The following updates have been released for Ubuntu Linux:
USN-3707-2: NTP vulnerabilities
USN-3866-1: Ghostscript vulnerability
USN-3867-1: MySQL vulnerabilities
USN-3707-2: NTP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3707-2
January 23, 2019
ntp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in NTP.
Software Description:
- ntp: Network Time Protocol daemon and utility programs
Details:
USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This
update provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Miroslav Lichvar discovered that NTP incorrectly handled certain
spoofed addresses when performing rate limiting. A remote attacker
could possibly use this issue to perform a denial of service.
(CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain
crafted broadcast mode packets. A remote attacker could possibly use
this issue to perform a denial of service.
(CVE-2016-7427, CVE-2016-7428)
Matthew Van Gundy discovered that NTP incorrectly handled certain
control mode packets. A remote attacker could use this issue to set or
unset traps. (CVE-2016-9310)
Matthew Van Gundy discovered that NTP incorrectly handled the trap
service. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. (CVE-2016-9311)
It was discovered that the NTP legacy DPTS refclock driver incorrectly
handled the /dev/datum device. A local attacker could possibly use
this issue to cause a denial of service. (CVE-2017-6462)
It was discovered that NTP incorrectly handled certain invalid
settings in a :config directive. A remote authenticated user could
possibly use this issue to cause NTP to crash, resulting in a denial
of service. (CVE-2017-6463)
Michael Macnair discovered that NTP incorrectly handled certain
responses. A remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2018-7183)
Miroslav Lichvar discovered that NTP incorrectly handled certain
zero-origin timestamps. A remote attacker could possibly use this
issue to cause a denial of service. (CVE-2018-7185)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
ntp 1:4.2.6.p3+dfsg-1ubuntu3.12
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3707-2
https://usn.ubuntu.com/usn/usn-3707-1
CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-9310,
CVE-2016-9311, CVE-2017-6462, CVE-2017-6463, CVE-2018-7183,
CVE-2018-7185
USN-3866-1: Ghostscript vulnerability
==========================================================================
Ubuntu Security Notice USN-3866-1
January 23, 2019
ghostscript vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Ghostscript could be made to crash, access files, or run programs if it
opened a specially crafted file.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
Tavis Ormandy discovered that Ghostscript incorrectly handled certain
PostScript files. If a user or automated system were tricked into
processing a specially crafted file, a remote attacker could possibly use
this issue to access arbitrary files, execute arbitrary code, or cause a
denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
ghostscript 9.26~dfsg+0-0ubuntu0.18.10.4
libgs9 9.26~dfsg+0-0ubuntu0.18.10.4
Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.4
libgs9 9.26~dfsg+0-0ubuntu0.18.04.4
Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.4
libgs9 9.26~dfsg+0-0ubuntu0.16.04.4
Ubuntu 14.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.14.04.4
libgs9 9.26~dfsg+0-0ubuntu0.14.04.4
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3866-1
CVE-2019-6116
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.10.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.4
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.14.04.4
USN-3867-1: MySQL vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3867-1
January 23, 2019
mysql-5.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-5.7: MySQL database
Details:
Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues.
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to
MySQL 5.7.25.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-25.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
mysql-server-5.7 5.7.25-0ubuntu0.18.10.2
Ubuntu 18.04 LTS:
mysql-server-5.7 5.7.25-0ubuntu0.18.04.2
Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.25-0ubuntu0.16.04.2
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3867-1
CVE-2019-2420, CVE-2019-2434, CVE-2019-2455, CVE-2019-2481,
CVE-2019-2482, CVE-2019-2486, CVE-2019-2503, CVE-2019-2507,
CVE-2019-2510, CVE-2019-2528, CVE-2019-2529, CVE-2019-2531,
CVE-2019-2532, CVE-2019-2534, CVE-2019-2537
Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.18.10.2
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.25-0ubuntu0.16.04.2