
USN-3576-1: libvirt vulnerabilities

2018-02-21 KENNETH 0

Ubuntu Security Notice USN-3576-1
20th February, 2018

libvirt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Several security issues were fixed in libvirt.

Software description: libvirt – Libvirt virtualization toolkit

Details:

Vivian Zhang and Christoph Anton Mitterer discovered that libvirt incorrectly disabled password authentication when the VNC password was set to an empty string. A remote attacker could possibly use this issue to bypass authentication, contrary to expectations. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5008)

Daniel P. Berrange discovered that libvirt incorrectly handled validating SSL/TLS certificates. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 17.10. (CVE-2017-1000256)

Daniel P. Berrange and Peter Krempa discovered that libvirt incorrectly handled large QEMU replies. An attacker could possibly use this issue to cause [ more… ]


USN-3574-1: Bind vulnerability

2018-02-20 KENNETH 0

Ubuntu Security Notice USN-3574-1
19th February, 2018

bind9 vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS

Summary: Bind could be made to crash if it received specially crafted network traffic.

Software description: bind9 – Internet Domain Name Server

Details:

It was discovered that Bind incorrectly handled DNSSEC validation. An attacker could possibly use this to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS: bind9 1:9.8.1.dfsg.P1-4ubuntu0.25

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2018-5735

Source: USN-3574-1: Bind vulnerability


USN-3573-1: Quagga vulnerabilities

2018-02-16 KENNETH 0

Ubuntu Security Notice USN-3573-1
15th February, 2018

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Several security issues were fixed in Quagga.

Software description: quagga – BGP/OSPF/RIP routing daemon

Details:

It was discovered that a double-free vulnerability existed in the Quagga BGP daemon when processing certain forms of UPDATE message. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-5379)

It was discovered that the Quagga BGP daemon did not properly bounds check the data sent with a NOTIFY to a peer. An attacker could use this to expose sensitive information or possibly cause a denial of service. This issue only affected Ubuntu 17.10. (CVE-2018-5378)

It was discovered that a table overrun vulnerability existed in the Quagga BGP daemon. An attacker in [ more… ]


USN-3572-1: FreeType vulnerability

2018-02-15 KENNETH 0

Ubuntu Security Notice USN-3572-1
14th February, 2018

freetype vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10

Summary: FreeType could be made to crash if it opened a specially crafted file.

Software description: freetype – FreeType 2 is a font engine library

Details:

It was discovered that FreeType incorrectly handled certain files. An attacker could possibly use this to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10: libfreetype6 2.8-0.2ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. After a standard system update you need to restart your session to make all the necessary changes.

References: CVE-2018-6942

Source: USN-3572-1: FreeType vulnerability


USN-3570-1: AdvanceCOMP vulnerability

2018-02-15 KENNETH 0

Ubuntu Security Notice USN-3570-1
14th February, 2018

advancecomp vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: AdvanceCOMP could be made to crash or run programs if it opened a specially crafted file.

Software description: advancecomp – collection of recompression utilities

Details:

Joonun Jang discovered that AdvanceCOMP incorrectly handled certain malformed zip files. If a user or automated system were tricked into processing a specially crafted zip file, a remote attacker could cause AdvanceCOMP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10: advancecomp 2.0-1ubuntu0.1
Ubuntu 16.04 LTS: advancecomp 1.20-1ubuntu0.1
Ubuntu 14.04 LTS: advancecomp 1.18-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a [ more… ]