USN-3089-1: Django vulnerability

2016-09-27 KENNETH 0

Ubuntu Security Notice USN-3089-1
27th September, 2016

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary
Django could be made to set arbitrary cookies.

Software description
python-django – High-level Python web development framework

Details
Sergey Bobrov discovered that Django incorrectly parsed cookies when being used with Google Analytics. A remote attacker could possibly use this issue to set arbitrary cookies, leading to a CSRF protection bypass.

Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 LTS: python3-django 1.8.7-1ubuntu5.2, python-django 1.8.7-1ubuntu5.2
Ubuntu 14.04 LTS: python-django 1.6.1-2ubuntu0.15
Ubuntu 12.04 LTS: python-django 1.3.1-4ubuntu1.21

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References
CVE-2016-7401

Source: USN-3089-1: Django [ more… ]

USN-3087-2: OpenSSL regression

2016-09-24 KENNETH 0

Ubuntu Security Notice USN-3087-2
23rd September, 2016

openssl regression

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary
USN-3087-1 introduced a regression in OpenSSL.

Software description
openssl – Secure Socket Layer (SSL) cryptographic library and tools

Details
USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. We apologize for the inconvenience.

Original advisory details:
Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304)

Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a [ more… ]

USN-3087-1: OpenSSL vulnerabilities

2016-09-23 KENNETH 0

Ubuntu Security Notice USN-3087-1
22nd September, 2016

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary
Several security issues were fixed in OpenSSL.

Software description
openssl – Secure Socket Layer (SSL) cryptographic library and tools

Details
Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304)

Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2177)

César Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing [ more… ]

USN-3076-1: Firefox vulnerabilities

2016-09-23 KENNETH 0

Ubuntu Security Notice USN-3076-1
22nd September, 2016

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary
Firefox could be made to crash or run programs as your login if it opened a malicious website.

Software description
firefox – Mozilla Open Source web browser

Details
Atte Kettunen discovered an out-of-bounds read when handling certain Content Security Policy (CSP) directives in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2016-2827)

Christoph Diehl, Christian Holler, Gary Kwong, Nathan Froyd, Honza Bambas, Seth Fowler, Michael Smith, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory safety issues in Firefox. If a user were tricked [ more… ]

USN-3073-1: Thunderbird vulnerabilities

2016-09-23 KENNETH 0

Ubuntu Security Notice USN-3073-1
22nd September, 2016

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary
Thunderbird could be made to crash or run programs as your login if it opened a malicious message.

Software description
thunderbird – Mozilla Open Source mail and newsgroup client

Details
Christian Holler, Carsten Book, Gary Kwong, Jesse Ruderman, Andrew McCreight, and Phil Ringnalda discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-2836)

Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 LTS: thunderbird 1:45.3.0+build1-0ubuntu0.16.04.2
Ubuntu 14.04 LTS: thunderbird 1:45.3.0+build1-0ubuntu0.14.04.4
Ubuntu 12.04 LTS: [ more… ]