Ubuntu 6586 Published by

The following updates has been released for Ubuntu Linux:

USN-3476-2: postgresql-common vulnerabilities
USN-3477-2: Firefox regression
USN-3493-1: Exim vulnerability
USN-3494-1: XML::LibXML vulnerability
USN-3495-1: OptiPNG vulnerability



USN-3476-2: postgresql-common vulnerabilities



==========================================================================
Ubuntu Security Notice USN-3476-2
November 27, 2017

postgresql-common vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

postgresql-common could be made to overwrite files as the
administrator.

Software Description:
- postgresql-common: PostgreSQL database-cluster manager

Details:

USN-3476-1 fixed two vulnerabilities in postgresql-common. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Dawid Golunski discovered that the postgresql-common pg_ctlcluster
 script incorrectly handled symlinks. A local attacker could possibly
 use this issue to escalate privileges. (CVE-2016-1255)

 It was discovered that the postgresql-common helper scripts
 incorrectly handled symlinks. A local attacker could possibly use this
 issue to escalate privileges. (CVE-2017-8806)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  postgresql-common 129ubuntu1.2

In general, a standard system update will make all the necessary
changes.

References:
  https://www.ubuntu.com/usn/usn-3476-2
  https://www.ubuntu.com/usn/usn-3476-1
  CVE-2016-1255, CVE-2017-8806

USN-3477-2: Firefox regression


==========================================================================
Ubuntu Security Notice USN-3477-2
November 27, 2017

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3477-1 caused a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search
suggestions to not be displayed when performing Google searches from the
search bar. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar
would be executed instead of being blocked in some circumstances. If a
user were tricked in to copying a specially crafted URL in to the
addressbar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked in to adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
firefox 57.0+build4-0ubuntu0.17.10.6

Ubuntu 17.04:
firefox 57.0+build4-0ubuntu0.17.04.6

Ubuntu 16.04 LTS:
firefox 57.0+build4-0ubuntu0.16.04.6

Ubuntu 14.04 LTS:
firefox 57.0+build4-0ubuntu0.14.04.5

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3477-2
https://www.ubuntu.com/usn/usn-3477-1
https://launchpad.net/bugs/1733970

Package Information:
https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.10.6
https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.04.6
https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.16.04.6
https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.14.04.5

USN-3493-1: Exim vulnerability


==========================================================================
Ubuntu Security Notice USN-3493-1
November 27, 2017

exim4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04

Summary:

Exim could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- exim4: Exim is a mail transport agent

Details:

It was discovered that Exim incorrectly handled memory in the ESMTP
CHUNKING extension. A remote attacker could use this issue to cause Exim to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce the
vulnerability to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
exim4-daemon-heavy 4.89-5ubuntu1.1
exim4-daemon-light 4.89-5ubuntu1.1

Ubuntu 17.04:
exim4-daemon-heavy 4.88-5ubuntu1.2
exim4-daemon-light 4.88-5ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3493-1
CVE-2017-16943

Package Information:
https://launchpad.net/ubuntu/+source/exim4/4.89-5ubuntu1.1
https://launchpad.net/ubuntu/+source/exim4/4.88-5ubuntu1.2

USN-3494-1: XML::LibXML vulnerability


==========================================================================
Ubuntu Security Notice USN-3494-1
November 27, 2017

libxml-libxml-perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

XML::LibXML could be made to crash or run programs if it processed
specially crafted input.

Software Description:
- libxml-libxml-perl: Perl interface to the libxml2 library

Details:

It was discovered that XML::LibXML incorrectly handled memory when
processing a replaceChild call. A remote attacker could possibly use this
issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libxml-libxml-perl 2.0128+dfsg-3ubuntu0.1

Ubuntu 17.04:
libxml-libxml-perl 2.0128+dfsg-1ubuntu0.1

Ubuntu 16.04 LTS:
libxml-libxml-perl 2.0123+dfsg-1ubuntu0.1

Ubuntu 14.04 LTS:
libxml-libxml-perl 2.0108+dfsg-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3494-1
CVE-2017-10672

Package Information:
https://launchpad.net/ubuntu/+source/libxml-libxml-perl/2.0128+dfsg-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libxml-libxml-perl/2.0128+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libxml-libxml-perl/2.0123+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libxml-libxml-perl/2.0108+dfsg-1ubuntu0.2

USN-3495-1: OptiPNG vulnerability


==========================================================================
Ubuntu Security Notice USN-3495-1
November 27, 2017

optipng vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

OptiPNG could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- optipng: advanced PNG (Portable Network Graphics) optimizer

Details:

It was discovered that OptiPNG incorrectly handled memory. A remote
attacker could use this issue with a specially crafted image file to cause
OptiPNG to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
optipng 0.7.6-1ubuntu0.17.10.1

Ubuntu 17.04:
optipng 0.7.6-1ubuntu0.17.04.1

Ubuntu 16.04 LTS:
optipng 0.7.6-1ubuntu0.16.04.1

Ubuntu 14.04 LTS:
optipng 0.6.4-1ubuntu0.14.04.2

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3495-1
CVE-2017-1000229

Package Information:
https://launchpad.net/ubuntu/+source/optipng/0.7.6-1ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/optipng/0.7.6-1ubuntu0.17.04.1
https://launchpad.net/ubuntu/+source/optipng/0.7.6-1ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/optipng/0.6.4-1ubuntu0.14.04.2