The following updates have been released for Ubuntu Linux:
USN-3989-1: LibRaw vulnerabilities
USN-3990-1: urllib3 vulnerabilities
USN-3991-1: Firefox vulnerabilities
USN-3989-1: LibRaw vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3989-1
May 21, 2019
libraw vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in LibRaw.
Software Description:
- libraw: raw image decoder library
Details:
It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, a remote attacker could cause applications linked against LibRaw to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
libraw16 0.18.13-1ubuntu0.1
Ubuntu 18.04 LTS:
libraw16 0.18.8-1ubuntu0.3
Ubuntu 16.04 LTS:
libraw15 0.17.1-1ubuntu0.5
After a standard system update you need to restart your session to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3989-1
CVE-2018-20337, CVE-2018-20363, CVE-2018-20364, CVE-2018-20365,
CVE-2018-5817, CVE-2018-5818, CVE-2018-5819
Package Information:
https://launchpad.net/ubuntu/+source/libraw/0.18.13-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libraw/0.18.8-1ubuntu0.3
https://launchpad.net/ubuntu/+source/libraw/0.17.1-1ubuntu0.5
USN-3990-1: urllib3 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3990-1
May 21, 2019
python-urllib3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in urllib3.
Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling for Python
Details:
It was discovered that urllib3 incorrectly removed Authorization HTTP
headers when handling cross-origin redirects. This could result in
credentials being sent to unintended hosts. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20060)
It was discovered that urllib3 incorrectly stripped certain characters from
requests. A remote attacker could use this issue to perform CRLF injection.
(CVE-2019-11236)
It was discovered that urllib3 incorrectly handled situations where a
desired set of CA certificates was specified. This could result in
certificates being accepted by the default CA certificates contrary to
expectations. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and
Ubuntu 19.04. (CVE-2019-11324)
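An added illustration (not urllib3's code and not the Ubuntu patch) of two client-side behaviours related to CVE-2018-20060 and CVE-2019-11236: dropping credential headers when a redirect leaves the original origin, and rejecting request targets that contain CR/LF. The function names, the origin-based comparison, the header set and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: only Authorization is treated as a credential header here;
# a real client may also want to cover Cookie or Proxy-Authorization.
SENSITIVE_HEADERS = {"authorization"}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(request_url, redirect_url, headers):
    """Headers to send when following a redirect.

    Credential headers are kept only if the redirect stays on the same
    scheme, host and port as the original request.
    """
    if origin(request_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in SENSITIVE_HEADERS}


def check_request_target(target):
    """Return target unchanged, or raise if it could split the request line.

    CR, LF, other control characters and spaces are refused rather than
    silently stripped, so the caller sees the malformed input.
    """
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character or space in request target: %r"
                         % target)
    return target


if __name__ == "__main__":
    # Constructed sample data, not taken from the advisory.
    sample = {"Authorization": "Bearer EXAMPLE-TOKEN",
              "Accept": "application/json"}
    start = "https://api.example.test/v1"
    print(headers_for_redirect(start, "https://api.example.test:443/v2", sample))
    print(headers_for_redirect(start, "https://other.example.test/v1", sample))
    print(check_request_target("/search?q=ok"))
```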
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
python-urllib3 1.24.1-1ubuntu0.1
python3-urllib3 1.24.1-1ubuntu0.1
Ubuntu 18.10:
python-urllib3 1.22-1ubuntu0.18.10.1
python3-urllib3 1.22-1ubuntu0.18.10.1
Ubuntu 18.04 LTS:
python-urllib3 1.22-1ubuntu0.18.04.1
python3-urllib3 1.22-1ubuntu0.18.04.1
Ubuntu 16.04 LTS:
python-urllib3 1.13.1-2ubuntu0.16.04.3
python3-urllib3 1.13.1-2ubuntu0.16.04.3
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3990-1
CVE-2018-20060, CVE-2019-11236, CVE-2019-11324
Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/1.24.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.13.1-2ubuntu0.16.04.3
USN-3991-1: Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3991-1
May 21, 2019
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the browser
UI, trick the user into launching local executable binaries, obtain
sensitive information, conduct cross-site scripting (XSS) attacks, or
execute arbitrary code. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693,
CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701,
CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819,
CVE-2019-9820, CVE-2019-9821)
It was discovered that pressing certain key combinations could bypass
addon installation prompt delays. If a user opened a specially crafted
website, an attacker could potentially exploit this to trick them into
installing a malicious extension. (CVE-2019-11697)
It was discovered that history data could be exposed via drag and drop
of hyperlinks to and from bookmarks. If a user were tricked into dragging
a specially crafted hyperlink to the bookmark toolbar or sidebar, and
subsequently back into the web content area, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2019-11698)
A type confusion bug was discovered with object groups and UnboxedObjects.
If a user were tricked into opening a specially crafted website after
enabling the UnboxedObjects feature, an attacker could potentially
exploit this to bypass security checks. (CVE-2019-9816)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
firefox 67.0+build2-0ubuntu0.19.04.1
Ubuntu 18.10:
firefox 67.0+build2-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
firefox 67.0+build2-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
firefox 67.0+build2-0ubuntu0.16.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3991-1
CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695,
CVE-2019-11696, CVE-2019-11697, CVE-2019-11698, CVE-2019-11699,
CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814,
CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820,
CVE-2019-9821
Package Information:
https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.16.04.1