SECURITY

USN-3171-1: LibVNCServer vulnerabilities Ubuntu Security Notice USN-3171-1 11th January, 2017 libvncserver vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several security issues were fixed in LibVNCServer. Software description libvncserver – vnc server library Details Josef Gajdusek discovered that the LibVNCServer client library incorrectlyhandled certain FrameBufferUpdate messages. If a user were tricked intoconnecting to a malicious server, an attacker could use this issue to causea denial of service, or possibly execute arbitrary code. (CVE-2016-9941,CVE-2016-9942) Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 16.10: libvncserver1 0.9.10+dfsg-3ubuntu0.16.10.1 libvncclient1 0.9.10+dfsg-3ubuntu0.16.10.1 Ubuntu 16.04 LTS: libvncserver1 0.9.10+dfsg-3ubuntu0.16.04.1 libvncclient1 0.9.10+dfsg-3ubuntu0.16.04.1 Ubuntu 14.04 LTS: libvncserver0 0.9.9+dfsg-1ubuntu1.2 Ubuntu 12.04 LTS: libvncserver0 0.9.8.2-2ubuntu1.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a [ more… ]

USN-3169-1: Linux kernel vulnerabilities Ubuntu Security Notice USN-3169-1 11th January, 2017 linux vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Summary Several security issues were fixed in the kernel. Software description linux – Linux kernel Details Dmitry Vyukov discovered that the KVM implementation in the Linux kerneldid not properly initialize the Code Segment (CS) in certain error cases. Alocal attacker could use this to expose sensitive information (kernelmemory). (CVE-2016-9756) Andrey Konovalov discovered that signed integer overflows existed in thesetsockopt() system call when handling the SO_SNDBUFFORCE andSO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capabilitycould use this to cause a denial of service (system crash or memorycorruption). (CVE-2016-9793) Baozeng Ding discovered a race condition that could lead to a use-after-free in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linuxkernel. A local attacker [ more… ]

USN-3168-2: Linux kernel (Trusty HWE) vulnerabilities Ubuntu Security Notice USN-3168-2 11th January, 2017 linux-lts-trusty vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary Several security issues were fixed in the kernel. Software description linux-lts-trusty – Linux hardware enablement kernel from Trusty for Precise Details USN-3168-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04LTS. This update provides the corresponding updates for the LinuxHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu12.04 LTS. Dmitry Vyukov discovered that the KVM implementation in the Linux kerneldid not properly initialize the Code Segment (CS) in certain error cases. Alocal attacker could use this to expose sensitive information (kernelmemory). (CVE-2016-9756) Andrey Konovalov discovered that signed integer overflows existed in thesetsockopt() system call when handling the SO_SNDBUFFORCE andSO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capabilitycould use this [ more… ]

USN-3168-1: Linux kernel vulnerabilities Ubuntu Security Notice USN-3168-1 11th January, 2017 linux vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Summary Several security issues were fixed in the kernel. Software description linux – Linux kernel Details Dmitry Vyukov discovered that the KVM implementation in the Linux kerneldid not properly initialize the Code Segment (CS) in certain error cases. Alocal attacker could use this to expose sensitive information (kernelmemory). (CVE-2016-9756) Andrey Konovalov discovered that signed integer overflows existed in thesetsockopt() system call when handling the SO_SNDBUFFORCE andSO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capabilitycould use this to cause a denial of service (system crash or memorycorruption). (CVE-2016-9793) Baozeng Ding discovered a race condition that could lead to a use-after-free in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linuxkernel. A local attacker [ more… ]