The following updates have been released for Ubuntu Linux:
USN-3957-3: MariaDB vulnerabilities
USN-4008-2: AppArmor update
USN-4009-1: PHP vulnerabilities
USN-4009-2: PHP vulnerabilities
USN-4010-1: Exim vulnerability
USN-3957-3: MariaDB vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3957-3
June 05, 2019
mariadb-10.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in MariaDB.
Software Description:
- mariadb-10.1: MariaDB database
Details:
USN-3957-1 fixed multiple vulnerabilities in MySQL. This update provides the
corresponding fixes for CVE-2019-2614 and CVE-2019-2627 in MariaDB 10.1.
Ubuntu 18.04 LTS has been updated to MariaDB 10.1.40.
In addition to security fixes, the updated package contains bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://mariadb.com/kb/en/library/mariadb-10140-changelog/
https://mariadb.com/kb/en/library/mariadb-10140-release-notes/
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues.
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04 have
been updated to MySQL 5.7.26.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-26.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
mariadb-server 1:10.1.40-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/3957-3
https://usn.ubuntu.com/3957-1
CVE-2019-2614, CVE-2019-2627
Package Information:
https://launchpad.net/ubuntu/+source/mariadb-10.1/1:10.1.40-0ubuntu0.18.04.1
USN-4008-2: AppArmor update
==========================================================================
Ubuntu Security Notice USN-4008-2
June 05, 2019
apparmor update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several policy updates were made for running under the recently updated
Linux kernel.
Software Description:
- apparmor: Linux security system
Details:
USN-4008-1 fixed multiple security issues in the Linux kernel. This update
provides the corresponding changes to AppArmor policy for correctly
operating under the Linux kernel with fixes for CVE-2019-11190. Without
these changes, some profile transitions may be unintentionally denied due
to missing mmap ('m') rules.
Original advisory details:
Robert Święcki discovered that the Linux kernel did not properly apply
Address Space Layout Randomization (ASLR) in some situations for setuid elf
binaries. A local attacker could use this to improve the chances of
exploiting an existing vulnerability in a setuid elf binary. (CVE-2019-11190)
It was discovered that a null pointer dereference vulnerability existed in
the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash). (CVE-2019-11810)
It was discovered that a race condition leading to a use-after-free existed
in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux
kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2019-11815)
Federico Manuel Bento discovered that the Linux kernel did not properly
apply Address Space Layout Randomization (ASLR) in some situations for
setuid a.out binaries. A local attacker could use this to improve the
chances of exploiting an existing vulnerability in a setuid a.out binary.
(CVE-2019-11191)
As a hardening measure, this update disables a.out support.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
apparmor-profiles 2.10.95-0ubuntu2.11
python3-apparmor 2.10.95-0ubuntu2.11
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4008-2
https://usn.ubuntu.com/4008-1
CVE-2019-11190
Package Information:
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.11
USN-4009-1: PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-4009-1
June 05, 2019
php7.0, php7.2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php7.2: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled certain exif tags in images.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly obtain sensitive information.
(CVE-2019-11036)
It was discovered that PHP incorrectly decoded certain MIME headers. A
remote attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2019-11039)
It was discovered that PHP incorrectly handled certain exif tags in images.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2019-11040)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
libapache2-mod-php7.2 7.2.19-0ubuntu0.19.04.1
php7.2-cgi 7.2.19-0ubuntu0.19.04.1
php7.2-cli 7.2.19-0ubuntu0.19.04.1
php7.2-fpm 7.2.19-0ubuntu0.19.04.1
Ubuntu 18.10:
libapache2-mod-php7.2 7.2.19-0ubuntu0.18.10.1
php7.2-cgi 7.2.19-0ubuntu0.18.10.1
php7.2-cli 7.2.19-0ubuntu0.18.10.1
php7.2-fpm 7.2.19-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
libapache2-mod-php7.2 7.2.19-0ubuntu0.18.04.1
php7.2-cgi 7.2.19-0ubuntu0.18.04.1
php7.2-cli 7.2.19-0ubuntu0.18.04.1
php7.2-fpm 7.2.19-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.33-0ubuntu0.16.04.5
php7.0-cgi 7.0.33-0ubuntu0.16.04.5
php7.0-cli 7.0.33-0ubuntu0.16.04.5
php7.0-fpm 7.0.33-0ubuntu0.16.04.5
In Ubuntu 18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04, this update uses a new
upstream release, which includes additional bug fixes.
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4009-1
CVE-2019-11036, CVE-2019-11039, CVE-2019-11040
Package Information:
https://launchpad.net/ubuntu/+source/php7.2/7.2.19-0ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/php7.2/7.2.19-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/php7.2/7.2.19-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.5
USN-4009-2: PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-4009-2
June 05, 2019
php5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in PHP.
Software Description:
- php5: HTML-embedded scripting language interpreter
Details:
USN-4009-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
It was discovered that PHP incorrectly decoded certain MIME headers.
A remote attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2019-11039)
It was discovered that PHP incorrectly handled certain exif tags in
images. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-11040)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.29+esm3
php5-cgi 5.5.9+dfsg-1ubuntu4.29+esm3
php5-cli 5.5.9+dfsg-1ubuntu4.29+esm3
php5-fpm 5.5.9+dfsg-1ubuntu4.29+esm3
Ubuntu 12.04 ESM:
libapache2-mod-php5 5.3.10-1ubuntu3.37
php5-cgi 5.3.10-1ubuntu3.37
php5-cli 5.3.10-1ubuntu3.37
php5-fpm 5.3.10-1ubuntu3.37
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4009-2
https://usn.ubuntu.com/4009-1
CVE-2019-11039, CVE-2019-11040
USN-4010-1: Exim vulnerability
==========================================================================
Ubuntu Security Notice USN-4010-1
June 05, 2019
exim4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
Summary:
Exim could be made to run commands if it received specially crafted network
traffic.
Software Description:
- exim4: Exim is a mail transport agent
Details:
It was discovered that Exim incorrectly handled certain decoding
operations. A remote attacker could possibly use this issue to execute
arbitrary commands.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
exim4-daemon-heavy 4.91-6ubuntu1.1
exim4-daemon-light 4.91-6ubuntu1.1
Ubuntu 18.04 LTS:
exim4-daemon-heavy 4.90.1-1ubuntu1.2
exim4-daemon-light 4.90.1-1ubuntu1.2
In general, a standard system update will make all the necessary changes.
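Every notice above ends with the same "Update instructions" table of release, package and fixed version. The check a defender wants after reading it is whether the installed packages meet those versions, which requires ordering version strings the way dpkg does (epoch first, then upstream version, then Debian revision; digit runs compared numerically, '~' sorting before everything else). The following is an added example and not Ubuntu's or dpkg's own code: it parses that table format, reimplements the dpkg comparison rules, and compares against lines in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output. The advisory excerpt merges the Ubuntu 18.04 LTS lines from the notices above, and the "installed" versions are constructed for the demo.

```python
"""Added example: check installed package versions against a USN's
"Update instructions" block using dpkg version-ordering rules."""
import re

RELEASE_RE = re.compile(r"^(Ubuntu \d+\.\d+(?: LTS| ESM)?):$")
PACKAGE_RE = re.compile(r"^([a-z0-9][a-z0-9.+-]*) (\d\S*)$")


def _order(c: str) -> int:
    """Weight of a non-digit character, as in dpkg: '~' < end < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string; negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """dpkg --compare-versions semantics: <0 if a is older than b, 0 if equal, >0 if newer."""
    def split(v):
        epoch, sep, rest = v.partition(":")  # epoch is everything before the first ':'
        if not sep:
            epoch, rest = "0", v
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_update_instructions(text: str) -> dict:
    """Map each 'Ubuntu X.Y ...:' heading to its {package: fixed_version} lines."""
    required, release = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RELEASE_RE.match(line)
        if m:
            release = m.group(1)
            required.setdefault(release, {})
            continue
        m = PACKAGE_RE.match(line)
        if m and release is not None:
            required[release][m.group(1)] = m.group(2)
    return required


def parse_dpkg_query(output: str) -> dict:
    """Parse 'Package Version' lines as printed by dpkg-query -W -f='${Package} ${Version}\\n'."""
    return {p: v for p, v in (line.split() for line in output.splitlines() if line.strip())}


def find_outdated(required: dict, installed: dict) -> list:
    """(package, installed, fixed) for installed packages below the fixed version."""
    outdated = []
    for pkg, fixed in sorted(required.items()):
        have = installed.get(pkg)  # packages that are not installed are not affected
        if have is not None and compare_versions(have, fixed) < 0:
            outdated.append((pkg, have, fixed))
    return outdated


# Constructed excerpt: the Ubuntu 18.04 LTS lines from the advisories above, merged.
ADVISORY_EXCERPT = """\
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
exim4-daemon-heavy 4.91-6ubuntu1.1
exim4-daemon-light 4.91-6ubuntu1.1
Ubuntu 18.04 LTS:
exim4-daemon-heavy 4.90.1-1ubuntu1.2
exim4-daemon-light 4.90.1-1ubuntu1.2
mariadb-server 1:10.1.40-0ubuntu0.18.04.1
libapache2-mod-php7.2 7.2.19-0ubuntu0.18.04.1
php7.2-cli 7.2.19-0ubuntu0.18.04.1
In general, a standard system update will make all the necessary changes.
"""

# Constructed dpkg-query output for a hypothetical 18.04 host; the older
# version strings are made up for the demo, not taken from the advisories.
DPKG_QUERY_OUTPUT = """\
exim4-daemon-light 4.90.1-1ubuntu1.2
libapache2-mod-php7.2 7.2.15-0ubuntu0.18.04.1
mariadb-server 1:10.1.38-0ubuntu0.18.04.1
php7.2-cli 7.2.19-0ubuntu0.18.04.1
"""


def demo_outdated() -> list:
    required = parse_update_instructions(ADVISORY_EXCERPT)["Ubuntu 18.04 LTS"]
    return find_outdated(required, parse_dpkg_query(DPKG_QUERY_OUTPUT))


if __name__ == "__main__":
    for pkg, have, fixed in demo_outdated():
        print(f"{pkg}: installed {have} is older than fixed {fixed}")
```

On a real host, replace DPKG_QUERY_OUTPUT with the output of that dpkg-query command and pick the release heading that matches the system; a non-empty result means the notice still applies. Packages the notice lists but the host does not have installed are deliberately not reported, since the advisory only concerns installed software.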
References:
https://usn.ubuntu.com/4010-1
CVE-2019-10149
Package Information:
https://launchpad.net/ubuntu/+source/exim4/4.91-6ubuntu1.1
https://launchpad.net/ubuntu/+source/exim4/4.90.1-1ubuntu1.2