SECURITY

USN-3041-1: Oxide vulnerabilities Ubuntu Security Notice USN-3041-1 5th August, 2016 oxide-qt vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in Oxide. Software description oxide-qt – Web browser engine for Qt (QML plugin) Details Multiple security issues were discovered in Chromium. If a user weretricked in to opening a specially crafted website, an attacker couldpotentially exploit these to read uninitialized memory, cause a denialof service (application crash) or execute arbitrary code. (CVE-2016-1705) It was discovered that the PPAPI implementation does not validate theorigin of IPC messages to the plugin broker process. A remote attackercould potentially exploit this to bypass sandbox protection mechanisms.(CVE-2016-1706) It was discovered that Blink does not prevent window creation by adeferred frame. A remote attacker could potentially exploit this to bypasssame origin [ more… ]

USN-3044-1: Firefox vulnerabilities Ubuntu Security Notice USN-3044-1 5th August, 2016 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description firefox – Mozilla Open Source web browser Details Gustavo Grieco discovered an out-of-bounds read during XML parsing insome circumstances. If a user were tricked in to opening a speciallycrafted website, an attacker could potentially exploit this to cause adenial of service via application crash, or obtain sensitive information.(CVE-2016-0718) Toni Huttunen discovered that once a favicon is requested from a site,the remote server can keep the network connection open even after the pageis closed. A remote attacked could potentially exploit this to trackusers, resulting in information disclosure. (CVE-2016-2830) [ more… ]

USN-3047-1: QEMU vulnerabilities Ubuntu Security Notice USN-3047-1 4th August, 2016 qemu, qemu-kvm vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several security issues were fixed in QEMU. Software description qemu – Machine emulator and virtualizer qemu-kvm – Machine emulator and virtualizer Details Li Qiang discovered that QEMU incorrectly handled 53C9X Fast SCSIcontroller emulation. A privileged attacker inside the guest could use thisissue to cause QEMU to crash, resulting in a denial of service, or possiblyexecute arbitrary code on the host. In the default installation, when QEMUis used with libvirt, attackers would be isolated by the libvirt AppArmorprofile. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.(CVE-2016-4439, CVE-2016-4441, CVE-2016-5238, CVE-2016-5338, CVE-2016-6351) Li Qiang and Qinghao Tang discovered that QEMU incorrectly handled theVMWare VGA module. [ more… ]