USN-3380-1: FreeRDP vulnerabilities

2017-08-08 KENNETH 0

Ubuntu Security Notice USN-3380-1
7th August, 2017

freerdp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 17.04
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Several security issues were fixed in FreeRDP.

Software description
freerdp – RDP client for Windows Terminal Services

Details
It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2014-0250)

It was discovered that FreeRDP incorrectly handled certain values in a Scope List. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-0791)

Tyler Bohan discovered that FreeRDP incorrectly handled certain length values. A malicious server could use this [ more… ]

RHSA-2017:2425-1: Moderate: rh-postgresql95-postgresql security update

2017-08-08 KENNETH 0

RHN Satellite and Proxy: An update for rh-postgresql95-postgresql is now available for Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This update applies only to Satellite 5.7 instances using either embedded or managed PostgreSQL databases.

There are manual steps required in order to finish the migration from postgresql92-postgresql to rh-postgresql95-postgresql. If these steps are not undertaken, the affected Satellite will continue to use PostgreSQL 9.2.

postgresql92-postgresql will be upgraded automatically to rh-postgresql95-postgresql as part of an upgrade to Satellite 5.8.

CVE-2016-5423, CVE-2016-5424, CVE-2017-7484, CVE-2017-7485, CVE-2017-7486

Source: RHSA-2017:2425-1: Moderate: rh-postgresql95-postgresql security update

USN-3379-1: Shotwell vulnerability

2017-08-08 KENNETH 0

Ubuntu Security Notice USN-3379-1
7th August, 2017

shotwell vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 17.04
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Shotwell could be made to expose sensitive information over the network.

Software description
shotwell – digital photo organizer

Details
It was discovered that Shotwell is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission.

Update instructions
The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
shotwell 0.22.0+git20160108.r1.f2fb1f7-0ubuntu3.1
shotwell-common 0.22.0+git20160108.r1.f2fb1f7-0ubuntu3.1

Ubuntu 16.04 LTS:
shotwell 0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1
shotwell-common 0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1

Ubuntu 14.04 LTS:
shotwell 0.18.0-0ubuntu4.5
shotwell-common 0.18.0-0ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
CVE-2017-1000024

Source: USN-3379-1: Shotwell vulnerability

USN-3339-2: OpenVPN vulnerability

2017-08-08 KENNETH 0

Ubuntu Security Notice USN-3339-2
7th August, 2017

openvpn vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 12.04 LTS

Summary
Several security issues were fixed in OpenVPN.

Software description
openvpn – virtual private network software

Details
USN-3339-1 fixed several issues in OpenVPN. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Guido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy with NTLM authentication. A remote attacker could use this issue to cause OpenVPN clients to crash, resulting in a denial of service, or possibly expose sensitive memory contents. (CVE-2017-7520)

Update instructions
The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
openvpn 2.2.1-8ubuntu1.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the [ more… ]

USN-3212-4: LibTIFF vulnerabilities

2017-08-08 KENNETH 0

Ubuntu Security Notice USN-3212-4
7th August, 2017

tiff vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 12.04 LTS

Summary
LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.

Software description
tiff – Tag Image File Format (TIFF) library

Details
USN-3212-1 fixed several issues in LibTIFF. This update provides a subset of corresponding update for Ubuntu 12.04 ESM.

Mei Wang discovered multiple integer overflows in LibTIFF which allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. (CVE-2016-3945)

It was discovered that LibTIFF is vulnerable to a heap buffer overflow in the resulting in DoS or code execution via a crafted BitsPerSample value. (CVE-2017-5225)

Original advisory details:

It was discovered that LibTIFF incorrectly handled [ more… ]