Ubuntu 6591 Published by

The following updates has been released for Ubuntu Linux:

USN-4078-2: OpenLDAP vulnerabilities
USN-4100-1: KConfig and KDE libraries vulnerabilities
USN-4102-1: LibreOffice vulnerabilities



USN-4078-2: OpenLDAP vulnerabilities

=========================================================================
Ubuntu Security Notice USN-4078-2
August 19, 2019

openldap vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in OpenLDAP.

Software Description:
- openldap: OpenLDAP utilities

Details:

USN-4078-1 fixed several vulnerabilities in openldap. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that OpenLDAP incorrectly handled rootDN delegation. A
database administrator could use this issue to request authorization as an
identity from another database, contrary to expectations. (CVE-2019-13057)

It was discovered that OpenLDAP incorrectly handled SASL authentication and
session encryption. After a first SASL bind was completed, it was possible
to obtain access by performing simple binds, contrary to expectations.
(CVE-2019-13565)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
slapd 2.4.31-1+nmu2ubuntu8.5+esm1

Ubuntu 12.04 ESM:
slapd 2.4.28-1.1ubuntu4.9

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4078-2
https://usn.ubuntu.com/4078-1
CVE-2019-13057, CVE-2019-13565

USN-4100-1: KConfig and KDE libraries vulnerabilities

=========================================================================
Ubuntu Security Notice USN-4100-1
August 16, 2019

kconfig, kde4libs vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

KConfig and KDE libraries could be made to crash or run programs if it
opened a specially crafted file.

Software Description:
- kconfig: configuration settings framework for Qt
- kde4libs: KDE 4 core applications and libraries

Details:

It was discovered that KConfig and KDE libraries have a vulnerability
where an attacker could hide malicious code under desktop and
configuration files. (CVE-2019-14744)

It was discovered that KConfig allows remote attackers to write to
arbitrary files via a ../ in a filename in an archive file. (CVE-2016-6232)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libkdecore5 4:4.14.38-0ubuntu6.1
libkf5configcore5 5.56.0-0ubuntu1.1

Ubuntu 18.04 LTS:
libkdecore5 4:4.14.38-0ubuntu3.1
libkf5configcore5 5.44.0-0ubuntu1.1

Ubuntu 16.04 LTS:
libkdecore5 4:4.14.16-0ubuntu3.3
libkf5configcore5 5.18.0-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4100-1
CVE-2016-6232, CVE-2019-14744

Package Information:
https://launchpad.net/ubuntu/+source/kconfig/5.56.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/kde4libs/4:4.14.38-0ubuntu6.1
https://launchpad.net/ubuntu/+source/kconfig/5.44.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/kde4libs/4:4.14.38-0ubuntu3.1
https://launchpad.net/ubuntu/+source/kconfig/5.18.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/kde4libs/4:4.14.16-0ubuntu3.3

USN-4102-1: LibreOffice vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4102-1
August 19, 2019

libreoffice vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in LibreOffice.

Software Description:
- libreoffice: Office productivity suite

Details:

It was discovered that LibreOffice incorrectly handled LibreLogo scripts.
If a user were tricked into opening a specially crafted document, a remote
attacker could cause LibreOffice to execute arbitrary code. (CVE-2019-9850,
CVE-2019-9851)

It was discovered that LibreOffice incorrectly handled embedded scripts in
document files. If a user were tricked into opening a specially crafted
document, a remote attacker could possibly execute arbitrary code.
(CVE-2019-9852)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libreoffice-core 1:6.2.6-0ubuntu0.19.04.1

Ubuntu 18.04 LTS:
libreoffice-core 1:6.0.7-0ubuntu0.18.04.9

Ubuntu 16.04 LTS:
libreoffice-core 1:5.1.6~rc2-0ubuntu1~xenial9

After a standard system update you need to restart LibreOffice to make all
the necessary changes.

References:
https://usn.ubuntu.com/4102-1
CVE-2019-9850, CVE-2019-9851, CVE-2019-9852

Package Information:
https://launchpad.net/ubuntu/+source/libreoffice/1:6.2.6-0ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/libreoffice/1:6.0.7-0ubuntu0.18.04.9
https://launchpad.net/ubuntu/+source/libreoffice/1:5.1.6~rc2-0ubuntu1~xenial9