SECURITY

USN-3391-1: Firefox vulnerabilities Ubuntu Security Notice USN-3391-1 15th August, 2017 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description firefox – Mozilla Open Source web browser Details Multiple security issues were discovered in Firefox. If a user weretricked in to opening a specially crafted website, an attacker couldpotentially exploit these to conduct cross-site scripting (XSS) attacks,bypass sandbox restrictions, obtain sensitive information, spoof theorigin of modal alerts, bypass same origin restrictions, readuninitialized memory, cause a denial of service via program crash or hang,or execute arbitrary code. (CVE-2017-7753, CVE-2017-7779, CVE-2017-7780,CVE-2017-7781, CVE-2017-7783, CVE-2017-7784, CVE-2017-7785, CVE-2017-7786,CVE-2017-7787, CVE-2017-7788, CVE-2017-7789, CVE-2017-7791, CVE-2017-7792,CVE-2017-7794, CVE-2017-7797, CVE-2017-7798, CVE-2017-7799, CVE-2017-7800,CVE-2017-7801, CVE-2017-7802, CVE-2017-7803, CVE-2017-7806, CVE-2017-7807,CVE-2017-7808, CVE-2017-7809) Update instructions [ more… ]

USN-3390-1: PostgreSQL vulnerabilities Ubuntu Security Notice USN-3390-1 15th August, 2017 postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in PostgreSQL. Software description postgresql-9.3 – Object-relational SQL database postgresql-9.5 – Object-relational SQL database postgresql-9.6 – object-relational SQL database Details Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered thatPostgreSQL allowed the use of empty passwords in some authenticationmethods, contrary to expected behaviour. A remote attacker could use anempty password to authenticate to servers that were believed to havepassword login disabled. (CVE-2017-7546) Jeff Janes discovered that PostgreSQL incorrectly handled thepg_user_mappings catalog view. A remote attacker without server privilegescould possibly use this issue to obtain certain passwords. (CVE-2017-7547) Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()permissions. A remote attacker could [ more… ]