SECURITY

USN-3260-1: Firefox vulnerabilities Ubuntu Security Notice USN-3260-1 21st April, 2017 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description firefox – Mozilla Open Source web browser Details Multiple security issues were discovered in Firefox. If a user weretricked in to opening a specially crafted website, an attacker couldpotentially exploit these to read uninitialized memory, obtain sensitiveinformation, spoof the addressbar contents or other UI elements, escapethe sandbox to read local files, conduct cross-site scripting (XSS)attacks, cause a denial of service via application crash, or executearbitrary code. (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432,CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437,CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442,CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447,CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454,CVE-2017-5455, CVE-2017-5456, [ more… ]

USN-3263-1: FreeType vulnerability Ubuntu Security Notice USN-3263-1 20th April, 2017 freetype vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary FreeType could be made to crash or run programs if it opened a specially crafted font file. Software description freetype – FreeType 2 is a font engine library Details It was discovered that a heap-based buffer overflow existed in theFreeType library. If a user were tricked into using a speciallycrafted font file, a remote attacker could cause FreeType to crash,resulting in a denial of service, or possibly execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: libfreetype6 2.6.3-3ubuntu2.1 Ubuntu 16.10: libfreetype6 2.6.3-3ubuntu1.2 Ubuntu 16.04 LTS: libfreetype6 2.6.1-0.1ubuntu2.2 Ubuntu 14.04 LTS: libfreetype6 [ more… ]

USN-3262-1: curl vulnerability Ubuntu Security Notice USN-3262-1 20th April, 2017 curl vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Applications using curl could allow unintended access over the network. Software description curl – HTTP, HTTPS, and FTP client and client libraries Details It was discovered that curl incorrectly handled client certificates whenresuming a TLS session. A remote attacker could use this to hijack apreviously authenticated connection. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: libcurl3-nss 7.52.1-4ubuntu1.1 curl 7.52.1-4ubuntu1.1 libcurl3-gnutls 7.52.1-4ubuntu1.1 libcurl3 7.52.1-4ubuntu1.1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2017-7468 Source: USN-3262-1: curl vulnerability

USN-3261-1: QEMU vulnerabilities Ubuntu Security Notice USN-3261-1 20th April, 2017 qemu vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in QEMU. Software description qemu – Machine emulator and virtualizer Details Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPUdevice. An attacker inside the guest could use this issue to cause QEMU tocrash, resulting in a denial of service. This issue only affected Ubuntu16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. Aprivileged attacker inside the guest could use this issue to cause QEMU tocrash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast EthernetController. A privileged attacker inside the guest could use this issue tocause [ more… ]