
USN-2903-2: NSS regression

2016-02-24 KENNETH 0

Ubuntu Security Notice USN-2903-2, 23rd February, 2016: nss regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS

Summary: USN-2903-1 introduced a regression in NSS.

Software description: nss – Network Security Service library

Details: USN-2903-1 fixed a vulnerability in NSS. An incorrect package versioning change in Ubuntu 12.04 LTS caused a regression when building software against NSS. This update fixes the problem. We apologize for the inconvenience.

Original advisory details: Hanno Böck discovered that NSS incorrectly handled certain division functions, possibly leading to cryptographic weaknesses. (CVE-2016-1938) This update also refreshes the NSS package to version 3.21 which includes the latest CA certificate bundle, and removes the SPI CA.

Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 12.04 LTS: libnss3-dev 2:3.21-0ubuntu0.12.04.2 To update your system, please [ more… ]


USN-2912-1: libssh vulnerabilities

2016-02-24 KENNETH 0

Ubuntu Security Notice USN-2912-1, 23rd February, 2016: libssh vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS

Summary: Several security issues were fixed in libssh.

Software description: libssh – A tiny C SSH library

Details: Mariusz Ziulek discovered that libssh incorrectly handled certain packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service. (CVE-2015-3146)

Aris Adamantiadis discovered that libssh incorrectly generated ephemeral secret keys of 128 bits instead of the recommended 1024 or 2048 bits when using the diffie-hellman-group1 and diffie-hellman-group14 methods. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2016-0739)

Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 15.10: libssh-4 0.6.3-3ubuntu3.2 [ more… ]


USN-2905-1: Oxide vulnerability

2016-02-23 KENNETH 0

Ubuntu Security Notice USN-2905-1, 23rd February, 2016: oxide-qt vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS

Summary: Oxide could be made to bypass same-origin restrictions.

Software description: oxide-qt – Web browser engine library for Qt (QML plugin)

Details: A security issue was discovered in Chromium. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions or a sandbox protection mechanism. (CVE-2016-1629)

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 15.10: liboxideqtcore0 1.12.7-0ubuntu0.15.10.1
Ubuntu 14.04 LTS: liboxideqtcore0 1.12.7-0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2016-1629

Source: USN-2905-1: Oxide vulnerability


RHSA-2016:0286-1: Critical: chromium-browser security update

2016-02-23 KENNETH 0

Red Hat Enterprise Linux: Updated chromium-browser packages that fix two security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

CVE-2016-1629

Source: RHSA-2016:0286-1: Critical: chromium-browser security update