
USN-3480-2: Apport regressions

2017-11-21 KENNETH 0

USN-3480-2: Apport regressions Ubuntu Security Notice USN-3480-2 20th November, 2017 apport regressions A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Summary USN-3480-1 introduced regressions in Apport. Software description apport – automatically generate crash reports for debugging Details USN-3480-1 fixed vulnerabilities in Apport. The fix for CVE-2017-14177 introduced a regression in the ability to handle crashes for users that configured their systems to use the Upstart init system in Ubuntu 16.04 LTS and Ubuntu 17.04. The fix for CVE-2017-14180 temporarily disabled crash forwarding to containers. This update addresses the problems. We apologize for the inconvenience. Original advisory details: Sander Bos discovered that Apport incorrectly handled core dumps for setuid binaries. A local attacker could use this issue to perform a denial of service via resource exhaustion or possibly gain root privileges. (CVE-2017-14177) Sander Bos discovered [ more… ]


USN-3483-1: procmail vulnerability

2017-11-21 KENNETH 0

USN-3483-1: procmail vulnerability Ubuntu Security Notice USN-3483-1 20th November, 2017 procmail vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary formail could be made to crash or run programs if it processed specially crafted mail. Software description procmail – Versatile e-mail processor Details Jakub Wilk discovered that the formail tool incorrectly handled certain malformed mail messages. An attacker could use this flaw to cause formail to crash, resulting in a denial of service, or possibly execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.10: procmail 3.22-25ubuntu0.17.10.1 Ubuntu 17.04: procmail 3.22-25ubuntu0.17.04.1 Ubuntu 16.04 LTS: procmail 3.22-25ubuntu0.16.04.1 Ubuntu 14.04 LTS: procmail 3.22-21ubuntu0.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make [ more… ]


USN-3482-1: ipsec-tools vulnerability

2017-11-17 KENNETH 0

USN-3482-1: ipsec-tools vulnerability Ubuntu Security Notice USN-3482-1 16th November, 2017 ipsec-tools vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary ipsec-tools could be made to crash if it received specially crafted network traffic. Software description ipsec-tools – IPsec tools for Linux Details It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain ISAKMP fragments. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 12.04 LTS: racoon 1:0.8.0-9ubuntu1.2 ipsec-tools 1:0.8.0-9ubuntu1.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2016-10396 Source: USN-3482-1: ipsec-tools vulnerability


USN-3477-1: Firefox vulnerabilities

2017-11-17 KENNETH 0

USN-3477-1: Firefox vulnerabilities Ubuntu Security Notice USN-3477-1 16th November, 2017 firefox vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Firefox could be made to crash or run programs as your login if it opened a malicious website. Software description firefox – Mozilla Open Source web browser Details Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842) It was discovered that javascript: URLs pasted into the addressbar would be executed instead of being blocked in some [ more… ]


USN-3481-1: WebKitGTK+ vulnerabilities

2017-11-16 KENNETH 0

USN-3481-1: WebKitGTK+ vulnerabilities Ubuntu Security Notice USN-3481-1 16th November, 2017 webkit2gtk vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Summary Several security issues were fixed in WebKitGTK+. Software description webkit2gtk – Web content engine library for GTK+ Details A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.10: libwebkit2gtk-4.0-37 2.18.3-0ubuntu0.17.10.1 libjavascriptcoregtk-4.0-18 2.18.3-0ubuntu0.17.10.1 Ubuntu 17.04: libwebkit2gtk-4.0-37 2.18.3-0ubuntu0.17.04.1 libjavascriptcoregtk-4.0-18 2.18.3-0ubuntu0.17.04.1 Ubuntu 16.04 LTS: libwebkit2gtk-4.0-37 2.18.3-0ubuntu0.16.04.1 libjavascriptcoregtk-4.0-18 2.18.3-0ubuntu0.16.04.1 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. [ more… ]