The following updates have been released for Ubuntu Linux:
USN-3816-3: systemd regression
USN-3827-2: Samba vulnerabilities
USN-3828-1: WebKitGTK+ vulnerabilities
USN-3829-1: Git vulnerabilities
USN-3816-3: systemd regression
==========================================================================
Ubuntu Security Notice USN-3816-3
November 27, 2018
systemd regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
USN-3816-1 caused a regression in systemd-tmpfiles.
Software Description:
- systemd: system and service manager
Details:
USN-3816-1 fixed vulnerabilities in systemd. The fix for CVE-2018-6954
caused a regression in systemd-tmpfiles when running Ubuntu inside a
container on some older kernels. This issue only affected Ubuntu 16.04
LTS. In order to continue to support this configuration, the fixes for
CVE-2018-6954 have been reverted.
We apologize for the inconvenience.
Original advisory details:
Jann Horn discovered that unit_deserialize incorrectly handled status
messages above a certain length. A local attacker could potentially
exploit this via NotifyAccess to inject arbitrary state across
re-execution and obtain root privileges. (CVE-2018-15686)
Jann Horn discovered a race condition in chown_one(). A local attacker
could potentially exploit this by setting arbitrary permissions on certain
files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 18.10. (CVE-2018-15687)
It was discovered that systemd-tmpfiles mishandled symlinks in
non-terminal path components. A local attacker could potentially exploit
this by gaining ownership of certain files to obtain root privileges. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
systemd 229-4ubuntu21.10
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3816-3
https://usn.ubuntu.com/usn/usn-3816-1
https://launchpad.net/bugs/1804847
Package Information:
https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu21.10
USN-3827-2: Samba vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3827-2
November 27, 2018
samba vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Samba.
Software Description:
- samba: SMB/CIFS file, print, and login server for Unix
Details:
USN-3827-1 fixed a vulnerability in samba. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Florian Stuelpner discovered that Samba incorrectly handled CNAME
records. A remote attacker could use this issue to cause Samba to
crash, resulting in a denial of service. (CVE-2018-14629)
Alex MacCuish discovered that Samba incorrectly handled memory when
configured to accept smart-card authentication. A remote attacker
could possibly use this issue to cause Samba to crash, resulting in a
denial of service. (CVE-2018-16841)
Garming Sam discovered that Samba incorrectly handled memory when
processing LDAP searches. A remote attacker could possibly use this
issue to cause Samba to crash, resulting in a denial of service.
(CVE-2018-16851)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
samba 2:3.6.25-0ubuntu0.12.04.16
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3827-2
https://usn.ubuntu.com/usn/usn-3827-1
CVE-2018-14629, CVE-2018-16841, CVE-2018-16851
USN-3828-1: WebKitGTK+ vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3828-1
November 27, 2018
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.10.1
libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3828-1
CVE-2018-4345, CVE-2018-4372, CVE-2018-4386
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.04.1
USN-3829-1: Git vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3829-1
November 27, 2018
git vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Git.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
It was discovered that Git incorrectly handled layers of tree objects.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2017-15298)
It was discovered that Git incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2018-19486)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.10:
git 1:2.19.1-1ubuntu1.1
Ubuntu 18.04 LTS:
git 1:2.17.1-1ubuntu0.4
Ubuntu 16.04 LTS:
git 1:2.7.4-0ubuntu1.6
Ubuntu 14.04 LTS:
git 1:1.9.1-1ubuntu0.10
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3829-1
CVE-2017-15298, CVE-2018-19486
Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.19.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.4
https://launchpad.net/ubuntu/+source/git/1:2.7.4-0ubuntu1.6
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.10