Ubuntu Secutity Notices

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-4254-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 ESM.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

linux-image-4.4.0-1061-aws - 4.4.0-1061.65

linux-image-4.4.0-173-generic - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-generic-lpae - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-lowlatency - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-powerpc-e500mc - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-powerpc-smp - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-powerpc64-emb - 4.4.0-173.203~14.04.1

linux-image-4.4.0-173-powerpc64-smp - 4.4.0-173.203~14.04.1

linux-image-aws - 4.4.0.1061.62

linux-image-generic-lpae-lts-xenial - 4.4.0.173.152

linux-image-generic-lts-xenial - 4.4.0.173.152

linux-image-lowlatency-lts-xenial - 4.4.0.173.152

linux-image-powerpc-e500mc-lts-xenial - 4.4.0.173.152

linux-image-powerpc-smp-lts-xenial - 4.4.0.173.152

linux-image-powerpc64-emb-lts-xenial - 4.4.0.173.152

linux-image-powerpc64-smp-lts-xenial - 4.4.0.173.152

linux-image-virtual-lts-xenial - 4.4.0.173.152

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-4254-1
• CVE-2019-14615
• CVE-2019-15291
• CVE-2019-18683
• CVE-2019-18885
• CVE-2019-19057
• CVE-2019-19062
• CVE-2019-19063
• CVE-2019-19227
• CVE-2019-19332

linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-aws-5.0 - Linux kernel for Amazon Web Services (AWS) systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
• linux-oracle-5.0 - Linux kernel for Oracle Cloud systems

Details

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15099)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19050, CVE-2019-19062)

It was discovered that the RSI 91x WLAN device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19071)

It was discovered that the Broadcom Netxtreme HCA device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19077)

It was discovered that the Atheros 802.11ac wireless USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19078)

It was discovered that the Qualcomm IPC Router TUN device driver in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19079)

It was discovered that the AMD GPU device drivers in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19082)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

Or Cohen discovered that the virtual console subsystem in the Linux kernel did not properly restrict writes to unimplemented vcsu (unicode) devices. A local attacker could possibly use this to cause a denial of service (system crash) or have other unspecified impacts. (CVE-2019-19252)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle certain conditions. An attacker could use this to specially craft an ext4 file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19767)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-5.0.0-1010-oracle - 5.0.0-1010.15~18.04.1

linux-image-5.0.0-1024-aws - 5.0.0-1024.27~18.04.1

linux-image-5.0.0-1029-gcp - 5.0.0-1029.30~18.04.1

linux-image-5.0.0-1029-gke - 5.0.0-1029.30~18.04.1

linux-image-aws-edge - 5.0.0.1024.38

linux-image-gcp - 5.0.0.1029.33

linux-image-gke-5.0 - 5.0.0.1029.17

linux-image-oracle-edge - 5.0.0.1010.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-15099
• CVE-2019-15291
• CVE-2019-18683
• CVE-2019-18885
• CVE-2019-19050
• CVE-2019-19062
• CVE-2019-19071
• CVE-2019-19077
• CVE-2019-19078
• CVE-2019-19079
• CVE-2019-19082
• CVE-2019-19227
• CVE-2019-19252
• CVE-2019-19332
• CVE-2019-19767

linux-hwe vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

he Linux kernel could be made to expose sensitive information.

Software Description

• linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-4253-1 fixed vulnerabilities in the Linux kernel for Ubuntu 19.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 19.10 for Ubuntu 18.04 LTS.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-5.3.0-28-generic - 5.3.0-28.30~18.04.1

linux-image-5.3.0-28-generic-lpae - 5.3.0-28.30~18.04.1

linux-image-5.3.0-28-lowlatency - 5.3.0-28.30~18.04.1

linux-image-generic-hwe-18.04 - 5.3.0.28.96

linux-image-generic-lpae-hwe-18.04 - 5.3.0.28.96

linux-image-lowlatency-hwe-18.04 - 5.3.0.28.96

linux-image-snapdragon-hwe-18.04 - 5.3.0.28.96

linux-image-virtual-hwe-18.04 - 5.3.0.28.96

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-4253-1
• CVE-2019-14615

linux-hwe, linux-aws-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
• linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-4255-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition can lead to a use-after-free while destroying GEM contexts in the i915 driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-7053)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

linux-image-4.15.0-1058-aws - 4.15.0-1058.60~16.04.1

linux-image-4.15.0-76-generic - 4.15.0-76.86~16.04.1

linux-image-4.15.0-76-generic-lpae - 4.15.0-76.86~16.04.1

linux-image-4.15.0-76-lowlatency - 4.15.0-76.86~16.04.1

linux-image-aws-hwe - 4.15.0.1058.58

linux-image-generic-hwe-16.04 - 4.15.0.76.96

linux-image-generic-lpae-hwe-16.04 - 4.15.0.76.96

linux-image-lowlatency-hwe-16.04 - 4.15.0.76.96

linux-image-oem - 4.15.0.76.96

linux-image-virtual-hwe-16.04 - 4.15.0.76.96

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-4255-1
• CVE-2019-14615
• CVE-2020-7053

openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK.

Software Description

• openjdk-8 - Open Source Java implementation
• openjdk-lts - Open Source Java implementation

Details

It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An unauthenticated remote attacker with network access via Kerberos could possibly use this issue to insert, modify or obtain sensitive information. (CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2593)

It was discovered that OpenJDK Security component still used MD5 algorithm. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application of serialization filters. An attacker could possibly use this issue to bypass the intended filter during serialization. (CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify TLS handshake messages. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit of datagram sockets that can be created by a code running within a Java sandbox. An attacker could possibly use this issue to bypass the sandbox restrictions causing a denial of service. This issue only affected OpenJDK 8. (CVE-2020-2659)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

openjdk-11-jdk - 11.0.6+10-1ubuntu1~19.10.1

openjdk-11-jre - 11.0.6+10-1ubuntu1~19.10.1

openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~19.10.1

openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~19.10.1

openjdk-8-jdk - 8u242-b08-0ubuntu3~19.10

openjdk-8-jre - 8u242-b08-0ubuntu3~19.10

openjdk-8-jre-headless - 8u242-b08-0ubuntu3~19.10

openjdk-8-jre-zero - 8u242-b08-0ubuntu3~19.10

Ubuntu 18.04 LTS

openjdk-11-jdk - 11.0.6+10-1ubuntu1~18.04.1

openjdk-11-jre - 11.0.6+10-1ubuntu1~18.04.1

openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~18.04.1

openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~18.04.1

openjdk-8-jdk - 8u242-b08-0ubuntu3~18.04

openjdk-8-jre - 8u242-b08-0ubuntu3~18.04

openjdk-8-jre-headless - 8u242-b08-0ubuntu3~18.04

openjdk-8-jre-zero - 8u242-b08-0ubuntu3~18.04

Ubuntu 16.04 LTS

openjdk-8-jdk - 8u242-b08-0ubuntu3~16.04

openjdk-8-jre - 8u242-b08-0ubuntu3~16.04

openjdk-8-jre-headless - 8u242-b08-0ubuntu3~16.04

openjdk-8-jre-jamvm - 8u242-b08-0ubuntu3~16.04

openjdk-8-jre-zero - 8u242-b08-0ubuntu3~16.04

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.

References

• CVE-2020-2583
• CVE-2020-2590
• CVE-2020-2593
• CVE-2020-2601
• CVE-2020-2604
• CVE-2020-2654
• CVE-2020-2655
• CVE-2020-2659

libgcrypt11 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Libgcrypt could be made to expose sensitive information.

Software Description

• libgcrypt11 - LGPL Crypto library

Details

USN-4236-1 fixed a vulnerability in Libgcrypt. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that Libgcrypt was susceptible to a ECDSA timing attack. An attacker could possibly use this attack to recover sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

libgcrypt11 - 1.5.3-2ubuntu4.6+esm1

Ubuntu 12.04 ESM

libgcrypt11 - 1.5.0-3ubuntu0.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4236-1
• CVE-2019-13627

cyrus-sasl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.

Software Description

• cyrus-sasl2 - Cyrus Simple Authentication and Security Layer

Details

It was discovered that Cyrus SASL incorrectly handled certain LDAP packets. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

libsasl2-2 - 2.1.27+dfsg-1ubuntu0.1

Ubuntu 18.04 LTS

libsasl2-2 - 2.1.27~101-g0780600+dfsg-3ubuntu2.1

Ubuntu 16.04 LTS

libsasl2-2 - 2.1.26.dfsg1-14ubuntu0.2

Ubuntu 14.04 ESM

libsasl2-2 - 2.1.25.dfsg1-17ubuntu0.1~esm1

Ubuntu 12.04 ESM

libsasl2-2 - 2.1.25.dfsg1-3ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart services using SASL to effect the necessary changes.

References

• CVE-2019-19906

linux, linux-aws, linux-oem vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-oem - Linux kernel for OEM processors

Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition can lead to a use-after-free while destroying GEM contexts in the i915 driver for the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-7053)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-4.15.0-1058-aws - 4.15.0-1058.60

linux-image-4.15.0-1067-oem - 4.15.0-1067.77

linux-image-4.15.0-76-generic - 4.15.0-76.86

linux-image-4.15.0-76-generic-lpae - 4.15.0-76.86

linux-image-4.15.0-76-lowlatency - 4.15.0-76.86

linux-image-aws - 4.15.0.1058.59

linux-image-aws-lts-18.04 - 4.15.0.1058.59

linux-image-generic - 4.15.0.76.78

linux-image-generic-lpae - 4.15.0.76.78

linux-image-lowlatency - 4.15.0.76.78

linux-image-oem - 4.15.0.1067.71

linux-image-powerpc-e500mc - 4.15.0.76.78

linux-image-powerpc-smp - 4.15.0.76.78

linux-image-powerpc64-emb - 4.15.0.76.78

linux-image-powerpc64-smp - 4.15.0.76.78

linux-image-virtual - 4.15.0.76.78

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-14615
• CVE-2020-7053

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-kvm - Linux kernel for cloud environments
• linux-raspi2 - Linux kernel for Raspberry Pi 2
• linux-snapdragon - Linux kernel for Snapdragon processors

Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information. (CVE-2019-14615)

It was discovered that a race condition existed in the Virtual Video Test Driver in the Linux kernel. An attacker with write access to /dev/video0 on a system with the vivid module loaded could possibly use this to gain administrative privileges. (CVE-2019-18683)

It was discovered that the btrfs file system in the Linux kernel did not properly validate metadata, leading to a NULL pointer dereference. An attacker could use this to specially craft a file system image that, when mounted, could cause a denial of service (system crash). (CVE-2019-18885)

It was discovered that multiple memory leaks existed in the Marvell WiFi-Ex Driver for the Linux kernel. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19057)

It was discovered that the crypto subsystem in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19062)

It was discovered that the Realtek rtlwifi USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19063)

Dan Carpenter discovered that the AppleTalk networking subsystem of the Linux kernel did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-19227)

It was discovered that the KVM hypervisor implementation in the Linux kernel did not properly handle ioctl requests to get emulated CPUID features. An attacker with access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-19332)

It was discovered that the B2C2 FlexCop USB device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15291)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

linux-image-4.4.0-1065-kvm - 4.4.0-1065.72

linux-image-4.4.0-1101-aws - 4.4.0-1101.112

linux-image-4.4.0-1128-raspi2 - 4.4.0-1128.137

linux-image-4.4.0-1132-snapdragon - 4.4.0-1132.140

linux-image-4.4.0-173-generic - 4.4.0-173.203

linux-image-4.4.0-173-generic-lpae - 4.4.0-173.203

linux-image-4.4.0-173-lowlatency - 4.4.0-173.203

linux-image-4.4.0-173-powerpc-e500mc - 4.4.0-173.203

linux-image-4.4.0-173-powerpc-smp - 4.4.0-173.203

linux-image-4.4.0-173-powerpc64-emb - 4.4.0-173.203

linux-image-4.4.0-173-powerpc64-smp - 4.4.0-173.203

linux-image-aws - 4.4.0.1101.105

linux-image-generic - 4.4.0.173.181

linux-image-generic-lpae - 4.4.0.173.181

linux-image-kvm - 4.4.0.1065.65

linux-image-lowlatency - 4.4.0.173.181

linux-image-powerpc-e500mc - 4.4.0.173.181

linux-image-powerpc-smp - 4.4.0.173.181

linux-image-powerpc64-emb - 4.4.0.173.181

linux-image-powerpc64-smp - 4.4.0.173.181

linux-image-raspi2 - 4.4.0.1128.128

linux-image-snapdragon - 4.4.0.1132.124

linux-image-virtual - 4.4.0.173.181

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-14615
• CVE-2019-15291
• CVE-2019-18683
• CVE-2019-18885
• CVE-2019-19057
• CVE-2019-19062
• CVE-2019-19063
• CVE-2019-19227
• CVE-2019-19332

linux, linux-aws vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10

Summary

The Linux kernel could be made to expose sensitive information.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems

Details

It was discovered that the Linux kernel did not properly clear data structures on context switches for certain Intel graphics processors. A local attacker could use this to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

linux-image-5.3.0-1010-aws - 5.3.0-1010.11

linux-image-5.3.0-29-generic - 5.3.0-29.31

linux-image-5.3.0-29-generic-lpae - 5.3.0-29.31

linux-image-5.3.0-29-lowlatency - 5.3.0-29.31

linux-image-5.3.0-29-snapdragon - 5.3.0-29.31

linux-image-aws - 5.3.0.1010.12

linux-image-generic - 5.3.0.29.33

linux-image-generic-lpae - 5.3.0.29.33

linux-image-lowlatency - 5.3.0.29.33

linux-image-virtual - 5.3.0.29.33

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2019-14615

tcpdump vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in tcpdump.

Software Description

• tcpdump - command-line network traffic analyzer

Details

USN-4252-1 fixed several vulnerabilities in tcpdump. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

tcpdump - 4.9.3-0ubuntu0.14.04.1+esm1

Ubuntu 12.04 ESM

tcpdump - 4.9.3-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

• USN-4252-1
• CVE-2017-16808
• CVE-2018-10103
• CVE-2018-10105
• CVE-2018-14461
• CVE-2018-14462
• CVE-2018-14463
• CVE-2018-14464
• CVE-2018-14465
• CVE-2018-14466
• CVE-2018-14467
• CVE-2018-14468
• CVE-2018-14469
• CVE-2018-14470
• CVE-2018-14879
• CVE-2018-14880
• CVE-2018-14881
• CVE-2018-14882
• CVE-2018-16227
• CVE-2018-16228
• CVE-2018-16229
• CVE-2018-16230
• CVE-2018-16300
• CVE-2018-16451
• CVE-2018-16452
• CVE-2018-19519
• CVE-2019-1010220
• CVE-2019-15166
• CVE-2019-15167

tcpdump vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in tcpdump.

Software Description

• tcpdump - command-line network traffic analyzer

Details

Multiple security issues were discovered in tcpdump. A remote attacker could use these issues to cause tcpdump to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

tcpdump - 4.9.3-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

tcpdump - 4.9.3-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

• CVE-2017-16808
• CVE-2018-10103
• CVE-2018-10105
• CVE-2018-14461
• CVE-2018-14462
• CVE-2018-14463
• CVE-2018-14464
• CVE-2018-14465
• CVE-2018-14466
• CVE-2018-14467
• CVE-2018-14468
• CVE-2018-14469
• CVE-2018-14470
• CVE-2018-14879
• CVE-2018-14880
• CVE-2018-14881
• CVE-2018-14882
• CVE-2018-16227
• CVE-2018-16228
• CVE-2018-16229
• CVE-2018-16230
• CVE-2018-16300
• CVE-2018-16451
• CVE-2018-16452
• CVE-2018-19519
• CVE-2019-1010220
• CVE-2019-15166
• CVE-2019-15167

tomcat8 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Tomcat.

Software Description

• tomcat8 - Servlet and JSP engine

Details

It was discovered that Tomcat incorrectly handled the RMI registry when configured with the JMX Remote Lifecycle Listener. A local attacker could possibly use this issue to obtain credentials and gain complete control over the Tomcat instance. (CVE-2019-12418)

It was discovered that Tomcat incorrectly handled FORM authentication. A remote attacker could possibly use this issue to perform a session fixation attack. (CVE-2019-17563)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

libtomcat8-java - 8.0.32-1ubuntu1.11

tomcat8 - 8.0.32-1ubuntu1.11

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-12418
• CVE-2019-17563

mysql-5.7, mysql-8.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in MySQL.

Software Description

• mysql-8.0 - MySQL database
• mysql-5.7 - MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.19 in Ubuntu 19.10. Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.29.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information: https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-29.html https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-19.html https://www.oracle.com/security-alerts/cpujan2020.html

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

mysql-server-8.0 - 8.0.19-0ubuntu0.19.10.3

Ubuntu 18.04 LTS

mysql-server-5.7 - 5.7.29-0ubuntu0.18.04.1

Ubuntu 16.04 LTS

mysql-server-5.7 - 5.7.29-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary

References

• CVE-2020-2570
• CVE-2020-2572
• CVE-2020-2573
• CVE-2020-2574
• CVE-2020-2577
• CVE-2020-2579
• CVE-2020-2584
• CVE-2020-2588
• CVE-2020-2589
• CVE-2020-2627
• CVE-2020-2660
• CVE-2020-2679
• CVE-2020-2686
• CVE-2020-2694

clamav vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

ClamAV could be made to crash if it opened a specially crafted file.

Software Description

• clamav - Anti-virus utility for Unix

Details

USN-4230-1 fixed a vulnerability in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that ClamAV incorrectly handled certain MIME messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

clamav - 0.102.1+dfsg-0ubuntu0.14.04.1+esm1

Ubuntu 12.04 ESM

clamav - 0.102.1+dfsg-0ubuntu0.12.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

• USN-4230-1
• CVE-2019-15961

gnutls28 update

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

USN-4233-1 marked SHA1 as untrusted in GnuTLS with no workaround.

Software Description

• gnutls28 - GNU TLS library

Details

USN-4233-1 disabled SHA1 being used for digital signature operations in GnuTLS. In certain network environments, certificates using SHA1 may still be in use. This update adds the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority strings that can be used to temporarily re-enable SHA1 until certificates can be replaced with a stronger algorithm.

Original advisory details:

As a security improvement, this update marks SHA1 as being untrusted for digital signature operations.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

libgnutls30 - 3.5.18-1ubuntu1.3

Ubuntu 16.04 LTS

libgnutls30 - 3.4.10-4ubuntu1.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4233-1
• LP: 1860656

python-apt vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in python-apt.

Software Description

• python-apt - Python interface to libapt-pkg

Details

USN-4247-1 fixed several vulnerabilities in python-apt. This update provides the corresponding updates for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM

python-apt - 0.9.3.5ubuntu3+esm2

python3-apt - 0.9.3.5ubuntu3+esm2

Ubuntu 12.04 ESM

python-apt - 0.8.3ubuntu7.5

python3-apt - 0.8.3ubuntu7.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4247-1
• CVE-2019-15795
• CVE-2019-15796

e2fsprogs vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 ESM
• Ubuntu 12.04 ESM

Summary

e2fsprogs could be made to execute arbitrary code if it was running in a crafted ext4 partition.

Software Description

• e2fsprogs - ext2/ext3/ext4 file system utilities

Details

It was discovered that e2fsprogs incorrectly handled certain ext4 partitions. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

e2fsprogs - 1.45.3-4ubuntu2.1

Ubuntu 19.04

e2fsprogs - 1.44.6-1ubuntu0.2

Ubuntu 18.04 LTS

e2fsprogs - 1.44.1-1ubuntu1.3

Ubuntu 16.04 LTS

e2fsprogs - 1.42.13-1ubuntu1.2

Ubuntu 14.04 ESM

e2fsprogs - 1.42.9-3ubuntu1.3+esm2

Ubuntu 12.04 ESM

e2fsprogs - 1.42-1ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-5188

python-apt regression

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 19.10
• Ubuntu 19.04
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

USN-4247-1 introduced a regression in python-apt.

Software Description

• python-apt - Python interface to libapt-pkg

Details

USN-4247-1 fixed vulnerabilities in python-apt. The updated packages caused a regression when attempting to upgrade to a new Ubuntu release. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that python-apt would still use MD5 hashes to validate certain downloaded packages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. (CVE-2019-15795)

It was discovered that python-apt could install packages from untrusted repositories, contrary to expectations. (CVE-2019-15796)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.10

python-apt - 1.9.0ubuntu1.3

python3-apt - 1.9.0ubuntu1.3

Ubuntu 19.04

python-apt - 1.8.5~ubuntu0.3

python3-apt - 1.8.5~ubuntu0.3

Ubuntu 18.04 LTS

python-apt - 1.6.5ubuntu0.2

python3-apt - 1.6.5ubuntu0.2

Ubuntu 16.04 LTS

python-apt - 1.1.0~beta1ubuntu0.16.04.8

python3-apt - 1.1.0~beta1ubuntu0.16.04.8

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-4247-1
• LP: 1860606

zlib vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in zlib

Software Description

• zlib - Lossless data-compression library

Details

It was discovered that zlib incorrectly handled pointer arithmetic. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

It was discovered that zlib incorrectly handled vectors involving left shifts of negative integers. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9842)

It was discovered that zlib incorrectly handled vectors involving big-endian CRC calculation. An attacker could use this issue to cause zlib to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9843)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

lib32z1 - 1:1.2.8.dfsg-2ubuntu4.3

lib64z1 - 1:1.2.8.dfsg-2ubuntu4.3

libn32z1 - 1:1.2.8.dfsg-2ubuntu4.3

libx32z1 - 1:1.2.8.dfsg-2ubuntu4.3

zlib1g - 1:1.2.8.dfsg-2ubuntu4.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2016-9840
• CVE-2016-9841
• CVE-2016-9842
• CVE-2016-9843