Ubuntu

openjpeg2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in OpenJPEG.

Software Description

• openjpeg2 - JPEG 2000 image compression/decompression library

Details

It was discovered that OpenJPEG incorrectly handled certain PGX files. An attacker could possibly use this issue to cause a denial of service or possibly remote code execution. (CVE-2017-17480)

It was discovered that OpenJPEG incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-14423)

It was discovered that OpenJPEG incorrectly handled certain PNM files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-18088)

It was discovered that OpenJPEG incorrectly handled certain BMP files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-5785, CVE-2018-6616)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

libopenjp2-7 - 2.3.0-2build0.18.04.1

libopenjp3d7 - 2.3.0-2build0.18.04.1

libopenjpip7 - 2.3.0-2build0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-17480
• CVE-2018-14423
• CVE-2018-18088
• CVE-2018-5785
• CVE-2018-6616

libzstd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Zstandard could be made to execute arbitrary code if it received specially crafted input.

Software Description

• libzstd - fast lossless compression algorithm – development files

Details

It was discovered that Zstandard incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

libzstd1 - 1.3.3+dfsg-2ubuntu1.1

zstd - 1.3.3+dfsg-2ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-11922

giflib vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in GIFLIB.

Software Description

• giflib - library for GIF images (utilities)

Details

It was discovered that GIFLIB incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2016-3977)

It was discovered that GIFLIB incorrectly handled certain GIF files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-11490, CVE-2019-15133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

giflib-tools - 5.1.4-3ubuntu0.1

libgif7 - 5.1.4-3ubuntu0.1

Ubuntu 18.04 LTS

giflib-tools - 5.1.4-2ubuntu0.1

libgif7 - 5.1.4-2ubuntu0.1

Ubuntu 16.04 LTS

giflib-tools - 5.1.4-0.3~16.04.1

libgif7 - 5.1.4-0.3~16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2016-3977
• CVE-2018-11490
• CVE-2019-15133

NLTK vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

NLTK could be made to overwrite files.

Software Description

• nltk - Python libraries for natural language processing

Details

Mike Salvatore discovered that NLTK mishandled crafted ZIP archives during extraction. A remote attacker could use this vulnerability to write arbitrary files to the filesystem

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

python-nltk - 3.4-1ubuntu0.1

python3-nltk - 3.4-1ubuntu0.1

Ubuntu 18.04 LTS

python-nltk - 3.2.5-1ubuntu0.1

python3-nltk - 3.2.5-1ubuntu0.1

Ubuntu 16.04 LTS

python-nltk - 3.1-1ubuntu0.1

python3-nltk - 3.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-14751

cups vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in CUPS.

Software Description

• cups - Common UNIX Printing System™

Details

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled encoded ASN.1 inputs. A remote attacker could possibly use this issue to cause CUPS to crash by providing specially crafted network traffic. (CVE-2019-8696, CVE-2019-8675)

It was discovered that CUPS did not properly handle client disconnection events. A local attacker could possibly use this issue to cause a denial of service or disclose memory from the CUPS server.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

cups - 2.2.10-4ubuntu2.1

Ubuntu 18.04 LTS

cups - 2.2.7-1ubuntu2.7

Ubuntu 16.04 LTS

cups - 2.1.3-4ubuntu0.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-8675
• CVE-2019-8696

nova vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Nova could be made to expose sensitive information.

Software Description

• nova - OpenStack Compute cloud infrastructure

Details

Donny Davis discovered that the Nova Compute service could return configuration or other information in response to a failed API request in some situations. A remote attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

nova-compute - 2:19.0.1-0ubuntu2.1

python3-nova - 2:19.0.1-0ubuntu2.1

Ubuntu 18.04 LTS

nova-compute - 2:17.0.10-0ubuntu2.1

python-nova - 2:17.0.10-0ubuntu2.1

Ubuntu 16.04 LTS

nova-compute - 2:13.1.4-0ubuntu4.5

python-nova - 2:13.1.4-0ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-14433

Docker vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Docker could be made to crash or run programs as your login.

Software Description

• docker.io - Linux container runtime

Details

Jasiel Spelman discovered that a double free existed in the docker-credential- helpers dependency of Docker. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code.

Original advisory details:

Jasiel Spelman discovered that a double free existed in docker-credential- helpers. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

docker.io - 18.09.7-0ubuntu1~19.04.5

Ubuntu 18.04 LTS

docker.io - 18.09.7-0ubuntu1~18.04.4

Ubuntu 16.04 LTS

docker.io - 18.09.7-0ubuntu1~16.04.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4103-1
• CVE-2019-1020014

docker-credential-helpers vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04

Summary

docker-credential-helpers could be made to crash or run programs as your login

Software Description

• golang-github-docker-docker-credential-helpers - Use native stores to safeguard Docker credentials

Details

Jasiel Spelman discovered that a double free existed in docker-credential- helpers. A local attacker could use this to cause a denial of service (crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

golang-docker-credential-helpers - 0.6.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-1020014

openldap vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in OpenLDAP.

Software Description

• openldap - OpenLDAP utilities

Details

USN-4078-1 fixed several vulnerabilities in openldap. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that OpenLDAP incorrectly handled rootDN delegation. A database administrator could use this issue to request authorization as an identity from another database, contrary to expectations. (CVE-2019-13057)

It was discovered that OpenLDAP incorrectly handled SASL authentication and session encryption. After a first SASL bind was completed, it was possible to obtain access by performing simple binds, contrary to expectations. (CVE-2019-13565)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

slapd - 2.4.31-1+nmu2ubuntu8.5+esm1

Ubuntu 12.04 ESM

slapd - 2.4.28-1.1ubuntu4.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4078-1
• CVE-2019-13057
• CVE-2019-13565

libreoffice vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in LibreOffice.

Software Description

• libreoffice - Office productivity suite

Details

It was discovered that LibreOffice incorrectly handled LibreLogo scripts. If a user were tricked into opening a specially crafted document, a remote attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850, CVE-2019-9851)

It was discovered that LibreOffice incorrectly handled embedded scripts in document files. If a user were tricked into opening a specially crafted document, a remote attacker could possibly execute arbitrary code. (CVE-2019-9852)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

libreoffice-core - 1:6.2.6-0ubuntu0.19.04.1

Ubuntu 18.04 LTS

libreoffice-core - 1:6.0.7-0ubuntu0.18.04.9

Ubuntu 16.04 LTS

libreoffice-core - 1:5.1.6~rc2-0ubuntu1~xenial9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibreOffice to make all the necessary changes.

References

• CVE-2019-9850
• CVE-2019-9851
• CVE-2019-9852

kconfig, kde4libs vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

KConfig and KDE libraries could be made to crash or run programs if it opened a specially crafted file.

Software Description

• kconfig - configuration settings framework for Qt
• kde4libs - KDE 4 core applications and libraries

Details

It was discovered that KConfig and KDE libraries have a vulnerability where an attacker could hide malicious code under desktop and configuration files. (CVE-2019-14744)

It was discovered that KConfig allows remote attackers to write to arbitrary files via a ../ in a filename in an archive file. (CVE-2016-6232)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

libkdecore5 - 4:4.14.38-0ubuntu6.1

libkf5configcore5 - 5.56.0-0ubuntu1.1

Ubuntu 18.04 LTS

libkdecore5 - 4:4.14.38-0ubuntu3.1

libkf5configcore5 - 5.44.0-0ubuntu1.1

Ubuntu 16.04 LTS

libkdecore5 - 4:4.14.16-0ubuntu3.3

libkf5configcore5 - 5.18.0-0ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2016-6232
• CVE-2019-14744

firefox vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

A local attacker could obtain saved passwords.

Software Description

• firefox - Mozilla Open Source web browser

Details

It was discovered that passwords could be copied to the clipboard from the "Saved Logins" dialog without entering the master password, even when a master password has been set. A local attacker could potentially exploit this to obtain saved passwords.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

firefox - 68.0.2+build1-0ubuntu0.19.04.1

Ubuntu 18.04 LTS

firefox - 68.0.2+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

firefox - 68.0.2+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

References

• CVE-2019-11733

nginx vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

nginx could be made to crash if it received specially crafted network traffic.

Software Description

• nginx - small, powerful, scalable web/proxy server

Details

Jonathan Looney discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

nginx-common - 1.15.9-0ubuntu1.1

nginx-core - 1.15.9-0ubuntu1.1

nginx-extras - 1.15.9-0ubuntu1.1

nginx-full - 1.15.9-0ubuntu1.1

nginx-light - 1.15.9-0ubuntu1.1

Ubuntu 18.04 LTS

nginx-common - 1.14.0-0ubuntu1.4

nginx-core - 1.14.0-0ubuntu1.4

nginx-extras - 1.14.0-0ubuntu1.4

nginx-full - 1.14.0-0ubuntu1.4

nginx-light - 1.14.0-0ubuntu1.4

Ubuntu 16.04 LTS

nginx-common - 1.10.3-0ubuntu0.16.04.4

nginx-core - 1.10.3-0ubuntu0.16.04.4

nginx-extras - 1.10.3-0ubuntu0.16.04.4

nginx-full - 1.10.3-0ubuntu0.16.04.4

nginx-light - 1.10.3-0ubuntu0.16.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-9511
• CVE-2019-9513
• CVE-2019-9516

wpa vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS

Summary

wpa_supplicant and hostapd could be made to expose sensitive information over the network.

Software Description

• wpa - client support for WPA and WPA2

Details

It was discovered that wpa_supplicant and hostapd were vulnerable to a side channel attack against EAP-pwd. A remote attacker could possibly use this issue to recover certain passwords.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

hostapd - 2:2.6-21ubuntu3.2

wpasupplicant - 2:2.6-21ubuntu3.2

Ubuntu 18.04 LTS

hostapd - 2:2.6-15ubuntu2.4

wpasupplicant - 2:2.6-15ubuntu2.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

• CVE-2019-13377

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

PHP could be made to crash or execute arbitrary code if it received specially crafted image.

Software Description

• php5 - HTML-embedded scripting language interpreter

Details

USN-4097-1 fixed several vulnerabilities in php5. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2019-11041, CVE-2019-11042)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm5

php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm5

php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm5

php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm5

php5-xmlrpc - 5.5.9+dfsg-1ubuntu4.29+esm5

Ubuntu 12.04 ESM

libapache2-mod-php5 - 5.3.10-1ubuntu3.39

php5-cgi - 5.3.10-1ubuntu3.39

php5-cli - 5.3.10-1ubuntu3.39

php5-fpm - 5.3.10-1ubuntu3.39

php5-xmlrpc - 5.3.10-1ubuntu3.39

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4097-1
• CVE-2019-11041
• CVE-2019-11042

php7.0, php7.2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

PHP could be made to crash or execute arbitrary code if it received specially crafted image.

Software Description

• php7.2 - HTML-embedded scripting language interpreter
• php7.0 - HTML-embedded scripting language interpreter

Details

It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2019-11041, CVE-2019-11042)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

libapache2-mod-php7.2 - 7.2.19-0ubuntu0.19.04.2

php7.2-cgi - 7.2.19-0ubuntu0.19.04.2

php7.2-cli - 7.2.19-0ubuntu0.19.04.2

php7.2-fpm - 7.2.19-0ubuntu0.19.04.2

php7.2-xmlrpc - 7.2.19-0ubuntu0.19.04.2

Ubuntu 18.04 LTS

libapache2-mod-php7.2 - 7.2.19-0ubuntu0.18.04.2

php7.2-cgi - 7.2.19-0ubuntu0.18.04.2

php7.2-cli - 7.2.19-0ubuntu0.18.04.2

php7.2-fpm - 7.2.19-0ubuntu0.18.04.2

php7.2-xmlrpc - 7.2.19-0ubuntu0.18.04.2

Ubuntu 16.04 LTS

libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.6

php7.0-cgi - 7.0.33-0ubuntu0.16.04.6

php7.0-cli - 7.0.33-0ubuntu0.16.04.6

php7.0-fpm - 7.0.33-0ubuntu0.16.04.6

php7.0-xmlrpc - 7.0.33-0ubuntu0.16.04.6

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-11041
• CVE-2019-11042

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.04
• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software Description

• thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass same-origin protections, or execute arbitrary code. (CVE-2019-18511, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-9797, CVE-2019-9800, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820)

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2019-5798, CVE-2019-7317)

A type confusion bug was discovered with object groups and UnboxedObjects. If a user were tricked in to opening a specially crafted website in a browsing context after enabling the UnboxedObjects feature, an attacker could potentially exploit this to bypass security checks. (CVE-2019-9816)

It was discovered that history data could be exposed via drag and drop of hyperlinks to and from bookmarks. If a user were tricked in to dragging a specially crafted hyperlink to a bookmark toolbar or sidebar, and subsequently back in to the web content area, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11698)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04

thunderbird - 1:60.7.0+build1-0ubuntu0.19.04.1

Ubuntu 18.10

thunderbird - 1:60.7.0+build1-0ubuntu0.18.10.1

Ubuntu 18.04 LTS

thunderbird - 1:60.7.0+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

thunderbird - 1:60.7.0+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make all the necessary changes.

References

• CVE-2018-18511
• CVE-2019-11691
• CVE-2019-11692
• CVE-2019-11693
• CVE-2019-11698
• CVE-2019-5798
• CVE-2019-7317
• CVE-2019-9797
• CVE-2019-9800
• CVE-2019-9816
• CVE-2019-9817
• CVE-2019-9819
• CVE-2019-9820

keepalived vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Keepalived could be made to crash or run programs if it received specially crafted network traffic.

Software Description

• keepalived - Failover and monitoring daemon for LVS clusters

Details

USN-3995-1 fixed a vulnerability in keepalived. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that Keepalived incorrectly handled certain HTTP status response codes. A remote attacker could use this issue to cause Keepalived to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

keepalived - 1:1.2.7-1ubuntu1+esm1

Ubuntu 12.04 ESM

keepalived - 1:1.2.2-3ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-3995-1
• CVE-2018-19115

freerdp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in FreeRDP.

Software Description

• freerdp - RDP client for Windows Terminal Services

Details

USN-3845-1 fixed several vulnerabilities in FreeRDP. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 18.10.

Original advisory details:

Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applies to Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8784, CVE-2018-8785)

Eyal Itkin discovered FreeRDP incorrectly handled bitmaps. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-8786, CVE-2018-8787)

Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applies to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8788)

Eyal Itkin discovered FreeRDP incorrectly handled NTLM authentication. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applies to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8789)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

libfreerdp-client1.1 - 1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.10.1

Ubuntu 18.04 LTS

libfreerdp-client1.1 - 1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-3845-1
• CVE-2018-8786
• CVE-2018-8787
• CVE-2018-8788
• CVE-2018-8789

keepalived vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Keepalived could be made to crash or run programs if it received specially crafted network traffic.

Software Description

• keepalived - Failover and monitoring daemon for LVS clusters

Details

It was discovered that Keepalived incorrectly handled certain HTTP status response codes. A remote attacker could use this issue to cause Keepalived to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

keepalived - 1:1.3.9-1ubuntu1.1

Ubuntu 18.04 LTS

keepalived - 1:1.3.9-1ubuntu0.18.04.2

Ubuntu 16.04 LTS

keepalived - 1:1.2.24-1ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-19115