
USN-3366-2: OpenJDK 8 regression

2017-08-01 KENNETH 0

Ubuntu Security Notice USN-3366-2
31st July, 2017

openjdk-8 regression

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS

Summary
USN-3366-1 introduced a regression in OpenJDK 8.

Software description
openjdk-8 – Open Source Java implementation

Details
USN-3366-1 fixed vulnerabilities in OpenJDK 8. Unfortunately, that update introduced a regression that caused some valid JAR files to fail validation. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:
It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a JPEG image file that, when opened by a Java application, would cause a denial of service. (CVE-2017-10053)

It was discovered that the JAR verifier in OpenJDK did not properly handle archives containing files missing digests. An attacker [ more… ]
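The JAR-verifier item above, and the follow-up regression that made valid archives fail validation, both turn on one decision: what a verifier does with an entry that has no digest in the manifest. The Python below is an added example, not OpenJDK's JarVerifier. It builds a constructed in-memory JAR whose manifest carries SHA-256 digests for only two of three entries, then classifies each entry as verified, unsigned (no digest at all, so it gets no signer and must not be reported as verified) or bad (digest mismatch, i.e. tampered). It does not check the signature file or signature block over the manifest; the sample entries and names such as `check_jar` and `tamper` are the example's own.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample archive: three entries, but the manifest carries
# SHA-256 digests for only two of them (Extra.class has no digest).
SAMPLE_ENTRIES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe" + bytes(12),
    "config.properties": b"mode=prod\n",
    "com/example/Extra.class": b"\xca\xfe\xba\xbe" + b"\x01" * 12,
}
SAMPLE_COVERED = ["com/example/Main.class", "config.properties"]


def build_sample_jar():
    """Build the constructed JAR in memory (manifest plus entries, no .SF/.RSA files)."""
    lines = ["Manifest-Version: 1.0"]
    for name in SAMPLE_COVERED:
        digest = base64.b64encode(hashlib.sha256(SAMPLE_ENTRIES[name]).digest()).decode()
        lines += ["", f"Name: {name}", f"SHA-256-Digest: {digest}"]
    manifest = "\r\n".join(lines) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry manifest sections.

    A manifest line that starts with a space continues the previous line
    (72-byte folding), so lines are unfolded before sections are split."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    sections, name = {}, None
    for line in unfolded:
        if not line.strip():            # blank line ends a section
            name = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            name = value
            sections[name] = {}
        elif name is not None:
            sections[name][key] = value
    return sections


def check_jar(jar_bytes):
    """Classify every non-META-INF entry as verified, unsigned (no digest) or bad (mismatch)."""
    verified, unsigned, bad = [], [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            attrs = sections.get(info.filename, {})
            digests = {k: v for k, v in attrs.items() if k.endswith("-Digest")}
            if not digests:
                unsigned.append(info.filename)   # no digest: not tampered, but not verified either
                continue
            data = zf.read(info.filename)
            ok = True
            for attr, expected in digests.items():
                algo = attr[:-len("-Digest")].replace("-", "").lower()   # "SHA-256" -> "sha256"
                actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
                ok = ok and actual == expected
            (verified if ok else bad).append(info.filename)
    return verified, unsigned, bad


def tamper(jar_bytes, name, new_data):
    """Rewrite the archive with one entry's content replaced and the manifest left untouched."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("clean:", check_jar(jar))
    print("tampered:", check_jar(tamper(jar, "config.properties", b"mode=debug\n")))
```

The three-way result is the point: a policy that requires signed code denies the `unsigned` list, a policy that merely detects tampering acts only on `bad`, and neither list should be folded into the other, which is the distinction a verifier gets wrong when it either trusts undigested entries or rejects whole archives that legitimately contain them.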


USN-3363-2: ImageMagick regression

2017-08-01 KENNETH 0

Ubuntu Security Notice USN-3363-2
31st July, 2017

imagemagick regression

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary
USN-3363-1 caused a regression in ImageMagick.

Software description
imagemagick – Image manipulation programs and library

Details
USN-3363-1 fixed vulnerabilities in ImageMagick. The update caused a regression for certain users when processing images. The problematic patch has been reverted pending further investigation. We apologize for the inconvenience.

Original advisory details:
It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Update instructions
The problem can be corrected by updating your system to [ more… ]


USN-3374-1: RabbitMQ vulnerability

2017-08-01 KENNETH 0

Ubuntu Security Notice USN-3374-1
31st July, 2017

rabbitmq-server vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary
RabbitMQ could allow unintended access to network services.

Software description
rabbitmq-server – AMQP server written in Erlang

Details
It was discovered that RabbitMQ incorrectly handled MQTT (MQ Telemetry Transport) authentication. A remote attacker could use this issue to authenticate successfully with an existing username by omitting the password.

Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 16.04 LTS: rabbitmq-server 3.5.7-1ubuntu0.16.04.2
- Ubuntu 14.04 LTS: rabbitmq-server 3.2.4-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References
CVE-2016-9877

Source: USN-3374-1: RabbitMQ vulnerability
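The exchange the RabbitMQ notice describes, as an added example that is not RabbitMQ's code: in MQTT 3.1.1 the CONNECT packet carries a username and a password as separate optional payload fields, each announced by its own bit in the connect flags, so a client can legitimately send a username with the password flag clear. The Python below builds and parses such packets and then shows two hypothetical broker-side checks. `authenticate_flawed` reproduces the described behaviour (a known username with no password field is accepted); `authenticate_fixed` requires both fields and compares in constant time. The user table, client id and credentials are constructed for the example.

```python
import hmac
import struct

# Constructed credential store standing in for a broker's user database.
USERS = {b"guest": b"guest", b"sensor01": b"s3cret"}


def _mqtt_string(s):
    """MQTT length-prefixed string: 2-byte big-endian length, then the bytes."""
    return struct.pack("!H", len(s)) + s


def _remaining_length(n):
    """MQTT variable-length 'remaining length' field (7 bits per byte, MSB = more follows)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60):
    """Build an MQTT 3.1.1 CONNECT packet; username and password are independent optional fields."""
    flags = 0x02                        # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80                   # username flag
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40                   # password flag
        payload += _mqtt_string(password)
    body = _mqtt_string(b"MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive) + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connect(packet):
    """Parse a CONNECT packet into its fields, rejecting truncated or spec-violating input."""
    if (packet[0] & 0xF0) != 0x10:
        raise ValueError("not a CONNECT packet")
    i, mult, remaining = 1, 1, 0
    while True:                         # decode the variable-length remaining length
        b = packet[i]
        i += 1
        remaining += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")
    body = packet[i:i + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    pos = 0

    def read_string():
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("truncated string length")
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        s = body[pos:pos + n]
        if len(s) != n:
            raise ValueError("truncated string")
        pos += n
        return s

    if read_string() != b"MQTT":
        raise ValueError("unexpected protocol name")
    if len(body) < pos + 4:
        raise ValueError("truncated variable header")
    level, flags = body[pos], body[pos + 1]
    (keepalive,) = struct.unpack_from("!H", body, pos + 2)
    pos += 4
    # Reserved bit must be 0, and the spec forbids a password flag without a username flag.
    if flags & 0x01 or (flags & 0x40 and not flags & 0x80):
        raise ValueError("invalid connect flags")
    client_id = read_string()
    if flags & 0x04:                    # will flag: skip will topic and will message
        read_string()
        read_string()
    username = read_string() if flags & 0x80 else None
    password = read_string() if flags & 0x40 else None
    return {"level": level, "keepalive": keepalive, "client_id": client_id,
            "username": username, "password": password}


def authenticate_flawed(conn):
    """Hypothetical buggy check: a known username with no password field is let in."""
    user = conn["username"]
    if user not in USERS:
        return False
    if conn["password"] is None:
        return True                     # the bug: absence of a password is treated as success
    return hmac.compare_digest(USERS[user], conn["password"])


def authenticate_fixed(conn):
    """Corrected check: both fields must be present and the password must match."""
    user, password = conn["username"], conn["password"]
    if user is None or password is None or user not in USERS:
        return False
    return hmac.compare_digest(USERS[user], password)
```

The parser enforces the one protocol-level rule that helps here (a password flag without a username flag is rejected), but nothing in the protocol stops a username without a password, so the absent-password case has to be decided by the authentication code itself, as `authenticate_fixed` does.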


USN-3373-1: Apache HTTP Server vulnerabilities

2017-08-01 KENNETH 0

Ubuntu Security Notice USN-3373-1
31st July, 2017

apache2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS

Summary
Several security issues were fixed in Apache HTTP Server.

Software description
apache2 – Apache HTTP server

Details
Emmanuel Dreyfus discovered that third-party modules using the ap_get_basic_auth_pw() function outside of the authentication phase may lead to authentication requirements being bypassed. This update adds a new ap_get_basic_auth_components() function for use by third-party modules. (CVE-2017-3167)

Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. (CVE-2017-3169)

Javier Jiménez discovered that the Apache HTTP Server incorrectly handled parsing certain requests. A remote attacker could possibly use this issue to cause the Apache HTTP Server to crash, resulting in a denial of service. (CVE-2017-7668)

ChenQin and Hanno Böck discovered that the Apache [ more… ]


RHSA-2017:1840-1: Important: devtoolset-4-jackson-databind security update

2017-08-01 KENNETH 0

Red Hat Enterprise Linux: An update for devtoolset-4-jackson-databind is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

References
CVE-2017-7525

Source: RHSA-2017:1840-1: Important: devtoolset-4-jackson-databind security update