The following updates has been released for Ubuntu Linux:
USN-3388-2: Subversion vulnerabilities
USN-3411-2: Bazaar vulnerability
USN-3425-2: Apache HTTP Server vulnerability
USN-3454-2: libffi vulnerability
USN-3462-1: Pacemaker vulnerabilities
USN-3388-2: Subversion vulnerabilities
USN-3411-2: Bazaar vulnerability
USN-3425-2: Apache HTTP Server vulnerability
USN-3454-2: libffi vulnerability
USN-3462-1: Pacemaker vulnerabilities
USN-3388-2: Subversion vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3388-2
October 24, 2017
subversion vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Subversion.
Software Description:
- subversion: Advanced version control system
Details:
USN-3388-1 fixed several vulnerabilities in Subversion. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Ivan Zhakov discovered that Subversion did not properly handle
some requests. A remote attacker could use this to cause a
denial of service. (CVE-2016-2168)
Original advisory details:
Joern Schneeweisz discovered that Subversion did not properly handle
host names in 'svn+ssh://' URLs. A remote attacker could use this
to construct a subversion repository that when accessed could run
arbitrary code with the privileges of the user. (CVE-2017-9800)
Daniel Shahaf and James McCoy discovered that Subversion did not
properly verify realms when using Cyrus SASL authentication. A
remote attacker could use this to possibly bypass intended access
restrictions. (CVE-2016-2167)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
libapache2-svn 1.6.17dfsg-3ubuntu3.7
libsvn1 1.6.17dfsg-3ubuntu3.7
subversion 1.6.17dfsg-3ubuntu3.7
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3388-2
https://www.ubuntu.com/usn/usn-3388-1
CVE-2016-2167, CVE-2016-2168, CVE-2017-9800
USN-3411-2: Bazaar vulnerability
==========================================================================
Ubuntu Security Notice USN-3411-2
October 24, 2017
bzr vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Bazaar could be made run programs as your login if it opened a
specially crafted URL.
Software Description:
- bzr: easy to use distributed version control system
Details:
USN-3411-1 fixed a vulnerability in Bazaar. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Adam Collard discovered that Bazaar did not properly handle host names
in 'bzr+ssh://' URLs. A remote attacker could use this to construct
a bazaar repository URL that when accessed could run arbitrary code
with the privileges of the user.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
bzr 2.5.1-0ubuntu2.1
python-bzrlib 2.5.1-0ubuntu2.1
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3411-2
https://www.ubuntu.com/usn/usn-3411-1
CVE-2017-14176
USN-3425-2: Apache HTTP Server vulnerability
==========================================================================
Ubuntu Security Notice USN-3425-2
October 24, 2017
apache2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Apache HTTP Server could be made to expose sensitive information over
the network.
Software Description:
- apache2: Apache HTTP server
Details:
USN-3425-1 fixed a vulnerability in Apache HTTP Server. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Hanno Böck discovered that the Apache HTTP Server incorrectly handled
Limit directives in .htaccess files. In certain configurations, a
remote attacker could possibly use this issue to read arbitrary server
memory, including sensitive information. This issue is known as
Optionsbleed.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
apache2.2-bin 2.2.22-1ubuntu1.14
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3425-2
https://www.ubuntu.com/usn/usn-3425-1
CVE-2017-9798
USN-3454-2: libffi vulnerability
==========================================================================
Ubuntu Security Notice USN-3454-2
October 24, 2017
libffi vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
A security issue was fixed in libffi.
Software Description:
- libffi: Foreign Function Interface library (development files, 32bit)
Details:
USN-3454-1 fixed a vulnerability in libffi. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that libffi incorrectly enforced an executable Â
stack. An attacker could possibly use this issue, in combination with
another vulnerability, to facilitate executing arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
libffi6 3.0.11~rc1-5ubuntu0.1
In general, a standard system update will make all the necessary
changes.
References:
https://www.ubuntu.com/usn/usn-3454-2
https://www.ubuntu.com/usn/usn-3454-1
CVE-2017-1000376
USN-3462-1: Pacemaker vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3462-1
October 24, 2017
pacemaker vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Pacemaker.
Software Description:
- pacemaker: Cluster resource manager
Details:
Jan Pokorn and Alain Moulle discovered that Pacemaker incorrectly handled
the IPC interface. A local attacker could possibly use this issue to
execute arbitrary code with root privileges. (CVE-2016-7035)
Alain Moulle discovered that Pacemaker incorrectly handled authentication.
A remote attacker could possibly use this issue to shut down connections,
leading to a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7797)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
pacemaker 1.1.14-2ubuntu1.2
Ubuntu 14.04 LTS:
pacemaker 1.1.10+git20130802-1ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3462-1
CVE-2016-7035, CVE-2016-7797
Package Information:
https://launchpad.net/ubuntu/+source/pacemaker/1.1.14-2ubuntu1.2
https://launchpad.net/ubuntu/+source/pacemaker/1.1.10+git20130802-1ubuntu2.4
