
USN-2916-1: Perl vulnerabilities

2016-03-02 KENNETH 0

Ubuntu Security Notice USN-2916-1, 2nd March, 2016: perl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS

Summary: Several security issues were fixed in Perl.

Software description: perl – Practical Extraction and Report Language

Details:

It was discovered that Perl incorrectly handled certain regular expressions with an invalid backreference. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-7422)

Markus Vervier discovered that Perl incorrectly handled nesting in the Data::Dumper module. An attacker could use this issue to cause Perl to consume memory and crash, resulting in a denial of service. (CVE-2014-4330)

Stephane Chazelas discovered that Perl incorrectly handled duplicate environment variables. An attacker could possibly use this issue to bypass the taint protection mechanism. (CVE-2016-2381)

Update instructions: The problem [ more… ]


USN-2915-1: Django vulnerabilities

2016-03-02 KENNETH 0

Ubuntu Security Notice USN-2915-1, 1st March, 2016: python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS

Summary: Several security issues were fixed in Django.

Software description: python-django – High-level Python web development framework

Details:

Mark Striemer discovered that Django incorrectly handled user-supplied redirect URLs containing basic authentication credentials. A remote attacker could possibly use this issue to perform a cross-site scripting attack or a malicious redirect. (CVE-2016-2512)

Sjoerd Job Postmus discovered that Django incorrectly handled timing when doing password hashing operations. A remote attacker could possibly use this issue to perform user enumeration. (CVE-2016-2513)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.10: python3-django 1.7.9-1ubuntu5.2, python-django 1.7.9-1ubuntu5.2
Ubuntu 14.04 LTS: python-django 1.6.1-2ubuntu0.12
Ubuntu 12.04 LTS: python-django 1.3.1-4ubuntu1.20

To update your system, [ more… ]


USN-2914-1: OpenSSL vulnerabilities

2016-03-02 KENNETH 0

Ubuntu Security Notice USN-2914-1, 1st March, 2016: openssl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 15.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS

Summary: Several security issues were fixed in OpenSSL.

Software description: openssl – Secure Socket Layer (SSL) cryptographic library and tools

Details:

Yuval Yarom, Daniel Genkin, and Nadia Heninger discovered that OpenSSL was vulnerable to a side-channel attack on modular exponentiation. On certain CPUs, a local attacker could possibly use this issue to recover RSA keys. This flaw is known as CacheBleed. (CVE-2016-0702)

Adam Langley discovered that OpenSSL incorrectly handled memory when parsing DSA private keys. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-0705)

Guido Vranken discovered that OpenSSL incorrectly handled hex digit calculation in the BN_hex2bn function. A remote attacker [ more… ]


USN-2908-5: Linux kernel (Wily HWE) regression

2016-02-27 KENNETH 0

Ubuntu Security Notice USN-2908-5, 27th February, 2016: linux-lts-wily regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: USN-2908-2 introduced a regression in the Ubuntu 15.10 Linux kernel backported to Ubuntu 14.04 LTS.

Software description: linux-lts-wily – Linux hardware enablement kernel from Wily for Trusty

Details:

USN-2908-2 fixed vulnerabilities in the Ubuntu 15.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 15.10 backport kernel within VMware virtual machines. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576)

halfdog discovered that OverlayFS [ more… ]


USN-2909-2: Linux kernel (Utopic HWE) regression

2016-02-27 KENNETH 0

Ubuntu Security Notice USN-2909-2, 27th February, 2016: linux-lts-utopic regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: USN-2909-1 introduced a regression in the Ubuntu 14.10 Linux kernel backported to Ubuntu 14.04 LTS.

Software description: linux-lts-utopic – Linux hardware enablement kernel from Utopic for Trusty

Details:

USN-2909-1 fixed vulnerabilities in the Ubuntu 14.10 Linux kernel backported to Ubuntu 14.04 LTS. An incorrect locking fix caused a regression that broke graphics displays for Ubuntu 14.04 LTS guests running the Ubuntu 14.10 backport kernel within VMware virtual machines. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges. (CVE-2016-1576)

halfdog discovered that OverlayFS [ more… ]