USN-2935-2: PAM regression

2016-03-17 KENNETH 0

USN-2935-2: PAM regression Ubuntu Security Notice USN-2935-2 16th March, 2016 pam regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary USN-2935-1 introduced a regression in PAM. Software description pam – Pluggable Authentication Modules Details USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041) Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, [ more… ]

RHSA-2016:0460-1: Important: thunderbird security update

2016-03-17 KENNETH 0

RHSA-2016:0460-1: Important: thunderbird security update Red Hat Enterprise Linux: An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CVE-2016-1952, CVE-2016-1954, CVE-2016-1957, CVE-2016-1960, CVE-2016-1961, CVE-2016-1964, CVE-2016-1966, CVE-2016-1974, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792, CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796, CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800, CVE-2016-2801, CVE-2016-2802 Source: RHSA-2016:0460-1: Important: thunderbird security update

USN-2935-1: PAM vulnerabilities

2016-03-16 KENNETH 0

USN-2935-1: PAM vulnerabilities Ubuntu Security Notice USN-2935-1 16th March, 2016 pam vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Ubuntu 14.04 LTS Ubuntu 12.04 LTS Summary Several security issues were fixed in PAM. Software description pam – Pluggable Authentication Modules Details It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041) Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583) Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this [ more… ]

USN-2930-3: Linux kernel (Raspberry Pi 2) vulnerabilities

2016-03-16 KENNETH 0

USN-2930-3: Linux kernel (Raspberry Pi 2) vulnerabilities Ubuntu Security Notice USN-2930-3 16th March, 2016 linux-raspi2 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10 Summary Several security issues were fixed in the kernel. Software description linux-raspi2 – Linux kernel for Raspberry Pi 2 Details Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134) Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135) Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity [ more… ]

RHSA-2016:0458-1: Important: bind97 security update

2016-03-16 KENNETH 0

RHSA-2016:0458-1: Important: bind97 security update Red Hat Enterprise Linux: Updated bind97 packages that fix two security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. CVE-2016-1285, CVE-2016-1286 Source: RHSA-2016:0458-1: Important: bind97 security update