SECURITY

No Image

USN-3936-1: AdvanceCOMP vulnerability

2019-04-04 KENNETH 0

USN-3936-1: AdvanceCOMP vulnerability advancecomp vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary AdvanceCOMP could be made to run arbitrary code if it opened a specially crafted file. Software Description advancecomp – collection of recompression utilities Details It was discovered that AdvanceCOMP incorrectly handled certain PNG files. An attacker could possibly use this issue to execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10 advancecomp – 2.1-1ubuntu0.18.10.1 Ubuntu 18.04 LTS advancecomp – 2.1-1ubuntu0.18.04.1 Ubuntu 16.04 LTS advancecomp – 1.20-1ubuntu0.2 Ubuntu 14.04 LTS advancecomp – 1.18-1ubuntu0.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2019-9210 Source: USN-3936-1: AdvanceCOMP vulnerability

No Image

USN-3935-1: BusyBox vulnerabilities

2019-04-03 KENNETH 0

USN-3935-1: BusyBox vulnerabilities busybox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in BusyBox. Software Description busybox – Tiny utilities for small and embedded systems Details Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could overwrite arbitrary files outside of the current directory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325) Mathias Krause discovered that BusyBox incorrectly handled kernel module loading restrictions. A local attacker could possibly use this issue to bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9645) It was discovered that BusyBox incorrectly handled certain ZIP archives. If a [ more… ]

No Image

USN-3934-1: PolicyKit vulnerability

2019-04-03 KENNETH 0

USN-3934-1: PolicyKit vulnerability policykit-1 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10 Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary PolicyKit could allow unintended access. Software Description policykit-1 – framework for managing administrative policies and privileges Details It was discovered that PolicyKit incorrectly relied on the fork() system call in the Linux kernel being atomic. A local attacker could possibly use this issue to gain access to services that have cached authorizations. Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10 libpolkit-backend-1-0 – 0.105-21ubuntu0.4 policykit-1 – 0.105-21ubuntu0.4 Ubuntu 18.04 LTS libpolkit-backend-1-0 – 0.105-20ubuntu0.18.04.5 policykit-1 – 0.105-20ubuntu0.18.04.5 Ubuntu 16.04 LTS libpolkit-backend-1-0 – 0.105-14.1ubuntu0.5 policykit-1 – 0.105-14.1ubuntu0.5 Ubuntu 14.04 LTS libpolkit-backend-1-0 – 0.105-4ubuntu3.14.04.6 policykit-1 – 0.105-4ubuntu3.14.04.6 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. [ more… ]

Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards

2019-04-03 KENNETH 0

Microsoft Bounty Program Updates: Faster bounty review, faster payments, and higher rewards In 2018 The Microsoft Bounty Program awarded over $2,000,000 to encourage and reward external security research in key technologies to protect our customers. Building on that success, we are excited to announce a number of improvements in our bounty programs to better serve the security research community.   Faster bounty review – As of January 2019, the Cloud, Windows, and Azure DevOps programs now award bounties upon completion of reproduction and assessment of each submission, rather than waiting until the final fix has been determined. Shortening the time from submission to award determination is just one way we will get bounty rewards to researchers faster.     Faster bounty payments, with more payment options – Once a vulnerability submission has successfully qualified for bounty award, we want to ensure payments happen [ more… ]

No Image

USN-3933-2: Linux kernel (Trusty HWE) vulnerabilities

2019-04-03 KENNETH 0

USN-3933-2: Linux kernel (Trusty HWE) vulnerabilities linux-lts-trusty vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 ESM Summary Several security issues were fixed in the Linux kernel. Software Description linux-lts-trusty – Linux hardware enablement kernel from Trusty for Precise ESM Details USN-3933-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. It was discovered that an information leak vulnerability existed in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could possibly expose sensitive information (kernel memory). (CVE-2017-1000410) It was discovered that the USB serial device driver in the Linux kernel did not properly validate baud rate settings when debugging is enabled. A local attacker could use this to cause [ more… ]