SECURITY

USN-3512-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3512-1 11th December, 2017 openssl vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Summary Several security issues were fixed in OpenSSL. Software description openssl – Secure Socket Layer (SSL) cryptographic library and tools Details David Benjamin discovered that OpenSSL did not correctly preventbuggy applications that ignore handshake errors from subsequently callingcertain functions. (CVE-2017-3737) It was discovered that OpenSSL incorrectly performed the x86_64 Montgomerymultiplication procedure. While unlikely, a remote attacker could possiblyuse this issue to recover private keys. (CVE-2017-3738) Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.10: libssl1.0.0 1.0.2g-1ubuntu13.3 Ubuntu 17.04: libssl1.0.0 1.0.2g-1ubuntu11.4 Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.10 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. After a standard system update you need [ more… ]

USN-3507-2: Linux kernel (GCP) vulnerabilities Ubuntu Security Notice USN-3507-2 7th December, 2017 linux-gcp vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS Summary Several security issues were fixed in the Linux kernel. Software description linux-gcp – Linux kernel for Google Cloud Platform (GCP) systems Details Mohamed Ghannam discovered that a use-after-free vulnerability existed inthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker coulduse this to cause a denial of service (system crash) or possibly executearbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause adenial of service (application crashes) or possibly gain administrativeprivileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative arrayimplementation in the Linux kernel sometimes did not properly handle [ more… ]