SECURITY

USN-3194-1: OpenJDK 7 vulnerabilities Ubuntu Security Notice USN-3194-1 8th February, 2017 openjdk-7 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several security issues were fixed in OpenJDK 7. Software description openjdk-7 – Open Source Java implementation Details Karthik Bhargavan and Gaetan Leurent discovered that the DES andTriple DES ciphers were vulnerable to birthday attacks. A remoteattacker could possibly use this flaw to obtain clear text data fromlong encrypted sessions. This update moves those algorithms to thelegacy algorithm set and causes them to be used only if no non-legacyalgorithms can be negotiated. (CVE-2016-2183) It was discovered that OpenJDK accepted ECSDA signatures usingnon-canonical DER encoding. An attacker could use this to modify orexpose sensitive data. (CVE-2016-5546) It was discovered that OpenJDK did not properly verify objectidentifier (OID) length when reading Distinguished [ more… ]

USN-3180-1: Oxide vulnerabilities Ubuntu Security Notice USN-3180-1 8th February, 2017 oxide-qt vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in Oxide. Software description oxide-qt – Web browser engine for Qt (QML plugin) Details Multiple vulnerabilities were discovered in Chromium. If a user weretricked in to opening a specially crafted website, an attacker couldpotentially exploit these to conduct cross-site scripting (XSS) attacks,read uninitialized memory, obtain sensitive information, spoof thewebview URL or other UI components, bypass same origin restrictions orother security restrictions, cause a denial of service via applicationcrash, or execute arbitrary code. (CVE-2017-5006, CVE-2017-5007,CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012,CVE-2017-5014, CVE-2017-5017, CVE-2017-5019, CVE-2017-5022, CVE-2017-5023,CVE-2017-5024, CVE-2017-5025, CVE-2017-5026) Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 16.10: liboxideqtcore0 [ more… ]