SECURITY

USN-3918-1: Firefox vulnerabilities firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in Firefox. Software Description firefox – Mozilla Open Source web browser Details Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, denial of service via successive FTP authorization prompts or modal alerts, trick the user with confusing permission request prompts, obtain sensitive information, conduct social engineering attacks, or execute arbitrary code. (CVE-2019-9788, CVE-2019-9789, CVE-2019-9790, CVE-2019-9791, CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797, CVE-2019-9799, CVE-2019-9802, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9808, CVE-2019-9809) A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations [ more… ]

USN-3917-1: snapd vulnerability snapd vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary An intended access restriction in snapd could be bypassed by strict mode snaps on 64 bit architectures. Software Description snapd – Daemon and tooling that enable snap packages Details The snapd default seccomp filter for strict mode snaps blocks the use of the ioctl() system call when used with TIOCSTI as the second argument to the system call. Jann Horn discovered that this restriction could be circumvented on 64 bit architectures. A malicious snap could exploit this to bypass intended access restrictions to insert characters into the terminal’s input queue. On Ubuntu, snapd typically will have already automatically refreshed itself to snapd 2.37.4 which is unaffected. Update instructions The problem can be [ more… ]

USN-3913-1: P7ZIP vulnerabilities p7zip vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Summary p7zip could be made to crash or run programs as your login if it opened a specially crafted file. Software Description p7zip – 7z file archiver with high compression ratio Details It was discovered that p7zip did not correctly handle certain malformed archives. If a user or automated system were tricked into processing a specially crafted archive with p7zip, then p7zip could be made to crash, possibly leading to abitrary code execution. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS p7zip – 9.20.1~dfsg.1-4.2ubuntu0.1 p7zip-full – 9.20.1~dfsg.1-4.2ubuntu0.1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2016-2335 [ more… ]

USN-3915-1: Ghostscript vulnerabilities ghostscript vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in Ghostscript. Software Description ghostscript – PostScript and PDF interpreter Details It was discovered that Ghostscript incorrectly handled certain PostScript files. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files, execute arbitrary code, or cause a denial of service. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10 ghostscript – 9.26~dfsg+0-0ubuntu0.18.10.8 libgs9 – 9.26~dfsg+0-0ubuntu0.18.10.8 Ubuntu 18.04 LTS ghostscript – 9.26~dfsg+0-0ubuntu0.18.04.8 libgs9 – 9.26~dfsg+0-0ubuntu0.18.04.8 Ubuntu 16.04 LTS ghostscript – 9.26~dfsg+0-0ubuntu0.16.04.8 libgs9 – 9.26~dfsg+0-0ubuntu0.16.04.8 Ubuntu 14.04 LTS ghostscript – 9.26~dfsg+0-0ubuntu0.14.04.8 libgs9 – 9.26~dfsg+0-0ubuntu0.14.04.8 [ more… ]

USN-3914-1: NTFS-3G vulnerability ntfs-3g vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary NTFS-3G could be made to crash or potentially run programs as an administrator if executed with specially crafted arguments. Software Description ntfs-3g – read/write NTFS driver for FUSE Details A heap buffer overflow was discovered in NTFS-3G when executing it with a relative mount point path that is too long. A local attacker could potentially exploit this to execute arbitrary code as the administrator. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10 ntfs-3g – 1:2017.3.23-2ubuntu0.18.10.1 Ubuntu 18.04 LTS ntfs-3g – 1:2017.3.23-2ubuntu0.18.04.1 Ubuntu 16.04 LTS ntfs-3g – 1:2015.3.14AR.1-1ubuntu0.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all [ more… ]