USN-3117-1: GD library vulnerabilities

2016-11-02 KENNETH 0

USN-3117-1: GD library vulnerabilities. Ubuntu Security Notice USN-3117-1, 1st November, 2016. libgd2 vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: The GD library could be made to crash or run programs if it processed a specially crafted image file. Software description: libgd2 – GD Graphics Library. Details: Ibrahim El-Sayed discovered that the GD library incorrectly handled certain malformed Tiff images. If a user or automated system were tricked into processing a specially crafted Tiff image, an attacker could cause a denial of service. (CVE-2016-6911) Ke Liu discovered that the GD library incorrectly handled certain integers when processing WebP images. If a user or automated system were tricked into processing a specially crafted WebP image, an attacker could cause a denial of service, or possibly execute arbitrary code. This issue only applied [ more… ]

USN-3116-1: DBus vulnerabilities

2016-11-02 KENNETH 0

USN-3116-1: DBus vulnerabilities. Ubuntu Security Notice USN-3116-1, 1st November, 2016. dbus vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Several security issues were fixed in DBus. Software description: dbus – simple interprocess messaging system. Details: It was discovered that DBus incorrectly validated the source of ActivationFailure signals. A local attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-0245) It was discovered that DBus incorrectly handled certain format strings. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue is only exposed to unprivileged users when the fix for CVE-2015-0245 is not applied, hence this issue is only likely to affect Ubuntu 12.04 LTS and Ubuntu 14.04 [ more… ]

USN-3115-1: Django vulnerabilities

2016-11-02 KENNETH 0

USN-3115-1: Django vulnerabilities. Ubuntu Security Notice USN-3115-1, 1st November, 2016. python-django vulnerabilities. A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS. Summary: Several security issues were fixed in Django. Software description: python-django – High-level Python web development framework. Details: Marti Raudsepp discovered that Django incorrectly used a hardcoded password when running tests on an Oracle database. A remote attacker could possibly connect to the database while the tests are running and prevent the test user with the hardcoded password from being removed. (CVE-2016-9013) Aymeric Augustin discovered that Django incorrectly validated hosts when being run with the debug setting enabled. A remote attacker could possibly use this issue to perform DNS rebinding attacks. (CVE-2016-9014) Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 16.10: python3-django [ more… ]

RHSA-2016:2134-1: Low: Red Hat Enterprise Developer Toolset Version 3.x Retirement Notice

2016-11-02 KENNETH 0

RHSA-2016:2134-1: Low: Red Hat Enterprise Developer Toolset Version 3.x Retirement Notice This is the final notification for the retirement of Red Hat Developer Toolset Version 3.x. This notification applies only to those customers subscribed to the channel for Red Hat Developer Toolset Version 3.x. Source: RHSA-2016:2134-1: Low: Red Hat Enterprise Developer Toolset Version 3.x Retirement Notice

RHSA-2016:2133-1: Important: kernel security update

2016-11-01 KENNETH 0

RHSA-2016:2133-1: Important: kernel security update Red Hat Enterprise Linux: An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. CVE-2016-4470, CVE-2016-5195 Source: RHSA-2016:2133-1: Important: kernel security update