
USN-2933-1: Exim vulnerabilities

2016-03-15 KENNETH 0

Ubuntu Security Notice USN-2933-1
15th March, 2016

exim4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS

Summary: Several security issues were fixed in Exim.

Software description: exim4 – Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly filtered environment variables when used with the perl_startup configuration option. If the perl_startup option was enabled, a local attacker could use this issue to escalate their privileges to the root user. This issue has been fixed by having Exim clean the complete execution environment by default on startup, including any subprocesses such as transports that call other programs. This change in behaviour may break existing installations and can be adjusted by using two new configuration options, keep_environment and add_environment. (CVE-2016-1531)

Patrick William discovered that Exim incorrectly expanded mathematical comparisons twice. A local attacker [ more… ]


USN-2930-1: Linux kernel vulnerabilities

2016-03-15 KENNETH 0

Ubuntu Security Notice USN-2930-1
14th March, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10

Summary: Several security issues were fixed in the kernel.

Software description: linux – Linux kernel

Details:

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

Ben Hawkes discovered an integer overflow in the Linux netfilter implementation. On systems running 32 bit kernels, a local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3135)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported by the device. An [ more… ]


USN-2932-1: Linux kernel (Vivid HWE) vulnerabilities

2016-03-15 KENNETH 0

Ubuntu Security Notice USN-2932-1
14th March, 2016

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: Several security issues were fixed in the kernel.

Software description: linux-lts-vivid – Linux hardware enablement kernel from Vivid for Trusty

Details:

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported [ more… ]


USN-2929-2: Linux kernel (Trusty HWE) vulnerabilities

2016-03-15 KENNETH 0

Ubuntu Security Notice USN-2929-2
14th March, 2016

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS

Summary: Several security issues were fixed in the kernel.

Software description: linux-lts-trusty – Linux hardware enablement kernel from Trusty for Precise

Details:

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

Ralf Spenneberg discovered that the USB driver for Clie devices in the Linux kernel did not properly sanity check the endpoints reported [ more… ]


USN-2931-1: Linux kernel (Utopic HWE) vulnerabilities

2016-03-15 KENNETH 0

Ubuntu Security Notice USN-2931-1
14th March, 2016

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: Several security issues were fixed in the kernel.

Software description: linux-lts-utopic – Linux hardware enablement kernel from Utopic for Trusty

Details:

Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPT_SO_SET_REPLACE events. A local unprivileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-3134)

It was discovered that the Linux kernel did not properly enforce rlimits for file descriptors sent over UNIX domain sockets. A local attacker could use this to cause a denial of service. (CVE-2013-4312)

It was discovered that a race condition existed when handling heartbeat-timeout events in the SCTP implementation of the Linux kernel. A [ more… ]