SECURITY

USN-3566-2: PHP vulnerabilities php5 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 ESM Ubuntu 12.04 ESM Summary Several security issues were fixed in PHP. Software Description php5 – HTML-embedded scripting language interpreter Details USN-3566-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20783) It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or possibly cause a crash, resulting in a denial of service. (CVE-2019-11036) Original advisory details: It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting [ more… ]

USN-3991-1: Firefox vulnerabilities firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software Description firefox – Mozilla Open Source web browser Details Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, trick the user in to launching local executable binaries, obtain sensitive information, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821) It was discovered that pressing certain key combinations could bypass addon installation prompt delays. If [ more… ]

USN-3990-1: urllib3 vulnerabilities python-urllib3 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in urllib3. Software Description python-urllib3 – HTTP library with thread-safe connection pooling for Python Details It was discovered that urllib3 incorrectly removed Authorization HTTP headers when handled cross-origin redirects. This could result in credentials being sent to unintended hosts. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20060) It was discovered that urllib3 incorrectly stripped certain characters from requests. A remote attacker could use this issue to perform CRLF injection. (CVE-2019-11236) It was discovered that urllib3 incorrectly handled situations where a desired set of CA certificates were specified. This could result in certificates being accepted by the default CA certificates contrary to expectatons. [ more… ]

USN-3989-1: LibRaw vulnerabilities libraw vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in LibRaw. Software Description libraw – raw image decoder library Details It was discovered that LibRaw incorrectly handled photo files. If a user or automated system were tricked into processing a specially crafted photo file, a remote attacker could cause applications linked against LibRaw to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10 libraw16 – 0.18.13-1ubuntu0.1 Ubuntu 18.04 LTS libraw16 – 0.18.8-1ubuntu0.3 Ubuntu 16.04 LTS libraw15 – 0.17.1-1ubuntu0.5 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. After a standard system update you need to restart your session [ more… ]

USN-3985-2: libvirt update libvirt update A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 ESM Summary Several security issues were addressed in libvirt. Software Description libvirt – Libvirt virtualization toolkit Details Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12130) Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida [ more… ]