USN-3853-1: GnuPG vulnerability

2019-01-11 KENNETH 0

gnupg2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 18.10
Ubuntu 18.04 LTS

Summary
GnuPG could allow unintended access to network services.

Software Description
gnupg2 – GNU privacy guard – a free PGP replacement

Details
Ben Fuhrmannek discovered that GnuPG incorrectly handled Web Key Directory lookups. A remote attacker could possibly use this issue to cause a denial of service, or perform Cross-Site Request Forgery attacks.

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
  gnupg – 2.2.8-3ubuntu1.1
  gpg-wks-client – 2.2.8-3ubuntu1.1

Ubuntu 18.04 LTS
  gnupg – 2.2.4-1ubuntu1.2
  gpg-wks-client – 2.2.4-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References
CVE-2018-1000858

Source: USN-3853-1: GnuPG vulnerability

USN-3852-1: Exiv2 vulnerabilities

2019-01-11 KENNETH 0

exiv2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 18.10
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Several security issues were fixed in Exiv2.

Software Description
exiv2 – EXIF/IPTC/XMP metadata manipulation tool

Details
It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. CVE-2017-9239 only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11591, CVE-2017-11683, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-9239, CVE-2018-16336, CVE-2018-1758)

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
  exiv2 – 0.25-4ubuntu0.1
  libexiv2-14 – 0.25-4ubuntu0.1

Ubuntu 18.04 LTS
  exiv2 – 0.25-3.1ubuntu0.18.04.2
  libexiv2-14 – 0.25-3.1ubuntu0.18.04.2

Ubuntu 16.04 LTS
  exiv2 – 0.25-2.1ubuntu16.04.3
  libexiv2-14 – 0.25-2.1ubuntu16.04.3

Ubuntu 14.04 LTS
  exiv2 – 0.23-1ubuntu2.2
  libexiv2-12 – 0.23-1ubuntu2.2

To update your system, [ more… ]

USN-3851-1: Django vulnerability

2019-01-10 KENNETH 0

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 18.10
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Django could be made to expose spoofed information over the network.

Software Description
python-django – High-level Python web development framework

Details
It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.

Update instructions
The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10
  python-django – 1:1.11.15-1ubuntu1.1
  python3-django – 1:1.11.15-1ubuntu1.1

Ubuntu 18.04 LTS
  python-django – 1:1.11.11-1ubuntu1.2
  python3-django – 1:1.11.11-1ubuntu1.2

Ubuntu 16.04 LTS
  python-django – 1.8.7-1ubuntu5.7
  python3-django – 1.8.7-1ubuntu5.7

Ubuntu 14.04 LTS
  python-django – 1.6.11-0ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all [ more… ]

USN-3850-1: NSS vulnerabilities

2019-01-10 KENNETH 0

nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 18.10
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS

Summary
Several security issues were fixed in NSS.

Software Description
nss – Network Security Service library

Details
Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)

It was discovered that NSS incorrectly handled certain v2-compatible ClientHello messages. A remote attacker could possibly use this issue to perform a replay attack. (CVE-2018-12384)

It was discovered that NSS incorrectly handled certain padding oracles. A remote attacker could possibly use this issue to perform a variant of the Bleichenbacher attack. (CVE-2018-12404)

Update instructions
The problem can be corrected by updating your system to the following package [ more… ]

USN-3848-2: Linux kernel (Xenial HWE) vulnerabilities

2018-12-21 KENNETH 0

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
Ubuntu 14.04 LTS

Summary
Several security issues were fixed in the Linux kernel.

Software Description
linux-aws – Linux kernel for Amazon Web Services (AWS) systems
linux-lts-xenial – Linux hardware enablement kernel from Xenial for Trusty

Details
USN-3848-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in [ more… ]