SECURITY

USN-4113-1: Apache HTTP Server vulnerabilities apache2 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Several security issues were fixed in Apache. Software Description apache2 – Apache HTTP server Details Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-0197) Craig Young discovered that a memory overwrite error existed in Apache when performing HTTP/2 very early pushes in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10081) Craig Young discovered that a read-after-free [ more… ]

USN-4112-1: Ceph vulnerability ceph vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.04 LTS Summary Ceph could be made to crash if it received specially crafted network traffic. Software Description ceph – distributed storage and file system Details Abhishek Lekshmanan discovered that the RADOS gateway implementation in Ceph did not handle client disconnects properly in some situations. A remote attacker could use this to cause a denial of service. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04 ceph – 13.2.6-0ubuntu0.19.04.3 radosgw – 13.2.6-0ubuntu0.19.04.3 Ubuntu 18.04 LTS ceph – 12.2.12-0ubuntu0.18.04.2 radosgw – 12.2.12-0ubuntu0.18.04.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2019-10222 Source: USN-4112-1: Ceph vulnerability

USN-4111-1: Ghostscript vulnerabilities ghostscript vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary Ghostscript could be made to access arbitrary files if it opened a specially crafted file. Software Description ghostscript – PostScript and PDF interpreter Details Hiroki Matsukuma discovered that the PDF interpreter in Ghostscript did not properly restrict privileged calls when ‘-dSAFER’ restrictions were in effect. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use this issue to access arbitrary files. (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04 ghostscript – 9.26~dfsg+0-0ubuntu7.3 libgs9 – 9.26~dfsg+0-0ubuntu7.3 Ubuntu 18.04 LTS ghostscript – 9.26~dfsg+0-0ubuntu0.18.04.11 libgs9 – 9.26~dfsg+0-0ubuntu0.18.04.11 Ubuntu 16.04 LTS ghostscript – 9.26~dfsg+0-0ubuntu0.16.04.11 libgs9 [ more… ]

USN-4110-4: Dovecot regression dovecot regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 ESM Ubuntu 12.04 ESM Summary USN-4110-1 introduced a regression in Dovecot. Software Description dovecot – IMAP and POP3 email server Details USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. We apologize for the inconvenience. Original advisory details: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM dovecot-core – 1:2.2.9-1ubuntu2.6+esm2 Ubuntu 12.04 ESM dovecot-core – 1:2.0.19-0ubuntu2.8 To update your system, please follow these instructions: [ more… ]

USN-4110-3: Dovecot regression Dovecot regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 19.04 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Summary USN-4110-1 introduced a regression in Dovecot. Software Description dovecot – IMAP and POP3 email server Details USN-4110-1 fixed a vulnerability in Dovecot. The update introduced a regression causing a wrong check. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Nick Roessler and Rafi Rubin discovered that Dovecot incorrectly handled certain data. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04 dovecot-core – 1:2.3.4.1-1ubuntu2.4 Ubuntu 18.04 LTS dovecot-core – 1:2.2.33.2-1ubuntu4.5 Ubuntu 16.04 LTS dovecot-core – 1:2.2.22-1ubuntu2.12 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. [ more… ]