Ubuntu Secutity Notices

Subscribe to Ubuntu Secutity Notices hírcsatorna
Recent content on Ubuntu security notices
Frissítve: 25 perc 37 másodperc
9 óra 45 perc

USN-4254-2: Linux kernel (Xenial HWE) vulnerabilities

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details

USN-4254-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
linux-image-4.4.0-1061-aws - 4.4.0-1061.65
linux-image-4.4.0-173-generic - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-generic-lpae - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-lowlatency - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-powerpc-e500mc - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-powerpc-smp - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-powerpc64-emb - 4.4.0-173.203~14.04.1
linux-image-4.4.0-173-powerpc64-smp - 4.4.0-173.203~14.04.1
linux-image-aws - 4.4.0.1061.62
linux-image-generic-lpae-lts-xenial - 4.4.0.173.152
linux-image-generic-lts-xenial - 4.4.0.173.152
linux-image-lowlatency-lts-xenial - 4.4.0.173.152
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.173.152
linux-image-powerpc-smp-lts-xenial - 4.4.0.173.152
linux-image-powerpc64-emb-lts-xenial - 4.4.0.173.152
linux-image-powerpc64-smp-lts-xenial - 4.4.0.173.152
linux-image-virtual-lts-xenial - 4.4.0.173.152

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
9 óra 52 perc

USN-4258-1: Linux kernel vulnerabilities

linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws-5.0 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
  • linux-oracle-5.0 - Linux kernel for Oracle Cloud systems
Details

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19050, CVE-2019-19062)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19071)

It was discovered that the Broadcom Netxtreme HCA device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19077)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the Qualcomm IPC Router TUN device driver in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19079)

It was discovered that the AMD GPU device drivers in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

Or Cohen discovered that the virtual console subsystem in the Linux kernel did not properly restrict writes to unimplemented vcsu (unicode) devices. A local attacker could possibly use this to cause a denial of service (system crash) or have other unspecified impacts. (CVE-2019-19252)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle certain conditions. An attacker could use this to specially craft an ext4 file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19767)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.0.0-1010-oracle - 5.0.0-1010.15~18.04.1
linux-image-5.0.0-1024-aws - 5.0.0-1024.27~18.04.1
linux-image-5.0.0-1029-gcp - 5.0.0-1029.30~18.04.1
linux-image-5.0.0-1029-gke - 5.0.0-1029.30~18.04.1
linux-image-aws-edge - 5.0.0.1024.38
linux-image-gcp - 5.0.0.1029.33
linux-image-gke-5.0 - 5.0.0.1029.17
linux-image-oracle-edge - 5.0.0.1010.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
10 óra 53 perc

USN-4253-2: Linux kernel (HWE) vulnerability

linux-hwe vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

he Linux kernel could be made to expose sensitive information.

Software Description
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-4253-1 fixed vulnerabilities in the Linux kernel for Ubuntu 19.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.10 for Ubuntu 18.04 LTS.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.3.0-28-generic - 5.3.0-28.30~18.04.1
linux-image-5.3.0-28-generic-lpae - 5.3.0-28.30~18.04.1
linux-image-5.3.0-28-lowlatency - 5.3.0-28.30~18.04.1
linux-image-generic-hwe-18.04 - 5.3.0.28.96
linux-image-generic-lpae-hwe-18.04 - 5.3.0.28.96
linux-image-lowlatency-hwe-18.04 - 5.3.0.28.96
linux-image-snapdragon-hwe-18.04 - 5.3.0.28.96
linux-image-virtual-hwe-18.04 - 5.3.0.28.96

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
11 óra 24 perc

USN-4255-2: Linux kernel (HWE) vulnerabilities

linux-hwe, linux-aws-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
Details

USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition can lead to a use-after-free while destroying GEM contexts in the i915 driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-7053)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.15.0-1058-aws - 4.15.0-1058.60~16.04.1
linux-image-4.15.0-76-generic - 4.15.0-76.86~16.04.1
linux-image-4.15.0-76-generic-lpae - 4.15.0-76.86~16.04.1
linux-image-4.15.0-76-lowlatency - 4.15.0-76.86~16.04.1
linux-image-aws-hwe - 4.15.0.1058.58
linux-image-generic-hwe-16.04 - 4.15.0.76.96
linux-image-generic-lpae-hwe-16.04 - 4.15.0.76.96
linux-image-lowlatency-hwe-16.04 - 4.15.0.76.96
linux-image-oem - 4.15.0.76.96
linux-image-virtual-hwe-16.04 - 4.15.0.76.96

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
2020. január 28.

USN-4257-1: OpenJDK vulnerabilities

openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in OpenJDK.

Software Description
  • openjdk-8 - Open Source Java implementation
  • openjdk-lts - Open Source Java implementation
Details

It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An unauthenticated remote attacker with network access via Kerberos could possibly use this issue to insert, modify or obtain sensitive information. (CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2593)

It was discovered that OpenJDK Security component still used MD5 algorithm. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application of serialization filters. An attacker could possibly use this issue to bypass the intended filter during serialization. (CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify TLS handshake messages. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit of datagram sockets that can be created by a code running within a Java sandbox. An attacker could possibly use this issue to bypass the sandbox restrictions causing a denial of service. This issue only affected OpenJDK 8. (CVE-2020-2659)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
openjdk-11-jdk - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~19.10.1
openjdk-8-jdk - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~19.10
Ubuntu 18.04 LTS
openjdk-11-jdk - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~18.04.1
openjdk-8-jdk - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~18.04
Ubuntu 16.04 LTS
openjdk-8-jdk - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-jamvm - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~16.04

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.

References
2020. január 28.

USN-4236-3: Libgcrypt vulnerability

libgcrypt11 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Libgcrypt could be made to expose sensitive information.

Software Description
  • libgcrypt11 - LGPL Crypto library
Details

USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libgcrypt11 - 1.5.3-2ubuntu4.6+esm1
Ubuntu 12.04 ESM
libgcrypt11 - 1.5.0-3ubuntu0.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 28.

USN-4256-1: Cyrus SASL vulnerability

cyrus-sasl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.

Software Description
  • cyrus-sasl2 - Cyrus Simple Authentication and Security Layer
Details

It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
libsasl2-2 - 2.1.27+dfsg-1ubuntu0.1
Ubuntu 18.04 LTS
libsasl2-2 - 2.1.27~101-g0780600+dfsg-3ubuntu2.1
Ubuntu 16.04 LTS
libsasl2-2 - 2.1.26.dfsg1-14ubuntu0.2
Ubuntu 14.04 ESM
libsasl2-2 - 2.1.25.dfsg1-17ubuntu0.1~esm1
Ubuntu 12.04 ESM
libsasl2-2 - 2.1.25.dfsg1-3ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart services using SASL to effect the necessary changes.

References
2020. január 28.

USN-4255-1: Linux kernel vulnerabilities

linux, linux-aws, linux-oem vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-oem - Linux kernel for OEM processors
Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition can lead to a use-after-free while destroying GEM contexts in the i915 driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-7053)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1058-aws - 4.15.0-1058.60
linux-image-4.15.0-1067-oem - 4.15.0-1067.77
linux-image-4.15.0-76-generic - 4.15.0-76.86
linux-image-4.15.0-76-generic-lpae - 4.15.0-76.86
linux-image-4.15.0-76-lowlatency - 4.15.0-76.86
linux-image-aws - 4.15.0.1058.59
linux-image-aws-lts-18.04 - 4.15.0.1058.59
linux-image-generic - 4.15.0.76.78
linux-image-generic-lpae - 4.15.0.76.78
linux-image-lowlatency - 4.15.0.76.78
linux-image-oem - 4.15.0.1067.71
linux-image-powerpc-e500mc - 4.15.0.76.78
linux-image-powerpc-smp - 4.15.0.76.78
linux-image-powerpc64-emb - 4.15.0.76.78
linux-image-powerpc64-smp - 4.15.0.76.78
linux-image-virtual - 4.15.0.76.78

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
2020. január 28.

USN-4254-1: Linux kernel vulnerabilities

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in the Linux kernel.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors
Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1065-kvm - 4.4.0-1065.72
linux-image-4.4.0-1101-aws - 4.4.0-1101.112
linux-image-4.4.0-1128-raspi2 - 4.4.0-1128.137
linux-image-4.4.0-1132-snapdragon - 4.4.0-1132.140
linux-image-4.4.0-173-generic - 4.4.0-173.203
linux-image-4.4.0-173-generic-lpae - 4.4.0-173.203
linux-image-4.4.0-173-lowlatency - 4.4.0-173.203
linux-image-4.4.0-173-powerpc-e500mc - 4.4.0-173.203
linux-image-4.4.0-173-powerpc-smp - 4.4.0-173.203
linux-image-4.4.0-173-powerpc64-emb - 4.4.0-173.203
linux-image-4.4.0-173-powerpc64-smp - 4.4.0-173.203
linux-image-aws - 4.4.0.1101.105
linux-image-generic - 4.4.0.173.181
linux-image-generic-lpae - 4.4.0.173.181
linux-image-kvm - 4.4.0.1065.65
linux-image-lowlatency - 4.4.0.173.181
linux-image-powerpc-e500mc - 4.4.0.173.181
linux-image-powerpc-smp - 4.4.0.173.181
linux-image-powerpc64-emb - 4.4.0.173.181
linux-image-powerpc64-smp - 4.4.0.173.181
linux-image-raspi2 - 4.4.0.1128.128
linux-image-snapdragon - 4.4.0.1132.124
linux-image-virtual - 4.4.0.173.181

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
2020. január 28.

USN-4253-1: Linux kernel vulnerability

linux, linux-aws vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
Summary

The Linux kernel could be made to expose sensitive information.

Software Description
  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
linux-image-5.3.0-1010-aws - 5.3.0-1010.11
linux-image-5.3.0-29-generic - 5.3.0-29.31
linux-image-5.3.0-29-generic-lpae - 5.3.0-29.31
linux-image-5.3.0-29-lowlatency - 5.3.0-29.31
linux-image-5.3.0-29-snapdragon - 5.3.0-29.31
linux-image-aws - 5.3.0.1010.12
linux-image-generic - 5.3.0.29.33
linux-image-generic-lpae - 5.3.0.29.33
linux-image-lowlatency - 5.3.0.29.33
linux-image-virtual - 5.3.0.29.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References
2020. január 27.

USN-4252-2: tcpdump vulnerabilities

tcpdump vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in tcpdump.

Software Description
  • tcpdump - command-line network traffic analyzer
Details

USN-4252-1 fixed several vulnerabilities in tcpdump. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
tcpdump - 4.9.3-0ubuntu0.14.04.1+esm1
Ubuntu 12.04 ESM
tcpdump - 4.9.3-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References
2020. január 27.

USN-4252-1: tcpdump vulnerabilities

tcpdump vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in tcpdump.

Software Description
  • tcpdump - command-line network traffic analyzer
Details

Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
tcpdump - 4.9.3-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
tcpdump - 4.9.3-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References
2020. január 27.

USN-4251-1: Tomcat vulnerabilities

tomcat8 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in Tomcat.

Software Description
  • tomcat8 - Servlet and JSP engine
Details

It was discovered that Tomcat incorrectly handled the RMI registry when configured with the JMX Remote Lifecycle Listener. A local attacker could possibly use this issue to obtain credentials and gain complete control over the Tomcat instance. (CVE-2019-12418)

It was discovered that Tomcat incorrectly handled FORM authentication. A remote attacker could possibly use this issue to perform a session fixation attack. (CVE-2019-17563)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libtomcat8-java - 8.0.32-1ubuntu1.11
tomcat8 - 8.0.32-1ubuntu1.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 27.

USN-4250-1: MySQL vulnerabilities

mysql-5.7, mysql-8.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in MySQL.

Software Description
  • mysql-8.0 - MySQL database
  • mysql-5.7 - MySQL database
Details

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-19.html https://www.oracle.com/security-alerts/cpujan2020.html

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
mysql-server-8.0 - 8.0.19-0ubuntu0.19.10.3
Ubuntu 18.04 LTS
mysql-server-5.7 - 5.7.29-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
mysql-server-5.7 - 5.7.29-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary

References
2020. január 23.

USN-4230-2: ClamAV vulnerability

clamav vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

ClamAV could be made to crash if it opened a specially crafted file.

Software Description
  • clamav - Anti-virus utility for Unix
Details

USN-4230-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
clamav - 0.102.1+dfsg-0ubuntu0.14.04.1+esm1
Ubuntu 12.04 ESM
clamav - 0.102.1+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References
2020. január 23.

USN-4233-2: GnuTLS update

gnutls28 update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

USN-4233-1 marked SHA1 as untrusted in GnuTLS with no workaround.

Software Description
  • gnutls28 - GNU TLS library
Details

USN-4233-1 disabled SHA1 being used for digital signature operations in GnuTLS. In certain network environments, certificates using SHA1 may still be in use. This update adds the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings that can be used to temporarily re-enable SHA1 until certificates can be replaced with a stronger algorithm.

Original advisory details:

As a security improvement, this update marks SHA1 as being untrusted for digital signature operations.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libgnutls30 - 3.5.18-1ubuntu1.3
Ubuntu 16.04 LTS
libgnutls30 - 3.4.10-4ubuntu1.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 23.

USN-4247-3: python-apt vulnerabilities

python-apt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in python-apt.

Software Description
  • python-apt - Python interface to libapt-pkg
Details

USN-4247-1 fixed several vulnerabilities in python-apt. This update provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
python-apt - 0.9.3.5ubuntu3+esm2
python3-apt - 0.9.3.5ubuntu3+esm2
Ubuntu 12.04 ESM
python-apt - 0.8.3ubuntu7.5
python3-apt - 0.8.3ubuntu7.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 23.

USN-4249-1: e2fsprogs vulnerability

e2fsprogs vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

e2fsprogs could be made to execute arbitrary code if it was running in a crafted ext4 partition.

Software Description
  • e2fsprogs - ext2/ext3/ext4 file system utilities
Details

It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
e2fsprogs - 1.45.3-4ubuntu2.1
Ubuntu 19.04
e2fsprogs - 1.44.6-1ubuntu0.2
Ubuntu 18.04 LTS
e2fsprogs - 1.44.1-1ubuntu1.3
Ubuntu 16.04 LTS
e2fsprogs - 1.42.13-1ubuntu1.2
Ubuntu 14.04 ESM
e2fsprogs - 1.42.9-3ubuntu1.3+esm2
Ubuntu 12.04 ESM
e2fsprogs - 1.42-1ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 23.

USN-4247-2: python-apt regression

python-apt regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.10
  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

USN-4247-1 introduced a regression in python-apt.

Software Description
  • python-apt - Python interface to libapt-pkg
Details

USN-4247-1 fixed vulnerabilities in python-apt. The updated packages caused a regression when attempting to upgrade to a new Ubuntu release. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10
python-apt - 1.9.0ubuntu1.3
python3-apt - 1.9.0ubuntu1.3
Ubuntu 19.04
python-apt - 1.8.5~ubuntu0.3
python3-apt - 1.8.5~ubuntu0.3
Ubuntu 18.04 LTS
python-apt - 1.6.5ubuntu0.2
python3-apt - 1.6.5ubuntu0.2
Ubuntu 16.04 LTS
python-apt - 1.1.0~beta1ubuntu0.16.04.8
python3-apt - 1.1.0~beta1ubuntu0.16.04.8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References
2020. január 22.

USN-4246-1: zlib vulnerabilities

zlib vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in zlib

Software Description
  • zlib - Lossless data-compression library
Details

It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9842)

It was discovered that zlib incorrectly handled vectors involving big-endian CRC calculation. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9843)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
lib32z1 - 1:1.2.8.dfsg-2ubuntu4.3
lib64z1 - 1:1.2.8.dfsg-2ubuntu4.3
libn32z1 - 1:1.2.8.dfsg-2ubuntu4.3
libx32z1 - 1:1.2.8.dfsg-2ubuntu4.3
zlib1g - 1:1.2.8.dfsg-2ubuntu4.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References