Ubuntu Security Notices

Recent content on Ubuntu security notices

openjpeg2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in OpenJPEG.

Software Description

  • openjpeg2 – JPEG 2000 image compression/decompression library

Details

It was discovered that OpenJPEG incorrectly handled certain PGX files. An
attacker could possibly use this issue to cause a denial of service or possibly
achieve remote code execution. (CVE-2017-17480)

It was discovered that OpenJPEG incorrectly handled certain files. An attacker
could possibly use this issue to cause a denial of service. (CVE-2018-14423)

It was discovered that OpenJPEG incorrectly handled certain PNM files. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2018-18088)

It was discovered that OpenJPEG incorrectly handled certain BMP files. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2018-5785, CVE-2018-6616)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libopenjp2-7 – 2.3.0-2build0.18.04.1
libopenjp3d7 – 2.3.0-2build0.18.04.1
libopenjpip7 – 2.3.0-2build0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

libzstd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Zstandard could be made to execute arbitrary code if it received
specially crafted input.

Software Description

  • libzstd – fast lossless compression algorithm – development files

Details

It was discovered that Zstandard incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libzstd1 – 1.3.3+dfsg-2ubuntu1.1
zstd – 1.3.3+dfsg-2ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

giflib vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in GIFLIB.

Software Description

  • giflib – library for GIF images (utilities)

Details

It was discovered that GIFLIB incorrectly handled certain GIF files.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-2016-3977)

It was discovered that GIFLIB incorrectly handled certain GIF files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-11490, CVE-2019-15133)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
giflib-tools – 5.1.4-3ubuntu0.1
libgif7 – 5.1.4-3ubuntu0.1
Ubuntu 18.04 LTS
giflib-tools – 5.1.4-2ubuntu0.1
libgif7 – 5.1.4-2ubuntu0.1
Ubuntu 16.04 LTS
giflib-tools – 5.1.4-0.3~16.04.1
libgif7 – 5.1.4-0.3~16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4106-1: NLTK vulnerability

20 August 2019, 1:46 pm

NLTK vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

NLTK could be made to overwrite files.

Software Description

  • nltk – Python libraries for natural language processing

Details

Mike Salvatore discovered that NLTK mishandled crafted ZIP archives during
extraction. A remote attacker could use this vulnerability to write
arbitrary files to the filesystem.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
python-nltk – 3.4-1ubuntu0.1
python3-nltk – 3.4-1ubuntu0.1
Ubuntu 18.04 LTS
python-nltk – 3.2.5-1ubuntu0.1
python3-nltk – 3.2.5-1ubuntu0.1
Ubuntu 16.04 LTS
python-nltk – 3.1-1ubuntu0.1
python3-nltk – 3.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4105-1: CUPS vulnerabilities

20 August 2019, 3:55 am

cups vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in CUPS.

Software Description

  • cups – Common UNIX Printing System™

Details

Stephan Zeisberg discovered that the CUPS SNMP backend incorrectly handled
encoded ASN.1 inputs. A remote attacker could possibly use this issue to
cause CUPS to crash by providing specially crafted network
traffic. (CVE-2019-8696, CVE-2019-8675)

It was discovered that CUPS did not properly handle client disconnection
events. A local attacker could possibly use this issue to cause a denial of
service or disclose memory from the CUPS server.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
cups – 2.2.10-4ubuntu2.1
Ubuntu 18.04 LTS
cups – 2.2.7-1ubuntu2.7
Ubuntu 16.04 LTS
cups – 2.1.3-4ubuntu0.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4104-1: Nova vulnerability

19 August 2019, 11:17 pm

nova vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Nova could be made to expose sensitive information.

Software Description

  • nova – OpenStack Compute cloud infrastructure

Details

Donny Davis discovered that the Nova Compute service could return
configuration or other information in response to a failed API
request in some situations. A remote attacker could use this to expose
sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
nova-compute – 2:19.0.1-0ubuntu2.1
python3-nova – 2:19.0.1-0ubuntu2.1
Ubuntu 18.04 LTS
nova-compute – 2:17.0.10-0ubuntu2.1
python-nova – 2:17.0.10-0ubuntu2.1
Ubuntu 16.04 LTS
nova-compute – 2:13.1.4-0ubuntu4.5
python-nova – 2:13.1.4-0ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-4103-2: Docker vulnerability

19 August 2019, 5:09 pm

Docker vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Docker could be made to crash or run programs as your login.

Software Description

  • docker.io – Linux container runtime

Details

Jasiel Spelman discovered that a double free existed in the
docker-credential-helpers dependency of Docker. A local attacker could use
this to cause a denial of service (crash) or possibly execute arbitrary code.

Original advisory details:

Jasiel Spelman discovered that a double free existed in
docker-credential-helpers. A local attacker could use this to cause a denial
of service (crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
docker.io – 18.09.7-0ubuntu1~19.04.5
Ubuntu 18.04 LTS
docker.io – 18.09.7-0ubuntu1~18.04.4
Ubuntu 16.04 LTS
docker.io – 18.09.7-0ubuntu1~16.04.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

docker-credential-helpers vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04

Summary

docker-credential-helpers could be made to crash or run programs as your login.

Software Description

  • golang-github-docker-docker-credential-helpers – Use native stores to safeguard Docker credentials

Details

Jasiel Spelman discovered that a double free existed in
docker-credential-helpers. A local attacker could use this to cause a denial
of service (crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
golang-docker-credential-helpers – 0.6.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

openldap vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM

Summary

Several security issues were fixed in OpenLDAP.

Software Description

  • openldap – OpenLDAP utilities

Details

USN-4078-1 fixed several vulnerabilities in openldap. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that OpenLDAP incorrectly handled rootDN delegation. A
database administrator could use this issue to request authorization as an
identity from another database, contrary to expectations. (CVE-2019-13057)

It was discovered that OpenLDAP incorrectly handled SASL authentication and
session encryption. After a first SASL bind was completed, it was possible
to obtain access by performing simple binds, contrary to expectations.
(CVE-2019-13565)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
slapd – 2.4.31-1+nmu2ubuntu8.5+esm1
Ubuntu 12.04 ESM
slapd – 2.4.28-1.1ubuntu4.9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

libreoffice vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in LibreOffice.

Software Description

  • libreoffice – Office productivity suite

Details

It was discovered that LibreOffice incorrectly handled LibreLogo scripts.
If a user were tricked into opening a specially crafted document, a remote
attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850,
CVE-2019-9851)

It was discovered that LibreOffice incorrectly handled embedded scripts in
document files. If a user were tricked into opening a specially crafted
document, a remote attacker could possibly execute arbitrary code.
(CVE-2019-9852)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04
libreoffice-core – 1:6.2.6-0ubuntu0.19.04.1
Ubuntu 18.04 LTS
libreoffice-core – 1:6.0.7-0ubuntu0.18.04.9
Ubuntu 16.04 LTS
libreoffice-core – 1:5.1.6~rc2-0ubuntu1~xenial9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart LibreOffice to make all
the necessary changes.
