Ubuntu 6614 Published by

The following updates has been released for Ubuntu Linux:

USN-3998-1: Evolution Data Server vulnerability
USN-3999-1: GnuTLS vulnerabilities
USN-4000-1: Corosync vulnerability
USN-4001-1: libseccomp vulnerability
USN-4001-2: libseccomp vulnerability



USN-3998-1: Evolution Data Server vulnerability



=========================================================================
Ubuntu Security Notice USN-3998-1
May 30, 2019

evolution-data-server vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Evolution Data Server would sometimes display email content as encrypted
when it was not.

Software Description:
- evolution-data-server: Evolution suite data server

Details:

Marcus Brinkmann discovered that Evolution Data Server did not correctly
interpret the output from GPG when decrypting encrypted messages. Under
certain circumstances, this could result in displaying clear-text portions
of encrypted messages as though they were encrypted.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
evolution-data-server 3.28.5-0ubuntu0.18.04.2
evolution-data-server-common 3.28.5-0ubuntu0.18.04.2
libcamel-1.2-61 3.28.5-0ubuntu0.18.04.2
libebackend-1.2-10 3.28.5-0ubuntu0.18.04.2
libedataserver-1.2-23 3.28.5-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
evolution-data-server 3.18.5-1ubuntu1.2
evolution-data-server-common 3.18.5-1ubuntu1.2
libcamel-1.2-54 3.18.5-1ubuntu1.2
libebackend-1.2-10 3.18.5-1ubuntu1.2
libedataserver-1.2-21 3.18.5-1ubuntu1.2

After a standard system update you need to restart Evolution to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3998-1
CVE-2018-15587

Package Information:
https://launchpad.net/ubuntu/+source/evolution-data-server/3.28.5-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/evolution-data-server/3.18.5-1ubuntu1.2

USN-3999-1: GnuTLS vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3999-1
May 30, 2019

gnutls28 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:
- gnutls28: GNU TLS library

Details:

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was
vulnerable to a timing side-channel attack known as the "Lucky Thirteen"
issue. A remote attacker could possibly use this issue to perform
plaintext-recovery attacks via analysis of timing data. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10844,
CVE-2018-10845, CVE-2018-10846)

Tavis Ormandy discovered that GnuTLS incorrectly handled memory when
verifying certain X.509 certificates. A remote attacker could use this
issue to cause GnuTLS to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3829)

It was discovered that GnuTLS incorrectly handled certain post-handshake
messages. A remote attacker could use this issue to cause GnuTLS to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3836)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libgnutls30 3.6.5-2ubuntu1.1

Ubuntu 18.10:
libgnutls30 3.6.4-2ubuntu1.2

Ubuntu 18.04 LTS:
libgnutls30 3.5.18-1ubuntu1.1

Ubuntu 16.04 LTS:
libgnutls30 3.4.10-4ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3999-1
CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2019-3829,
CVE-2019-3836

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.6.5-2ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.6.4-2ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.5.18-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.5


USN-4000-1: Corosync vulnerability


==========================================================================
Ubuntu Security Notice USN-4000-1
May 30, 2019

corosync vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Corosync could be made to crash or execute arbitrary code if it
received a specially crafted request.

Software Description:
- corosync: cluster engine daemon and utilities

Details:

It was discovered that Corosync incorrectly handled certain requests.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  corosync 2.4.3-0ubuntu1.1
  libtotem-pg5 2.4.3-0ubuntu1.1

Ubuntu 16.04 LTS:
  corosync 2.3.5-3ubuntu2.3
  libtotem-pg5 2.3.5-3ubuntu2.3

After a standard system update you need to restart Corosync to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-4000-1
  CVE-2018-1084

Package Information:
  https://launchpad.net/ubuntu/+source/corosync/2.4.3-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/corosync/2.3.5-3ubuntu2.3

USN-4001-1: libseccomp vulnerability


=========================================================================
Ubuntu Security Notice USN-4001-1
May 30, 2019

libseccomp vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

libseccomp could allow unintended access to system calls.

Software Description:
- libseccomp: library for working with the Linux seccomp filter

Details:

Jann Horn discovered that libseccomp did not correctly generate 64-bit
syscall argument comparisons with arithmetic operators (LT, GT, LE, GE).
An attacker could use this to bypass intended access restrictions for
argument-filtered system calls.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libseccomp2 2.4.1-0ubuntu0.19.04.3

Ubuntu 18.10:
libseccomp2 2.4.1-0ubuntu0.18.10.3

Ubuntu 18.04 LTS:
libseccomp2 2.4.1-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
libseccomp2 2.4.1-0ubuntu0.16.04.2

This update uses a new upstream release which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-4001-1
CVE-2019-9893

Package Information:
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.19.04.3
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.18.10.3
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.16.04.2

USN-4001-2: libseccomp vulnerability


=========================================================================
Ubuntu Security Notice USN-4001-2
May 30, 2019

libseccomp vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

libseccomp could allow unintended access to system calls.

Software Description:
- libseccomp: library for working with the Linux seccomp filter

Details:

USN-4001-1 fixed a vulnerability in libseccomp. This update provides the
corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Jann Horn discovered that libseccomp did not correctly generate 64-bit
syscall argument comparisons with arithmetic operators (LT, GT, LE, GE).
An attacker could use this to bypass intended access restrictions for
argument-filtered system calls.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libseccomp2 2.4.1-0ubuntu0.14.04.2

This update uses a new upstream release which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-4001-2
https://usn.ubuntu.com/usn/usn-4001-1
CVE-2019-9893