Ubuntu security

USN-3476-1: postgresql-common vulnerabilities Ubuntu Security Notice USN-3476-1 9th November, 2017 postgresql-common vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary postgresql-common could be made to overwrite files as the administrator. Software description postgresql-common – PostgreSQL database-cluster manager Details Dawid Golunski discovered that the postgresql-common pg_ctlcluster scriptincorrectly handled symlinks. A local attacker could possibly use thisissue to escalate privileges. This issue only affected Ubuntu 14.04 LTS andUbuntu 16.04 LTS. (CVE-2016-1255) It was discovered that the postgresql-common helper scripts incorrectlyhandled symlinks. A local attacker could possibly use this issue toescalate privileges. (CVE-2017-8806) Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.10: postgresql-common 184ubuntu1.1 Ubuntu 17.04: postgresql-common 179ubuntu0.1 Ubuntu 16.04 LTS: postgresql-common 173ubuntu0.1 Ubuntu 14.04 LTS: postgresql-common 154ubuntu1.1 To update [ more… ]

USN-3346-3: Bind vulnerabilities Ubuntu Security Notice USN-3346-3 8th November, 2017 bind9 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.04 LTS Summary Bind could be made to serve incorrect information or expose sensitive information over the network. Software description bind9 – Internet Domain Name Server Details USN-3346-1 and USN-3346-2 fixed two vulnerabilities in Bind and a regression,respectively. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone update requests. An attacker could use this to improperly perform zone updates. (CVE-2017-3143) Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone transfer requests. An attacker could use this to improperly transfer entire zones. (CVE-2017-3142) In addition, this update adds the new root zone key signing key (KSK). [ more… ]

USN-3473-1: OpenJDK 8 vulnerabilities Ubuntu Security Notice USN-3473-1 8th November, 2017 openjdk-8 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Summary Several security issues were fixed in OpenJDK 8. Software description openjdk-8 – Open Source Java implementation Details It was discovered that the Smart Card IO subsystem in OpenJDK did notproperly maintain state. An attacker could use this to specially constructan untrusted Java application or applet to gain access to a smart card,bypassing sandbox restrictions. (CVE-2017-10274) Gaston Traberg discovered that the Serialization component of OpenJDK didnot properly limit the amount of memory allocated when performingdeserializations. An attacker could use this to cause a denial of service(memory exhaustion). (CVE-2017-10281) It was discovered that the Remote Method Invocation (RMI) component inOpenJDK did not properly handle unreferenced objects. An attacker could usethis [ more… ]

USN-3475-1: OpenSSL vulnerabilities Ubuntu Security Notice USN-3475-1 6th November, 2017 openssl vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10 Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTS Summary Several security issues were fixed in OpenSSL. Software description openssl – Secure Socket Layer (SSL) cryptographic library and tools Details It was discovered that OpenSSL incorrectly parsed the IPAddressFamilyextension in X.509 certificates, resulting in an erroneous display of thecertificate in text format. (CVE-2017-3735) It was discovered that OpenSSL incorrectly performed the x86_64 Montgomerysquaring procedure. While unlikely, a remote attacker could possibly usethis issue to recover private keys. This issue only applied to Ubuntu 16.04LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-3736) Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 17.10: libssl1.0.0 1.0.2g-1ubuntu13.2 Ubuntu 17.04: libssl1.0.0 1.0.2g-1ubuntu11.3 Ubuntu 16.04 [ more… ]

USN-3474-1: Liblouis vulnerability Ubuntu Security Notice USN-3474-1 6th November, 2017 liblouis vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS Summary Liblouis could be made to crash or run programs as your login if it opened a specially crafted file. Software description liblouis – Braille translation library – utilities Details Raphael Sanchez Prudencio discovered that Liblouis incorrectly handled certain files.If a user were tricked into opening a crafted file, an attacker could possibly use thisto cause a denial of service or potentially execute arbitrary code. Update instructions The problem can be corrected by updating your system to the following package version: Ubuntu 14.04 LTS: liblouis2 2.5.3-2ubuntu1.2 liblouis-bin 2.5.3-2ubuntu1.2 To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. References CVE-2014-8184 Source: USN-3474-1: Liblouis [ more… ]