The following updates have been released for Ubuntu Linux:
USN-3436-1: Thunderbird vulnerabilities
USN-3446-1: OpenStack Glance vulnerabilities
USN-3447-1: OpenStack Horizon vulnerability
USN-3448-1: OpenStack Keystone vulnerability
USN-3449-1: OpenStack Nova vulnerabilities
USN-3450-1: Open vSwitch vulnerabilities
USN-3451-1: OpenStack Swift vulnerabilities
USN-3436-1: Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3436-1
October 11, 2017
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing-like
context, an attacker could potentially exploit these to read uninitialized
memory, bypass phishing and malware protection, conduct cross-site
scripting (XSS) attacks, cause a denial of service via application crash,
or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814,
CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-7805)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
thunderbird 1:52.4.0+build1-0ubuntu0.17.04.2
Ubuntu 16.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.14.04.2
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3436-1
CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7814,
CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.17.04.2
https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.16.04.2
https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.14.04.2
USN-3446-1: OpenStack Glance vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3446-1
October 11, 2017
glance vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Glance.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Hemanth Makkapati discovered that OpenStack Glance incorrectly handled
access restrictions. A remote authenticated user could use this issue to
change the status of images, contrary to access restrictions.
(CVE-2015-5251)
Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly
handled the storage quota. A remote authenticated user could use this issue
to consume disk resources, leading to a denial of service. (CVE-2015-5286)
Erno Kuvaja discovered that OpenStack Glance incorrectly handled the
show_multiple_locations option. When show_multiple_locations is enabled,
a remote authenticated user could change an image status and upload new
image data. (CVE-2016-0757)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
glance-common 1:2014.1.5-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3446-1
CVE-2015-5251, CVE-2015-5286, CVE-2016-0757
Package Information:
https://launchpad.net/ubuntu/+source/glance/1:2014.1.5-0ubuntu1.1
USN-3447-1: OpenStack Horizon vulnerability
==========================================================================
Ubuntu Security Notice USN-3447-1
October 11, 2017
horizon vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
OpenStack Horizon could be made to expose sensitive information over the
network.
Software Description:
- horizon: Web interface for OpenStack cloud infrastructure
Details:
Beth Lancaster and Brandon Sawyers discovered that OpenStack Horizon was
incorrectly protected against cross-site scripting (XSS) attacks. A remote
authenticated user could use this issue to inject web script or HTML in
a dashboard form.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.5-0ubuntu2.1
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3447-1
CVE-2016-4428
Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2014.1.5-0ubuntu2.1
USN-3448-1: OpenStack Keystone vulnerability
==========================================================================
Ubuntu Security Notice USN-3448-1
October 11, 2017
keystone vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
OpenStack Keystone would allow unintended access over the network.
Software Description:
- keystone: OpenStack identity service
Details:
Boris Bobrov discovered that OpenStack Keystone incorrectly handled
federation mapping when there are rules in which group-based assignments
are not used. A remote authenticated user may receive all the roles
assigned to a project regardless of the federation mapping, contrary to
expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
keystone 2:9.3.0-0ubuntu3.1
python-keystone 2:9.3.0-0ubuntu3.1
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3448-1
CVE-2017-2673
Package Information:
https://launchpad.net/ubuntu/+source/keystone/2:9.3.0-0ubuntu3.1
USN-3449-1: OpenStack Nova vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3449-1
October 11, 2017
nova vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Nova.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
George Shuklin discovered that OpenStack Nova incorrectly handled the
migration process. A remote authenticated user could use this issue to
consume resources, resulting in a denial of service. (CVE-2015-3241)
George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly
handled deleting instances. A remote authenticated user could use this
issue to consume disk resources, resulting in a denial of service.
(CVE-2015-3280)
It was discovered that OpenStack Nova incorrectly limited qemu-img calls. A
remote authenticated user could use this issue to consume resources,
resulting in a denial of service. (CVE-2015-5162)
Matthew Booth discovered that OpenStack Nova incorrectly handled snapshots.
A remote authenticated user could use this issue to read arbitrary files.
(CVE-2015-7548)
Sreekumar S. and Suntao discovered that OpenStack Nova incorrectly applied
security group changes. A remote attacker could possibly use this issue to
bypass intended restriction changes by leveraging an instance that was
running when the change was made. (CVE-2015-7713)
Matt Riedemann discovered that OpenStack Nova incorrectly handled logging.
A local attacker could possibly use this issue to obtain sensitive
information from log files. (CVE-2015-8749)
Matthew Booth discovered that OpenStack Nova incorrectly handled certain
qcow2 headers. A remote authenticated user could possibly use this issue to
read arbitrary files. (CVE-2016-2140)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-nova 1:2014.1.5-0ubuntu1.7
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3449-1
CVE-2015-3241, CVE-2015-3280, CVE-2015-5162, CVE-2015-7548,
CVE-2015-7713, CVE-2015-8749, CVE-2016-2140
Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2014.1.5-0ubuntu1.7
USN-3450-1: Open vSwitch vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3450-1
October 11, 2017
openvswitch vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Open vSwitch.
Software Description:
- openvswitch: Ethernet virtual switch
Details:
Bhargava Shastry discovered that Open vSwitch incorrectly handled certain
OFP messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214)
It was discovered that Open vSwitch incorrectly handled certain OpenFlow
role messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9263)
It was discovered that Open vSwitch incorrectly handled certain malformed
packets. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. This issue only
affected Ubuntu 17.04. (CVE-2017-9264)
It was discovered that Open vSwitch incorrectly handled group mod OpenFlow
messages. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. (CVE-2017-9265)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
openvswitch-common 2.6.1-0ubuntu5.1
Ubuntu 16.04 LTS:
openvswitch-common 2.5.2-0ubuntu0.16.04.2
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3450-1
CVE-2017-9214, CVE-2017-9263, CVE-2017-9264, CVE-2017-9265
Package Information:
https://launchpad.net/ubuntu/+source/openvswitch/2.6.1-0ubuntu5.1
https://launchpad.net/ubuntu/+source/openvswitch/2.5.2-0ubuntu0.16.04.2
USN-3451-1: OpenStack Swift vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3451-1
October 11, 2017
swift vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenStack Swift.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
It was discovered that OpenStack Swift incorrectly handled tempurls. A
remote authenticated user in possession of a tempurl key authorized for PUT
could retrieve other objects in the same Swift account. (CVE-2015-5223)
Romain Le Disez and Örjan Persson discovered that OpenStack Swift
incorrectly closed client connections. A remote attacker could possibly use
this issue to consume resources, resulting in a denial of service.
(CVE-2016-0737, CVE-2016-0738)
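The tempurl issue above (CVE-2015-5223) is a break in the scope of a TempURL signature. The notice does not say how the bypass worked and the following added example does not reproduce it; it is not Swift's code. It implements the signature scheme Swift documents for its TempURL middleware, HMAC-SHA1 over "METHOD\nEXPIRES\nPATH" keyed with the account's Temp-URL-Key, beside a simplified verifier, to show what a correctly enforced signature binds: one method, one object path and one expiry, so that a signature issued for PUT on one object authorises neither a GET of that object nor a GET of any other object in the account. The key, the object paths and the timestamp are constructed values.

```python
import hmac
from hashlib import sha1
from urllib.parse import urlencode


def tempurl_sig(key: bytes, method: str, expires: int, path: str) -> str:
    # HMAC-SHA1 over "METHOD\nEXPIRES\nPATH": the body Swift's TempURL docs specify.
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, sha1).hexdigest()


def make_tempurl(key: bytes, method: str, path: str, expires: int) -> str:
    """Build the URL handed to a client: path plus temp_url_sig and temp_url_expires."""
    sig = tempurl_sig(key, method, expires, path)
    return f"{path}?{urlencode({'temp_url_sig': sig, 'temp_url_expires': expires})}"


def verify_request(account_keys, method: str, path: str, sig: str, expires: int, now: int) -> bool:
    """Simplified stand-in for the middleware check: the URL is unexpired and some
    account key signed exactly this method and this object path. Swift takes a list
    of keys because a second key (X-Account-Meta-Temp-URL-Key-2) exists for rotation;
    its other cases (HEAD handling, container-level keys) are omitted here."""
    if now > expires:
        return False
    return any(hmac.compare_digest(tempurl_sig(k, method, expires, path), sig)
               for k in account_keys)


# Constructed values: an account TempURL key (set via X-Account-Meta-Temp-URL-Key)
# and two object paths under the same account.
ACCOUNT_KEYS = [b"constructed-account-temp-url-key"]
UPLOAD_PATH = "/v1/AUTH_demo/uploads/report.pdf"
OTHER_PATH = "/v1/AUTH_demo/private/salaries.csv"


def demo(now: int = 1507680000) -> dict:
    """Issue a PUT signature for UPLOAD_PATH and report which requests it authorises."""
    expires = now + 3600  # 'now' is a constructed timestamp (11 Oct 2017)
    sig = tempurl_sig(ACCOUNT_KEYS[0], "PUT", expires, UPLOAD_PATH)

    def check(method, path, at=now):
        return verify_request(ACCOUNT_KEYS, method, path, sig, expires, at)

    return {
        "put_same_object": check("PUT", UPLOAD_PATH),              # what the holder was given
        "get_same_object": check("GET", UPLOAD_PATH),              # other method: rejected
        "get_other_object": check("GET", OTHER_PATH),              # other path: rejected
        "put_after_expiry": check("PUT", UPLOAD_PATH, expires + 1),  # expired: rejected
    }


if __name__ == "__main__":
    print(make_tempurl(ACCOUNT_KEYS[0], "PUT", UPLOAD_PATH, 1507680000 + 3600))
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Because the key is account-wide, anyone holding a PUT tempurl for one object holds a credential whose only limits are the method, path and expiry folded into the HMAC; a middleware bug that lets a PUT-scoped signature reach other objects, as the notice describes, removes exactly those limits. Rotating the account key invalidates every tempurl signed with it, which is the remediation available to an operator who cannot patch immediately.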
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
python-swift 1.13.1-0ubuntu1.5
swift 1.13.1-0ubuntu1.5
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3451-1
CVE-2015-5223, CVE-2016-0737, CVE-2016-0738
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.5