The following updates have been released for Ubuntu Linux:

USN-3707-2: NTP vulnerabilities
USN-3866-1: Ghostscript vulnerability
USN-3867-1: MySQL vulnerabilities



USN-3707-2: NTP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3707-2
January 23, 2019

ntp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in NTP.

Software Description:
- ntp: Network Time Protocol daemon and utility programs

Details:

USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This
update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Miroslav Lichvar discovered that NTP incorrectly handled certain
 spoofed addresses when performing rate limiting. A remote attacker
 could possibly use this issue to perform a denial of service.
 (CVE-2016-7426)

 Matthew Van Gundy discovered that NTP incorrectly handled certain
 crafted broadcast mode packets. A remote attacker could possibly use
 this issue to perform a denial of service. 
 (CVE-2016-7427, CVE-2016-7428)

 Matthew Van Gundy discovered that NTP incorrectly handled certain
 control mode packets. A remote attacker could use this issue to set or
 unset traps. (CVE-2016-9310)

 Matthew Van Gundy discovered that NTP incorrectly handled the trap
 service. A remote attacker could possibly use this issue to cause NTP
 to crash, resulting in a denial of service. (CVE-2016-9311)

 It was discovered that the NTP legacy DPTS refclock driver incorrectly
 handled the /dev/datum device. A local attacker could possibly use
 this issue to cause a denial of service. (CVE-2017-6462)

 It was discovered that NTP incorrectly handled certain invalid
 settings in a :config directive. A remote authenticated user could
 possibly use this issue to cause NTP to crash, resulting in a denial
 of service. (CVE-2017-6463)

 Michael Macnair discovered that NTP incorrectly handled certain
 responses. A remote attacker could possibly use this issue to execute
 arbitrary code. (CVE-2018-7183)

 Miroslav Lichvar discovered that NTP incorrectly handled certain
 zero-origin timestamps. A remote attacker could possibly use this
 issue to cause a denial of service. (CVE-2018-7185)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  ntp 1:4.2.6.p3+dfsg-1ubuntu3.12

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3707-2
  https://usn.ubuntu.com/usn/usn-3707-1
  CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-9310,
  CVE-2016-9311, CVE-2017-6462, CVE-2017-6463, CVE-2018-7183,
  CVE-2018-7185

USN-3866-1: Ghostscript vulnerability


==========================================================================
Ubuntu Security Notice USN-3866-1
January 23, 2019

ghostscript vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Ghostscript could be made to crash, access files, or run programs if it
opened a specially crafted file.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

Tavis Ormandy discovered that Ghostscript incorrectly handled certain
PostScript files. If a user or automated system were tricked into
processing a specially crafted file, a remote attacker could possibly use
this issue to access arbitrary files, execute arbitrary code, or cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
ghostscript 9.26~dfsg+0-0ubuntu0.18.10.4
libgs9 9.26~dfsg+0-0ubuntu0.18.10.4

Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.4
libgs9 9.26~dfsg+0-0ubuntu0.18.04.4

Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.4
libgs9 9.26~dfsg+0-0ubuntu0.16.04.4

Ubuntu 14.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.14.04.4
libgs9 9.26~dfsg+0-0ubuntu0.14.04.4

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3866-1
CVE-2019-6116

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.10.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.14.04.4

USN-3867-1: MySQL vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3867-1
January 23, 2019

mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues.

Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to
MySQL 5.7.25.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-25.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
mysql-server-5.7 5.7.25-0ubuntu0.18.10.2

Ubuntu 18.04 LTS:
mysql-server-5.7 5.7.25-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.25-0ubuntu0.16.04.2

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3867-1
CVE-2019-2420, CVE-2019-2434, CVE-2019-2455, CVE-2019-2481,
CVE-2019-2482, CVE-2019-2486, CVE-2019-2503, CVE-2019-2507,
CVE-2019-2510, CVE-2019-2528, CVE-2019-2529, CVE-2019-2531,
CVE-2019-2532, CVE-2019-2534, CVE-2019-2537

Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.18.10.2
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.16.04.2
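
Added example (not part of the Ubuntu notices): a check of installed package versions against the fixed versions listed above for Ubuntu 18.04 LTS, using Debian version ordering, where an epoch such as "1:" outranks the upstream version and "~" sorts before everything, including the end of the string. The INSTALLED values are constructed for illustration, and the function names are this example's own.

```python
import re
from itertools import zip_longest

# Fixed versions for Ubuntu 18.04 LTS, copied from the notices above.
FIXED_1804 = {
    "ghostscript": "9.26~dfsg+0-0ubuntu0.18.04.4",
    "libgs9": "9.26~dfsg+0-0ubuntu0.18.04.4",
    "mysql-server-5.7": "5.7.25-0ubuntu0.18.04.2",
}
# Constructed sample of installed versions (not from a real host). On a real
# system this comes from: dpkg-query -W -f='${Package} ${Version}\n'
INSTALLED = {
    "ghostscript": "9.26~dfsg+0-0ubuntu0.18.04.3",
    "libgs9": "9.26~dfsg+0-0ubuntu0.18.04.4",
    "mysql-server-5.7": "5.7.24-0ubuntu0.18.04.1",
}

def _order(c):
    # dpkg character order: '~' < end of string (0) < letters < everything else
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs; a trailing 0 marks end of run
    pairs = re.findall(r"([^0-9]*)([0-9]*)", part)
    return [([_order(c) for c in nd] + [0], int(d or 0)) for nd, d in pairs]

def _cmp_part(a, b):
    # Pad the shorter side with "empty run, 0" so '~' still sorts before the end
    for x, y in zip_longest(_key(a), _key(b), fillvalue=([0], 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def split_version(v):
    # [epoch:]upstream[-revision]; the revision follows the LAST hyphen
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_update(installed, fixed):
    return sorted(p for p, v in fixed.items()
                  if p in installed and compare_versions(installed[p], v) < 0)

print(needs_update(INSTALLED, FIXED_1804))
```

A plain string or dotted-number comparison gets these versions wrong: a version without an epoch sorts below the fixed ntp version 1:4.2.6.p3+dfsg-1ubuntu3.12 whatever its upstream number, and "9.26" sorts above "9.26~dfsg+0".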