The following updates has been released for Ubuntu Linux:
USN-3913-1: P7ZIP vulnerabilities
USN-3915-1: Ghostscript vulnerabilities
USN-3917-1: snapd vulnerability
USN-3918-1: Firefox vulnerabilities
USN-3913-1: P7ZIP vulnerabilities
USN-3915-1: Ghostscript vulnerabilities
USN-3917-1: snapd vulnerability
USN-3918-1: Firefox vulnerabilities
USN-3913-1: P7ZIP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3913-1
March 21, 2019
p7zip vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
p7zip could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- p7zip: 7z file archiver with high compression ratio
Details:
It was discovered that p7zip did not correctly handle certain malformed
archives. If a user or automated system were tricked into processing a specially
crafted archive with p7zip, then p7zip could be made to crash, possibly leading
to abitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
p7zip 9.20.1~dfsg.1-4.2ubuntu0.1
p7zip-full 9.20.1~dfsg.1-4.2ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3913-1
CVE-2016-2335, CVE-2017-17969
Package Information:
https://launchpad.net/ubuntu/+source/p7zip/9.20.1~dfsg.1-4.2ubuntu0.1
USN-3915-1: Ghostscript vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3915-1
March 21, 2019
ghostscript vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Ghostscript.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript incorrectly handled certain PostScript
files. If a user or automated system were tricked into processing a
specially crafted file, a remote attacker could possibly use this issue to
access arbitrary files, execute arbitrary code, or cause a denial of
service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
ghostscript 9.26~dfsg+0-0ubuntu0.18.10.8
libgs9 9.26~dfsg+0-0ubuntu0.18.10.8
Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.8
libgs9 9.26~dfsg+0-0ubuntu0.18.04.8
Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.8
libgs9 9.26~dfsg+0-0ubuntu0.16.04.8
Ubuntu 14.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.14.04.8
libgs9 9.26~dfsg+0-0ubuntu0.14.04.8
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3915-1
CVE-2019-3835, CVE-2019-3838
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.10.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.8
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.14.04.8
USN-3917-1: snapd vulnerability
=========================================================================
Ubuntu Security Notice USN-3917-1
March 21, 2019
snapd vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
An intended access restriction in snapd could be bypassed by strict mode
snaps on 64 bit architectures.
Software Description:
- snapd: Daemon and tooling that enable snap packages
Details:
The snapd default seccomp filter for strict mode snaps blocks the use of
the ioctl() system call when used with TIOCSTI as the second argument to
the system call. Jann Horn discovered that this restriction could be
circumvented on 64 bit architectures. A malicious snap could exploit this
to bypass intended access restrictions to insert characters into the
terminal's input queue. On Ubuntu, snapd typically will have already
automatically refreshed itself to snapd 2.37.4 which is unaffected.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
snapd 2.37.4+18.10.1
Ubuntu 18.04 LTS:
snapd 2.37.4+18.04.1
Ubuntu 16.04 LTS:
snapd 2.37.4ubuntu0.1
Ubuntu 14.04 LTS:
snapd 2.37.4~14.04.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3917-1
CVE-2019-7303, https://launchpad.net/bugs/1812973
Package Information:
https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.10.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4+18.04.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4ubuntu0.1
https://launchpad.net/ubuntu/+source/snapd/2.37.4~14.04.1
USN-3918-1: Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3918-1
March 21, 2019
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, denial of service via successive FTP authorization prompts or modal
alerts, trick the user with confusing permission request prompts, obtain
sensitive information, conduct social engineering attacks, or execute
arbitrary code. (CVE-2019-9788, CVE-2019-9789, CVE-2019-9790,
CVE-2019-9791, CVE-2019-9792, CVE-2019-9795, CVE-2019-9796, CVE-2019-9797,
CVE-2019-9799, CVE-2019-9802, CVE-2019-9805, CVE-2019-9806, CVE-2019-9807,
CVE-2019-9808, CVE-2019-9809)
A mechanism was discovered that removes some bounds checking for string,
array, or typed array accesses if Spectre mitigations have been disabled.
If a user were tricked in to opening a specially crafted website with
Spectre mitigations disabled, an attacker could potentially exploit this
to cause a denial of service, or execute arbitrary code. (CVE-2019-9793)
It was discovered that Upgrade-Insecure-Requests was incorrectly enforced
for same-origin navigation. An attacker could potentially exploit this to
conduct man-in-the-middle (MITM) attacks. (CVE-2019-9803)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
firefox 66.0+build3-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
firefox 66.0+build3-0ubuntu0.18.04.1
Ubuntu 16.04 LTS:
firefox 66.0+build3-0ubuntu0.16.04.2
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3918-1
CVE-2019-9788, CVE-2019-9789, CVE-2019-9790, CVE-2019-9791,
CVE-2019-9792, CVE-2019-9793, CVE-2019-9795, CVE-2019-9796,
CVE-2019-9797, CVE-2019-9799, CVE-2019-9802, CVE-2019-9803,
CVE-2019-9805, CVE-2019-9806, CVE-2019-9807, CVE-2019-9808,
CVE-2019-9809
Package Information:
https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/66.0+build3-0ubuntu0.16.04.2
