
USN-3398-1: graphite2 vulnerabilities

2017-08-22 KENNETH 0

USN-3398-1: graphite2 vulnerabilities Ubuntu Security Notice USN-3398-1 21st August, 2017 graphite2 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary graphite2 could be made to crash or run programs if it opened a specially crafted font. Software description graphite2 – Font rendering engine for Complex Scripts Details Holger Fuhrmannek and Tyson Smith discovered that graphite2 incorrectly handled certain malformed fonts. If a user or automated system were tricked into opening a specially-crafted font file, a remote attacker could use this issue to cause graphite2 to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: libgraphite2-3 1.3.10-0ubuntu0.17.04.1 Ubuntu 16.04 LTS: libgraphite2-3 1.3.10-0ubuntu0.16.04.1 Ubuntu 14.04 LTS: libgraphite2-3 1.3.10-0ubuntu0.14.04.1 To update your system, please [ more… ]


USN-3397-1: strongSwan vulnerability

2017-08-21 KENNETH 0

USN-3397-1: strongSwan vulnerability Ubuntu Security Notice USN-3397-1 21st August, 2017 strongswan vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary strongSwan could be made to crash or hang if it received specially crafted network traffic. Software description strongswan – IPsec VPN solution Details It was discovered that strongSwan incorrectly handled verifying specific RSA signatures. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: libstrongswan 5.5.1-1ubuntu3.2 strongswan 5.5.1-1ubuntu3.2 Ubuntu 16.04 LTS: libstrongswan 5.3.5-1ubuntu3.4 strongswan 5.3.5-1ubuntu3.4 Ubuntu 14.04 LTS: libstrongswan 5.1.2-0ubuntu2.7 strongswan 5.1.2-0ubuntu2.7 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References [ more… ]


RHSA-2017:2492-1: Moderate: xmlsec1 security update

2017-08-21 KENNETH 0

RHSA-2017:2492-1: Moderate: xmlsec1 security update Red Hat Enterprise Linux: An update for xmlsec1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. CVE-2017-1000061 Source: RHSA-2017:2492-1: Moderate: xmlsec1 security update


USN-3396-1: OpenJDK 7 vulnerabilities

2017-08-18 KENNETH 0

USN-3396-1: OpenJDK 7 vulnerabilities Ubuntu Security Notice USN-3396-1 18th August, 2017 openjdk-7 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Summary Several security issues were fixed in OpenJDK 7. Software description openjdk-7 – Open Source Java implementation Details It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service. (CVE-2017-10053) It was discovered that the JAR verifier in OpenJDK did not properly handle archives containing files missing digests. An attacker could use this to modify the signed contents of a JAR file. (CVE-2017-10067) It was discovered that integer overflows existed in the Hotspot component of OpenJDK when generating range check loop predicates. An attacker could use this to specially construct an [ more… ]


USN-3391-3: Firefox regression

2017-08-18 KENNETH 0

USN-3391-3: Firefox regression Ubuntu Security Notice USN-3391-3 17th August, 2017 firefox regression A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary USN-3391-1 introduced a regression in Firefox. Software description firefox – Mozilla Open Source web browser Details USN-3391-1 fixed vulnerabilities in Firefox. The update introduced a performance regression with WebExtensions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, bypass sandbox restrictions, obtain sensitive information, spoof the origin of modal alerts, bypass same origin restrictions, read uninitialized memory, cause a denial of service via program crash or hang, or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780, [ more… ]