USN-3911-2: file regression

2020-05-13 KENNETH 0

file regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.04 LTS, Ubuntu 16.04 LTS

Summary: USN-3911-1 introduced a regression in file.

Software Description: file – Tool to determine file types

Details: USN-3911-1 fixed vulnerabilities in file. One of the backported security fixes introduced a regression that caused the interpreter string to be truncated. This update fixes the problem. We apologize for the inconvenience.

Original advisory details: It was discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS: file – 1:5.32-2ubuntu0.4, libmagic1 – 1:5.32-2ubuntu0.4
Ubuntu 16.04 LTS: file – 1:5.25-2ubuntu1.4, libmagic1 – 1:5.25-2ubuntu1.4

To update your system, [ more… ]

USN-4356-1: Squid vulnerabilities

2020-05-13 KENNETH 0

squid, squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS

Summary: Several security issues were fixed in Squid.

Software Description:
squid – Web proxy cache server
squid3 – Web proxy cache server

Details: Jeriko One discovered that Squid incorrectly handled certain Edge Side Includes (ESI) responses. A malicious remote server could cause Squid to crash, possibly poison the cache, or possibly execute arbitrary code. (CVE-2019-12519, CVE-2019-12521)

It was discovered that Squid incorrectly handled the hostname parameter to cachemgr.cgi when certain browsers are used. A remote attacker could possibly use this issue to inject HTML or invalid characters in the hostname parameter. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 19.10. (CVE-2019-18860)

Clément Berthaux and Florian Guilbert discovered that [ more… ]

USN-4355-1: PulseAudio vulnerability

2020-05-13 KENNETH 0

pulseaudio vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS

Summary: PulseAudio could allow unintended access to snap packages.

Software Description: pulseaudio – PulseAudio sound server

Details: PulseAudio in Ubuntu contains additional functionality to mediate audio recording for snap packages and it was discovered that this functionality did not mediate PulseAudio module unloading. An attacker-controlled snap with only the audio-playback interface connected could exploit this to bypass access controls and record audio.

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS: pulseaudio – 1:13.99.1-1ubuntu3.2
Ubuntu 19.10: pulseaudio – 1:13.0-1ubuntu1.2
Ubuntu 18.04 LTS: pulseaudio – 1:11.1-1ubuntu7.7
Ubuntu 16.04 LTS: pulseaudio – 1:8.0-0ubuntu3.12

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. After a standard [ more… ]

USN-4353-2: Firefox regression

2020-05-13 KENNETH 0

firefox regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS

Summary: USN-4353-1 caused a regression in Firefox.

Software Description: firefox – Mozilla Open Source web browser

Details: USN-4353-1 fixed vulnerabilities in Firefox. The update caused a regression that impaired the functionality of some addons. This update fixes the problem. We apologize for the inconvenience.

Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, spoof the URL bar, or execute arbitrary code. (CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391, CVE-2020-12394, CVE-2020-12395, CVE-2020-12396)

It was discovered that the Devtools’ ‘Copy as cURL’ feature did not properly HTTP POST data of [ more… ]

USN-4354-1: Mailman vulnerability

2020-05-11 KENNETH 0

mailman vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.04 LTS, Ubuntu 16.04 LTS

Summary: Mailman could be made to inject arbitrary content in the login page if it received a specially crafted input.

Software Description: mailman – Web-based mailing list manager (legacy branch)

Details: It was discovered that Mailman incorrectly handled certain inputs. An attacker could possibly use this issue to inject arbitrary content in the login page.

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS: mailman – 1:2.1.26-1ubuntu0.2
Ubuntu 16.04 LTS: mailman – 1:2.1.20-1ubuntu0.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2020-12108

Source: USN-4354-1: Mailman vulnerability