Ubuntu

USN-4375-1: PHP vulnerability

5 hours 33 minutes ago
php5, php7.0, php7.2, php7.3, php7.4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

PHP could be made to crash if it received a specially crafted file.

Software Description
  • php7.4 - server-side, HTML-embedded scripting language (metapackage)
  • php7.3 - server-side, HTML-embedded scripting language (metapackage)
  • php7.2 - HTML-embedded scripting language interpreter
  • php7.0 - HTML-embedded scripting language interpreter
  • php5 - HTML-embedded scripting language interpreter
Details

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libapache2-mod-php7.4 - 7.4.3-4ubuntu2.2
php7.4-cgi - 7.4.3-4ubuntu2.2
php7.4-cli - 7.4.3-4ubuntu2.2
php7.4-fpm - 7.4.3-4ubuntu2.2
php7.4-mbstring - 7.4.3-4ubuntu2.2
Ubuntu 19.10
libapache2-mod-php7.3 - 7.3.11-0ubuntu0.19.10.6
php7.3-cgi - 7.3.11-0ubuntu0.19.10.6
php7.3-cli - 7.3.11-0ubuntu0.19.10.6
php7.3-fpm - 7.3.11-0ubuntu0.19.10.6
php7.3-mbstring - 7.3.11-0ubuntu0.19.10.6
Ubuntu 18.04 LTS
libapache2-mod-php7.2 - 7.2.24-0ubuntu0.18.04.6
php7.2-cgi - 7.2.24-0ubuntu0.18.04.6
php7.2-cli - 7.2.24-0ubuntu0.18.04.6
php7.2-fpm - 7.2.24-0ubuntu0.18.04.6
php7.2-mbstring - 7.2.24-0ubuntu0.18.04.6
Ubuntu 16.04 LTS
libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.15
php7.0-cgi - 7.0.33-0ubuntu0.16.04.15
php7.0-cli - 7.0.33-0ubuntu0.16.04.15
php7.0-fpm - 7.0.33-0ubuntu0.16.04.15
php7.0-mbstring - 7.0.33-0ubuntu0.16.04.15
Ubuntu 14.04 ESM
libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm12
php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm12
php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm12
php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm12
Ubuntu 12.04 ESM
libapache2-mod-php5 - 5.3.10-1ubuntu3.47
php5-cgi - 5.3.10-1ubuntu3.47
php5-cli - 5.3.10-1ubuntu3.47
php5-fpm - 5.3.10-1ubuntu3.47

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
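The update instructions in these notices reduce to one check: the installed version of each listed package must not be older than the fixed version. As an added example, not Ubuntu's own code or tooling, the Python below ports dpkg's version-comparison rules (epoch first, then the upstream part, then the Debian revision after the last hyphen, with `~` sorting before everything including the end of the string) and runs a host's package list against fixed versions taken from the notices on this page; the installed versions are constructed sample data, and the check generalises to any USN package list.

```python
# Port of dpkg's version ordering (verrevcmp/order), used to tell whether an
# installed package is older than the version a USN names as fixed.


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # Weight of one character in a non-numeric run, as in dpkg's order():
    # '~' < end-of-string (0) < letters < any other character.
    if c == "~":
        return -1
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        # Non-numeric run: compare character weights; a missing char weighs 0.
        while (i < la and not _isdigit(a[i])) or (j < lb and not _isdigit(b[j])):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros; longer run wins, else first digit diff.
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and _isdigit(a[i]):
            return 1
        if j < lb and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]'; the revision follows the last '-'."""
    epoch = 0
    rest = version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c != 0 else _verrevcmp(ra, rb)


def parse_dpkg_query(output):
    """Parse lines produced by: dpkg-query -W -f='${Package} ${Version}\\n'"""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unpatched(installed, fixed):
    """Packages on the host whose version is older than the USN's fixed version."""
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)


# Fixed versions copied from the Ubuntu 20.04 LTS lines of the notices above.
FIXED_20_04 = {
    "libapache2-mod-php7.4": "7.4.3-4ubuntu2.2",
    "php7.4-cli": "7.4.3-4ubuntu2.2",
    "php7.4-fpm": "7.4.3-4ubuntu2.2",
    "unbound": "1.9.4-2ubuntu1.1",
    "thunderbird": "1:68.8.0+build2-0ubuntu0.20.04.2",
    "clamav": "0.102.3+dfsg-0ubuntu0.20.04.1",
}

# Constructed dpkg-query output standing in for a real host (not real data).
SAMPLE_DPKG_QUERY = """\
libapache2-mod-php7.4 7.4.3-4ubuntu2.1
php7.4-cli 7.4.3-4ubuntu2.2
php7.4-fpm 7.4.3-4ubuntu1
unbound 1.9.4-2ubuntu1
thunderbird 1:68.7.0+build1-0ubuntu0.20.04.1
clamav 0.102.3+dfsg-0ubuntu0.20.04.1
"""


def sample_report():
    """Packages in the constructed sample that still need the USN update."""
    return unpatched(parse_dpkg_query(SAMPLE_DPKG_QUERY), FIXED_20_04)
```

On a real host, feed the output of `dpkg-query -W -f='${Package} ${Version}\n'` to `parse_dpkg_query` and cross-check any disagreement with `dpkg --compare-versions`.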

USN-4374-1: Unbound vulnerabilities

8 hours 14 minutes ago
unbound vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in Unbound.

Software Description
  • unbound - validating, recursive, caching DNS resolver
Details

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Unbound incorrectly handled certain queries. A remote attacker could use this issue to perform an amplification attack directed at a target. (CVE-2020-12662)

It was discovered that Unbound incorrectly handled certain malformed answers. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2020-12663)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libunbound8 - 1.9.4-2ubuntu1.1
unbound - 1.9.4-2ubuntu1.1
Ubuntu 19.10
libunbound8 - 1.9.0-2ubuntu1.1
unbound - 1.9.0-2ubuntu1.1
Ubuntu 18.04 LTS
libunbound2 - 1.6.7-1ubuntu2.3
unbound - 1.6.7-1ubuntu2.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4373-1: Thunderbird vulnerabilities

1 day 9 hours ago
thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Thunderbird.

Software Description
  • thunderbird - Mozilla Open Source mail and newsgroup client
Details

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12395)

It was discovered that the Devtools’ ‘Copy as cURL’ feature did not properly escape the HTTP POST data of a request. If a user were tricked into using the ‘Copy as cURL’ feature to copy and paste a command with specially crafted data into a terminal, an attacker could potentially exploit this to obtain sensitive information from local files. (CVE-2020-12392)

It was discovered that Thunderbird did not correctly handle Unicode whitespace characters within the From email header. An attacker could potentially exploit this to spoof the sender email address that Thunderbird displays. (CVE-2020-12397)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
thunderbird - 1:68.8.0+build2-0ubuntu0.20.04.2
Ubuntu 19.10
thunderbird - 1:68.8.0+build2-0ubuntu0.19.10.2
Ubuntu 18.04 LTS
thunderbird - 1:68.8.0+build2-0ubuntu0.18.04.2
Ubuntu 16.04 LTS
thunderbird - 1:68.8.0+build2-0ubuntu0.16.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make all the necessary changes.

USN-4367-1: Linux kernel vulnerabilities

3 days 21 hours ago
linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux-riscv vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi - Linux kernel for Raspberry Pi (V8) systems
  • linux-riscv - Linux kernel for RISC-V systems
Details

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377)

It was discovered that the Linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1011-aws - 5.4.0-1011.11
linux-image-5.4.0-1011-gcp - 5.4.0-1011.11
linux-image-5.4.0-1011-kvm - 5.4.0-1011.11
linux-image-5.4.0-1011-oracle - 5.4.0-1011.11
linux-image-5.4.0-1011-raspi - 5.4.0-1011.11
linux-image-5.4.0-1012-azure - 5.4.0-1012.12
linux-image-5.4.0-26-generic - 5.4.0-26.30
linux-image-5.4.0-31-generic - 5.4.0-31.35
linux-image-5.4.0-31-generic-lpae - 5.4.0-31.35
linux-image-5.4.0-31-lowlatency - 5.4.0-31.35
linux-image-aws - 5.4.0.1011.14
linux-image-azure - 5.4.0.1012.14
linux-image-gcp - 5.4.0.1011.12
linux-image-generic - 5.4.0.26.33
linux-image-generic-lpae - 5.4.0.31.36
linux-image-gke - 5.4.0.1011.12
linux-image-kvm - 5.4.0.1011.12
linux-image-lowlatency - 5.4.0.31.36
linux-image-oem - 5.4.0.31.36
linux-image-oem-osp1 - 5.4.0.31.36
linux-image-oracle - 5.4.0.1011.12
linux-image-raspi - 5.4.0.1011.11
linux-image-raspi2 - 5.4.0.1011.11
linux-image-virtual - 5.4.0.26.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4369-1: Linux kernel vulnerabilities

3 days 21 hours ago
linux, linux-aws, linux-aws-5.3, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
  • linux-aws-5.3 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-5.3 - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp-5.3 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-5.3 - Linux kernel for Google Container Engine (GKE) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-oracle-5.3 - Linux kernel for Oracle Cloud systems
Details

It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377)

Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the Linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
linux-image-5.3.0-1017-kvm - 5.3.0-1017.19
linux-image-5.3.0-1018-oracle - 5.3.0-1018.20
linux-image-5.3.0-1019-aws - 5.3.0-1019.21
linux-image-5.3.0-1020-gcp - 5.3.0-1020.22
linux-image-5.3.0-1022-azure - 5.3.0-1022.23
linux-image-5.3.0-1025-raspi2 - 5.3.0-1025.27
linux-image-5.3.0-53-generic - 5.3.0-53.47
linux-image-5.3.0-53-generic-lpae - 5.3.0-53.47
linux-image-5.3.0-53-lowlatency - 5.3.0-53.47
linux-image-5.3.0-53-snapdragon - 5.3.0-53.47
linux-image-aws - 5.3.0.1019.31
linux-image-azure - 5.3.0.1022.41
linux-image-gcp - 5.3.0.1020.31
linux-image-generic - 5.3.0.53.45
linux-image-generic-lpae - 5.3.0.53.45
linux-image-gke - 5.3.0.1020.31
linux-image-kvm - 5.3.0.1017.19
linux-image-lowlatency - 5.3.0.53.45
linux-image-oracle - 5.3.0.1018.33
linux-image-raspi2 - 5.3.0.1025.22
linux-image-snapdragon - 5.3.0.53.45
linux-image-virtual - 5.3.0.53.45
Ubuntu 18.04 LTS
linux-image-5.3.0-1018-oracle - 5.3.0-1018.20~18.04.1
linux-image-5.3.0-1019-aws - 5.3.0-1019.21~18.04.1
linux-image-5.3.0-1020-gcp - 5.3.0-1020.22~18.04.1
linux-image-5.3.0-1020-gke - 5.3.0-1020.22~18.04.1
linux-image-5.3.0-1022-azure - 5.3.0-1022.23~18.04.1
linux-image-5.3.0-53-generic - 5.3.0-53.47~18.04.1
linux-image-5.3.0-53-generic-lpae - 5.3.0-53.47~18.04.1
linux-image-5.3.0-53-lowlatency - 5.3.0-53.47~18.04.1
linux-image-aws - 5.3.0.1019.20
linux-image-aws-edge - 5.3.0.1019.20
linux-image-azure - 5.3.0.1022.22
linux-image-azure-edge - 5.3.0.1022.22
linux-image-gcp - 5.3.0.1020.19
linux-image-gcp-edge - 5.3.0.1020.19
linux-image-generic-hwe-18.04 - 5.3.0.53.109
linux-image-generic-lpae-hwe-18.04 - 5.3.0.53.109
linux-image-gke-5.3 - 5.3.0.1020.10
linux-image-gkeop-5.3 - 5.3.0.53.109
linux-image-lowlatency-hwe-18.04 - 5.3.0.53.109
linux-image-oracle - 5.3.0.1018.19
linux-image-snapdragon-hwe-18.04 - 5.3.0.53.109
linux-image-virtual-hwe-18.04 - 5.3.0.53.109

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4370-2: ClamAV vulnerabilities

6 days 4 hours ago
clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in ClamAV.

Software Description
  • clamav - Anti-virus utility for Unix
Details

USN-4370-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327)

It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3341)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
clamav - 0.102.3+dfsg-0ubuntu0.14.04.1+esm1
Ubuntu 12.04 ESM
clamav - 0.102.3+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

USN-4372-1: QEMU vulnerabilities

6 days 6 hours ago
qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in QEMU.

Software Description
  • qemu - Machine emulator and virtualizer
Details

It was discovered that QEMU incorrectly handled bochs-display devices. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. This issue only affected Ubuntu 19.10. (CVE-2019-15034)

It was discovered that QEMU incorrectly handled memory during certain VNC operations. A remote attacker could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-20382)

It was discovered that QEMU incorrectly generated QEMU Pointer Authentication signatures on ARM. A local attacker could possibly use this issue to bypass PAuth. This issue only affected Ubuntu 19.10. (CVE-2020-10702)

Ziming Zhang discovered that QEMU incorrectly handled ATI VGA emulation. A local attacker in a guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-11869)

Aviv Sasson discovered that QEMU incorrectly handled Slirp networking. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2020-1983)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
qemu - 1:4.2-3ubuntu6.1
qemu-system - 1:4.2-3ubuntu6.1
qemu-system-arm - 1:4.2-3ubuntu6.1
qemu-system-mips - 1:4.2-3ubuntu6.1
qemu-system-ppc - 1:4.2-3ubuntu6.1
qemu-system-s390x - 1:4.2-3ubuntu6.1
qemu-system-sparc - 1:4.2-3ubuntu6.1
qemu-system-x86 - 1:4.2-3ubuntu6.1
Ubuntu 19.10
qemu - 1:4.0+dfsg-0ubuntu9.6
qemu-system - 1:4.0+dfsg-0ubuntu9.6
qemu-system-arm - 1:4.0+dfsg-0ubuntu9.6
qemu-system-mips - 1:4.0+dfsg-0ubuntu9.6
qemu-system-ppc - 1:4.0+dfsg-0ubuntu9.6
qemu-system-s390x - 1:4.0+dfsg-0ubuntu9.6
qemu-system-sparc - 1:4.0+dfsg-0ubuntu9.6
qemu-system-x86 - 1:4.0+dfsg-0ubuntu9.6
Ubuntu 18.04 LTS
qemu - 1:2.11+dfsg-1ubuntu7.26
qemu-system - 1:2.11+dfsg-1ubuntu7.26
qemu-system-arm - 1:2.11+dfsg-1ubuntu7.26
qemu-system-mips - 1:2.11+dfsg-1ubuntu7.26
qemu-system-ppc - 1:2.11+dfsg-1ubuntu7.26
qemu-system-s390x - 1:2.11+dfsg-1ubuntu7.26
qemu-system-sparc - 1:2.11+dfsg-1ubuntu7.26
qemu-system-x86 - 1:2.11+dfsg-1ubuntu7.26
Ubuntu 16.04 LTS
qemu - 1:2.5+dfsg-5ubuntu10.44
qemu-system - 1:2.5+dfsg-5ubuntu10.44
qemu-system-aarch64 - 1:2.5+dfsg-5ubuntu10.44
qemu-system-arm - 1:2.5+dfsg-5ubuntu10.44
qemu-system-mips - 1:2.5+dfsg-5ubuntu10.44
qemu-system-ppc - 1:2.5+dfsg-5ubuntu10.44
qemu-system-s390x - 1:2.5+dfsg-5ubuntu10.44
qemu-system-sparc - 1:2.5+dfsg-5ubuntu10.44
qemu-system-x86 - 1:2.5+dfsg-5ubuntu10.44

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes.

USN-4371-1: libvirt vulnerabilities

6 days 6 hours ago
libvirt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in libvirt.

Software Description
  • libvirt - Libvirt virtualization toolkit
Details

It was discovered that libvirt incorrectly handled an active pool without a target path. A remote attacker could possibly use this issue to cause libvirt to crash, resulting in a denial of service. (CVE-2020-10703)

It was discovered that libvirt incorrectly handled memory when retrieving certain domain statistics. A remote attacker could possibly use this issue to cause libvirt to consume resources, resulting in a denial of service. This issue only affected Ubuntu 19.10. (CVE-2020-12430)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libvirt-clients - 5.4.0-0ubuntu5.4
libvirt-daemon - 5.4.0-0ubuntu5.4
libvirt0 - 5.4.0-0ubuntu5.4
Ubuntu 18.04 LTS
libvirt-clients - 4.0.0-1ubuntu8.17
libvirt-daemon - 4.0.0-1ubuntu8.17
libvirt0 - 4.0.0-1ubuntu8.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

USN-4370-1: ClamAV vulnerabilities

6 days 6 hours ago
clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in ClamAV.

Software Description
  • clamav - Anti-virus utility for Unix
Details

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327)

It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3341)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
clamav - 0.102.3+dfsg-0ubuntu0.20.04.1
Ubuntu 19.10
clamav - 0.102.3+dfsg-0ubuntu0.19.10.1
Ubuntu 18.04 LTS
clamav - 0.102.3+dfsg-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
clamav - 0.102.3+dfsg-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

USN-4363-1: Linux kernel vulnerabilities

6 days 19 hours ago
linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM systems
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the Linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

David Gibson discovered that the Linux kernel on Power9 CPUs did not properly save and restore the state of the Authority Mask registers in some situations. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2020-11669)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-101-generic - 4.15.0-101.102
linux-image-4.15.0-101-generic-lpae - 4.15.0-101.102
linux-image-4.15.0-101-lowlatency - 4.15.0-101.102
linux-image-4.15.0-1039-oracle - 4.15.0-1039.43
linux-image-4.15.0-1059-gke - 4.15.0-1059.62
linux-image-4.15.0-1060-kvm - 4.15.0-1060.61
linux-image-4.15.0-1062-raspi2 - 4.15.0-1062.66
linux-image-4.15.0-1067-aws - 4.15.0-1067.71
linux-image-4.15.0-1079-snapdragon - 4.15.0-1079.86
linux-image-4.15.0-1081-oem - 4.15.0-1081.91
linux-image-aws-lts-18.04 - 4.15.0.1067.70
linux-image-generic - 4.15.0.101.91
linux-image-generic-lpae - 4.15.0.101.91
linux-image-gke - 4.15.0.1059.63
linux-image-gke-4.15 - 4.15.0.1059.63
linux-image-kvm - 4.15.0.1060.60
linux-image-lowlatency - 4.15.0.101.91
linux-image-oem - 4.15.0.1081.85
linux-image-oracle-lts-18.04 - 4.15.0.1039.48
linux-image-powerpc-e500mc - 4.15.0.101.91
linux-image-powerpc-smp - 4.15.0.101.91
linux-image-powerpc64-emb - 4.15.0.101.91
linux-image-powerpc64-smp - 4.15.0.101.91
linux-image-raspi2 - 4.15.0.1062.60
linux-image-snapdragon - 4.15.0.1079.82
linux-image-virtual - 4.15.0.101.91
Ubuntu 16.04 LTS
linux-image-4.15.0-101-generic - 4.15.0-101.102~16.04.1
linux-image-4.15.0-101-generic-lpae - 4.15.0-101.102~16.04.1
linux-image-4.15.0-101-lowlatency - 4.15.0-101.102~16.04.1
linux-image-4.15.0-1039-oracle - 4.15.0-1039.43~16.04.1
linux-image-4.15.0-1067-aws - 4.15.0-1067.71~16.04.1
linux-image-4.15.0-1071-gcp - 4.15.0-1071.81~16.04.1
linux-image-aws-hwe - 4.15.0.1067.67
linux-image-gcp - 4.15.0.1071.77
linux-image-generic-hwe-16.04 - 4.15.0.101.108
linux-image-generic-lpae-hwe-16.04 - 4.15.0.101.108
linux-image-gke - 4.15.0.1071.77
linux-image-lowlatency-hwe-16.04 - 4.15.0.101.108
linux-image-oem - 4.15.0.101.108
linux-image-oracle - 4.15.0.1039.32
linux-image-virtual-hwe-16.04 - 4.15.0.101.108

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4365-2: Bind vulnerabilities

1 week ago
bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in Bind.

Software Description
  • bind9 - Internet Domain Name Server
Details

USN-4365-1 fixed several vulnerabilities in Bind. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616)

Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks. (CVE-2020-8617)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
bind9 - 1:9.9.5.dfsg-3ubuntu0.19+esm2
Ubuntu 12.04 ESM
bind9 - 1:9.8.1.dfsg.P1-4ubuntu0.30

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

LSN-0067-1: Kernel Live Patch Security Notice

1 week ago
Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-oem - Linux kernel for OEM systems
Details

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

Update instructions

The problem can be corrected by updating your kernel livepatch to the following versions:

Ubuntu 18.04 LTS
aws - 67.1
azure - 67.1
gcp - 67.1
generic - 67.1
lowlatency - 67.1
oem - 67.1
Ubuntu 16.04 LTS
aws - 67.1
generic - 67.1
lowlatency - 67.1
Support Information

Kernels older than the levels listed below do not receive livepatch updates. If you are running a kernel version earlier than the one listed below, please upgrade your kernel as soon as possible.

Ubuntu 18.04 LTS
linux - 4.15.0-69
linux-aws - 4.15.0-1054
linux-azure - 5.0.0-1025
linux-gcp - 5.0.0-1025
linux-oem - 4.15.0-1063
Ubuntu 20.04 LTS
linux - 5.4.0-26
linux-aws - 5.4.0-1009
linux-azure - 5.4.0-1010
linux-gcp - 5.4.0-1009
linux-oem - 5.4.0-26
Ubuntu 16.04 LTS
linux - 4.4.0-168
linux-aws - 4.4.0-1098
linux-azure - 4.15.0-1063
linux-hwe - 4.15.0-69
Ubuntu 14.04 ESM
linux-lts-xenial - 4.4.0-168

USN-4364-1: Linux kernel vulnerabilities

1 week 1 day ago
linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi (V7) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19060)

It was discovered that the vhost net driver in the Linux kernel contained a stack buffer overflow. A local attacker with the ability to perform ioctl() calls on /dev/vhost-net could use this to cause a denial of service (system crash). (CVE-2020-10942)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the Linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1071-kvm - 4.4.0-1071.78
linux-image-4.4.0-1107-aws - 4.4.0-1107.118
linux-image-4.4.0-1133-raspi2 - 4.4.0-1133.142
linux-image-4.4.0-1137-snapdragon - 4.4.0-1137.145
linux-image-4.4.0-179-generic - 4.4.0-179.209
linux-image-4.4.0-179-generic-lpae - 4.4.0-179.209
linux-image-4.4.0-179-lowlatency - 4.4.0-179.209
linux-image-4.4.0-179-powerpc-e500mc - 4.4.0-179.209
linux-image-4.4.0-179-powerpc-smp - 4.4.0-179.209
linux-image-4.4.0-179-powerpc64-emb - 4.4.0-179.209
linux-image-4.4.0-179-powerpc64-smp - 4.4.0-179.209
linux-image-aws - 4.4.0.1107.111
linux-image-generic - 4.4.0.179.187
linux-image-generic-lpae - 4.4.0.179.187
linux-image-kvm - 4.4.0.1071.71
linux-image-lowlatency - 4.4.0.179.187
linux-image-powerpc-e500mc - 4.4.0.179.187
linux-image-powerpc-smp - 4.4.0.179.187
linux-image-powerpc64-emb - 4.4.0.179.187
linux-image-powerpc64-smp - 4.4.0.179.187
linux-image-raspi2 - 4.4.0.1133.133
linux-image-snapdragon - 4.4.0.1137.129
linux-image-virtual - 4.4.0.179.187
Ubuntu 14.04 ESM
linux-image-4.4.0-1067-aws - 4.4.0-1067.71
linux-image-4.4.0-179-generic - 4.4.0-179.209~14.04.1+signed1
linux-image-4.4.0-179-generic-lpae - 4.4.0-179.209~14.04.1
linux-image-4.4.0-179-lowlatency - 4.4.0-179.209~14.04.1+signed1
linux-image-4.4.0-179-powerpc-e500mc - 4.4.0-179.209~14.04.1
linux-image-4.4.0-179-powerpc-smp - 4.4.0-179.209~14.04.1
linux-image-4.4.0-179-powerpc64-emb - 4.4.0-179.209~14.04.1
linux-image-4.4.0-179-powerpc64-smp - 4.4.0-179.209~14.04.1
linux-image-aws - 4.4.0.1067.68
linux-image-generic-lpae-lts-xenial - 4.4.0.179.158
linux-image-generic-lts-xenial - 4.4.0.179.158
linux-image-lowlatency-lts-xenial - 4.4.0.179.158
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.179.158
linux-image-powerpc-smp-lts-xenial - 4.4.0.179.158
linux-image-powerpc64-emb-lts-xenial - 4.4.0.179.158
linux-image-powerpc64-smp-lts-xenial - 4.4.0.179.158
linux-image-virtual-lts-xenial - 4.4.0.179.158

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change, the kernel updates have been given a new version number, which requires you to recompile and reinstall all third-party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4368-1: Linux kernel vulnerabilities

1 week 1 day ago
linux-gke-5.0, linux-oem-osp1 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
  • linux-oem-osp1 - Linux kernel for OEM systems
Details

Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769)

It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494)

It was discovered that the Linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565)

It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608)

It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609)

It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668)

David Gibson discovered that the Linux kernel on Power9 CPUs did not properly save and restore Authority Mask Register state in some situations. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2020-11669)

It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.0.0-1037-gke - 5.0.0-1037.38
linux-image-5.0.0-1052-oem-osp1 - 5.0.0-1052.57
linux-image-gke-5.0 - 5.0.0.1037.25
linux-image-oem-osp1 - 5.0.0.1052.55

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change, the kernel updates have been given a new version number, which requires you to recompile and reinstall all third-party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

USN-4366-1: Exim vulnerability

1 week 1 day ago
exim4 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

Exim could be made to access sensitive information or bypass authentication if it received a specially crafted input.

Software Description
  • exim4 - Exim is a mail transport agent
Details

It was discovered that Exim incorrectly handled certain inputs. A remote attacker could possibly use this issue to access sensitive information or bypass authentication.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
exim4-base - 4.93-13ubuntu1.1
exim4-daemon-heavy - 4.93-13ubuntu1.1
exim4-daemon-light - 4.93-13ubuntu1.1
Ubuntu 19.10
exim4-base - 4.92.1-1ubuntu3.1
exim4-daemon-heavy - 4.92.1-1ubuntu3.1
exim4-daemon-light - 4.92.1-1ubuntu3.1
Ubuntu 18.04 LTS
exim4-base - 4.90.1-1ubuntu1.5
exim4-daemon-heavy - 4.90.1-1ubuntu1.5
exim4-daemon-light - 4.90.1-1ubuntu1.5
Ubuntu 16.04 LTS
exim4-base - 4.86.2-2ubuntu2.6
exim4-daemon-heavy - 4.86.2-2ubuntu2.6
exim4-daemon-light - 4.86.2-2ubuntu2.6
Ubuntu 14.04 ESM
exim4-base - 4.82-3ubuntu2.4+esm2
exim4-daemon-heavy - 4.82-3ubuntu2.4+esm2
exim4-daemon-light - 4.82-3ubuntu2.4+esm2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4365-1: Bind vulnerabilities

1 week 1 day ago
bind9 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Bind.

Software Description
  • bind9 - Internet Domain Name Server
Details

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack. (CVE-2020-8616)

Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks. (CVE-2020-8617)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
bind9 - 1:9.16.1-0ubuntu2.1
Ubuntu 19.10
bind9 - 1:9.11.5.P4+dfsg-5.1ubuntu2.2
Ubuntu 18.04 LTS
bind9 - 1:9.11.3+dfsg-1ubuntu1.12
Ubuntu 16.04 LTS
bind9 - 1:9.10.3.dfsg.P4-8ubuntu1.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4362-1: DPDK vulnerabilities

1 week 2 days ago
dpdk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in DPDK.

Software Description
  • dpdk - set of libraries for fast packet processing
Details

It was discovered that DPDK incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2020-10722, CVE-2020-10723, CVE-2020-10724, CVE-2020-10725, CVE-2020-10726)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
dpdk - 19.11.1-0ubuntu1.1
Ubuntu 19.10
dpdk - 18.11.5-0ubuntu0.19.10.2
Ubuntu 18.04 LTS
dpdk - 17.11.9-0ubuntu18.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4361-1: Dovecot vulnerabilities

1 week 2 days ago
dovecot vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
Summary

Several security issues were fixed in Dovecot.

Software Description
  • dovecot - IMAP and POP3 email server
Details

Philippe Antoine discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-10957, CVE-2020-10967)

Philippe Antoine discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2020-10958)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
dovecot-core - 1:2.3.7.2-1ubuntu3.1
Ubuntu 19.10
dovecot-core - 1:2.3.4.1-5ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4360-2: json-c regression

1 week 5 days ago
json-c regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

USN-4360-1 introduced a regression in json-c.

Software Description
  • json-c - JSON manipulation library
Details

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak in some scenarios. This update reverts the security fix pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libjson-c4 - 0.13.1+dfsg-7ubuntu0.2
Ubuntu 19.10
libjson-c4 - 0.13.1+dfsg-4ubuntu0.2
Ubuntu 18.04 LTS
libjson-c3 - 0.12.1-1.3ubuntu0.2
Ubuntu 16.04 LTS
libjson-c2 - 0.11-4ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4360-3: json-c regression

1 week 5 days ago
json-c regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

USN-4360-1 introduced a regression in json-c.

Software Description
  • json-c - JSON manipulation library
Details

USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak in some scenarios. This update reverts the security fix pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libjson-c2 - 0.11-3ubuntu1.2+esm2
libjson0 - 0.11-3ubuntu1.2+esm2
Ubuntu 12.04 ESM
libjson0 - 0.9-1ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.
