Ubuntu 6588 Published by

The following updates has been released for Ubuntu Linux:

USN-3989-1: LibRaw vulnerabilities
USN-3990-1: urllib3 vulnerabilities
USN-3991-1: Firefox vulnerabilities



USN-3989-1: LibRaw vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3989-1
May 21, 2019

libraw vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in LibRaw.

Software Description:
- libraw: raw image decoder library

Details:

It was discovered that LibRaw incorrectly handled photo files. If a user or
automated system were tricked into processing a specially crafted photo
file, a remote attacker could cause applications linked against LibRaw to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libraw16 0.18.13-1ubuntu0.1

Ubuntu 18.04 LTS:
libraw16 0.18.8-1ubuntu0.3

Ubuntu 16.04 LTS:
libraw15 0.17.1-1ubuntu0.5

After a standard system update you need to restart your session to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3989-1
CVE-2018-20337, CVE-2018-20363, CVE-2018-20364, CVE-2018-20365,
CVE-2018-5817, CVE-2018-5818, CVE-2018-5819

Package Information:
https://launchpad.net/ubuntu/+source/libraw/0.18.13-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libraw/0.18.8-1ubuntu0.3
https://launchpad.net/ubuntu/+source/libraw/0.17.1-1ubuntu0.5

USN-3990-1: urllib3 vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3990-1
May 21, 2019

python-urllib3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in urllib3.

Software Description:
- python-urllib3: HTTP library with thread-safe connection pooling for Python

Details:

It was discovered that urllib3 incorrectly removed Authorization HTTP
headers when handled cross-origin redirects. This could result in
credentials being sent to unintended hosts. This issue only affected Ubuntu
16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20060)

It was discovered that urllib3 incorrectly stripped certain characters from
requests. A remote attacker could use this issue to perform CRLF injection.
(CVE-2019-11236)

It was discovered that urllib3 incorrectly handled situations where a
desired set of CA certificates were specified. This could result in
certificates being accepted by the default CA certificates contrary to
expectations. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10, and
Ubuntu 19.04. (CVE-2019-11324)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
python-urllib3 1.24.1-1ubuntu0.1
python3-urllib3 1.24.1-1ubuntu0.1

Ubuntu 18.10:
python-urllib3 1.22-1ubuntu0.18.10.1
python3-urllib3 1.22-1ubuntu0.18.10.1

Ubuntu 18.04 LTS:
python-urllib3 1.22-1ubuntu0.18.04.1
python3-urllib3 1.22-1ubuntu0.18.04.1

Ubuntu 16.04 LTS:
python-urllib3 1.13.1-2ubuntu0.16.04.3
python3-urllib3 1.13.1-2ubuntu0.16.04.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3990-1
CVE-2018-20060, CVE-2019-11236, CVE-2019-11324

Package Information:
https://launchpad.net/ubuntu/+source/python-urllib3/1.24.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.22-1ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/python-urllib3/1.13.1-2ubuntu0.16.04.3

USN-3991-1: Firefox vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3991-1
May 21, 2019

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the browser
UI, trick the user in to launching local executable binaries, obtain
sensitive information, conduct cross-site scripting (XSS) attacks, or
execute arbitrary code. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693,
CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701,
CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819,
CVE-2019-9820, CVE-2019-9821)

It was discovered that pressing certain key combinations could bypass
addon installation prompt delays. If a user opened a specially crafted
website, an attacker could potentially exploit this to trick them in to
installing a malicious extension. (CVE-2019-11697)

It was discovered that history data could be exposed via drag and drop
of hyperlinks to and from bookmarks. If a user were tricked in to dragging
a specially crafted hyperlink to the bookmark toolbar or sidebar, and
subsequently back in to the web content area, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2019-11698)

A type confusion bug was discovered with object groups and UnboxedObjects.
If a user were tricked in to opening a specially crafted website after
enabling the UnboxedObjects feature, an attacker could potentially
exploit this to bypass security checks. (CVE-2019-9816)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
  firefox  67.0+build2-0ubuntu0.19.04.1

Ubuntu 18.10:
  firefox  67.0+build2-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
  firefox  67.0+build2-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
  firefox  67.0+build2-0ubuntu0.16.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3991-1
  CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695,
  CVE-2019-11696, CVE-2019-11697, CVE-2019-11698, CVE-2019-11699,
  CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814,
  CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820,
  CVE-2019-9821

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.19.04.1
  https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.10.1
  https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.16.04.1