USN-3561-1: libvirt update

2018-02-08 KENNETH 0

Ubuntu Security Notice USN-3561-1, 7th February, 2018

libvirt update

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Spectre mitigations were added to libvirt.

Software description: libvirt – Libvirt virtualization toolkit

Details: It was discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. An attacker in the guest could use this to expose sensitive guest information, including kernel memory.

This update allows libvirt to expose new CPU features added by microcode updates to guests. On amd64 and i386, new CPU models that match the updated microcode features were added with an -IBRS suffix. Certain environments will require guests to be switched manually to the new CPU models after microcode updates have been applied to the host.

Update instructions: The [ more… ]

USN-3560-1: QEMU update

2018-02-08 KENNETH 0

Ubuntu Security Notice USN-3560-1, 7th February, 2018

qemu update

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Spectre mitigations were added to QEMU.

Software description: qemu – Machine emulator and virtualizer

Details: It was discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. An attacker in the guest could use this to expose sensitive guest information, including kernel memory.

This update allows QEMU to expose new CPU features added by microcode updates to guests on amd64, i386, and s390x. On amd64 and i386, new CPU models that match the updated microcode features were added with an -IBRS suffix. Certain environments will require guests to be switched manually to the new CPU models after microcode updates have been applied [ more… ]

USN-3559-1: Django vulnerabilities

2018-02-08 KENNETH 0

Ubuntu Security Notice USN-3559-1, 7th February, 2018

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10

Summary: Several security issues were fixed in Django.

Software description: python-django – High-level Python web development framework

Details: It was discovered that Django incorrectly handled certain requests. An attacker could possibly use this to access sensitive information. (CVE-2017-12794, CVE-2018-6188)

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
python3-django 1:1.11.4-1ubuntu1.1
python-django 1:1.11.4-1ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2017-12794, CVE-2018-6188

Source: USN-3559-1: Django vulnerabilities

USN-3557-1: Squid vulnerabilities

2018-02-06 KENNETH 0

Ubuntu Security Notice USN-3557-1, 5th February, 2018

squid3 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Several security issues were fixed in Squid.

Software description: squid3 – Web proxy cache server

Details: Mathias Fischer discovered that Squid incorrectly handled certain long strings in headers. A malicious remote server could possibly cause Squid to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2569)

William Lima discovered that Squid incorrectly handled XML parsing when processing Edge Side Includes (ESI). A malicious remote server could possibly cause Squid to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2016-2570)

Alex Rousskov discovered that Squid incorrectly handled response-parsing failures. A malicious remote server could possibly cause Squid to crash, resulting in [ more… ]

USN-3558-1: systemd vulnerabilities

2018-02-06 KENNETH 0

Ubuntu Security Notice USN-3558-1, 5th February, 2018

systemd vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS, Ubuntu 14.04 LTS

Summary: Several security issues were fixed in systemd.

Software description: systemd – system and service manager

Details: Karim Hossen & Thomas Imbert and Nelson William Gamazo Sanchez independently discovered that systemd-resolved incorrectly handled certain DNS responses. A remote attacker could possibly use this issue to cause systemd to temporarily stop responding, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-15908)

It was discovered that systemd incorrectly handled automounted volumes. A local attacker could possibly use this issue to cause applications to hang, resulting in a denial of service. (CVE-2018-1049)

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS: systemd 229-4ubuntu21.1
Ubuntu 14.04 [ more… ]