SECURITY

USN-3169-3: Linux kernel (Raspberry Pi 2) vulnerabilities Ubuntu Security Notice USN-3169-3 11th January, 2017 linux-raspi2 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Summary Several security issues were fixed in the kernel. Software description linux-raspi2 – Linux kernel for Raspberry Pi 2 Details Baozeng Ding discovered a race condition that could lead to a use-after-free in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linuxkernel. A local attacker could use this to cause a denial of service(system crash). (CVE-2016-9794) Andrey Konovalov discovered that signed integer overflows existed in thesetsockopt() system call when handling the SO_SNDBUFFORCE andSO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capabilitycould use this to cause a denial of service (system crash or memorycorruption). (CVE-2016-9793) Update instructions The problem can be corrected by updating your system to the following package [ more… ]

USN-3169-2: Linux kernel (Xenial HWE) vulnerabilities Ubuntu Security Notice USN-3169-2 11th January, 2017 linux-lts-xenial vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Summary Several security issues were fixed in the kernel. Software description linux-lts-xenial – Linux hardware enablement kernel from Xenial for Trusty Details USN-3169-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04LTS. This update provides the corresponding updates for the LinuxHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu14.04 LTS. Dmitry Vyukov discovered that the KVM implementation in the Linux kerneldid not properly initialize the Code Segment (CS) in certain error cases. Alocal attacker could use this to expose sensitive information (kernelmemory). (CVE-2016-9756) Andrey Konovalov discovered that signed integer overflows existed in thesetsockopt() system call when handling the SO_SNDBUFFORCE andSO_RCVBUFFORCE options. A local attacker with the CAP_NET_ADMIN capabilitycould use this [ more… ]

USN-3166-1: WebKitGTK+ vulnerabilities Ubuntu Security Notice USN-3166-1 10th January, 2017 webkit2gtk vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Summary Several security issues were fixed in WebKitGTK+. Software description webkit2gtk – JavaScript engine library from WebKitGTK+ – GObject introspection Details A large number of security issues were discovered in the WebKitGTK+ Web andJavaScript engines. If a user were tricked into viewing a maliciouswebsite, a remote attacker could exploit a variety of issues related to webbrowser security, including cross-site scripting attacks, denial of serviceattacks, and arbitrary code execution. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 16.04 LTS: libwebkit2gtk-4.0-37 2.14.2-0ubuntu0.16.04.1 libjavascriptcoregtk-4.0-18 2.14.2-0ubuntu0.16.04.1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. This update uses a new upstream release, which includes additional bugfixes. After a standard [ more… ]