USN-4224-1: Django vulnerability

2019-12-19 KENNETH 0

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
  Ubuntu 19.10
  Ubuntu 19.04
  Ubuntu 18.04 LTS
  Ubuntu 16.04 LTS

Summary
Django accounts could be hijacked through password reset requests.

Software Description
python-django – High-level Python web development framework

Details
Simon Charette discovered that the password reset functionality in Django used a Unicode case insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.

Update instructions
The problem can be corrected by updating your system to the following package versions:
  Ubuntu 19.10
    python-django – 1:1.11.22-1ubuntu1.1
    python3-django – 1:1.11.22-1ubuntu1.1
  Ubuntu 19.04
    python-django – 1:1.11.20-1ubuntu0.3
    python3-django – 1:1.11.20-1ubuntu0.3
  Ubuntu 18.04 LTS
    python-django – 1:1.11.11-1ubuntu1.6
    python3-django – 1:1.11.11-1ubuntu1.6
  Ubuntu 16.04 LTS
    python-django – 1.8.7-1ubuntu5.11
    python3-django – 1.8.7-1ubuntu5.11

To update your system, please follow [ more… ]

USN-4223-1: OpenJDK vulnerabilities

2019-12-18 KENNETH 0

openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
  Ubuntu 19.10
  Ubuntu 19.04
  Ubuntu 18.04 LTS
  Ubuntu 16.04 LTS

Summary
Several security issues were fixed in OpenJDK.

Software Description
openjdk-lts – Open Source Java implementation
openjdk-8 – Open Source Java implementation

Details
Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2019-2894)

It was discovered that the Socket implementation in OpenJDK did not properly restrict the creation of subclasses with a custom Socket implementation. An attacker could use this to specially create a Java class that could possibly bypass Java sandbox restrictions. (CVE-2019-2945)

Rob Hamm discovered that the Kerberos implementation in OpenJDK did not properly handle proxy credentials. An attacker could possibly [ more… ]

USN-4222-1: GraphicsMagick vulnerabilities

2019-12-17 KENNETH 0

graphicsmagick vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
  Ubuntu 16.04 LTS

Summary
Several security issues were fixed in GraphicsMagick.

Software Description
graphicsmagick – collection of image processing tools

Details
It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

Update instructions
The problem can be corrected by updating your system to the following package versions:
  Ubuntu 16.04 LTS
    graphicsmagick – 1.3.23-1ubuntu0.3
    libgraphicsmagick++-q16-12 – 1.3.23-1ubuntu0.3
    libgraphicsmagick-q16-3 – 1.3.23-1ubuntu0.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References
  CVE-2017-11638
  CVE-2017-11641
  CVE-2017-11642
  CVE-2017-11643
  CVE-2017-12935
  CVE-2017-12936
  CVE-2017-12937
  CVE-2017-13063
  CVE-2017-13064
  CVE-2017-13065
  CVE-2017-13134
  CVE-2017-13737
  CVE-2017-13775
  CVE-2017-13776
  CVE-2017-13777

Source: USN-4222-1: GraphicsMagick vulnerabilities

USN-4216-2: Firefox vulnerabilities

2019-12-13 KENNETH 0

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
  Ubuntu 16.04 LTS

Summary
Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software Description
firefox – Mozilla Open Source web browser

Details
USN-4216-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubuntu 16.04 LTS.

Original advisory details:
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, or execute arbitrary code.

Update instructions
The problem can be corrected by updating your system to the following package versions:
  Ubuntu 16.04 LTS
    firefox – 71.0+build5-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. After a standard system update [ more… ]

USN-4214-2: RabbitMQ vulnerability

2019-12-12 KENNETH 0

librabbitmq vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
  Ubuntu 18.04 LTS
  Ubuntu 16.04 LTS

Summary
RabbitMQ could be made to execute arbitrary code if it received a specially crafted input.

Software Description
librabbitmq – Command-line utilities for interacting with AMQP servers

Details
USN-4214-1 fixed a vulnerability in RabbitMQ. This update provides the corresponding updates for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:
It was discovered that RabbitMQ incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

Update instructions
The problem can be corrected by updating your system to the following package versions:
  Ubuntu 18.04 LTS
    amqp-tools – 0.8.0-1ubuntu0.18.04.2
    librabbitmq4 – 0.8.0-1ubuntu0.18.04.2
  Ubuntu 16.04 LTS
    amqp-tools – 0.7.1-1ubuntu0.2
    librabbitmq-dev – 0.7.1-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard [ more… ]