN-3437-1: OCaml vulnerability

Ubuntu security notices - 2017.10.04, Wed - 00:14
Ubuntu Security Notice USN-3437-1

3rd October, 2017

ocaml vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

OCaml applications could be made to crash, expose sensitive information, or run programs.

Software description
  • ocaml - ML language implementation with a class-based object system
Details

Radek Micek discovered that OCaml incorrectly handled sign extensions. A
remote attacker could use this issue to cause applications using OCaml to
crash, to possibly obtain sensitive information, or to possibly execute
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
ocaml 4.01.0-3ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8869

Categories: Security

USN-3430-2: Dnsmasq vulnerabilities

Ubuntu security notices - 2017.10.03, Tue - 17:12
Ubuntu Security Notice USN-3430-2

3rd October, 2017

dnsmasq vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS
Summary

Several security issues were fixed in Dnsmasq.

Software description
  • dnsmasq - Small caching DNS proxy and DHCP/TFTP server
Details

USN-3430-1 fixed several vulnerabilities in Dnsmasq. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
attacker could use this issue to cause Dnsmasq to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2017-14493)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 packets. A remote
attacker could use this issue to possibly obtain sensitive memory contents.
(CVE-2017-14494)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to consume memory, resulting in a
denial of service. (CVE-2017-14495)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service. (CVE-2017-14496)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
dnsmasq 2.59-4ubuntu0.3
dnsmasq-utils 2.59-4ubuntu0.3
dnsmasq-base 2.59-4ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496

Categories: Security

USN-3435-1: Firefox vulnerabilities

Ubuntu security notices - 2017.10.03, Tue - 03:39
Ubuntu Security Notice USN-3435-1

2nd October, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software description
  • firefox - Mozilla Open Source web browser
Details

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)

Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-7805)

Multiple security issues were discovered in WebExtensions. If a user were
tricked into installing a specially crafted extension, an attacker could
potentially exploit these to download and open non-executable files
without interaction, or obtain elevated privileges. (CVE-2017-7816,
CVE-2017-7821)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
firefox 56.0+build6-0ubuntu0.17.04.1
Ubuntu 16.04 LTS:
firefox 56.0+build6-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 56.0+build6-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812, CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7816, CVE-2017-7818, CVE-2017-7819, CVE-2017-7820, CVE-2017-7821, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824

Categories: Security

USN-3434-1: Libidn vulnerability

Ubuntu security notices - 2017.10.02, Mon - 21:03
Ubuntu Security Notice USN-3434-1

2nd October, 2017

libidn vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Libidn could be made to crash or run programs if it processed specially crafted input.

Software description
  • libidn - implementation of IETF IDN specifications
Details

It was discovered that Libidn incorrectly handled decoding certain digits.
A remote attacker could use this issue to cause Libidn to crash, resulting
in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libidn11 1.33-1ubuntu0.1
Ubuntu 16.04 LTS:
libidn11 1.32-3ubuntu1.2
Ubuntu 14.04 LTS:
libidn11 1.28-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14062

Categories: Security

USN-3433-1: poppler vulnerabilities

Ubuntu security notices - 2017.10.02, Mon - 21:03
Ubuntu Security Notice USN-3433-1

2nd October, 2017

poppler vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

poppler could be made to crash if it opened a specially crafted file.

Software description
  • poppler - PDF rendering library
Details

It was discovered that Poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service.
This issue only affected Ubuntu 17.04. (CVE-2017-14517)

It was discovered that Poppler incorrectly handled certain files.
If a user or automated system were tricked into opening a crafted PDF file,
an attacker could cause a denial of service. (CVE-2017-14519)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
libpoppler64 0.48.0-2ubuntu2.2
poppler-utils 0.48.0-2ubuntu2.2
Ubuntu 16.04 LTS:
libpoppler58 0.41.0-0ubuntu1.3
poppler-utils 0.41.0-0ubuntu1.3
Ubuntu 14.04 LTS:
poppler-utils 0.24.5-2ubuntu4.6
libpoppler44 0.24.5-2ubuntu4.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-14517, CVE-2017-14519

Categories: Security

USN-3430-1: Dnsmasq vulnerabilities

Ubuntu security notices - 2017.10.02, Mon - 21:03
Ubuntu Security Notice USN-3430-1

2nd October, 2017

dnsmasq vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Dnsmasq.

Software description
  • dnsmasq - Small caching DNS proxy and DHCP/TFTP server
Details

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2017-14491)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled IPv6 router advertisements. A
remote attacker could use this issue to cause Dnsmasq to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2017-14492)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 requests. A remote
attacker could use this issue to cause Dnsmasq to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2017-14493)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DHCPv6 packets. A remote
attacker could use this issue to possibly obtain sensitive memory contents.
(CVE-2017-14494)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to consume memory, resulting in a
denial of service. (CVE-2017-14495)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana and Kevin Hamacher
discovered that Dnsmasq incorrectly handled DNS requests. A remote attacker
could use this issue to cause Dnsmasq to crash, resulting in a denial of
service. (CVE-2017-14496)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
dnsmasq 2.76-5ubuntu0.1
dnsmasq-utils 2.76-5ubuntu0.1
dnsmasq-base 2.76-5ubuntu0.1
Ubuntu 16.04 LTS:
dnsmasq 2.75-1ubuntu0.16.04.3
dnsmasq-utils 2.75-1ubuntu0.16.04.3
dnsmasq-base 2.75-1ubuntu0.16.04.3
Ubuntu 14.04 LTS:
dnsmasq 2.68-1ubuntu0.2
dnsmasq-utils 2.68-1ubuntu0.2
dnsmasq-base 2.68-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.
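The "Update instructions" sections of the notices above each list a fixed version per package, and deciding whether an installed package is still below that version needs dpkg's version ordering (epoch, then upstream, then revision, with "~" sorting before everything and digit runs compared numerically). The Python below is an added example, not code from Ubuntu or from any notice: it reimplements that ordering (assumed to follow dpkg's algorithm), loads the Ubuntu 16.04 LTS fixed versions quoted on this page, and checks a constructed sample of dpkg-query output against them.

```python
# Added example: check installed package versions against the fixed versions
# listed in the Ubuntu notices, using dpkg's version ordering.


def _order(c):
    """dpkg's character weight for the non-digit parts of a version."""
    if c is None or c.isdigit():
        return 0          # end of string and digits both weigh 0
    if c == "~":
        return -1         # '~' sorts before even the empty string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256   # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i] if i < la else None)
            bc = _order(b[j] if j < lb else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; a longer run wins, else the first
        # differing digit decides (so 1.10 is newer than 1.9).
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i].isdigit() and j < lb and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


# Fixed versions for Ubuntu 16.04 LTS, copied from the notices on this page.
FIXED_16_04 = {
    "linux-image-4.10.0-37-generic": "4.10.0-37.41~16.04.1",
    "libxfont1": "1:1.5.1-1ubuntu0.16.04.3",
    "libxfont2": "1:2.0.1-3~ubuntu16.04.2",
    "curl": "7.47.0-1ubuntu2.3",
    "libcurl3": "7.47.0-1ubuntu2.3",
    "libpoppler58": "0.41.0-0ubuntu1.4",
    "poppler-utils": "0.41.0-0ubuntu1.4",
    "git": "1:2.7.4-0ubuntu1.3",
    "firefox": "56.0+build6-0ubuntu0.16.04.2",
    "libidn11": "1.32-3ubuntu1.2",
    "dnsmasq-base": "2.75-1ubuntu0.16.04.3",
}


def parse_dpkg_query(text):
    # Parses the output of: dpkg-query -W -f='${Package} ${Version}\n'
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unpatched(installed, fixed):
    """(package, installed, required) for installed packages below the fix."""
    return [
        (pkg, installed[pkg], fixed[pkg])
        for pkg in sorted(installed)
        if pkg in fixed and compare_versions(installed[pkg], fixed[pkg]) < 0
    ]


# Constructed sample of dpkg-query output, not taken from a real system.
SAMPLE_DPKG = """\
dnsmasq-base 2.75-1ubuntu0.16.04.2
firefox 56.0+build6-0ubuntu0.16.04.2
libcurl3 7.47.0-1ubuntu2.3
libxfont1 1:1.5.1-1ubuntu0.16.04.2
linux-image-4.10.0-37-generic 4.10.0-37.41~16.04.1
"""

if __name__ == "__main__":
    for pkg, have, need in unpatched(parse_dpkg_query(SAMPLE_DPKG), FIXED_16_04):
        print(f"{pkg}: installed {have}, notice requires {need}")
```

On a real host, feed the output of `dpkg-query -W -f='${Package} ${Version}\n'` to parse_dpkg_query instead of the constructed sample.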

References

CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496

Categories: Security
