SECURITY

USN-4367-2: Linux kernel regression linux regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS Summary USN-4367-1 introduced a regression in the Linux kernel. Software Description linux – Linux kernel Details USN-4367-1 fixed vulnerabilities in the 5.4 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability [ more… ]

USN-4369-2: Linux kernel regression linux, linux-raspi2, linux-raspi2-5.3 regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.10 Ubuntu 18.04 LTS Summary USN-4369-1 introduced a regression in the Linux kernel. Software Description linux – Linux kernel linux-raspi2 – Linux kernel for Raspberry Pi (V7) systems linux-raspi2-5.3 – Linux kernel for Raspberry Pi (V7) systems Details USN-4369-1 fixed vulnerabilities in the 5.3 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) Tristan Madani discovered that the [ more… ]

USN-4359-2: APT vulnerability apt vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 ESM Ubuntu 12.04 ESM Summary APT could be made to crash if it opened a specially crafted file. Software Description apt – Advanced front-end for dpkg Details USN-4359-1 fixed a vulnerability in APT. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM. Original advisory details: It was discovered that APT incorrectly handled certain filenames during package installation. If an attacker could provide a specially crafted package to be installed by the system administrator, this could cause APT to crash. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM apt – 1.0.1ubuntu2.24+esm1 Ubuntu 12.04 ESM apt – 0.8.16~exp12ubuntu10.29 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, [ more… ]

USN-4376-1: OpenSSL vulnerabilities openssl vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in OpenSSL. Software Description openssl – Secure Socket Layer (SSL) cryptographic library and tools Details Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. (CVE-2019-1547) Matt Caswell discovered that OpenSSL incorrectly handled the random number generator (RNG). This may result in applications that use the fork() system call sharing the same RNG state between the parent and the child, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-1549) Guido Vranken discovered that OpenSSL [ more… ]

USN-4360-4: json-c vulnerability json-c vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS Ubuntu 19.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 ESM Ubuntu 12.04 ESM Summary json-c could be made to execute arbitrary code if it received a specially crafted JSON file. Software Description json-c – JSON manipulation library Details USN-4360-1 fixed a vulnerability in json-c. The security fix introduced a memory leak that was reverted in USN-4360-2 and USN-4360-3. This update provides the correct fix update for CVE-2020-12762. Original advisory details: It was discovered that json-c incorrectly handled certain JSON files. An attacker could possibly use this issue to execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS libjson-c4 – 0.13.1+dfsg-7ubuntu0.3 Ubuntu 19.10 libjson-c4 – 0.13.1+dfsg-4ubuntu0.3 Ubuntu 18.04 [ more… ]