Aggregator

USN-3957-2: MariaDB vulnerabilities

13 hours 3 minutes ago
MariaDB vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
Summary

Several security issues were fixed in MariaDB.

Software Description
  • mariadb-5.5 - MariaDB database
Details

USN-3957-1 fixed multiple vulnerabilities in MySQL. This update addresses some of them in MariaDB 5.5.

Ubuntu 14.04 LTS has been updated to MariaDB 5.5.64.

In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Please see the following for more information:
  • https://mariadb.com/kb/en/library/mariadb-5564-changelog/
  • https://mariadb.com/kb/en/library/mariadb-5564-release-notes/

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM:
  • mariadb-server - 5.5.64-1ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

USN-3977-2: Intel Microcode update

1 day 10 hours ago
intel-microcode update

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
Summary

The system could be made to expose sensitive information.

Software Description
  • intel-microcode - Processor microcode for Intel CPUs
Details

USN-3977-1 provided mitigations for Microarchitectural Data Sampling (MDS) vulnerabilities in Intel Microcode for a large number of Intel processor families. This update provides the corresponding updated microcode mitigations for Intel Cherry Trail and Bay Trail processor families.

Original advisory details:

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodymyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11091)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
  • intel-microcode - 3.20190514.0ubuntu0.19.04.3
Ubuntu 18.10:
  • intel-microcode - 3.20190514.0ubuntu0.18.10.2
Ubuntu 18.04 LTS:
  • intel-microcode - 3.20190514.0ubuntu0.18.04.3
Ubuntu 16.04 LTS:
  • intel-microcode - 3.20190514.0ubuntu0.16.04.2
Ubuntu 14.04 ESM:
  • intel-microcode - 3.20190514.0ubuntu0.14.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

mod_http2-1.15.0-1.fc28

1 day 15 hours ago
Code cleanups and simplifications:
  • in stream instance and main connection output handling, for a common strategy in h2/h2c versions of the protocol. Stream instances are kept in one place, which will make future optimizations in state handling easier.
  • Discarding the idea of re-using bucket beams and letting them live for one request only. Removing design/implementation overhead of never-used features. Making mutexes nested, removing optional lock code no longer necessary.

mod_http2-1.15.0-1.fc30

1 day 15 hours ago
Code cleanups and simplifications:
  • in stream instance and main connection output handling, for a common strategy in h2/h2c versions of the protocol. Stream instances are kept in one place, which will make future optimizations in state handling easier.
  • Discarding the idea of re-using bucket beams and letting them live for one request only. Removing design/implementation overhead of never-used features. Making mutexes nested, removing optional lock code no longer necessary.

mod_http2-1.15.0-1.fc29

1 day 15 hours ago
Code cleanups and simplifications:
  • in stream instance and main connection output handling, for a common strategy in h2/h2c versions of the protocol. Stream instances are kept in one place, which will make future optimizations in state handling easier.
  • Discarding the idea of re-using bucket beams and letting them live for one request only. Removing design/implementation overhead of never-used features. Making mutexes nested, removing optional lock code no longer necessary.

USN-3993-2: curl vulnerability

1 day 15 hours ago
curl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

curl could be made to crash if it received specially crafted data.

Software Description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

USN-3993-1 fixed a vulnerability in curl. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

It was discovered that curl incorrectly handled memory when receiving data from a TFTP server. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-5436)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM:
  • curl - 7.35.0-1ubuntu2.20+esm2
  • libcurl3 - 7.35.0-1ubuntu2.20+esm2
  • libcurl3-gnutls - 7.35.0-1ubuntu2.20+esm2
  • libcurl3-nss - 7.35.0-1ubuntu2.20+esm2
Ubuntu 12.04 ESM:
  • curl - 7.22.0-3ubuntu4.26
  • libcurl3 - 7.22.0-3ubuntu4.26
  • libcurl3-gnutls - 7.22.0-3ubuntu4.26
  • libcurl3-nss - 7.22.0-3ubuntu4.26

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3993-1: curl vulnerabilities

1 day 18 hours ago
curl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
Summary

Several security issues were fixed in curl.

Software Description
  • curl - HTTP, HTTPS, and FTP client and client libraries
Details

Wenchao Li discovered that curl incorrectly handled memory in the curl_url_set() function. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.04. (CVE-2019-5435)

It was discovered that curl incorrectly handled memory when receiving data from a TFTP server. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-5436)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
  • curl - 7.64.0-2ubuntu1.1
  • libcurl3-gnutls - 7.64.0-2ubuntu1.1
  • libcurl3-nss - 7.64.0-2ubuntu1.1
  • libcurl4 - 7.64.0-2ubuntu1.1
Ubuntu 18.10:
  • curl - 7.61.0-1ubuntu2.4
  • libcurl3-gnutls - 7.61.0-1ubuntu2.4
  • libcurl3-nss - 7.61.0-1ubuntu2.4
  • libcurl4 - 7.61.0-1ubuntu2.4
Ubuntu 18.04 LTS:
  • curl - 7.58.0-2ubuntu3.7
  • libcurl3-gnutls - 7.58.0-2ubuntu3.7
  • libcurl3-nss - 7.58.0-2ubuntu3.7
  • libcurl4 - 7.58.0-2ubuntu3.7
Ubuntu 16.04 LTS:
  • curl - 7.47.0-1ubuntu2.13
  • libcurl3 - 7.47.0-1ubuntu2.13
  • libcurl3-gnutls - 7.47.0-1ubuntu2.13
  • libcurl3-nss - 7.47.0-1ubuntu2.13

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

USN-3992-1: WebKitGTK+ vulnerabilities

1 day 18 hours ago
webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 19.04
  • Ubuntu 18.10
  • Ubuntu 18.04 LTS
Summary

Several security issues were fixed in WebKitGTK+.

Software Description
  • webkit2gtk - Web content engine library for GTK+
Details

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
  • libjavascriptcoregtk-4.0-18 - 2.24.2-0ubuntu0.19.04.1
  • libwebkit2gtk-4.0-37 - 2.24.2-0ubuntu0.19.04.1
Ubuntu 18.10:
  • libjavascriptcoregtk-4.0-18 - 2.24.2-0ubuntu0.18.10.1
  • libwebkit2gtk-4.0-37 - 2.24.2-0ubuntu0.18.10.1
Ubuntu 18.04 LTS:
  • libjavascriptcoregtk-4.0-18 - 2.24.2-0ubuntu0.18.04.1
  • libwebkit2gtk-4.0-37 - 2.24.2-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

USN-3566-2: PHP vulnerabilities

1 day 19 hours ago
php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM
Summary

Several security issues were fixed in PHP.

Software Description
  • php5 - HTML-embedded scripting language interpreter
Details

USN-3566-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20783)

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or possibly cause a crash, resulting in a denial of service. (CVE-2019-11036)

Original advisory details:

It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 ESM. (CVE-2017-12933)

It was discovered that PHP incorrectly handled locale length. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2017-11362)

It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 12.04 ESM. (CVE-2016-10712)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM:
  • libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm2
  • php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm2
  • php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm2
  • php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm2
Ubuntu 12.04 ESM:
  • libapache2-mod-php5 - 5.3.10-1ubuntu3.36
  • php5-cgi - 5.3.10-1ubuntu3.36
  • php5-cli - 5.3.10-1ubuntu3.36
  • php5-fpm - 5.3.10-1ubuntu3.36

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

libvirt-4.1.0-7.fc28

1 day 21 hours ago
Fix systemd socket permissions (CVE-2019-10132). The virtlockd-admin.socket, virtlogd-admin.sock, virtlockd.socket & virtlogd.socket units must be restarted, if currently running. This can be done with a host reboot or systemctl commands.

libvirt-4.7.0-4.fc29

1 day 21 hours ago
Fix systemd socket permissions (CVE-2019-10132). The virtlockd-admin.socket, virtlogd-admin.sock, virtlockd.socket & virtlogd.socket units must be restarted, if currently running. This can be done with a host reboot or systemctl commands.

libvirt-5.1.0-6.fc30

1 day 21 hours ago
Fix systemd socket permissions (CVE-2019-10132). The virtlockd-admin.socket, virtlogd-admin.sock, virtlockd.socket & virtlogd.socket units must be restarted, if currently running. This can be done with a host reboot or systemctl commands.