星球

RSS | RDF | ATOM

USN-3078-1: MySQL vulnerability

2016/9/19 12:55:43 | Ubuntu security notices

Ubuntu Security Notice USN-3078-1


13th September, 2016


mysql-5.5, mysql-5.7 vulnerability


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS


  • Ubuntu 12.04 LTS





Summary


MySQL could be made to run programs as an administrator.





Software description





  • mysql-5.5
    - MySQL database







  • mysql-5.7
    - MySQL database







Details


Dawid Golunski discovered that MySQL incorrectly handled configuration
files. A remote attacker could possibly use this issue to execute arbitrary
code with root privileges.



MySQL has been updated to 5.5.52 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 16.04 LTS has been updated to MySQL 5.7.15.



In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.



Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-51.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-14.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




mysql-server-5.7

5.7.15-0ubuntu0.16.04.1





Ubuntu 14.04 LTS:




mysql-server-5.5

5.5.52-0ubuntu0.14.04.1





Ubuntu 12.04 LTS:




mysql-server-5.5

5.5.52-0ubuntu0.12.04.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2016-6662


USN-3079-1: WebKitGTK+ vulnerabilities

2016/9/19 12:55:43 | Ubuntu security notices

Ubuntu Security Notice USN-3079-1


14th September, 2016


webkit2gtk vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS





Summary


Several security issues were fixed in WebKitGTK+.





Software description





  • webkit2gtk
    - JavaScript engine library from WebKitGTK+ - GObject introspection







Details


A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




libwebkit2gtk-4.0-37

2.12.5-0ubuntu0.16.04.1






libjavascriptcoregtk-4.0-18

2.12.5-0ubuntu0.16.04.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.





References




CVE-2016-1854,

CVE-2016-1856,

CVE-2016-1857,

CVE-2016-1858,

CVE-2016-1859,

CVE-2016-4583,

CVE-2016-4585,

CVE-2016-4586,

CVE-2016-4588,

CVE-2016-4589,

CVE-2016-4590,

CVE-2016-4591,

CVE-2016-4622,

CVE-2016-4623,

CVE-2016-4624,

CVE-2016-4651


USN-3080-1: Python Imaging Library vulnerabilities

2016/9/19 12:55:43 | Ubuntu security notices

Ubuntu Security Notice USN-3080-1


15th September, 2016


python-imaging vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 12.04 LTS





Summary


Python Imaging Libary could be made to crash if it received specially crafted
input or opened a specially crafted file.





Software description





  • python-imaging
    - Python Imaging Library







Details


Eric Soroos discovered that the Python Imaging Library incorrectly handled
certain malformed FLI or PhotoCD files. A remote attacker could use this
issue to cause Python Imaging Library to crash, resulting in a denial of
service. (CVE-2016-0775, CVE-2016-2533)



Andrew Drake discovered that the Python Imaging Libray incorrectly validated
input. A remote attacker could use this to cause Python Imaging Library to
crash, resulting in a denial of service. (CVE-2014-3589)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 12.04 LTS:




python-imaging

1.1.7-4ubuntu0.12.04.2






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2014-3589,

CVE-2016-0775,

CVE-2016-2533


USN-3077-1: OpenJDK 6 vulnerabilities

2016/9/14 0:54:26 | Ubuntu security notices

Ubuntu Security Notice USN-3077-1


12th September, 2016


openjdk-6 vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 12.04 LTS





Summary


Several security issues were fixed in OpenJDK 6.





Software description





  • openjdk-6
    - Open Source Java implementation







Details


A vulnerability was discovered in the OpenJDK JRE related to data
integrity. An attacker could exploit this to expose sensitive data over the
network or possibly execute arbitrary code. (CVE-2016-3458)



Multiple vulnerabilities were discovered in the OpenJDK JRE related
to availability. An attacker could exploit these to cause a denial
of service. (CVE-2016-3500, CVE-2016-3508)



A vulnerability was discovered in the OpenJDK JRE related to information
disclosure. An attacker could exploit this to expose sensitive data over
the network. (CVE-2016-3550)



A vulnerability was discovered in the OpenJDK JRE related to information
disclosure, data integrity, and availability. An attacker could exploit
this to cause a denial of service, expose sensitive data over the network,
or possibly execute arbitrary code. (CVE-2016-3606)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 12.04 LTS:




icedtea-6-jre-cacao

6b40-1.13.12-0ubuntu0.12.04.1






icedtea-6-jre-jamvm

6b40-1.13.12-0ubuntu0.12.04.1






openjdk-6-jre

6b40-1.13.12-0ubuntu0.12.04.1






openjdk-6-jre-headless

6b40-1.13.12-0ubuntu0.12.04.1






openjdk-6-jre-zero

6b40-1.13.12-0ubuntu0.12.04.1






openjdk-6-jre-lib

6b40-1.13.12-0ubuntu0.12.04.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.





References




CVE-2016-3458,

CVE-2016-3500,

CVE-2016-3508,

CVE-2016-3550,

CVE-2016-3606


USN-3074-1: File Roller vulnerability

2016/9/10 0:04:48 | Ubuntu security notices

Ubuntu Security Notice USN-3074-1


8th September, 2016


file-roller vulnerability


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS





Summary


File Roller could be made to delete files.





Software description





  • file-roller
    - archive manager for GNOME









Details


It was discovered that File Roller incorrectly handled symlinks. If a user were
tricked into extracting a specially-crafted archive, an attacker could delete
files outside of the extraction directory.



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




file-roller

3.16.5-0ubuntu1.2





Ubuntu 14.04 LTS:




file-roller

3.10.2.1-0ubuntu4.2






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2016-7162,

LP: 1171236


USN-3075-1: Imlib2 vulnerabilities

2016/9/10 0:04:48 | Ubuntu security notices

Ubuntu Security Notice USN-3075-1


8th September, 2016


imlib2 vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS


  • Ubuntu 12.04 LTS





Summary


Several security issues were fixed in Imlib2.





Software description





  • imlib2
    - Image manipulation and rendering library











Details


Jakub Wilk discovered an out of bounds read in the GIF loader
implementation in Imlib2. An attacker could use this to cause a
denial of service (application crash) or possibly obtain sensitive
information. (CVE-2016-3994)



Yuriy M. Kaminskiy discovered an off-by-one error when handling
coordinates in Imlib2. An attacker could use this to cause a denial of
service (application crash). (CVE-2016-3993)



Yuriy M. Kaminskiy discovered that integer overflows existed in Imlib2
when handling images with large dimensions. An attacker could use
this to cause a denial of service (memory exhaustion or application
crash). (CVE-2014-9771, CVE-2016-4024)



Kevin Ryde discovered that the ellipse drawing code in Imlib2 would
attempt to divide by zero when drawing a 2x1 ellipse. An attacker
could use this to cause a denial of service (application crash).
(CVE-2011-5326)



It was discovered that Imlib2 did not properly handled GIF images
without colormaps. An attacker could use this to cause a denial of
service (application crash). This issue only affected Ubuntu 12.04 LTS
and Ubuntu 14.04 LTS. (CVE-2014-9762)



It was discovered that Imlib2 did not properly handle some PNM images,
leading to a division by zero. An attacker could use this to cause
a denial of service (application crash). This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9763)



It was discovered that Imlib2 did not properly handle error conditions
when loading some GIF images. An attacker could use this to cause
a denial of service (application crash). This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9764)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




libimlib2

1.4.7-1ubuntu0.1





Ubuntu 14.04 LTS:




libimlib2

1.4.6-2ubuntu0.1





Ubuntu 12.04 LTS:




libimlib2

1.4.4-1ubuntu0.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


After a standard system update you will need to restart applications
that make use of Imlib2 to make all the necessary changes.





References




CVE-2011-5326,

CVE-2014-9762,

CVE-2014-9763,

CVE-2014-9764,

CVE-2014-9771,

CVE-2016-3993,

CVE-2016-3994,

CVE-2016-4024


USN-3067-1: HarfBuzz vulnerabilities

2016/9/2 17:08:07 | Ubuntu security notices

Ubuntu Security Notice USN-3067-1


24th August, 2016


harfbuzz vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS





Summary


HarfBuzz could be made to crash or run programs as your login if it
processed specially crafted data.





Software description





  • harfbuzz
    - OpenType text shaping engine









Details


Kostya Serebryany discovered that HarfBuzz incorrectly handled memory. A
remote attacker could use this issue to cause HarfBuzz to crash, resulting
in a denial of service, or possibly execute arbitrary code. (CVE-2015-8947)



It was discovered that HarfBuzz incorrectly handled certain length checks.
A remote attacker could use this issue to cause HarfBuzz to crash,
resulting in a denial of service, or possibly execute arbitrary code.
This issue only applied to Ubuntu 16.04 LTS. (CVE-2016-2052)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




libharfbuzz0b

1.0.1-1ubuntu0.1





Ubuntu 14.04 LTS:




libharfbuzz0b

0.9.27-1ubuntu1.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


After a standard system update you need to restart your session to make
all the necessary changes.





References




CVE-2015-8947,

CVE-2016-2052


USN-3068-1: Libidn vulnerabilities

2016/9/2 17:08:07 | Ubuntu security notices

Ubuntu Security Notice USN-3068-1


24th August, 2016


libidn vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS


  • Ubuntu 12.04 LTS





Summary


Several security issues were fixed in Libidn.





Software description





  • libidn
    - implementation of IETF IDN specifications











Details


Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8
characters. A remote attacker could use this issue to cause Libidn to
crash, resulting in a denial of service, or possibly disclose sensitive
memory. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2015-2059)



Hanno Böck discovered that Libidn incorrectly handled certain input. A
remote attacker could possibly use this issue to cause Libidn to crash,
resulting in a denial of service. (CVE-2015-8948, CVE-2016-6262,
CVE-2016-6261, CVE-2016-6263)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




libidn11

1.32-3ubuntu1.1





Ubuntu 14.04 LTS:




libidn11

1.28-1ubuntu2.1





Ubuntu 12.04 LTS:




libidn11

1.23-2ubuntu0.1






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2015-2059,

CVE-2015-8948,

CVE-2016-6261,

CVE-2016-6262,

CVE-2016-6263


USN-3069-1: Eye of GNOME vulnerability

2016/9/2 17:08:07 | Ubuntu security notices

Ubuntu Security Notice USN-3069-1


25th August, 2016


eog vulnerability


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS


  • Ubuntu 14.04 LTS


  • Ubuntu 12.04 LTS





Summary


Eye of GNOME could be made to crash or run programs as your login if it
opened a specially crafted image.





Software description





  • eog
    - Eye of GNOME graphics viewer program











Details


It was discovered that Eye of GNOME incorrectly handled certain invalid
UTF-8 strings. If a user were tricked into opening a specially-crafted
image, a remote attacker could use this issue to cause Eye of GNOME to
crash, resulting in a denial of service, or possibly execute arbitrary
code.



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




eog

3.18.2-1ubuntu2.1





Ubuntu 14.04 LTS:




eog

3.10.2-0ubuntu5.2





Ubuntu 12.04 LTS:




eog

3.4.2-0ubuntu1.3






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


In general, a standard system update will make all the necessary changes.





References




CVE-2016-6855


USN-3070-1: Linux kernel vulnerabilities

2016/9/2 17:08:07 | Ubuntu security notices

Ubuntu Security Notice USN-3070-1


29th August, 2016


linux vulnerabilities


A security issue affects these releases of Ubuntu and its
derivatives:




  • Ubuntu 16.04 LTS





Summary


Several security issues were fixed in the kernel.





Software description





  • linux
    - Linux kernel







Details


A missing permission check when settings ACLs was discovered in nfsd. A
local user could exploit this flaw to gain access to any file by setting an
ACL. (CVE-2016-1237)



Kangjie Lu discovered an information leak in the Reliable Datagram Sockets
(RDS) implementation in the Linux kernel. A local attacker could use this
to obtain potentially sensitive information from kernel memory.
(CVE-2016-5244)



James Patrick-Evans discovered that the airspy USB device driver in the
Linux kernel did not properly handle certain error conditions. An attacker
with physical access could use this to cause a denial of service (memory
consumption). (CVE-2016-5400)



Yue Cao et al discovered a flaw in the TCP implementation's handling of
challenge acks in the Linux kernel. A remote attacker could use this to
cause a denial of service (reset connection) or inject content into an TCP
stream. (CVE-2016-5696)



Pengfei Wang discovered a race condition in the MIC VOP driver in the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or obtain potentially sensitive information from kernel
memory. (CVE-2016-5728)



Cyril Bur discovered that on PowerPC platforms, the Linux kernel mishandled
transactional memory state on exec(). A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2016-5828)



It was discovered that a heap based buffer overflow existed in the USB HID
driver in the Linux kernel. A local attacker could use this cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2016-5829)



It was discovered that the OverlayFS implementation in the Linux kernel did
not properly verify dentry state before proceeding with unlink and rename
operations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2016-6197)



Update instructions


The problem can be corrected by updating your system to the following
package version:




Ubuntu 16.04 LTS:




linux-image-4.4.0-36-generic-lpae

4.4.0-36.55






linux-image-4.4.0-36-powerpc64-smp

4.4.0-36.55






linux-image-4.4.0-36-powerpc-e500mc

4.4.0-36.55






linux-image-4.4.0-36-powerpc64-emb

4.4.0-36.55






linux-image-4.4.0-36-lowlatency

4.4.0-36.55






linux-image-4.4.0-36-generic

4.4.0-36.55






linux-image-4.4.0-36-powerpc-smp

4.4.0-36.55






To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.


After a standard system update you need to reboot your computer to make
all the necessary changes.



ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.





References




CVE-2016-1237,

CVE-2016-5244,

CVE-2016-5400,

CVE-2016-5696,

CVE-2016-5728,

CVE-2016-5828,

CVE-2016-5829,

CVE-2016-6197