Ubuntu 6588 Published by

The following security updates has been released for Ubuntu Linux:

USN-3863-1: APT vulnerability
USN-3863-2: APT vulnerability
USN-3864-1: LibTIFF vulnerabilities
USN-3865-1: poppler vulnerabilities



USN-3863-1: APT vulnerability


==========================================================================
Ubuntu Security Notice USN-3863-1
January 22, 2019

apt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

An attacker could trick APT into installing altered packages.

Software Description:
- apt: Advanced front-end for dpkg

Details:

Max Justicz discovered that APT incorrectly handled certain parameters
during redirects. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could potentially be used to install
altered packages.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
apt 1.7.0ubuntu0.1

Ubuntu 18.04 LTS:
apt 1.6.6ubuntu0.1

Ubuntu 16.04 LTS:
apt 1.2.29ubuntu0.1

Ubuntu 14.04 LTS:
apt 1.0.1ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3863-1
CVE-2019-3462

Package Information:
https://launchpad.net/ubuntu/+source/apt/1.7.0ubuntu0.1
https://launchpad.net/ubuntu/+source/apt/1.6.6ubuntu0.1
https://launchpad.net/ubuntu/+source/apt/1.2.29ubuntu0.1
https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.19


USN-3863-2: APT vulnerability


==========================================================================
Ubuntu Security Notice USN-3863-2
January 22, 2019

apt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

An attacker could trick APT into installing altered packages.

Software Description:
- apt: Advanced front-end for dpkg

Details:

USN-3863-1 fixed a vulnerability in APT. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Max Justicz discovered that APT incorrectly handled certain parameters
 during redirects. If a remote attacker were able to perform a
 man-in-the-middle attack, this flaw could potentially be used to
 install altered packages.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  apt 0.8.16~exp12ubuntu10.28

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3863-2
  https://usn.ubuntu.com/usn/usn-3863-1
  CVE-2019-3462

USN-3864-1: LibTIFF vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3864-1
January 22, 2019

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libtiff-tools 4.0.9-6ubuntu0.1
libtiff5 4.0.9-6ubuntu0.1

Ubuntu 18.04 LTS:
libtiff-tools 4.0.9-5ubuntu0.1
libtiff5 4.0.9-5ubuntu0.1

Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.5
libtiff5 4.0.6-1ubuntu0.5

Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.10
libtiff5 4.0.3-7ubuntu0.10

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3864-1
CVE-2018-10963, CVE-2018-17100, CVE-2018-17101, CVE-2018-18557,
CVE-2018-18661, CVE-2018-7456, CVE-2018-8905

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.9-6ubuntu0.1
https://launchpad.net/ubuntu/+source/tiff/4.0.9-5ubuntu0.1
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.5
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.10

USN-3865-1: poppler vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3865-1
January 22, 2019

poppler vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in poppler.

Software Description:
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain PDF files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-20481, CVE-2018-20650)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libpoppler79 0.68.0-0ubuntu1.4
poppler-utils 0.68.0-0ubuntu1.4

Ubuntu 18.04 LTS:
libpoppler73 0.62.0-2ubuntu2.6
poppler-utils 0.62.0-2ubuntu2.6

Ubuntu 16.04 LTS:
libpoppler58 0.41.0-0ubuntu1.11
poppler-utils 0.41.0-0ubuntu1.11

Ubuntu 14.04 LTS:
libpoppler44 0.24.5-2ubuntu4.15
poppler-utils 0.24.5-2ubuntu4.15

In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3865-1
CVE-2018-20481, CVE-2018-20650

Package Information:
https://launchpad.net/ubuntu/+source/poppler/0.68.0-0ubuntu1.4
https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.6
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.11
https://launchpad.net/ubuntu/+source/poppler/0.24.5-2ubuntu4.15