USN-3271-1: Libxslt vulnerabilities

2017-04-28 KENNETH 0

Ubuntu Security Notice USN-3271-1, 27th April, 2017: libxslt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS.

Summary: Several security issues were fixed in Libxslt.

Software description: libxslt – XSLT processing library

Details: Holger Fuhrmannek discovered an integer overflow in the xsltAddTextString() function in Libxslt. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2017-5029)

Nicolas Gregoire discovered that Libxslt mishandled namespace nodes. An attacker could use this to craft a malicious document that, when opened, could cause a denial of service (application crash) or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683)

Sebastian Apelt discovered that a use-after-error existed in [ more… ]

USN-3270-1: NSS vulnerabilities

2017-04-28 KENNETH 0

Ubuntu Security Notice USN-3270-1, 27th April, 2017: nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS.

Summary: Several security issues were fixed in NSS.

Software description: nss – Network Security Service library

Details: Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update causes NSS to limit use of the same symmetric key. (CVE-2016-2183)

It was discovered that NSS incorrectly handled Base64 decoding. A remote attacker could use this flaw to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-5461)

This update refreshes the NSS package to version 3.28.4 which includes the latest CA certificate bundle. [ more… ]

USN-3269-1: MySQL vulnerabilities

2017-04-27 KENNETH 0

Ubuntu Security Notice USN-3269-1, 27th April, 2017: mysql-5.5, mysql-5.7 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS.

Summary: Several security issues were fixed in MySQL.

Software description: mysql-5.5 – MySQL database; mysql-5.7 – MySQL database

Details: Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: mysql-server-5.7 5.7.18-0ubuntu0.17.04.1 Ubuntu 16.10: mysql-server-5.7 [ more… ]

USN-3267-1: Samba vulnerability

2017-04-25 KENNETH 0

Ubuntu Security Notice USN-3267-1, 25th April, 2017: samba vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04.

Summary: Samba could be made to expose sensitive information over the network.

Software description: samba – SMB/CIFS file, print, and login server for Unix

Details: Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.

Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 17.04: samba 2:4.5.8+dfsg-0ubuntu0.17.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References: CVE-2017-2619

Source: USN-3267-1: Samba vulnerability

USN-3268-1: QEMU vulnerabilities

2017-04-25 KENNETH 0

Ubuntu Security Notice USN-3268-1, 25th April, 2017: qemu vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04.

Summary: Several security issues were fixed in QEMU.

Software description: qemu – Machine emulator and virtualizer

Details: Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10028)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the [ more… ]