Ubuntu

USN-3906-2: LibTIFF vulnerabilities

2 hours 56 minutes ago
tiff vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary

LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • tiff - Tag Image File Format (TIFF) library

Details

USN-3906-1 and USN-3864-1 fixed several vulnerabilities in LibTIFF. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
libtiff-tools - 3.9.5-2ubuntu1.12
libtiff4 - 3.9.5-2ubuntu1.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3911-1: file vulnerabilities

4 hours 4 minutes ago
file vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in file.

Software Description

  • file - Tool to determine file types

Details

It was discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
file - 1:5.34-2ubuntu0.1
libmagic1 - 1:5.34-2ubuntu0.1
Ubuntu 18.04 LTS
file - 1:5.32-2ubuntu0.2
libmagic1 - 1:5.32-2ubuntu0.2
Ubuntu 16.04 LTS
file - 1:5.25-2ubuntu1.2
libmagic1 - 1:5.25-2ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3910-1: Linux kernel vulnerabilities

2 days 18 hours ago
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors

Details

It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash). (CVE-2017-18241)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1041-kvm - 4.4.0-1041.47
linux-image-4.4.0-1077-aws - 4.4.0-1077.87
linux-image-4.4.0-1104-raspi2 - 4.4.0-1104.112
linux-image-4.4.0-1108-snapdragon - 4.4.0-1108.113
linux-image-4.4.0-143-generic - 4.4.0-143.169
linux-image-4.4.0-143-generic-lpae - 4.4.0-143.169
linux-image-4.4.0-143-lowlatency - 4.4.0-143.169
linux-image-4.4.0-143-powerpc-e500mc - 4.4.0-143.169
linux-image-4.4.0-143-powerpc-smp - 4.4.0-143.169
linux-image-4.4.0-143-powerpc64-emb - 4.4.0-143.169
linux-image-4.4.0-143-powerpc64-smp - 4.4.0-143.169
linux-image-aws - 4.4.0.1077.80
linux-image-generic - 4.4.0.143.151
linux-image-generic-lpae - 4.4.0.143.151
linux-image-kvm - 4.4.0.1041.41
linux-image-lowlatency - 4.4.0.143.151
linux-image-powerpc-e500mc - 4.4.0.143.151
linux-image-powerpc-smp - 4.4.0.143.151
linux-image-powerpc64-emb - 4.4.0.143.151
linux-image-powerpc64-smp - 4.4.0.143.151
linux-image-raspi2 - 4.4.0.1104.104
linux-image-snapdragon - 4.4.0.1108.100
linux-image-virtual - 4.4.0.143.151

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3910-2: Linux kernel (Xenial HWE) vulnerabilities

2 days 18 hours ago
linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash). (CVE-2017-18241)

It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120)

Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985)

It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
linux-image-4.4.0-1039-aws - 4.4.0-1039.42
linux-image-4.4.0-143-generic - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-generic-lpae - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-lowlatency - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-powerpc-e500mc - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-powerpc-smp - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-powerpc64-emb - 4.4.0-143.169~14.04.2
linux-image-4.4.0-143-powerpc64-smp - 4.4.0-143.169~14.04.2
linux-image-aws - 4.4.0.1039.40
linux-image-generic-lpae-lts-xenial - 4.4.0.143.125
linux-image-generic-lts-xenial - 4.4.0.143.125
linux-image-lowlatency-lts-xenial - 4.4.0.143.125
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.143.125
linux-image-powerpc-smp-lts-xenial - 4.4.0.143.125
linux-image-powerpc64-emb-lts-xenial - 4.4.0.143.125
linux-image-powerpc64-smp-lts-xenial - 4.4.0.143.125
linux-image-virtual-lts-xenial - 4.4.0.143.125

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3909-1: libvirt vulnerability

3 days 23 hours ago
libvirt vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

libvirt could be made to crash under certain conditions.

Software Description

  • libvirt - Libvirt virtualization toolkit

Details

It was discovered that libvirt incorrectly handled waiting for certain agent events. An attacker inside a guest could possibly use this issue to cause libvirtd to stop responding, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libvirt-clients - 4.6.0-2ubuntu3.4
libvirt-daemon - 4.6.0-2ubuntu3.4
libvirt0 - 4.6.0-2ubuntu3.4
Ubuntu 18.04 LTS
libvirt-clients - 4.0.0-1ubuntu8.8
libvirt-daemon - 4.0.0-1ubuntu8.8
libvirt0 - 4.0.0-1ubuntu8.8
Ubuntu 16.04 LTS
libvirt-bin - 1.3.1-1ubuntu10.25
libvirt0 - 1.3.1-1ubuntu10.25

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

USN-3908-2: Linux kernel (Trusty HWE) vulnerability

4 days 22 hours ago
linux-lts-trusty vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary

The system could be made to run programs as an administrator.

Software Description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM

Details

USN-3908-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
linux-image-3.13.0-166-generic - 3.13.0-166.216~precise1
linux-image-3.13.0-166-generic-lpae - 3.13.0-166.216~precise1
linux-image-3.13.0-166-lowlatency - 3.13.0-166.216~precise1
linux-image-generic-lpae-lts-trusty - 3.13.0.166.156
linux-image-generic-lts-trusty - 3.13.0.166.156

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3908-1: Linux kernel vulnerability

5 days 19 hours ago
linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

The system could be made to run programs as an administrator.

Software Description

  • linux - Linux kernel

Details

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
linux-image-3.13.0-166-generic - 3.13.0-166.216
linux-image-3.13.0-166-generic-lpae - 3.13.0-166.216
linux-image-3.13.0-166-lowlatency - 3.13.0-166.216
linux-image-3.13.0-166-powerpc-e500 - 3.13.0-166.216
linux-image-3.13.0-166-powerpc-e500mc - 3.13.0-166.216
linux-image-3.13.0-166-powerpc-smp - 3.13.0-166.216
linux-image-3.13.0-166-powerpc64-emb - 3.13.0-166.216
linux-image-3.13.0-166-powerpc64-smp - 3.13.0-166.216
linux-image-generic - 3.13.0.166.177
linux-image-generic-lpae - 3.13.0.166.177
linux-image-lowlatency - 3.13.0.166.177
linux-image-powerpc-e500 - 3.13.0.166.177
linux-image-powerpc-e500mc - 3.13.0.166.177
linux-image-powerpc-smp - 3.13.0.166.177
linux-image-powerpc64-emb - 3.13.0.166.177
linux-image-powerpc64-smp - 3.13.0.166.177
linux-image-virtual - 3.13.0.166.177

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3902-2: PHP vulnerabilities

5 days 22 hours ago
php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM

Summary

Several security issues were fixed in PHP.

Software Description

  • php5 - HTML-embedded scripting language interpreter

Details

USN-3902-1 fixed a vulnerability in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that the PHP XML-RPC module incorrectly handled decoding XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)

It was discovered that the PHP PHAR module incorrectly handled certain filenames. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9021)

It was discovered that PHP incorrectly handled mbstring regular expressions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9023)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
libapache2-mod-php5 - 5.3.10-1ubuntu3.33
php5-cgi - 5.3.10-1ubuntu3.33
php5-cli - 5.3.10-1ubuntu3.33
php5-fpm - 5.3.10-1ubuntu3.33
php5-xmlrpc - 5.3.10-1ubuntu3.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3907-1: WALinuxAgent vulnerability

5 days 23 hours ago
walinuxagent vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

WALinuxAgent could be made to expose sensitive information.

Software Description

  • walinuxagent - Windows Azure Linux Agent

Details

It was discovered that WALinuxAgent created swap files with incorrect permissions. A local attacker could possibly use this issue to obtain sensitive information from the swap file.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
walinuxagent - 2.2.32-0ubuntu1~18.10.2
Ubuntu 18.04 LTS
walinuxagent - 2.2.32-0ubuntu1~18.04.2
Ubuntu 16.04 LTS
walinuxagent - 2.2.32-0ubuntu1~16.04.2
Ubuntu 14.04 LTS
walinuxagent - 2.2.32-0ubuntu1~14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3906-1: LibTIFF vulnerabilities

6 days 3 hours ago
tiff vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • tiff - Tag Image File Format (TIFF) library

Details

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libtiff-tools - 4.0.9-6ubuntu0.2
libtiff5 - 4.0.9-6ubuntu0.2
Ubuntu 18.04 LTS
libtiff-tools - 4.0.9-5ubuntu0.2
libtiff5 - 4.0.9-5ubuntu0.2
Ubuntu 16.04 LTS
libtiff-tools - 4.0.6-1ubuntu0.6
libtiff5 - 4.0.6-1ubuntu0.6
Ubuntu 14.04 LTS
libtiff-tools - 4.0.3-7ubuntu0.11
libtiff5 - 4.0.3-7ubuntu0.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3905-1: poppler vulnerability

1 week ago
poppler vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

poppler could be made to crash if it opened a specially crafted file.

Software Description

  • poppler - PDF rendering library

Details

It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libpoppler79 - 0.68.0-0ubuntu1.6
poppler-utils - 0.68.0-0ubuntu1.6
Ubuntu 18.04 LTS
libpoppler73 - 0.62.0-2ubuntu2.8
poppler-utils - 0.62.0-2ubuntu2.8
Ubuntu 16.04 LTS
libpoppler58 - 0.41.0-0ubuntu1.13
poppler-utils - 0.41.0-0ubuntu1.13
Ubuntu 14.04 LTS
libpoppler44 - 0.24.5-2ubuntu4.17
poppler-utils - 0.24.5-2ubuntu4.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3904-1: NVIDIA graphics drivers vulnerability

1 week 4 days ago
nvidia-graphics-drivers-390 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS

Summary

NVIDIA graphics drivers could be made to expose sensitive information.

Software Description

  • nvidia-graphics-drivers-390 - NVIDIA binary X.Org driver

Details

It was discovered that the NVIDIA graphics drivers incorrectly handled the GPU performance counters. A local attacker could possibly use this issue to access the application data processed on the GPU.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
xserver-xorg-video-nvidia-390 - 390.116-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
xserver-xorg-video-nvidia-390 - 390.116-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

USN-3903-2: Linux kernel (HWE) vulnerabilities

1 week 4 days ago
linux-hwe, linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-3903-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.

Jason Wang discovered that the vhost net driver in the Linux kernel contained an out-of-bounds write vulnerability. An attacker in a guest virtual machine could use this to cause a denial of service (host system crash) or possibly execute arbitrary code in the host kernel. (CVE-2018-16880)

Jann Horn discovered that the userfaultfd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could possibly use this to modify files. (CVE-2018-18397)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.18.0-1013-azure - 4.18.0-1013.13~18.04.1
linux-image-4.18.0-16-generic - 4.18.0-16.17~18.04.1
linux-image-4.18.0-16-generic-lpae - 4.18.0-16.17~18.04.1
linux-image-4.18.0-16-lowlatency - 4.18.0-16.17~18.04.1
linux-image-4.18.0-16-snapdragon - 4.18.0-16.17~18.04.1
linux-image-azure - 4.18.0.1013.12
linux-image-generic-hwe-18.04 - 4.18.0.16.66
linux-image-generic-lpae-hwe-18.04 - 4.18.0.16.66
linux-image-lowlatency-hwe-18.04 - 4.18.0.16.66
linux-image-snapdragon-hwe-18.04 - 4.18.0.16.66

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3903-1: Linux kernel vulnerabilities

1 week 4 days ago
linux, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Jason Wang discovered that the vhost net driver in the Linux kernel contained an out-of-bounds write vulnerability. An attacker in a guest virtual machine could use this to cause a denial of service (host system crash) or possibly execute arbitrary code in the host kernel. (CVE-2018-16880)

Jann Horn discovered that the userfaultfd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could possibly use this to modify files. (CVE-2018-18397)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
linux-image-4.18.0-1007-gcp - 4.18.0-1007.8
linux-image-4.18.0-1008-kvm - 4.18.0-1008.8
linux-image-4.18.0-1010-raspi2 - 4.18.0-1010.12
linux-image-4.18.0-1013-azure - 4.18.0-1013.13
linux-image-4.18.0-16-generic - 4.18.0-16.17
linux-image-4.18.0-16-generic-lpae - 4.18.0-16.17
linux-image-4.18.0-16-lowlatency - 4.18.0-16.17
linux-image-4.18.0-16-snapdragon - 4.18.0-16.17
linux-image-azure - 4.18.0.1013.14
linux-image-gcp - 4.18.0.1007.7
linux-image-generic - 4.18.0.16.17
linux-image-generic-lpae - 4.18.0.16.17
linux-image-gke - 4.18.0.1007.7
linux-image-kvm - 4.18.0.1008.8
linux-image-lowlatency - 4.18.0.16.17
linux-image-raspi2 - 4.18.0.1010.7
linux-image-snapdragon - 4.18.0.16.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3902-1: PHP vulnerabilities

1 week 5 days ago
php5, php7.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in PHP.

Software Description

  • php7.0 - HTML-embedded scripting language interpreter
  • php5 - HTML-embedded scripting language interpreter

Details

It was discovered that the PHP XML-RPC module incorrectly handled decoding XML data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9020, CVE-2019-9024)

It was discovered that the PHP PHAR module incorrectly handled certain filenames. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9021)

It was discovered that PHP incorrectly parsed certain DNS responses. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2019-9022)

It was discovered that PHP incorrectly handled mbstring regular expressions. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2019-9023)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.2
php7.0-cgi - 7.0.33-0ubuntu0.16.04.2
php7.0-cli - 7.0.33-0ubuntu0.16.04.2
php7.0-fpm - 7.0.33-0ubuntu0.16.04.2
php7.0-mbstring - 7.0.33-0ubuntu0.16.04.2
php7.0-xmlrpc - 7.0.33-0ubuntu0.16.04.2
Ubuntu 14.04 LTS
libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.27
php5-cgi - 5.5.9+dfsg-1ubuntu4.27
php5-cli - 5.5.9+dfsg-1ubuntu4.27
php5-fpm - 5.5.9+dfsg-1ubuntu4.27
php5-xmlrpc - 5.5.9+dfsg-1ubuntu4.27

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3901-2: Linux kernel (HWE) vulnerabilities

1 week 5 days ago
linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oracle - Linux kernel for Oracle Cloud systems

Details

USN-3901-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

Jann Horn discovered that the userfaultfd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could possibly use this to modify files. (CVE-2018-18397)

It was discovered that the crypto subsystem of the Linux kernel leaked uninitialized memory to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-19854)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1009-oracle - 4.15.0-1009.11~16.04.1
linux-image-4.15.0-1028-gcp - 4.15.0-1028.29~16.04.1
linux-image-4.15.0-1033-aws - 4.15.0-1033.35~16.04.1
linux-image-4.15.0-1040-azure - 4.15.0-1040.44
linux-image-4.15.0-46-generic - 4.15.0-46.49~16.04.1
linux-image-4.15.0-46-generic-lpae - 4.15.0-46.49~16.04.1
linux-image-4.15.0-46-lowlatency - 4.15.0-46.49~16.04.1
linux-image-aws-hwe - 4.15.0.1033.34
linux-image-azure - 4.15.0.1040.44
linux-image-gcp - 4.15.0.1028.42
linux-image-generic-hwe-16.04 - 4.15.0.46.67
linux-image-generic-lpae-hwe-16.04 - 4.15.0.46.67
linux-image-gke - 4.15.0.1028.42
linux-image-lowlatency-hwe-16.04 - 4.15.0.46.67
linux-image-oem - 4.15.0.46.67
linux-image-oracle - 4.15.0.1009.3
Ubuntu 14.04 LTS
linux-image-4.15.0-1040-azure - 4.15.0-1040.44~14.04.1
linux-image-azure - 4.15.0.1040.27

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3901-1: Linux kernel vulnerabilities

1 week 5 days ago
linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM processors
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

Jann Horn discovered that the userfaultfd implementation in the Linux kernel did not properly restrict access to certain ioctls. A local attacker could possibly use this to modify files. (CVE-2018-18397)

It was discovered that the crypto subsystem of the Linux kernel leaked uninitialized memory to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-19854)

Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1009-oracle - 4.15.0-1009.11
linux-image-4.15.0-1028-gcp - 4.15.0-1028.29
linux-image-4.15.0-1030-kvm - 4.15.0-1030.30
linux-image-4.15.0-1032-raspi2 - 4.15.0-1032.34
linux-image-4.15.0-1033-aws - 4.15.0-1033.35
linux-image-4.15.0-1034-oem - 4.15.0-1034.39
linux-image-4.15.0-46-generic - 4.15.0-46.49
linux-image-4.15.0-46-generic-lpae - 4.15.0-46.49
linux-image-4.15.0-46-lowlatency - 4.15.0-46.49
linux-image-4.15.0-46-snapdragon - 4.15.0-46.49
linux-image-aws - 4.15.0.1033.32
linux-image-gcp - 4.15.0.1028.30
linux-image-generic - 4.15.0.46.48
linux-image-generic-lpae - 4.15.0.46.48
linux-image-gke - 4.15.0.1028.30
linux-image-kvm - 4.15.0.1030.30
linux-image-lowlatency - 4.15.0.46.48
linux-image-oem - 4.15.0.1034.39
linux-image-oracle - 4.15.0.1009.12
linux-image-raspi2 - 4.15.0.1032.30
linux-image-snapdragon - 4.15.0.46.48

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

USN-3885-2: OpenSSH vulnerability

1 week 6 days ago
openssh vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

One of the fixes in USN-3885-1 was incomplete.

Software Description
  • openssh - secure shell (SSH) for secure access to remote machines
Details

USN-3885-1 fixed vulnerabilities in OpenSSH. It was discovered that the fix for CVE-2019-6111 turned out to be incomplete. This update fixes the problem.

Original advisory details:

Harry Sintonen discovered multiple issues in the OpenSSH scp utility. If a user or automated system were tricked into connecting to an untrusted server, a remote attacker could possibly use these issues to write to arbitrary files, change directory permissions, and spoof client output.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
openssh-client - 1:7.7p1-4ubuntu0.3
Ubuntu 18.04 LTS
openssh-client - 1:7.6p1-4ubuntu0.3
Ubuntu 16.04 LTS
openssh-client - 1:7.2p2-4ubuntu2.8
Ubuntu 14.04 LTS
openssh-client - 1:6.6p1-2ubuntu2.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

USN-3900-1: GD vulnerabilities

2 weeks 4 days ago
libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in GD.

Software Description
  • libgd2 - GD Graphics Library
Details

It was discovered that GD incorrectly handled memory when processing certain images. A remote attacker could use this issue with a specially crafted image file to cause GD to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libgd-tools - 2.2.5-4ubuntu1.1
libgd3 - 2.2.5-4ubuntu1.1
Ubuntu 18.04 LTS
libgd-tools - 2.2.5-4ubuntu0.3
libgd3 - 2.2.5-4ubuntu0.3
Ubuntu 16.04 LTS
libgd-tools - 2.1.1-4ubuntu0.16.04.11
libgd3 - 2.1.1-4ubuntu0.16.04.11
Ubuntu 14.04 LTS
libgd-tools - 2.1.0-3ubuntu0.11
libgd3 - 2.1.0-3ubuntu0.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

USN-3898-2: NSS vulnerability

2 weeks 4 days ago
nss vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM
Summary

NSS could be made to crash if it received specially crafted network traffic.

Software Description
  • nss - Network Security Service library
Details

USN-3898-1 fixed a vulnerability in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Hanno Böck and Damian Poddebniak discovered that NSS incorrectly handled certain CMS functions. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
libnss3 - 2:3.28.4-0ubuntu0.12.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.

References