USN-3886-1: poppler vulnerabilities

2019-02-11 KENNETH 0

poppler vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary
Several security issues were fixed in poppler.

Software Description
poppler – PDF rendering library

Details
It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20551, CVE-2019-7310)

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10: libpoppler79 – 0.68.0-0ubuntu1.5; poppler-utils – 0.68.0-0ubuntu1.5
Ubuntu 18.04 LTS: libpoppler73 – 0.62.0-2ubuntu2.7; poppler-utils – 0.62.0-2ubuntu2.7
Ubuntu 16.04 LTS: libpoppler58 – 0.41.0-0ubuntu1.12; poppler-utils – 0.41.0-0ubuntu1.12
Ubuntu 14.04 LTS: libpoppler44 – 0.24.5-2ubuntu4.16; poppler-utils – 0.24.5-2ubuntu4.16

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. [ more… ]

USN-3878-3: Linux kernel regression

2019-02-09 KENNETH 0

linux, linux-hwe regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10, Ubuntu 18.04 LTS

Summary
USN-3878-1 introduced a regression in the Linux kernel.

Software Description
linux – Linux kernel
linux-hwe – Linux hardware enablement (HWE) kernel

Details
USN-3878-1 fixed vulnerabilities in the Linux kernel. Unfortunately, that update introduced a regression that could prevent systems with certain graphics chipsets from booting. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of [ more… ]

USN-3878-2: Linux kernel (Azure) vulnerabilities

2019-02-08 KENNETH 0

linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10

Summary
Several security issues were fixed in the Linux kernel.

Software Description
linux-azure – Linux kernel for Microsoft Azure Cloud systems

Details
It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

Cfir Cohen discovered that a use-after-free vulnerability existed in the KVM implementation of the Linux kernel, when handling interrupts in environments where nested virtualization is in use (nested KVM virtualization is not enabled by default in Ubuntu kernels). A local attacker in a guest VM could possibly use this to gain administrative privileges [ more… ]

USN-3871-5: Linux kernel (Azure) vulnerabilities

2019-02-08 KENNETH 0

linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary
Several security issues were fixed in the Linux kernel.

Software Description
linux-azure – Linux kernel for Microsoft Azure Cloud systems

Details
Wen Xu discovered that a use-after-free vulnerability existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10876, CVE-2018-10879)

Wen Xu discovered that a buffer overflow existed in the ext4 filesystem implementation in the Linux kernel. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10877) [ more… ]

USN-3885-1: OpenSSH vulnerabilities

2019-02-08 KENNETH 0

openssh vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary
Several security issues were fixed in OpenSSH.

Software Description
openssh – secure shell (SSH) for secure access to remote machines

Details
Harry Sintonen discovered multiple issues in the OpenSSH scp utility. If a user or automated system were tricked into connecting to an untrusted server, a remote attacker could possibly use these issues to write to arbitrary files, change directory permissions, and spoof client output.

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10: openssh-client – 1:7.7p1-4ubuntu0.2
Ubuntu 18.04 LTS: openssh-client – 1:7.6p1-4ubuntu0.2
Ubuntu 16.04 LTS: openssh-client – 1:7.2p2-4ubuntu2.7
Ubuntu 14.04 LTS: openssh-client – 1:6.6p1-2ubuntu2.12

To update your system, please follow these instructions: [ more… ]