Category Archives: Ubuntu

Ubuntu Security Notices

USN-3564-1: PostgreSQL vulnerability

Ubuntu Security Notice USN-3564-1

9th February, 2018

postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

PostgreSQL could be made to expose sensitive information.

Software description

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.5
    – Object-relational SQL database

  • postgresql-9.6
    – Object-relational SQL database

Details

It was discovered that PostgreSQL incorrectly handled certain temp files.
An attacker could possibly use this to access sensitive information.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • postgresql-9.6 9.6.7-0ubuntu0.17.10

Ubuntu 16.04 LTS:
  • postgresql-9.5 9.5.11-0ubuntu0.16.04

Ubuntu 14.04 LTS:
  • postgresql-9.3 9.3.21-0ubuntu0.14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

CVE-2018-1053


USN-3563-1: Mailman vulnerability

Ubuntu Security Notice USN-3563-1

8th February, 2018

mailman vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Mailman could be made to run arbitrary code.

Software description

  • mailman
    – Powerful, web-based mailing list manager

Details

It was discovered that Mailman incorrectly handled certain web scripts.
An attacker could possibly use this to inject arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • mailman 1:2.1.23-1ubuntu0.2

Ubuntu 16.04 LTS:
  • mailman 1:2.1.20-1ubuntu0.3

Ubuntu 14.04 LTS:
  • mailman 1:2.1.16-2ubuntu0.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-5950


USN-3561-1: libvirt update

Ubuntu Security Notice USN-3561-1

7th February, 2018

libvirt update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Spectre mitigations were added to libvirt.

Software description

  • libvirt
    – Libvirt virtualization toolkit

Details

It was discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via side-channel
attacks. This flaw is known as Spectre. An attacker in the guest could use
this to expose sensitive guest information, including kernel memory.

This update allows libvirt to expose new CPU features added by microcode
updates to guests. On amd64 and i386, new CPU models that match the updated
microcode features were added with an -IBRS suffix. Certain environments
will require guests to be switched manually to the new CPU models after
microcode updates have been applied to the host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • libvirt0 3.6.0-1ubuntu6.2
  • libvirt-bin 3.6.0-1ubuntu6.2

Ubuntu 16.04 LTS:
  • libvirt0 1.3.1-1ubuntu10.17
  • libvirt-bin 1.3.1-1ubuntu10.17

Ubuntu 14.04 LTS:
  • libvirt0 1.2.2-0ubuntu13.1.25
  • libvirt-bin 1.2.2-0ubuntu13.1.25

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-5715


USN-3560-1: QEMU update

Ubuntu Security Notice USN-3560-1

7th February, 2018

qemu update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Spectre mitigations were added to QEMU.

Software description

  • qemu
    – Machine emulator and virtualizer

Details

It was discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via side-channel
attacks. This flaw is known as Spectre. An attacker in the guest could use
this to expose sensitive guest information, including kernel memory.

This update allows QEMU to expose new CPU features added by microcode
updates to guests on amd64, i386, and s390x. On amd64 and i386, new CPU
models that match the updated microcode features were added with an -IBRS
suffix. Certain environments will require guests to be switched manually to
the new CPU models after microcode updates have been applied to the host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • qemu-system-x86 1:2.10+dfsg-0ubuntu3.4
  • qemu-system 1:2.10+dfsg-0ubuntu3.4
  • qemu-system-s390x 1:2.10+dfsg-0ubuntu3.4

Ubuntu 16.04 LTS:
  • qemu-system-x86 1:2.5+dfsg-5ubuntu10.20
  • qemu-system 1:2.5+dfsg-5ubuntu10.20
  • qemu-system-s390x 1:2.5+dfsg-5ubuntu10.20

Ubuntu 14.04 LTS:
  • qemu-system-x86 2.0.0+dfsg-2ubuntu1.38
  • qemu-system 2.0.0+dfsg-2ubuntu1.38

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2017-5715


USN-3559-1: Django vulnerabilities

Ubuntu Security Notice USN-3559-1

7th February, 2018

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10

Summary

Several security issues were fixed in Django.

Software description

  • python-django
    – High-level Python web development framework

Details

It was discovered that Django incorrectly handled certain requests.
An attacker could possibly use this to access sensitive information.
(CVE-2017-12794, CVE-2018-6188)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • python3-django 1:1.11.4-1ubuntu1.1
  • python-django 1:1.11.4-1ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-12794, CVE-2018-6188


USN-3562-1: MiniUPnP vulnerabilities

Ubuntu Security Notice USN-3562-1

7th February, 2018

miniupnpc vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

MiniUPnP could be made to crash or run programs if it received specially
crafted network traffic.

Software description

  • miniupnpc
    – UPnP IGD client lightweight library

Details

It was discovered that MiniUPnP incorrectly handled memory. A remote
attacker could use this issue to cause a denial of service or possibly
execute arbitrary code with privileges of the user running an application
that uses the MiniUPnP library.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • libminiupnpc10 1.9.20140610-4ubuntu1.1

Ubuntu 16.04 LTS:
  • libminiupnpc10 1.9.20140610-2ubuntu2.16.04.2

Ubuntu 14.04 LTS:
  • libminiupnpc8 1.6-3ubuntu2.14.04.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-1000494


USN-3557-1: Squid vulnerabilities

Ubuntu Security Notice USN-3557-1

5th February, 2018

squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Squid.

Software description

  • squid3
    – Web proxy cache server

Details

Mathias Fischer discovered that Squid incorrectly handled certain long
strings in headers. A malicious remote server could possibly cause Squid to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 16.04 LTS. (CVE-2016-2569)

William Lima discovered that Squid incorrectly handled XML parsing when
processing Edge Side Includes (ESI). A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service. This issue
was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)

Alex Rousskov discovered that Squid incorrectly handled response-parsing
failures. A malicious remote server could possibly cause Squid to crash,
resulting in a denial of service. This issue only applied to Ubuntu 16.04
LTS. (CVE-2016-2571)

Santiago Ruano Rincón discovered that Squid incorrectly handled certain
Vary headers. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-3948)

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge
Side Includes (ESI) responses. A malicious remote server could possibly
cause Squid to crash, resulting in a denial of service. (CVE-2018-1000024)

Louis Dion-Marcil discovered that Squid incorrectly handled certain Edge
Side Includes (ESI) responses. A malicious remote server could possibly
cause Squid to crash, resulting in a denial of service. (CVE-2018-1000027)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • squid3 3.5.23-5ubuntu1.1

Ubuntu 16.04 LTS:
  • squid3 3.5.12-1ubuntu7.5

Ubuntu 14.04 LTS:
  • squid3 3.3.8-1ubuntu6.11

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-2569, CVE-2016-2570, CVE-2016-2571, CVE-2016-3948,
CVE-2018-1000024, CVE-2018-1000027


USN-3550-2: ClamAV vulnerabilities

Ubuntu Security Notice USN-3550-2

5th February, 2018

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in ClamAV.

Software description

  • clamav
    – Anti-virus utility for Unix

Details

USN-3550-1 fixed several vulnerabilities in ClamAV. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled parsing certain mail
messages. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-12374, CVE-2017-12375, CVE-2017-12379, CVE-2017-12380)

It was discovered that ClamAV incorrectly handled parsing certain PDF
files. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-12376)

It was discovered that ClamAV incorrectly handled parsing certain mew
packet files. A remote attacker could use this issue to cause ClamAV to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2017-12377)

It was discovered that ClamAV incorrectly handled parsing certain TAR
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2017-12378)

In the default installation, attackers would be isolated by the ClamAV
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • clamav 0.99.3+addedllvm-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
CVE-2017-12378, CVE-2017-12379, CVE-2017-12380


USN-3558-1: systemd vulnerabilities

Ubuntu Security Notice USN-3558-1

5th February, 2018

systemd vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in systemd.

Software description

  • systemd
    – system and service manager

Details

Karim Hossen & Thomas Imbert and Nelson William Gamazo Sanchez
independently discovered that systemd-resolved incorrectly handled certain
DNS responses. A remote attacker could possibly use this issue to cause
systemd to temporarily stop responding, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-15908)

It was discovered that systemd incorrectly handled automounted volumes. A
local attacker could possibly use this issue to cause applications to hang,
resulting in a denial of service. (CVE-2018-1049)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  • systemd 229-4ubuntu21.1

Ubuntu 14.04 LTS:
  • systemd 204-5ubuntu20.26

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15908, CVE-2018-1049


USN-3555-1: w3m vulnerabilities

Ubuntu Security Notice USN-3555-1

1st February, 2018

w3m vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in w3m.

Software description

  • w3m
    – WWW browsable pager with excellent tables/frames support

Details

It was discovered that w3m incorrectly handled certain inputs.
An attacker could possibly use this to cause a denial of service.
(CVE-2018-6196, CVE-2018-6197)

It was discovered that w3m incorrectly handled temporary files.
An attacker could possibly use this to overwrite arbitrary files.
(CVE-2018-6198)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
  • w3m 0.5.3-34ubuntu0.1

Ubuntu 16.04 LTS:
  • w3m 0.5.3-26ubuntu0.2

Ubuntu 14.04 LTS:
  • w3m 0.5.3-15ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2018-6196, CVE-2018-6197, CVE-2018-6198
