Ubuntu 6574 Published by

The following updates has been released for Ubuntu Linux:

USN-3938-1: systemd vulnerability
USN-3939-1: Samba vulnerability
USN-3939-2: Samba vulnerability
USN-3940-1: ClamAV vulnerabilities
USN-3940-2: ClamAV vulnerabilities
USN-3941-1: Lua vulnerability
USN-3942-1: OpenJDK 7 vulnerability



USN-3938-1: systemd vulnerability


==========================================================================
Ubuntu Security Notice USN-3938-1
April 08, 2019

systemd vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

The systemd PAM module could be used to gain additional PolicyKit
privileges.

Software Description:
- systemd: system and service manager

Details:

Jann Horn discovered that pam_systemd created logind sessions using some
parameters from the environment. A local attacker could exploit this in
order to spoof the active session and gain additional PolicyKit
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  libpam-systemd 239-7ubuntu10.12

Ubuntu 18.04 LTS:
  libpam-systemd  237-3ubuntu10.19

Ubuntu 16.04 LTS:
  libpam-systemd  229-4ubuntu21.21

Ubuntu 14.04 LTS:
  libpam-systemd  204-5ubuntu20.31

In general, a standard system update will make all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3938-1
  CVE-2019-3842

Package Information:
  https://launchpad.net/ubuntu/+source/systemd/239-7ubuntu10.12
  https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.19
  https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu21.21
  https://launchpad.net/ubuntu/+source/systemd/204-5ubuntu20.31

USN-3939-1: Samba vulnerability


==========================================================================
Ubuntu Security Notice USN-3939-1
April 08, 2019

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Samba could be made to create files in unexpected locations.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Michael Hanselmann discovered that Samba incorrectly handled registry
files. A remote attacker could possibly use this issue to create new
registry files outside of the share, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libsmbclient 2:4.8.4+dfsg-2ubuntu2.3
samba 2:4.8.4+dfsg-2ubuntu2.3

Ubuntu 18.04 LTS:
libsmbclient 2:4.7.6+dfsg~ubuntu-0ubuntu2.9
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.9

Ubuntu 16.04 LTS:
libsmbclient 2:4.3.11+dfsg-0ubuntu0.16.04.19
samba 2:4.3.11+dfsg-0ubuntu0.16.04.19

Ubuntu 14.04 LTS:
libsmbclient 2:4.3.11+dfsg-0ubuntu0.14.04.20
samba 2:4.3.11+dfsg-0ubuntu0.14.04.20

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3939-1
CVE-2019-3880

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.8.4+dfsg-2ubuntu2.3
https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.9
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.19
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.20

USN-3939-2: Samba vulnerability


==========================================================================
Ubuntu Security Notice USN-3939-2
April 08, 2019

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Samba could be made to create files in unexpected locations.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-3939-1 fixed a vulnerability in Samba. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Michael Hanselmann discovered that Samba incorrectly handled registry
 files. A remote attacker could possibly use this issue to create new
 registry files outside of the share, contrary to expectations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libsmbclient 2:3.6.25-0ubuntu0.12.04.17
  samba 2:3.6.25-0ubuntu0.12.04.17

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3939-2
  https://usn.ubuntu.com/usn/usn-3939-1
  CVE-2019-3880

USN-3940-1: ClamAV vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3940-1
April 08, 2019

clamav vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in ClamAV.

Software Description:
- clamav: Anti-virus utility for Unix

Details:

It was discovered that ClamAV incorrectly handled scanning certain PDF
documents. A remote attacker could possibly use this issue to cause ClamAV
to crash, resulting in a denial of service. (CVE-2019-1787)

It was discovered that ClamAV incorrectly handled scanning certain OLE2
files. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2019-1788)

It was discovered that ClamAV incorrectly handled scanning certain PE
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2019-1789)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
clamav 0.100.3+dfsg-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
clamav 0.100.3+dfsg-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
clamav 0.100.3+dfsg-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
clamav 0.100.3+dfsg-0ubuntu0.14.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3940-1
CVE-2019-1787, CVE-2019-1788, CVE-2019-1789

Package Information:
https://launchpad.net/ubuntu/+source/clamav/0.100.3+dfsg-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/clamav/0.100.3+dfsg-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/clamav/0.100.3+dfsg-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/clamav/0.100.3+dfsg-0ubuntu0.14.04.1

USN-3940-2: ClamAV vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3940-2
April 08, 2019

clamav vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in ClamAV.

Software Description:
- clamav: Anti-virus utility for Unix

Details:

USN-3940-1 fixed several vulnerabilities in ClamAV. This update
provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that ClamAV incorrectly handled scanning certain PDF
 documents. A remote attacker could possibly use this issue to cause
 ClamAV to crash, resulting in a denial of service. (CVE-2019-1787)

 It was discovered that ClamAV incorrectly handled scanning certain
 OLE2 files. A remote attacker could use this issue to cause ClamAV to
 crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2019-1788)

 It was discovered that ClamAV incorrectly handled scanning certain PE
 files. A remote attacker could possibly use this issue to cause ClamAV
 to crash, resulting in a denial of service. (CVE-2019-1789)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  clamav 0.100.3+dfsg-1ubuntu0.12.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3940-2
  https://usn.ubuntu.com/usn/usn-3940-1
  CVE-2019-1787, CVE-2019-1788, CVE-2019-1789

USN-3941-1: Lua vulnerability


==========================================================================
Ubuntu Security Notice USN-3941-1
April 08, 2019

lua5.3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Lua could be made to crash if it received a specially crafted script.

Software Description:
- lua5.3: Simple, extensible, embeddable programming language

Details:

Fady Othman discovered that Lua incorrectly handled certain scripts.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  lua5.3 5.3.3-1ubuntu0.18.10.1

Ubuntu 18.04 LTS:
  lua5.3 5.3.3-1ubuntu0.18.04.1

Ubuntu 16.04 LTS:
  lua5.3 5.3.1-1ubuntu2.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3941-1
  CVE-2019-6706

Package Information:
  https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.10.1
  https://launchpad.net/ubuntu/+source/lua5.3/5.3.3-1ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/lua5.3/5.3.1-1ubuntu2.1

USN-3942-1: OpenJDK 7 vulnerability


=========================================================================
Ubuntu Security Notice USN-3942-1
April 09, 2019

openjdk-7 vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Java applets or applications could be made to expose sensitive
information.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

It was discovered that a memory disclosure issue existed in the OpenJDK
Library subsystem. An attacker could use this to expose sensitive
information and possibly bypass Java sandbox restrictions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
icedtea-7-jre-jamvm 7u211-2.6.17-0ubuntu0.1
openjdk-7-jdk 7u211-2.6.17-0ubuntu0.1
openjdk-7-jre 7u211-2.6.17-0ubuntu0.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3942-1
CVE-2019-2422

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u211-2.6.17-0ubuntu0.1