Ubuntu 6586 Published by

The following updates has been released for Ubuntu Linux:

USN-3436-1: Thunderbird vulnerabilities
USN-3446-1: OpenStack Glance vulnerabilities
USN-3447-1: OpenStack Horizon vulnerability
USN-3448-1: OpenStack Keystone vulnerability
USN-3449-1: OpenStack Nova vulnerabilities
USN-3450-1: Open vSwitch vulnerabilities
USN-3451-1: OpenStack Swift vulnerabilities



USN-3436-1: Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3436-1
October 11, 2017

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing-like
context, an attacker could potentially exploit these to read uninitialized
memory, bypass phishing and malware protection, conduct cross-site
scripting (XSS) attacks, cause a denial of service via application crash,
or execute arbitrary code. (CVE-2017-7793, CVE-2017-7810, CVE-2017-7814,
CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824)

Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-7805)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
thunderbird 1:52.4.0+build1-0ubuntu0.17.04.2

Ubuntu 16.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
thunderbird 1:52.4.0+build1-0ubuntu0.14.04.2

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3436-1
CVE-2017-7793, CVE-2017-7805, CVE-2017-7810, CVE-2017-7814,
CVE-2017-7818, CVE-2017-7819, CVE-2017-7823, CVE-2017-7824

Package Information:

https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.17.04.2

https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.16.04.2

https://launchpad.net/ubuntu/+source/thunderbird/1:52.4.0+build1-0ubuntu0.14.04.2

USN-3446-1: OpenStack Glance vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3446-1
October 11, 2017

glance vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenStack Glance.

Software Description:
- glance: OpenStack Image Registry and Delivery Service

Details:

Hemanth Makkapati discovered that OpenStack Glance incorrectly handled
access restrictions. A remote authenticated user could use this issue to
change the status of images, contrary to access restrictions.
(CVE-2015-5251)

Mike Fedosin and Alexei Galkin discovered that OpenStack Glance incorrectly
handled the storage quota. A remote authenticated user could use this issue
to consume disk resources, leading to a denial of service. (CVE-2015-5286)

Erno Kuvaja discovered that OpenStack Glance incorrectly handled the
show_multiple_locations option. When show_multiple_locations is enabled,
a remote authenticated user could change an image status and upload new
image data. (CVE-2016-0757)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
glance-common 1:2014.1.5-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3446-1
CVE-2015-5251, CVE-2015-5286, CVE-2016-0757

Package Information:
https://launchpad.net/ubuntu/+source/glance/1:2014.1.5-0ubuntu1.1

USN-3447-1: OpenStack Horizon vulnerability


==========================================================================
Ubuntu Security Notice USN-3447-1
October 11, 2017

horizon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

OpenStack Horizon could be made to expose sensitive information over the
network.

Software Description:
- horizon: Web interface for OpenStack cloud infrastructure

Details:

Beth Lancaster and Brandon Sawyers discovered that OpenStack Horizon was
incorrect protected against cross-site scripting (XSS) attacks. A remote
authenticated user could use this issue to inject web script or HTML in
a dashboard form.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
openstack-dashboard 1:2014.1.5-0ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3447-1
CVE-2016-4428

Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2014.1.5-0ubuntu2.1


USN-3448-1: OpenStack Keystone vulnerability


==========================================================================
Ubuntu Security Notice USN-3448-1
October 11, 2017

keystone vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

OpenStack Keystone would allow unintended access over the network.

Software Description:
- keystone: OpenStack identity service

Details:

Boris Bobrov discovered that OpenStack Keystone incorrectly handled
federation mapping when there are rules in which group-based assignments
are not used. A remote authenticated user may receive all the roles
assigned to a project regardless of the federation mapping, contrary to
expectations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
keystone 2:9.3.0-0ubuntu3.1
python-keystone 2:9.3.0-0ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3448-1
CVE-2017-2673

Package Information:
https://launchpad.net/ubuntu/+source/keystone/2:9.3.0-0ubuntu3.1

USN-3449-1: OpenStack Nova vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3449-1
October 11, 2017

nova vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenStack Nova.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

George Shuklin discovered that OpenStack Nova incorrectly handled the
migration process. A remote authenticated user could use this issue to
consume resources, resulting in a denial of service. (CVE-2015-3241)

George Shuklin and Tushar Patil discovered that OpenStack Nova incorrectly
handled deleting instances. A remote authenticated user could use this
issue to consume disk resources, resulting in a denial of service.
(CVE-2015-3280)

It was discovered that OpenStack Nova incorrectly limited qemu-img calls. A
remote authenticated user could use this issue to consume resources,
resulting in a denial of service. (CVE-2015-5162)

Matthew Booth discovered that OpenStack Nova incorrectly handled snapshots.
A remote authenticated user could use this issue to read arbitrary files.
(CVE-2015-7548)

Sreekumar S. and Suntao discovered that OpenStack Nova incorrectly applied
security group changes. A remote attacker could possibly use this issue to
bypass intended restriction changes by leveraging an instance that was
running when the change was made. (CVE-2015-7713)

Matt Riedemann discovered that OpenStack Nova incorrectly handled logging.
A local attacker could possibly use this issue to obtain sensitive
information from log files. (CVE-2015-8749)

Matthew Booth discovered that OpenStack Nova incorrectly handled certain
qcow2 headers. A remote authenticated user could possibly use this issue to
read arbitrary files. (CVE-2016-2140)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
python-nova 1:2014.1.5-0ubuntu1.7

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3449-1
CVE-2015-3241, CVE-2015-3280, CVE-2015-5162, CVE-2015-7548,
CVE-2015-7713, CVE-2015-8749, CVE-2016-2140

Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2014.1.5-0ubuntu1.7

USN-3450-1: Open vSwitch vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3450-1
October 11, 2017

openvswitch vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Open vSwitch.

Software Description:
- openvswitch: Ethernet virtual switch

Details:

Bhargava Shastry discovered that Open vSwitch incorrectly handled certain
OFP messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9214)

It was discovered that Open vSwitch incorrectly handled certain OpenFlow
role messages. A remote attacker could possibly use this issue to cause
Open vSwitch to crash, resulting in a denial of service. (CVE-2017-9263)

It was discovered that Open vSwitch incorrectly handled certain malformed
packets. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. This issue only
affected Ubuntu 17.04. (CVE-2017-9264)

It was discovered that Open vSwitch incorrectly handled group mod OpenFlow
messages. A remote attacker could possibly use this issue to cause Open
vSwitch to crash, resulting in a denial of service. (CVE-2017-9265)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
openvswitch-common 2.6.1-0ubuntu5.1

Ubuntu 16.04 LTS:
openvswitch-common 2.5.2-0ubuntu0.16.04.2

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3450-1
CVE-2017-9214, CVE-2017-9263, CVE-2017-9264, CVE-2017-9265

Package Information:
https://launchpad.net/ubuntu/+source/openvswitch/2.6.1-0ubuntu5.1
https://launchpad.net/ubuntu/+source/openvswitch/2.5.2-0ubuntu0.16.04.2

USN-3451-1: OpenStack Swift vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3451-1
October 11, 2017

swift vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenStack Swift.

Software Description:
- swift: OpenStack distributed virtual object store

Details:

It was discovered that OpenStack Swift incorrectly handled tempurls. A
remote authenticated user in possession of a tempurl key authorized for PUT
could retrieve other objects in the same Swift account. (CVE-2015-5223)

Romain Le Disez and Örjan Persson discovered that OpenStack Swift
incorrectly closed client connections. A remote attacker could possibly use
this issue to consume resources, resulting in a denial of service.
(CVE-2016-0737, CVE-2016-0738)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
python-swift 1.13.1-0ubuntu1.5
swift 1.13.1-0ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
https://www.ubuntu.com/usn/usn-3451-1
CVE-2015-5223, CVE-2016-0737, CVE-2016-0738

Package Information:
https://launchpad.net/ubuntu/+source/swift/1.13.1-0ubuntu1.5