Ubuntu 6589 Published by

The following updates has been released for Ubuntu Linux:

USN-3902-2: PHP vulnerabilities
USN-3906-1: LibTIFF vulnerabilities
USN-3907-1: WALinuxAgent vulnerability
USN-3908-1: Linux kernel vulnerability



USN-3902-2: PHP vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3902-2
March 12, 2019

php5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

USN-3902-1 fixed a vulnerability in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that the PHP XML-RPC module incorrectly handled
 decoding XML data. A remote attacker could possibly use this issue to
 cause PHP to crash, resulting in a denial of service. (CVE-2019-9020,
 CVE-2019-9024)

 It was discovered that the PHP PHAR module incorrectly handled certain
 filenames. A remote attacker could possibly use this issue to cause
 PHP to crash, resulting in a denial of service. (CVE-2019-9021)

 It was discovered that PHP incorrectly handled mbstring regular
 expressions. A remote attacker could possibly use this issue to cause
 PHP to crash, resulting in a denial of service. (CVE-2019-9023)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libapache2-mod-php5 5.3.10-1ubuntu3.33
  php5-cgi 5.3.10-1ubuntu3.33
  php5-cli 5.3.10-1ubuntu3.33
  php5-fpm 5.3.10-1ubuntu3.33
  php5-xmlrpc 5.3.10-1ubuntu3.33

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3902-2
  https://usn.ubuntu.com/usn/usn-3902-1
  CVE-2019-9020, CVE-2019-9021, CVE-2019-9023, CVE-2019-9024

USN-3906-1: LibTIFF vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3906-1
March 12, 2019

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libtiff-tools 4.0.9-6ubuntu0.2
libtiff5 4.0.9-6ubuntu0.2

Ubuntu 18.04 LTS:
libtiff-tools 4.0.9-5ubuntu0.2
libtiff5 4.0.9-5ubuntu0.2

Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.6
libtiff5 4.0.6-1ubuntu0.6

Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.11
libtiff5 4.0.3-7ubuntu0.11

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3906-1
CVE-2018-10779, CVE-2018-12900, CVE-2018-17000, CVE-2018-19210,
CVE-2019-6128, CVE-2019-7663

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.9-6ubuntu0.2
https://launchpad.net/ubuntu/+source/tiff/4.0.9-5ubuntu0.2
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.6
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.11

USN-3907-1: WALinuxAgent vulnerability


==========================================================================
Ubuntu Security Notice USN-3907-1
March 12, 2019

walinuxagent vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

WALinuxAgent could be made to expose sensitive information.

Software Description:
- walinuxagent: Windows Azure Linux Agent

Details:

It was discovered that WALinuxAgent created swap files with incorrect
permissions. A local attacker could possibly use this issue to obtain
sensitive information from the swap file.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
walinuxagent 2.2.32-0ubuntu1~18.10.2

Ubuntu 18.04 LTS:
walinuxagent 2.2.32-0ubuntu1~18.04.2

Ubuntu 16.04 LTS:
walinuxagent 2.2.32-0ubuntu1~16.04.2

Ubuntu 14.04 LTS:
walinuxagent 2.2.32-0ubuntu1~14.04.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3907-1
CVE-2019-0804

Package Information:
https://launchpad.net/ubuntu/+source/walinuxagent/2.2.32-0ubuntu1~18.10.2
https://launchpad.net/ubuntu/+source/walinuxagent/2.2.32-0ubuntu1~18.04.2
https://launchpad.net/ubuntu/+source/walinuxagent/2.2.32-0ubuntu1~16.04.2
https://launchpad.net/ubuntu/+source/walinuxagent/2.2.32-0ubuntu1~14.04.2

USN-3908-1: Linux kernel vulnerability


=========================================================================
Ubuntu Security Notice USN-3908-1
March 12, 2019

linux vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

Jann Horn discovered a race condition in the fork() system call in the
Linux kernel. A local attacker could use this to gain access to services
that cache authorizations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-3.13.0-166-generic 3.13.0-166.216
linux-image-3.13.0-166-generic-lpae 3.13.0-166.216
linux-image-3.13.0-166-lowlatency 3.13.0-166.216
linux-image-3.13.0-166-powerpc-e500 3.13.0-166.216
linux-image-3.13.0-166-powerpc-e500mc 3.13.0-166.216
linux-image-3.13.0-166-powerpc-smp 3.13.0-166.216
linux-image-3.13.0-166-powerpc64-emb 3.13.0-166.216
linux-image-3.13.0-166-powerpc64-smp 3.13.0-166.216
linux-image-generic 3.13.0.166.177
linux-image-generic-lpae 3.13.0.166.177
linux-image-lowlatency 3.13.0.166.177
linux-image-powerpc-e500 3.13.0.166.177
linux-image-powerpc-e500mc 3.13.0.166.177
linux-image-powerpc-smp 3.13.0.166.177
linux-image-powerpc64-emb 3.13.0.166.177
linux-image-powerpc64-smp 3.13.0.166.177
linux-image-virtual 3.13.0.166.177

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3908-1
CVE-2019-6133

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-166.216