==========================================================================
Ubuntu Security Notice USN-2932-1
March 14, 2016
linux-lts-vivid vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux-lts-vivid: Linux hardware enablement kernel from Vivid for Trusty
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
Ralf Spenneberg discovered that the usbvision driver in the Linux kernel
did not properly sanity check the interfaces and endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7833)
It was discovered that a race condition existed when handling heartbeat-
timeout events in the SCTP implementation of the Linux kernel. A remote
attacker could use this to cause a denial of service. (CVE-2015-8767)
It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)
Andy Lutomirski discovered a race condition in the Linux kernel’s
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework did not verify that a FIFO was attached to a client before
attempting to clear it. A local attacker could use this to cause a denial
of service (system crash). (CVE-2016-2543)
Dmitry Vyukov discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) framework between timer setup and closing
of the client, resulting in a use-after-free. A local attacker could use
this to cause a denial of service. (CVE-2016-2544)
Dmitry Vyukov discovered a race condition in the timer handling
implementation of the Advanced Linux Sound Architecture (ALSA) framework,
resulting in a use-after-free. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-2545)
Dmitry Vyukov discovered race conditions in the Advanced Linux Sound
Architecture (ALSA) framework’s timer ioctls leading to a use-after-free. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2016-2546)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers did not properly manage its
data structures. A local attacker could use this to cause a denial of
service (system hang or crash) or possibly execute arbitrary code.
(CVE-2016-2547, CVE-2016-2548)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers could lead to a deadlock
condition. A local attacker could use this to cause a denial of service
(system hang). (CVE-2016-2549)
Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.19.0-56-generic 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-generic-lpae 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-lowlatency 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-powerpc-e500mc 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-powerpc-smp 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-powerpc64-emb 3.19.0-56.62~14.04.1
linux-image-3.19.0-56-powerpc64-smp 3.19.0-56.62~14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2932-1
CVE-2013-4312, CVE-2015-7566, CVE-2015-7833, CVE-2015-8767,
CVE-2016-0723, CVE-2016-2069, CVE-2016-2384, CVE-2016-2543,
CVE-2016-2544, CVE-2016-2545, CVE-2016-2546, CVE-2016-2547,
CVE-2016-2548, CVE-2016-2549, CVE-2016-2782, CVE-2016-3134
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-vivid/3.19.0-56.62~14.04.1
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vdFAAoJEC8Jno0AXoH0VRkP/2/UF/RJFeXp/l1jFTltLftz
vnk8nBdU/cfBDNBNEmGRUrnBxNiXQmvRNfqs7RZ0el0hDba+nIxiB8wrHGqz09JG
sRH2s9AuyMMDBRBJmvUT3X4eUr9us2Q7Z24tqE8TlC2beKlxFPr1GFgqxgHDYzk8
EYHOEzMQr4fo/UV2lhKz2xBk+lySk19SufVKSwEevVXlIzWaGFWm4rDRK5KaJeRC
HCULQtU8o85LzW7Fc9cMtyiU58vfkxMnI/Mho0CfiTxjhaDiXeSSU3lz80DqBc7w
o8FCDOAMlLcc1pc5def++yiK74O3OzZz1HfNoaMq1mZBGG0QGVu+tN73QiHdHXW9
16L2/AD8rzbcarCe7qLyBkAqjftRWusMiWeg8DNH0iMXm9nAk6XueFez74wi5Lqy
V2Y8YVottO+WPl2vbVdz8U1xyyCEv6Vq4WpFjcs4c7k4nnBfXIXHacx/aqoMoQm5
OdtndIN13NXmOyydVv5z0XPqe05poBPDHeNj1WVxSYt0OSmNa4s3bBXF+Vdf+Nr5
Y5khyhsu+cXm70EwBB96jLn7sJssVQ+yhKRciVuCK+6v00LVLDH6TJ83Mzs7d2t+
6924YLcKxwomn4O/Mik+7CDrBIo+vn/pWkpZfwY3I5SdL5xz9RihZTkAFG86mS7N
9vbdEM68gJHarze676tt
=oshj
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2931-1
March 14, 2016
linux-lts-utopic vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux-lts-utopic: Linux hardware enablement kernel from Utopic for Trusty
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
It was discovered that a race condition existed when handling heartbeat-
timeout events in the SCTP implementation of the Linux kernel. A remote
attacker could use this to cause a denial of service. (CVE-2015-8767)
Andy Lutomirski discovered a race condition in the Linux kernel’s
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework did not verify that a FIFO was attached to a client before
attempting to clear it. A local attacker could use this to cause a denial
of service (system crash). (CVE-2016-2543)
Dmitry Vyukov discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) framework between timer setup and closing
of the client, resulting in a use-after-free. A local attacker could use
this to cause a denial of service. (CVE-2016-2544)
Dmitry Vyukov discovered a race condition in the timer handling
implementation of the Advanced Linux Sound Architecture (ALSA) framework,
resulting in a use-after-free. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-2545)
Dmitry Vyukov discovered race conditions in the Advanced Linux Sound
Architecture (ALSA) framework’s timer ioctls leading to a use-after-free. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2016-2546)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers did not properly manage its
data structures. A local attacker could use this to cause a denial of
service (system hang or crash) or possibly execute arbitrary code.
(CVE-2016-2547, CVE-2016-2548)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers could lead to a deadlock
condition. A local attacker could use this to cause a denial of service
(system hang). (CVE-2016-2549)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.16.0-67-generic 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-generic-lpae 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-lowlatency 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-powerpc-e500mc 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-powerpc-smp 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-powerpc64-emb 3.16.0-67.87~14.04.1
linux-image-3.16.0-67-powerpc64-smp 3.16.0-67.87~14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2931-1
CVE-2013-4312, CVE-2015-8767, CVE-2016-2069, CVE-2016-2384,
CVE-2016-2543, CVE-2016-2544, CVE-2016-2545, CVE-2016-2546,
CVE-2016-2547, CVE-2016-2548, CVE-2016-2549, CVE-2016-3134
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-utopic/3.16.0-67.87~14.04.1
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vc5AAoJEC8Jno0AXoH0QbIP/iGJ7CPqwpjhOGv2fn+SQcny
vspjFZx8JcqRSRFlYkOmg8QhYbeavuFxRvRsEVgvNe9HbU82L7ibos9RyVKXel2c
J8DfxQRY4tSWYWdalgIE4jetFNOzy3Wpkjk3LZCIlfZv4tD9HRCdq833/thqFaaD
91LgHI09uFQhjjaLW8ac1RNsz6E85gl0vcTZJi1nO+v5isqB6oYRpoBfdYh2gpb6
8HepCzVnJww3gaE0AY22op7JTcskr84gUqxEgipQ8DgWzWCS0uvlrePM2ETxF+Jc
xueqJeaz+Qd3fJbrSsJF48qjkZ32oF+fA+ItzFOcJGQuEQXB5EXgxQ+L+EPbbm/A
8X26qy3/lPhhcrYMg+XXIeTIqI0VPwxC0Vox/wDBYuOQFmRLs3fhsr2TkR8sZhaE
SnUiUWUJiOJyMrqEYFHSEGV1Bk7Lb2d6V8+lIHEi3jawqUT9tk9jEDvNTbKyWQgn
mRDsgJW1qEbEHbcPJNmBAyyS7rJahS/0twXVRXCJvRjJqOJF4Z0L1GbMwoULCFGE
a8cXs1IU4cWlYSyjaY+xifW3z7yXe2z/xwUkmC/JUZLrRcxQN2JSof5I1crcoFee
ksyrTAhGaeEu+34NRuic72iNp58mAPTVqi3Pbo2ULOx6ACGvVccGc2B2QMgjA8+8
U52jXk2rfGx4ggCSjzqt
=kamR
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2930-2
March 14, 2016
linux-lts-wily vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux-lts-wily: Linux hardware enablement kernel from Wily for Trusty
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
Ben Hawkes discovered an integer overflow in the Linux netfilter
implementation. On systems running 32 bit kernels, a local unprivileged
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code with administrative privileges.
(CVE-2016-3135)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
It was discovered that a race condition existed when handling heartbeat-
timeout events in the SCTP implementation of the Linux kernel. A remote
attacker could use this to cause a denial of service. (CVE-2015-8767)
It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-4.2.0-34-generic 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-generic-lpae 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-lowlatency 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-powerpc-e500mc 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-powerpc-smp 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-powerpc64-emb 4.2.0-34.39~14.04.1
linux-image-4.2.0-34-powerpc64-smp 4.2.0-34.39~14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2930-2
http://www.ubuntu.com/usn/usn-2930-1
CVE-2015-7566, CVE-2015-8767, CVE-2016-0723, CVE-2016-2384,
CVE-2016-2782, CVE-2016-3134, CVE-2016-3135
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-wily/4.2.0-34.39~14.04.1
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vcsAAoJEC8Jno0AXoH0flAP/12ccedkarjvvPjb2E/JmHus
J+hqOXmxheCboKFTJVFN9HQN02HM9wqZ0CE0CvWiaxlrrjD7qpHyfCMh05Fi+0Q9
0w8fhGj/K8tpaP1TxT2Tw0I2BnaZuDfz4VR7eyNPubxEs+Ox2+YR6O8FfDK0cuw4
wCkoG1MhFZMhIwyfWEq19Nv3oo0MdHw4yBJUyBPoGtoId8V8hpXKYoHLBOqJl7EJ
h6kO7Opr2aSfevLg4Tgabi9hxzm3Jc3acA3EDzAVKI0tpwngKY3jnBSRQqKqGDzH
ISOvGfMtUNPWcuZ26G7/E2pIv0e+7pP+SnBX97Ux2rdu79ki892Ev8VYII5pR5nb
1gPvx10df1Om8IQCGDP9c/UK5/uFcNQgWAi7/JHrLMHbDju8i0NfeZCIGsLYwgV8
uRW6QK9b/fQFoxKakDPX0NiXPbvyuzRHxwcNGvw8WDgZ76A+0boF3+3pOdc2BJ6q
6G01RFRJRoa0Nl0I59rV8Nvq3F2WzsOytF+qbHNLsDfEvCIyZIEoH1ipA/n2dM7s
FLiMQwxcrpQdkMCZl2zfD2cOPp9ptofhK/NMMCkvLyaqtkdz7oaFp/JX6TCFRuGe
vx3ILkoGQInf3vfCmYr/RJ1cbyvtgWe+OkBPxtTqmtSM/10fazeBFkDixLfOHZLG
8M7gbl1x2dL2O4mDjGux
=35tF
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2930-1
March 14, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 15.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux: Linux kernel
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
Ben Hawkes discovered an integer overflow in the Linux netfilter
implementation. On systems running 32 bit kernels, a local unprivileged
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code with administrative privileges.
(CVE-2016-3135)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
It was discovered that a race condition existed when handling heartbeat-
timeout events in the SCTP implementation of the Linux kernel. A remote
attacker could use this to cause a denial of service. (CVE-2015-8767)
It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
linux-image-4.2.0-34-generic 4.2.0-34.39
linux-image-4.2.0-34-generic-lpae 4.2.0-34.39
linux-image-4.2.0-34-lowlatency 4.2.0-34.39
linux-image-4.2.0-34-powerpc-e500mc 4.2.0-34.39
linux-image-4.2.0-34-powerpc-smp 4.2.0-34.39
linux-image-4.2.0-34-powerpc64-emb 4.2.0-34.39
linux-image-4.2.0-34-powerpc64-smp 4.2.0-34.39
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2930-1
CVE-2015-7566, CVE-2015-8767, CVE-2016-0723, CVE-2016-2384,
CVE-2016-2782, CVE-2016-3134, CVE-2016-3135
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.2.0-34.39
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vchAAoJEC8Jno0AXoH0mCkQALETZOkIfM3OKFRj1dswgGvm
UxEeek4YsnZRfduQALrdg0vPRhz8X+7b375q4tQiyhOXNb9/5Vazm/9wQ+qIoQtr
3rVqVX8tLfpTPz/F4sLlx1cLgKvrmexfEtda4hvhyLs4/70nrUwICTn5CQN4soDX
mpL9LacTAVl+l8kH30cxI0H79sqg9KiE0BFiUiKiKY3CGRHOS3pEYJuq/0CT1NYx
86otir4dg5YLTVIP3/Li+92uiscggpUm3IZ/xUtI78j/X/wYYkOTM+VM6R7QyNCl
eOiXElUaYyU5TqS9jR72nnzDZfHQb2MKHBIp9mPXr65gJ714+z0G6HchHFWcbPgQ
BTi1PVvYm57lEQUFzx2ocQ5ZQslENDOJOMpuJykmsqnzL3/FpwrX+A4bsuwIEE08
MYCoJjmuGgRh/EKsdsmALpmpVNFLdEn2zngWiKEVklXWkF9iXM11ziYy8niUHq8D
tA07Yy8hUPGriZrgkuj/FHI380buIiNZ5NJEx3pYReRer32p4s1PqOKT4HMYxuiA
0DTsMFQ3npYJXX3dW5sImZYJpFhbovvqQrOFXAsrAHOZOy//jlzLhXux0yWcHa+V
QoeA/AfPem3IobLrGMeQEC5e2b9pV245ZKWAy8xexDCe9311asY7yWGjTgPm1Ghw
mvJ01PnLTdE/EFrs1Oup
=42uH
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2929-2
March 14, 2016
linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
Ralf Spenneberg discovered that the usbvision driver in the Linux kernel
did not properly sanity check the interfaces and endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7833)
It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework did not verify that a FIFO was attached to a client before
attempting to clear it. A local attacker could use this to cause a denial
of service (system crash). (CVE-2016-2543)
Dmitry Vyukov discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) framework between timer setup and closing
of the client, resulting in a use-after-free. A local attacker could use
this to cause a denial of service. (CVE-2016-2544)
Dmitry Vyukov discovered a race condition in the timer handling
implementation of the Advanced Linux Sound Architecture (ALSA) framework,
resulting in a use-after-free. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-2545)
Dmitry Vyukov discovered race conditions in the Advanced Linux Sound
Architecture (ALSA) framework’s timer ioctls leading to a use-after-free. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2016-2546)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers did not properly manage its
data structures. A local attacker could use this to cause a denial of
service (system hang or crash) or possibly execute arbitrary code.
(CVE-2016-2547, CVE-2016-2548)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers could lead to a deadlock
condition. A local attacker could use this to cause a denial of service
(system hang). (CVE-2016-2549)
Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-83-generic 3.13.0-83.127~precise1
linux-image-3.13.0-83-generic-lpae 3.13.0-83.127~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2929-2
http://www.ubuntu.com/usn/usn-2929-1
CVE-2013-4312, CVE-2015-7566, CVE-2015-7833, CVE-2016-0723,
CVE-2016-2384, CVE-2016-2543, CVE-2016-2544, CVE-2016-2545,
CVE-2016-2546, CVE-2016-2547, CVE-2016-2548, CVE-2016-2549,
CVE-2016-2782, CVE-2016-3134
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-83.127~precise1
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vVfAAoJEC8Jno0AXoH05KEP/2BEwTcsXyOW5LgnA5GOB+WD
04uvWKVqkVsSfdgV6bcGk8MHylCFXsK1mbaMx4nRYnUV0kNDCnibP8aoxoDGaHZ/
gCHhakLe1f19TR48H9khB/unEwiv0Fz9ZGtdBN7RHVWklju/LGY3Z0bkaM4QHANk
kSMAZlxHXVfldHWP6fABTWzt0+1SXfysol2lfEU0E1MoGHI+CYeB4B35Ta/TopS5
QUTWcC8QMc1lPb+gTyv7l2v9KPr2ujfa+XNY/u7lOnAA9AK7V1EgQrYaL/Ywblx/
xx9xcCVdpczcW7dSn8jNgchltT+q0teQThqg3Vc/CcRTFyz3VQRe2amkhLCfP7fl
OCtyroBAo+RuHiP4ClGf1J3OPRBrIe1P9y++qekjouILYPYhhHrhcvW5G39354+i
G7hy4erZKIyUm2u1wgvftVtQGbgTNRaLtFe8cpz20ycONjpd61hbNIXz3yVY3KSQ
z2B3+qQ5c4OyUvSzY2M3eZy6fHco5J8xO5dmocZLDPwC51cttl6EivQIXB9oxzQE
qBVqqdlcUrCgVpADAI/jTZVap9a9OC+ouIJ8lM0xqX1abS/2LySasVNyBIMrH+I1
aEp/qYhNUh5KfTFCG2a1Lxx1i9s/A4dcQdkzcxNgSsQKBHlrg3olp5EgabORhBno
RKaToEv6CbhlLdRF1Hud
=eFlS
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2929-1
March 14, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
– linux: Linux kernel
Details:
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
Ralf Spenneberg discovered that the usbvision driver in the Linux kernel
did not properly sanity check the interfaces and endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7833)
It was discovered that a race condition existed in the ioctl handler for
the TTY driver in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or expose sensitive information.
(CVE-2016-0723)
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges. (CVE-2016-2384)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework did not verify that a FIFO was attached to a client before
attempting to clear it. A local attacker could use this to cause a denial
of service (system crash). (CVE-2016-2543)
Dmitry Vyukov discovered that a race condition existed in the Advanced
Linux Sound Architecture (ALSA) framework between timer setup and closing
of the client, resulting in a use-after-free. A local attacker could use
this to cause a denial of service. (CVE-2016-2544)
Dmitry Vyukov discovered a race condition in the timer handling
implementation of the Advanced Linux Sound Architecture (ALSA) framework,
resulting in a use-after-free. A local attacker could use this to cause a
denial of service (system crash). (CVE-2016-2545)
Dmitry Vyukov discovered race conditions in the Advanced Linux Sound
Architecture (ALSA) framework’s timer ioctls leading to a use-after-free. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2016-2546)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers did not properly manage its
data structures. A local attacker could use this to cause a denial of
service (system hang or crash) or possibly execute arbitrary code.
(CVE-2016-2547, CVE-2016-2548)
Dmitry Vyukov discovered that the Advanced Linux Sound Architecture (ALSA)
framework’s handling of high resolution timers could lead to a deadlock
condition. A local attacker could use this to cause a denial of service
(system hang). (CVE-2016-2549)
Ralf Spenneberg discovered that the USB driver for Treo devices in the
Linux kernel did not properly sanity check the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2016-2782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-83-generic 3.13.0-83.127
linux-image-3.13.0-83-generic-lpae 3.13.0-83.127
linux-image-3.13.0-83-lowlatency 3.13.0-83.127
linux-image-3.13.0-83-powerpc-e500 3.13.0-83.127
linux-image-3.13.0-83-powerpc-e500mc 3.13.0-83.127
linux-image-3.13.0-83-powerpc-smp 3.13.0-83.127
linux-image-3.13.0-83-powerpc64-emb 3.13.0-83.127
linux-image-3.13.0-83-powerpc64-smp 3.13.0-83.127
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2929-1
CVE-2013-4312, CVE-2015-7566, CVE-2015-7833, CVE-2016-0723,
CVE-2016-2384, CVE-2016-2543, CVE-2016-2544, CVE-2016-2545,
CVE-2016-2546, CVE-2016-2547, CVE-2016-2548, CVE-2016-2549,
CVE-2016-2782, CVE-2016-3134
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-83.127
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vVEAAoJEC8Jno0AXoH09G8QAKtqWPi5EPgvu+hXiHWuFrTr
Xkn2K2Rt/UsDhPB/2i5KRz22O8HpMuGB4+DbX92s5HUdXqddq8DOX2lK+rd6CdTr
GxBUdS6E14JxYYGXzek3PmPq5TBcrw87T6neTkr1ByzM+du5h9dNYHfCeeS12dqR
kbC1QVyJa5rWmiLDS0gcjZeWvlHN3bLiiUtlyJc8L35Fi3mLE2ksEhi7cvZWCG2g
Vqh0iDZosjO97NBmWM6+2BwiwkvGmzhlKs/n+tHBEBJDkXNxlxLL4HdYulE7jMgk
rzKcWkuSGI1rOvAtUgFKFOc9IHaSS5fzGyw9PM4IT+m0tSInfM3ei8TTvkCzsO5N
CjtZhb+XywgA/JdZs+HI7EX65rhcsE5k0OJcKHqJIT0CaVPUBDHI25yzbD59OOyA
TmDph9l8SNQgXsBaiNR8b6pFJpN+zchJ9F6tPF2/aj3NYT5KxJf6ujLEMHJ3dqqq
hFjUNgvtrmE91eYLw1dYcXtgV2feYc2F1H9xAjLTPQbcEyvMY5uaqqGtWkqgFK5W
rMhwRHyIEqd0bvyhVTK9Pbw94hhzNgwKoCEFTg++sGgVPlEYy7EJmh/Uhn+4vJPe
lyWjm/x/0qLWlpkclZjtHC5SdUd8i9WhpzKRlcbS/RXSWszEvWWfaZjwO5fNBj8a
RHBU3Ly2qthoX/twcvwN
=qDTx
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2928-2
March 14, 2016
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator
by someone with physical access.
Software Description:
– linux-ti-omap4: Linux kernel for OMAP4
Details:
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1479-omap4 3.2.0-1479.105
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2928-2
http://www.ubuntu.com/usn/usn-2928-1
CVE-2016-2384
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1479.105
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vUaAAoJEC8Jno0AXoH0138P/iRjvofVI2KAjk7V9v/g9gJu
48EvRan9oxR8bfq1GT3eVoFh8NYlRSHdDYl2blgji+VcgstzaSf3OePWXWquoZlI
ywZD1GkvH0sAJyKAoI1RoYcA4BEpmQroey02mXjKjfXUBfBCB9+fgS1d4PnjLznI
6pHEIlaViT/QAxWaRhunzWz9FYNsdJAh3yVWADyCs18OZIB2boin5kUQPEt/fvMq
Pc9XbbsIdfo8Q5DYU1cDCNpOC//t1C5ysma3VGZUgFUIDKq4U9QYvVGSbYMitfyK
Yh0wMvcs/yOWCujKyOxtkgb1d1NeIv1QOLoe28cJSJK1wf159VWJCXcN2Zq08jzl
9nHarS03XWE8yRCajnw9P8c1s2D0uUBZ9PWmT6+xydWhh5VTJ9KuL41sd+8ocr3F
rq55ujYD1PWoG6nvuXXCkv7njVevujrZ1siKYMUVQwFaVxW9mQPsyjIcu+UOh6Hw
85+j8MtMVDvgRi1sQeblWVS5qIIttolShoM0dnD5lvGavHFmCgbJlrAeeXYBHElI
BlKLGvkaleXtvJcl4BjXSi65BWhKv/yNqJi4ATwLLv7Zv176lm10Zqf8+UCo4V/M
nLE9cux2sdaxxm8YUQ+BJCE+x8sEqHqoWf37AOhFJchVNF9eoOH4t4j56cJtqB8g
84LIILz7MM6t6P720X/g
=cfL0
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
==========================================================================
Ubuntu Security Notice USN-2928-1
March 14, 2016
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator by
someone with physical access.
Software Description:
– linux: Linux kernel
Details:
Andrey Konovalov discovered that the ALSA USB MIDI driver incorrectly
performed a double-free. A local attacker with physical access could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code with administrative privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-101-generic 3.2.0-101.141
linux-image-3.2.0-101-generic-pae 3.2.0-101.141
linux-image-3.2.0-101-highbank 3.2.0-101.141
linux-image-3.2.0-101-omap 3.2.0-101.141
linux-image-3.2.0-101-powerpc-smp 3.2.0-101.141
linux-image-3.2.0-101-powerpc64-smp 3.2.0-101.141
linux-image-3.2.0-101-virtual 3.2.0-101.141
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-2928-1
CVE-2016-2384
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-101.141
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIcBAEBCgAGBQJW5vUJAAoJEC8Jno0AXoH0xB4P/0So3Rb9ltB5toomzsbkT+f1
wizbDZj6jMa6Et4GchGaNhruObCJPoEG5ThkkGCeAEojrDuQa/Qt+hapkJuD5wHu
C2q035oKRrUMLNddYxXU47tW3/GI/c1gD2z/I/II00ZZRY4VAla8V0G1CzC2pKhC
ruYFOeJbBf4fFwizDFtqEDipJK7ICrb6fqX01QamXpoKUqJscs+m5Ye2Zw6juiFV
MlTfutYMUqwBC50Yre944eejcp6i7fH6nirFgLARd/u8SNd7oLXNWh3AesGuHuqW
zgUQhxL79nGdHkWWjIzQcDljT1psoDwfXvm4L8GDHw+hi0M5mybY2lEID5mAoKU3
/xOf5y7YbfnbDUop/pCOnu5jU9GaPvdnclVHFDOR5GTLnQrB9Ir9zWP7QV4SIE4Y
MUPEk/uXkhDj5e6ReOuIBNhkSiGI9k6ncg+v1WEuSA1BKqeauatKu4rzhEe6CW9J
jjnF1S/1XORM+MbsRKUXV/ofF0aFo3t03iW6Q8LCdgJyxvxB2kEjajmz0l8P1Dbx
tDn5imA/mLyKKa1S7cWNtfDXgYrXvbgDVxvaMpHKSRXDsVemsTuMU6zy7KKE3jx2
WTclmQyP9cKUpQBvXB/tr/dAlpZrn80Jl6auTjBFHp6xrv8WzicXQe+Dtcixzi3f
1bfuU7w+ZuwQbTeW+Ruk
=F8Mb
—–END PGP SIGNATURE—–
—