Ubuntu 6587 Published by

The following updates has been released for Ubuntu Linux:

USN-3388-2: Subversion vulnerabilities
USN-3411-2: Bazaar vulnerability
USN-3425-2: Apache HTTP Server vulnerability
USN-3454-2: libffi vulnerability
USN-3462-1: Pacemaker vulnerabilities



USN-3388-2: Subversion vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3388-2
October 24, 2017

subversion vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Subversion.

Software Description:
- subversion: Advanced version control system

Details:

USN-3388-1 fixed several vulnerabilities in Subversion. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Ivan Zhakov discovered that Subversion did not properly handle
some requests. A remote attacker could use this to cause a
denial of service. (CVE-2016-2168)

Original advisory details:

 Joern Schneeweisz discovered that Subversion did not properly handle
 host names in 'svn+ssh://' URLs. A remote attacker could use this
 to construct a subversion repository that when accessed could run
 arbitrary code with the privileges of the user. (CVE-2017-9800)

 Daniel Shahaf and James McCoy discovered that Subversion did not
 properly verify realms when using Cyrus SASL authentication. A
 remote attacker could use this to possibly bypass intended access
 restrictions. (CVE-2016-2167)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libapache2-svn 1.6.17dfsg-3ubuntu3.7
  libsvn1 1.6.17dfsg-3ubuntu3.7
  subversion 1.6.17dfsg-3ubuntu3.7

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3388-2
  https://www.ubuntu.com/usn/usn-3388-1
  CVE-2016-2167, CVE-2016-2168, CVE-2017-9800


USN-3411-2: Bazaar vulnerability



==========================================================================
Ubuntu Security Notice USN-3411-2
October 24, 2017

bzr vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Bazaar could be made run programs as your login if it opened a
specially crafted URL.

Software Description:
- bzr: easy to use distributed version control system

Details:

USN-3411-1 fixed a vulnerability in Bazaar. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Adam Collard discovered that Bazaar did not properly handle host names
 in 'bzr+ssh://' URLs. A remote attacker could use this to construct
 a bazaar repository URL that when accessed could run arbitrary code
 with the privileges of the user.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  bzr 2.5.1-0ubuntu2.1
  python-bzrlib 2.5.1-0ubuntu2.1

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3411-2
  https://www.ubuntu.com/usn/usn-3411-1
  CVE-2017-14176

USN-3425-2: Apache HTTP Server vulnerability



==========================================================================
Ubuntu Security Notice USN-3425-2
October 24, 2017

apache2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Apache HTTP Server could be made to expose sensitive information over
the network.

Software Description:
- apache2: Apache HTTP server

Details:

USN-3425-1 fixed a vulnerability in Apache HTTP Server. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Hanno Böck discovered that the Apache HTTP Server incorrectly handled
 Limit directives in .htaccess files. In certain configurations, a
 remote attacker could possibly use this issue to read arbitrary server
 memory, including sensitive information. This issue is known as
 Optionsbleed.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  apache2.2-bin 2.2.22-1ubuntu1.14

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3425-2
  https://www.ubuntu.com/usn/usn-3425-1
  CVE-2017-9798


USN-3454-2: libffi vulnerability


==========================================================================
Ubuntu Security Notice USN-3454-2
October 24, 2017

libffi vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

A security issue was fixed in libffi.

Software Description:
- libffi: Foreign Function Interface library (development files, 32bit)

Details:

USN-3454-1 fixed a vulnerability in libffi. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that libffi incorrectly enforced an executable  
 stack. An attacker could possibly use this issue, in combination with
 another vulnerability, to facilitate executing arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libffi6 3.0.11~rc1-5ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3454-2
  https://www.ubuntu.com/usn/usn-3454-1
  CVE-2017-1000376

USN-3462-1: Pacemaker vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3462-1
October 24, 2017

pacemaker vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Pacemaker.

Software Description:
- pacemaker: Cluster resource manager

Details:

Jan Pokorn and Alain Moulle discovered that Pacemaker incorrectly handled
the IPC interface. A local attacker could possibly use this issue to
execute arbitrary code with root privileges. (CVE-2016-7035)

Alain Moulle discovered that Pacemaker incorrectly handled authentication.
A remote attacker could possibly use this issue to shut down connections,
leading to a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7797)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
pacemaker 1.1.14-2ubuntu1.2

Ubuntu 14.04 LTS:
pacemaker 1.1.10+git20130802-1ubuntu2.4

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3462-1
CVE-2016-7035, CVE-2016-7797

Package Information:
https://launchpad.net/ubuntu/+source/pacemaker/1.1.14-2ubuntu1.2
https://launchpad.net/ubuntu/+source/pacemaker/1.1.10+git20130802-1ubuntu2.4