
USN-3450-1: Open vSwitch vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3450-1, 11th October, 2017

openvswitch vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.04 LTS

Summary: Several security issues were fixed in Open vSwitch.

Software description: openvswitch – Ethernet virtual switch

Details:

Bhargava Shastry discovered that Open vSwitch incorrectly handled certain OFP messages. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214)

It was discovered that Open vSwitch incorrectly handled certain OpenFlow role messages. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9263)

It was discovered that Open vSwitch incorrectly handled certain malformed packets. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. This issue only affected Ubuntu [ more… ]


USN-3449-1: OpenStack Nova vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3449-1, 11th October, 2017

nova vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: Several security issues were fixed in OpenStack Nova.

Software description: nova – OpenStack Compute cloud infrastructure

Details:

George Shuklin discovered that OpenStack Nova incorrectly handled the migration process. A remote authenticated user could use this issue to consume resources, resulting in a denial of service. (CVE-2015-3241)

George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly handled deleting instances. A remote authenticated user could use this issue to consume disk resources, resulting in a denial of service. (CVE-2015-3280)

It was discovered that OpenStack Nova incorrectly limited qemu-img calls. A remote authenticated user could use this issue to consume resources, resulting in a denial of service. (CVE-2015-5162)

Matthew Booth discovered that OpenStack Nova incorrectly handled snapshots. A remote authenticated user could [ more… ]


USN-3448-1: OpenStack Keystone vulnerability

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3448-1, 11th October, 2017

keystone vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS

Summary: OpenStack Keystone would allow unintended access over the network.

Software description: keystone – OpenStack identity service

Details:

Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations.

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
keystone 2:9.3.0-0ubuntu3.1
python-keystone 2:9.3.0-0ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2017-2673

Source: USN-3448-1: OpenStack Keystone vulnerability


USN-3436-1: Thunderbird vulnerabilities

2017-10-11 KENNETH 0

Ubuntu Security Notice USN-3436-1, 11th October, 2017

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Several security issues were fixed in Thunderbird.

Software description: thunderbird – Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing-like context, an attacker could potentially exploit these to read uninitialized memory, bypass phishing and malware protection, conduct cross-site scripting (XSS) attacks, cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814, CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)

Martin Thomson discovered that NSS incorrectly generated handshake hashes. A remote attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2017-7805)

Update instructions: The problem can [ more… ]


RHEA-2017:2879-1: heketi bug fix and enhancement update

2017-10-11 KENNETH 0

Red Hat Enterprise Linux: Updated heketi packages that fix several bugs and add various enhancements are now available for Container-Native Storage 3.6 and Container Ready Storage.

Source: RHEA-2017:2879-1: heketi bug fix and enhancement update