Ubuntu

USN-3860-2: libcaca vulnerabilities

5 hours 55 minutes ago
libcaca vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in libcaca.

Software Description
  • libcaca - text mode graphics utilities
Details

USN-3860-1 fixed a vulnerability in libcaca. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20544)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-20545, CVE-2018-20548, CVE-2018-20459)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20546, CVE-2018-20547)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
caca-utils - 0.99.beta17-2.1ubuntu2.1
libcaca0 - 0.99.beta17-2.1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3860-1: libcaca vulnerabilities

7 hours 49 minutes ago
libcaca vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libcaca.

Software Description
  • libcaca - text mode graphics utilities
Details

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20544)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-20545, CVE-2018-20548, CVE-2018-20459)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20546, CVE-2018-20547)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
caca-utils - 0.99.beta19-2ubuntu0.18.10.1
libcaca0 - 0.99.beta19-2ubuntu0.18.10.1
Ubuntu 18.04 LTS
caca-utils - 0.99.beta19-2ubuntu0.18.04.1
libcaca0 - 0.99.beta19-2ubuntu0.18.04.1
Ubuntu 16.04 LTS
caca-utils - 0.99.beta19-2ubuntu0.16.04.1
libcaca0 - 0.99.beta19-2ubuntu0.16.04.1
Ubuntu 14.04 LTS
caca-utils - 0.99.beta18-1ubuntu5.1
libcaca0 - 0.99.beta18-1ubuntu5.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3859-1: libarchive vulnerabilities

10 hours 15 minutes ago
libarchive vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in libarchive.

Software Description
  • libarchive - Library to read/write archive files
Details

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a denial of service. CVE-2018-1000880 affected only Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000880)

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-14502)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libarchive13 - 3.2.2-5ubuntu0.1
Ubuntu 18.04 LTS
libarchive13 - 3.2.2-3.1ubuntu0.2
Ubuntu 16.04 LTS
libarchive13 - 3.1.2-11ubuntu0.16.04.5
Ubuntu 14.04 LTS
libarchive13 - 3.1.2-7ubuntu2.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3858-1: HAProxy vulnerabilities

12 hours 18 minutes ago
haproxy vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in HAProxy.

Software Description
  • haproxy - fast and reliable load balancing reverse proxy
Details

It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information. (CVE-2018-20102)

It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20103, CVE-2018-20615)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
haproxy - 1.8.13-2ubuntu0.1
Ubuntu 18.04 LTS
haproxy - 1.8.8-1ubuntu0.3
Ubuntu 16.04 LTS
haproxy - 1.6.3-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3857-1: PEAR vulnerability

1 day 6 hours ago
php-pear vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

PEAR could be made to run programs if it processed a specially crafted file.

Software Description
  • php-pear - PHP Extension and Application Repository
Details

Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
php-pear - 1:1.10.5+submodules+notgz-1ubuntu1.18.10.1
Ubuntu 18.04 LTS
php-pear - 1:1.10.5+submodules+notgz-1ubuntu1.18.04.1
Ubuntu 16.04 LTS
php-pear - 1:1.10.1+submodules+notgz-6ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3856-1: GNOME Bluetooth vulnerability

1 day 10 hours ago
gnome-bluetooth vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

GNOME Bluetooth could allow unintended access to devices.

Software Description
  • gnome-bluetooth - GNOME Bluetooth tools
Details

Chris Marchesi discovered that BlueZ incorrectly handled disabling Bluetooth visibility. A remote attacker could possibly pair to devices, contrary to expectations. This update adds a workaround to GNOME Bluetooth to fix the issue.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
gnome-bluetooth - 3.28.0-2ubuntu0.1
libgnome-bluetooth13 - 3.28.0-2ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

USN-3855-1: systemd vulnerabilities

4 days 9 hours ago
systemd vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in systemd.

Software Description
  • systemd - system and service manager
Details

It was discovered that systemd-journald allocated variable-length buffers for certain message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16864)

It was discovered that systemd-journald allocated variable-length arrays of objects representing message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16865)

An out-of-bounds read was discovered in systemd-journald. A local attacker could potentially exploit this to obtain sensitive information and bypass ASLR protections. (CVE-2018-16866)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
systemd - 239-7ubuntu10.6
Ubuntu 18.04 LTS
systemd - 237-3ubuntu10.11
Ubuntu 16.04 LTS
systemd - 229-4ubuntu21.15

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

USN-3854-1: WebKitGTK+ vulnerabilities

5 days 4 hours ago
webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in WebKitGTK+.

Software Description
  • webkit2gtk - Web content engine library for GTK+
Details

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libjavascriptcoregtk-4.0-18 - 2.22.5-0ubuntu0.18.10.1
libwebkit2gtk-4.0-37 - 2.22.5-0ubuntu0.18.10.1
Ubuntu 18.04 LTS
libjavascriptcoregtk-4.0-18 - 2.22.5-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 - 2.22.5-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

USN-3853-1: GnuPG vulnerability

5 days 6 hours ago
gnupg2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
Summary

GnuPG could allow unintended access to network services.

Software Description
  • gnupg2 - GNU privacy guard - a free PGP replacement
Details

Ben Fuhrmannek discovered that GnuPG incorrectly handled Web Key Directory lookups. A remote attacker could possibly use this issue to cause a denial of service, or perform Cross-Site Request Forgery attacks.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
gnupg - 2.2.8-3ubuntu1.1
gpg-wks-client - 2.2.8-3ubuntu1.1
Ubuntu 18.04 LTS
gnupg - 2.2.4-1ubuntu1.2
gpg-wks-client - 2.2.4-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3852-1: Exiv2 vulnerabilities

5 days 8 hours ago
exiv2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in Exiv2.

Software Description
  • exiv2 - EXIF/IPTC/XMP metadata manipulation tool
Details

It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. CVE-2017-9239 only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11591, CVE-2017-11683, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-9239, CVE-2018-16336, CVE-2018-1758)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
exiv2 - 0.25-4ubuntu0.1
libexiv2-14 - 0.25-4ubuntu0.1
Ubuntu 18.04 LTS
exiv2 - 0.25-3.1ubuntu0.18.04.2
libexiv2-14 - 0.25-3.1ubuntu0.18.04.2
Ubuntu 16.04 LTS
exiv2 - 0.25-2.1ubuntu16.04.3
libexiv2-14 - 0.25-2.1ubuntu16.04.3
Ubuntu 14.04 LTS
exiv2 - 0.23-1ubuntu2.2
libexiv2-12 - 0.23-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3851-1: Django vulnerability

6 days 6 hours ago
python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Django could be made to expose spoofed information over the network.

Software Description
  • python-django - High-level Python web development framework
Details

It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
python-django - 1:1.11.15-1ubuntu1.1
python3-django - 1:1.11.15-1ubuntu1.1
Ubuntu 18.04 LTS
python-django - 1:1.11.11-1ubuntu1.2
python3-django - 1:1.11.11-1ubuntu1.2
Ubuntu 16.04 LTS
python-django - 1.8.7-1ubuntu5.7
python3-django - 1.8.7-1ubuntu5.7
Ubuntu 14.04 LTS
python-django - 1.6.11-0ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3850-1: NSS vulnerabilities

6 days 6 hours ago
nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in NSS.

Software Description
  • nss - Network Security Service library
Details

Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)

It was discovered that NSS incorrectly handled certain v2-compatible ClientHello messages. A remote attacker could possibly use this issue to perform a replay attack. (CVE-2018-12384)

It was discovered that NSS incorrectly handled certain padding oracles. A remote attacker could possibly use this issue to perform a variant of the Bleichenbacher attack. (CVE-2018-12404)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
libnss3 - 2:3.36.1-1ubuntu1.1
Ubuntu 18.04 LTS
libnss3 - 2:3.35-2ubuntu2.1
Ubuntu 16.04 LTS
libnss3 - 2:3.28.4-0ubuntu0.16.04.4
Ubuntu 14.04 LTS
libnss3 - 2:3.28.4-0ubuntu0.14.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.

USN-3848-2: Linux kernel (Xenial HWE) vulnerabilities

3 weeks 5 days ago
linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

USN-3848-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
linux-image-4.4.0-1037-aws - 4.4.0-1037.40
linux-image-4.4.0-141-generic - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-generic-lpae - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-lowlatency - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc-e500mc - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc-smp - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc64-emb - 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc64-smp - 4.4.0-141.167~14.04.1
linux-image-aws - 4.4.0.1037.37
linux-image-generic-lpae-lts-xenial - 4.4.0.141.121
linux-image-generic-lts-xenial - 4.4.0.141.121
linux-image-lowlatency-lts-xenial - 4.4.0.141.121
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.141.121
linux-image-powerpc-smp-lts-xenial - 4.4.0.141.121
linux-image-powerpc64-emb-lts-xenial - 4.4.0.141.121
linux-image-powerpc64-smp-lts-xenial - 4.4.0.141.121

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3849-2: Linux kernel (Trusty HWE) vulnerabilities

3 weeks 5 days ago
linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM
Details

USN-3849-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux kernel. A local attacker with access to pseudo terminal devices could use this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM
linux-image-3.13.0-164-generic - 3.13.0-164.214~precise1
linux-image-3.13.0-164-generic-lpae - 3.13.0-164.214~precise1
linux-image-generic-lpae-lts-trusty - 3.13.0.164.154
linux-image-generic-lts-trusty - 3.13.0.164.154

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3849-1: Linux kernel vulnerabilities

3 weeks 5 days ago
linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
Details

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux kernel. A local attacker with access to pseudo terminal devices could use this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
linux-image-3.13.0-164-generic - 3.13.0-164.214
linux-image-3.13.0-164-generic-lpae - 3.13.0-164.214
linux-image-3.13.0-164-lowlatency - 3.13.0-164.214
linux-image-3.13.0-164-powerpc-e500 - 3.13.0-164.214
linux-image-3.13.0-164-powerpc-e500mc - 3.13.0-164.214
linux-image-3.13.0-164-powerpc-smp - 3.13.0-164.214
linux-image-3.13.0-164-powerpc64-emb - 3.13.0-164.214
linux-image-3.13.0-164-powerpc64-smp - 3.13.0-164.214
linux-image-generic - 3.13.0.164.174
linux-image-generic-lpae - 3.13.0.164.174
linux-image-lowlatency - 3.13.0.164.174
linux-image-powerpc-e500 - 3.13.0.164.174
linux-image-powerpc-e500mc - 3.13.0.164.174
linux-image-powerpc-smp - 3.13.0.164.174
linux-image-powerpc64-emb - 3.13.0.164.174
linux-image-powerpc64-smp - 3.13.0.164.174

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3848-1: Linux kernel vulnerabilities

3 weeks 5 days ago
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1039-kvm - 4.4.0-1039.45
linux-image-4.4.0-1074-aws - 4.4.0-1074.84
linux-image-4.4.0-1102-raspi2 - 4.4.0-1102.110
linux-image-4.4.0-1106-snapdragon - 4.4.0-1106.111
linux-image-4.4.0-141-generic - 4.4.0-141.167
linux-image-4.4.0-141-generic-lpae - 4.4.0-141.167
linux-image-4.4.0-141-lowlatency - 4.4.0-141.167
linux-image-4.4.0-141-powerpc-e500mc - 4.4.0-141.167
linux-image-4.4.0-141-powerpc-smp - 4.4.0-141.167
linux-image-4.4.0-141-powerpc64-emb - 4.4.0-141.167
linux-image-4.4.0-141-powerpc64-smp - 4.4.0-141.167
linux-image-aws - 4.4.0.1074.76
linux-image-generic - 4.4.0.141.147
linux-image-generic-lpae - 4.4.0.141.147
linux-image-kvm - 4.4.0.1039.38
linux-image-lowlatency - 4.4.0.141.147
linux-image-powerpc-e500mc - 4.4.0.141.147
linux-image-powerpc-smp - 4.4.0.141.147
linux-image-powerpc64-emb - 4.4.0.141.147
linux-image-powerpc64-smp - 4.4.0.141.147
linux-image-raspi2 - 4.4.0.1102.102
linux-image-snapdragon - 4.4.0.1106.98

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3847-3: Linux kernel (Azure) vulnerabilities

3 weeks 5 days ago
linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
Details

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS
linux-image-4.15.0-1036-azure - 4.15.0-1036.38~14.04.2
linux-image-azure - 4.15.0.1036.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-3847-2: Linux kernel (HWE) vulnerabilities

3 weeks 5 days ago
linux-hwe, linux-aws-hwe, linux-azure, linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1026-gcp - 4.15.0-1026.27~16.04.1
linux-image-4.15.0-1031-aws - 4.15.0-1031.33~16.04.1
linux-image-4.15.0-1036-azure - 4.15.0-1036.38~16.04.1
linux-image-4.15.0-43-generic - 4.15.0-43.46~16.04.1
linux-image-4.15.0-43-generic-lpae - 4.15.0-43.46~16.04.1
linux-image-4.15.0-43-lowlatency - 4.15.0-43.46~16.04.1
linux-image-aws-hwe - 4.15.0.1031.32
linux-image-azure - 4.15.0.1036.41
linux-image-gcp - 4.15.0.1026.40
linux-image-generic-hwe-16.04 - 4.15.0.43.64
linux-image-generic-lpae-hwe-16.04 - 4.15.0.43.64
linux-image-gke - 4.15.0.1026.40
linux-image-lowlatency-hwe-16.04 - 4.15.0.43.64

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

USN-3847-1: Linux kernel vulnerabilities

3 weeks 5 days ago
linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM processors
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1026-gcp - 4.15.0-1026.27
linux-image-4.15.0-1028-kvm - 4.15.0-1028.28
linux-image-4.15.0-1030-oem - 4.15.0-1030.35
linux-image-4.15.0-1030-raspi2 - 4.15.0-1030.32
linux-image-4.15.0-1031-aws - 4.15.0-1031.33
linux-image-4.15.0-1036-azure - 4.15.0-1036.38
linux-image-4.15.0-43-generic - 4.15.0-43.46
linux-image-4.15.0-43-generic-lpae - 4.15.0-43.46
linux-image-4.15.0-43-lowlatency - 4.15.0-43.46
linux-image-4.15.0-43-snapdragon - 4.15.0-43.46
linux-image-aws - 4.15.0.1031.30
linux-image-azure - 4.15.0.1036.36
linux-image-gcp - 4.15.0.1026.28
linux-image-generic - 4.15.0.43.45
linux-image-generic-lpae - 4.15.0.43.45
linux-image-gke - 4.15.0.1026.28
linux-image-kvm - 4.15.0.1028.28
linux-image-lowlatency - 4.15.0.43.45
linux-image-oem - 4.15.0.1030.35
linux-image-raspi2 - 4.15.0.1030.28
linux-image-snapdragon - 4.15.0.43.45

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

USN-3846-1: Linux kernel vulnerability

3 weeks 5 days ago
linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.10
Summary

The system could be made to expose sensitive information.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
Details

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
linux-image-4.18.0-1005-gcp - 4.18.0-1005.6
linux-image-4.18.0-1006-kvm - 4.18.0-1006.6
linux-image-4.18.0-1007-aws - 4.18.0-1007.9
linux-image-4.18.0-1007-azure - 4.18.0-1007.7
linux-image-4.18.0-1008-raspi2 - 4.18.0-1008.10
linux-image-4.18.0-13-generic - 4.18.0-13.14
linux-image-4.18.0-13-generic-lpae - 4.18.0-13.14
linux-image-4.18.0-13-lowlatency - 4.18.0-13.14
linux-image-4.18.0-13-snapdragon - 4.18.0-13.14
linux-image-aws - 4.18.0.1007.7
linux-image-azure - 4.18.0.1007.8
linux-image-gcp - 4.18.0.1005.5
linux-image-generic - 4.18.0.13.14
linux-image-generic-lpae - 4.18.0.13.14
linux-image-gke - 4.18.0.1005.5
linux-image-kvm - 4.18.0.1006.6
linux-image-lowlatency - 4.18.0.13.14
linux-image-raspi2 - 4.18.0.1008.5
linux-image-snapdragon - 4.18.0.13.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References