Ubuntu 6590 Published by

The following updates has been released for Ubuntu Linux:

USN-3729-1: libxcursor vulnerability
USN-3730-1: LXC vulnerability
USN-3731-1: LFTP vulnerability
USN-3731-2: LFTP vulnerability
USN-3732-1: Linux kernel vulnerability
USN-3732-2: Linux kernel (HWE) vulnerability



USN-3729-1: libxcursor vulnerability


==========================================================================
Ubuntu Security Notice USN-3729-1
August 06, 2018

libxcursor vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

libxcursor could be made to crash or run programs if it opened a
specially crafted file.

Software Description:
- libxcursor: X11 cursor management library

Details:

It was discovered that libxcursor incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  libxcursor1 1:1.1.14-1ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  libxcursor1 1:1.1.14-1ubuntu0.14.04.2

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3729-1
  CVE-2015-9262

Package Information:
  https://launchpad.net/ubuntu/+source/libxcursor/1:1.1.14-1ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/libxcursor/1:1.1.14-1ubuntu0.14.04.2

USN-3730-1: LXC vulnerability


==========================================================================
Ubuntu Security Notice USN-3730-1
August 06, 2018

lxc vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

LXC would allow unintended access to files.

Software Description:
- lxc: Linux Containers userspace tools

Details:

Matthias Gerstner discovered that LXC incorrectly handled the lxc-user-nic
utility. A local attacker could possibly use this issue to open arbitrary
files.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
lxc 3.0.1-0ubuntu1~18.04.2

After a standard system update you need to restart LXC containers to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3730-1
CVE-2018-6556

Package Information:
https://launchpad.net/ubuntu/+source/lxc/3.0.1-0ubuntu1~18.04.2

USN-3731-1: LFTP vulnerability


==========================================================================
Ubuntu Security Notice USN-3731-1
August 06, 2018

lftp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LFTP could be made to crash if it received specially crafted file.

Software Description:
- lftp: Sophisticated command-line FTP/HTTP/BitTorrent client programs

Details:

It was discovered that LFTP incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  lftp 4.8.1-1ubuntu0.1

Ubuntu 16.04 LTS:
  lftp 4.6.3a-1ubuntu0.1

Ubuntu 14.04 LTS:
  lftp 4.4.13-1ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3731-1
  CVE-2018-10196

Package Information:
  https://launchpad.net/ubuntu/+source/lftp/4.8.1-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/lftp/4.6.3a-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/lftp/4.4.13-1ubuntu0.1

USN-3731-2: LFTP vulnerability


==========================================================================
Ubuntu Security Notice USN-3731-2
August 06, 2018

lftp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

LFTP could be made to crash if it received specially crafted file.

Software Description:
- lftp: Sophisticated command-line FTP/HTTP client programs

Details:

USN-3731-1 fixed a vulnerability in LFTP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that LFTP incorrectly handled certain files.
 An attacker could possibly use this issue to cause a denial of
service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  lftp 4.3.3-1ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3731-2
  https://usn.ubuntu.com/usn/usn-3731-1
  CVE-2018-10916

USN-3732-1: Linux kernel vulnerability


=========================================================================
Ubuntu Security Notice USN-3732-1
August 06, 2018

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem,
linux-raspi2 vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

The system could be made unavailable if it received specially crafted
network traffic.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oem: Linux kernel for OEM processors
- linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel
performed algorithmically expensive operations in some situations when
handling incoming packets. A remote attacker could use this to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1013-oem 4.15.0-1013.16
linux-image-4.15.0-1015-gcp 4.15.0-1015.15
linux-image-4.15.0-1017-aws 4.15.0-1017.17
linux-image-4.15.0-1017-kvm 4.15.0-1017.17
linux-image-4.15.0-1018-raspi2 4.15.0-1018.19
linux-image-4.15.0-1019-azure 4.15.0-1019.19
linux-image-4.15.0-30-generic 4.15.0-30.32
linux-image-4.15.0-30-generic-lpae 4.15.0-30.32
linux-image-4.15.0-30-lowlatency 4.15.0-30.32
linux-image-4.15.0-30-snapdragon 4.15.0-30.32
linux-image-aws 4.15.0.1017.17
linux-image-azure 4.15.0.1019.19
linux-image-azure-edge 4.15.0.1019.19
linux-image-gcp 4.15.0.1015.17
linux-image-generic 4.15.0.30.32
linux-image-generic-lpae 4.15.0.30.32
linux-image-gke 4.15.0.1015.17
linux-image-kvm 4.15.0.1017.17
linux-image-lowlatency 4.15.0.30.32
linux-image-oem 4.15.0.1013.15
linux-image-raspi2 4.15.0.1018.16
linux-image-snapdragon 4.15.0.30.32

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3732-1
CVE-2018-5390

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-30.32
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1017.17
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1019.19
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1015.15
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1017.17
https://launchpad.net/ubuntu/+source/linux-oem/4.15.0-1013.16
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1018.19

USN-3732-2: Linux kernel (HWE) vulnerability


=========================================================================
Ubuntu Security Notice USN-3732-2
August 06, 2018

linux-hwe, linux-azure, linux-gcp vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

The system could be made unavailable if it received specially crafted
network traffic.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

USN-3732-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS.

Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel
performed algorithmically expensive operations in some situations when
handling incoming packets. A remote attacker could use this to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.15.0-1015-gcp 4.15.0-1015.15~16.04.1
linux-image-4.15.0-1019-azure 4.15.0-1019.19~16.04.1
linux-image-4.15.0-30-generic 4.15.0-30.32~16.04.1
linux-image-4.15.0-30-generic-lpae 4.15.0-30.32~16.04.1
linux-image-4.15.0-30-lowlatency 4.15.0-30.32~16.04.1
linux-image-azure 4.15.0.1019.25
linux-image-gcp 4.15.0.1015.27
linux-image-generic-hwe-16.04 4.15.0.30.52
linux-image-generic-lpae-hwe-16.04 4.15.0.30.52
linux-image-gke 4.15.0.1015.27
linux-image-lowlatency-hwe-16.04 4.15.0.30.52

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3732-2
https://usn.ubuntu.com/usn/usn-3732-1
CVE-2018-5390

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1019.19~16.04.1
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1015.15~16.04.1
https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-30.32~16.04.1