SECURITY

USN-3175-2: Firefox regression Ubuntu Security Notice USN-3175-2 6th February, 2017 firefox regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary USN-3175-1 introduced a regression in Firefox. Software description firefox – Mozilla Open Source web browser Details USN-3175-1 fixed vulnerabilities in Firefox. The update caused aregression on systems where the AppArmor profile for Firefox is set toenforce mode. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple memory safety issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374) JIT code allocation can allow a bypass of ASLR protections in some circumstances. If [ more… ]

USN-3192-1: Squid vulnerabilities Ubuntu Security Notice USN-3192-1 6th February, 2017 squid3 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Squid could be made to expose sensitive information over the network. Software description squid3 – Web proxy cache server Details Saulius Lapinskas discovered that Squid incorrectly handled processingHTTP conditional requests. A remote attacker could possibly use this issueto obtain sensitive information related to other clients' browsingsessions. (CVE-2016-10002) Felix Hassert discovered that Squid incorrectly handled certain HTTPRequest headers when using the Collapsed Forwarding feature. A remoteattacker could possibly use this issue to obtain sensitive informationrelated to other clients' browsing sessions. This issue only applied toUbuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10003) Update instructions The problem can be corrected by updating your system to the following package [ more… ]

USN-3191-1: WebKitGTK+ vulnerabilities Ubuntu Security Notice USN-3191-1 6th February, 2017 webkit2gtk vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Summary Several security issues were fixed in WebKitGTK+. Software description webkit2gtk – Web content engine library for GTK+ Details A large number of security issues were discovered in the WebKitGTK+ Web andJavaScript engines. If a user were tricked into viewing a maliciouswebsite, a remote attacker could exploit a variety of issues related to webbrowser security, including cross-site scripting attacks, denial of serviceattacks, and arbitrary code execution. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 16.10: libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.10.1 libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.10.1 Ubuntu 16.04 LTS: libwebkit2gtk-4.0-37 2.14.3-0ubuntu0.16.04.1 libjavascriptcoregtk-4.0-18 2.14.3-0ubuntu0.16.04.1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. This update uses a new upstream release, which [ more… ]