Ubuntu 6586 Published by

The following security updates has been released for Ubuntu Linux:

USN-3602-1: LibTIFF vulnerabilities
USN-3603-1: Paramiko vulnerability
USN-3603-2: Paramiko vulnerability



USN-3602-1: LibTIFF vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3602-1
March 20, 2018

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.3
libtiff5 4.0.6-1ubuntu0.3

Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.8
libtiff5 4.0.3-7ubuntu0.8

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3602-1
CVE-2016-10266, CVE-2016-10267, CVE-2016-10268, CVE-2016-10269,
CVE-2016-10371, CVE-2017-10688, CVE-2017-11335, CVE-2017-12944,
CVE-2017-13726, CVE-2017-13727, CVE-2017-18013, CVE-2017-7592,
CVE-2017-7593, CVE-2017-7594, CVE-2017-7595, CVE-2017-7596,
CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600,
CVE-2017-7601, CVE-2017-7602, CVE-2017-9403, CVE-2017-9404,
CVE-2017-9815, CVE-2017-9936, CVE-2018-5784

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.3
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.8

USN-3603-1: Paramiko vulnerability



=========================================================================
Ubuntu Security Notice USN-3603-1
March 20, 2018

paramiko vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Paramiko could be made to run programs if it received specially
crafted network traffic.

Software Description:
- paramiko: Python SSH2 library

Details:

Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
python-paramiko 2.0.0-1ubuntu0.1
python3-paramiko 2.0.0-1ubuntu0.1

Ubuntu 16.04 LTS:
python-paramiko 1.16.0-1ubuntu0.1
python3-paramiko 1.16.0-1ubuntu0.1

Ubuntu 14.04 LTS:
python-paramiko 1.10.1-1git1ubuntu0.1

After a standard system update you need to restart any applications
using Paramiko's server implementation to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3603-1
CVE-2018-7750

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.0.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/paramiko/1.16.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/paramiko/1.10.1-1git1ubuntu0.1

USN-3603-2: Paramiko vulnerability



=========================================================================
Ubuntu Security Notice USN-3603-2
March 20, 2018

paramiko vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Paramiko could be made to run programs if it received specially
crafted network traffic.

Software Description:
- paramiko: Make ssh v2 connections with Python

Details:

USN-3603-1 fixed a vulnerability in Paramiko. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
python-paramiko 1.7.7.1-2ubuntu1.1

After a standard system update you need to restart any applications
using Paramiko's server implementation to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3603-2
https://usn.ubuntu.com/usn/usn-3603-1
CVE-2018-7750