IT News

Willkommen auf der Seite mit Neuigkeiten und Informationen des aktuellen Monates rund um die Thematik der IT, IT-Sicherheit und meinem eigenen kleinen Webprojekt.

Hier finden Sie eine kleine Auswahl an externen Feeds wieder mit denen sich nicht nur Administratoren aus den Welten von Microsoft® und Linux® beschäftigen sollten, zudem spezifisch zu Ubuntu und Kubuntu.

Ebenfalls haben Sie die Möglichkeit die aktuellen Nachrichten über die Veröffentlichung neuer Artikel
unter HowTo's, ... zu meiner Webseite mittels einem Feedreader zu abonieren im Format RSS 2.0 und im Nachrichtenarchiv in den Listen der News herum zu stöbern.

D.R.G.

September 2020

Keine Nachrichten in diesem Zeitraum vorhanden.

IT-Security | Golem

September 2020

Phishing: Feature in Google App Engine hilft Kriminellen

Eine Web-App kann in Googles App Engine unter vielen URLs erreicht werden. Kriminelle nutzen dies für ihre Zwecke. (Phishing, Virus)

Weiterlesen …

Jobs: Unternehmen können offene IT-Stellen immer schwerer besetzen

Gleichzeitig steigt aber auch die Anzahl der Ausbildungs- und Studienplätze für IT-Jobs. (Arbeit, Security)

Weiterlesen …

Sicherheitslücke: Mobiler Firefox-Browser führte Befehle aus dem WLAN aus

Im gleichen WLAN konnten Angreifer den mobilen Firefox-Browser unter Android beliebige Webseiten oder andere Apps öffnen lassen - ohne Nutzerinteraktion. (Firefox, WLAN)

Weiterlesen …

Ransomware: Hunderttausende Passdaten von Reisenden veröffentlicht

Bei einem Ransomware-Angriff auf die argentinische Einwanderungsbehörde wurden Passdaten kopiert. Rund 12.000 Betroffene stammen aus Deutschland. (Ransomware, Datenschutz)

Weiterlesen …

Apple Pay: EU will Apple zur Freigabe von NFC-Chip bringen

Neue Regeln der EU-Kommission könnten Apple dazu zwingen, seinen NFC-Chip für Entwickler freizugeben - etwa für drahtlose Zahlungen. (Apple, NFC)

Weiterlesen …

Hisilicon: Vielzahl kritischer Lücken in Huawei-Encodern

Standardpasswort, Telnet-Zugang und weitere kritische Lücken finden sich in den Video-Geräten. Huawei sieht seine Kunden verantwortlich. (IoT, H.264)

Weiterlesen …

Zwischenzertifikate: Zertifikatswechsel bei Let's Encrypt steht an

Bisher war das Let's-Encrypt-Zwischenzertifikat von Identrust signiert. Das wird sich bald ändern. Von Hanno Böck (Let's Encrypt, Technologie)

Weiterlesen …

Corona-Gästeliste: Gesundheitsbehörden auf der Suche nach Darth Vader

Nach mehreren Corona-Fällen in einer Kneipe suchen die Behörden rund 100 Personen, die falsche Angaben auf der Kontaktliste gemacht haben. (Coronavirus, Datenschutz)

Weiterlesen …

Todesfall: Citrix-Sicherheitslücke ermöglichte Angriff auf Krankenhaus

Ein Ransomware-Angriff auf die Uniklinik Düsseldorf, der zu einem Todesfall führte, erfolgte über die "Shitrix" genannte Lücke in Citrix-Geräten (Citrix, Netzwerk)

Weiterlesen …

Gesetz gegen Hasskriminalität: Bundespräsident soll verfassungsrechtliche Bedenken haben

Nach einem Urteil des Bundesverfassungsgerichts zur Bestandsdatenauskunft könnte auch das Gesetz gegen Hasskriminalität verfassungswidrig sein. (Netzwerkdurchsetzungsgesetz, Datenschutz)

Weiterlesen …

Datenleck: Windeln.de lässt Kundendaten ungeschützt im Internet

Eine Datenbank mit 6,4 TByte an Kundendaten ließ der Onlineshop für Babyprodukte ungesichert im Internet. (Datenleck, Datenschutz)

Weiterlesen …

Regierungsbericht: IT-Konsolidierung des Bundes könnte scheitern

Die Neuausstattung der IT-Systeme von Bundesbehörden wird durch interne Widerständen, Personalmangel und schlechter Netzverbindung verzögert. (Bundesregierung, Security)

Weiterlesen …

Nach Hacker-Angriff: Ermittlungen wegen fahrlässiger Tötung

Infolge eines Hacker-Angriffs auf die Düsseldorfer Uniklinik ist es zu einem Todesfall gekommen. (Ransomware, Server)

Weiterlesen …

Sicherheitslücke: Treffen sich zwei Bluetooth-Geräte, das eine ist gespooft

Bei einem Reconnect müssen sich Bluetooth-Geräte nicht zwangsweise authentifizieren. Ein Forscherteam konnte sich so als ein BLE-Gerät ausgeben. (Bluetooth, Android)

Weiterlesen …

Onefuzz: Microsoft legt eigene Fuzzing-Werkzeuge offen

Die Software Onefuzz nutzt Microsoft für Edge oder Windows und soll sich in einer CI/CD-Pipeline einsetzen lassen. (Microsoft, Applikationen)

Weiterlesen …

Gaia-X, Apple Pay, Venus: Sonst noch was?

Was am 15. September 2020 neben den großen Meldungen sonst noch passiert ist, in aller Kürze. (Kurznews, SAP)

Weiterlesen …

Bund, Länder und Kommunen: Bitkom fordert digitale Wahlen

Nach Problemen mit Briefwahlunterlagen in Nordrhein-Westfalen fordert der Bitkom zeitgemäße Alternativen - diese sind jedoch umstritten. (Software, CCC)

Weiterlesen …

Sicherheitslücke: Mit acht Nullen zum Active-Directory-Admin

Die Sicherheitslücke Zerologon nutzt einen Fehler in Netlogon aus und involviert die Zahl Null auf kreative Weise - um Passwörter zu ändern. (Sicherheitslücke, Applikationen)

Weiterlesen …

Überwachung: Ende-zu-Ende-Verschlüsselung versus Uploadfilter

Die EU-Kommission möchte die E2E-Verschlüsselung von Messengern wie Whatsapp mit Uploadfiltern aushebeln. Das gefährdet unsere Demokratie. Ein IMHO von Moritz Tremmel (Ende-zu-Ende-Verschlüsselung, Vorratsdatenspeicherung)

Weiterlesen …

Xhamster und Co.: Malware wird wieder stärker über Pornoseiten verteilt

Gleich zwei Malvertising-Netzwerke nutzen laut Malwarebytes Sicherheitslücken obsoleter Programme aus: Adobe Flash und Internet Explorer. (Malware, Virus)

Weiterlesen …

BLURtooth: Sicherheitslücke ermöglicht MITM-Angriffe auf Bluetooth

Mit einer Blurtooth genannten Sicherheitslücke lassen sich unter bestimmten Bedingungen die Schlüssel einer Bluetooth-Verbindung austauschen. (Bluetooth, Datenschutz)

Weiterlesen …

Bundestag: Neue Regeln gegen Abmahnmissbrauch verabschiedet

Das neue Gesetz soll vor allem kleine Unternehmen vor Abzocke mit Abmahnungen schützen, beispielsweise beim Verstoß gegen die DSGVO. (Abmahnung, Datenschutz)

Weiterlesen …

Diffie-Hellman-Seitenkanal: Raccoon-Angriff auf TLS betrifft nur Wenige

Forscher zeigen eine bislang unbekannte Schwäche im TLS-Protokoll, die praktischen Risiken sind aber sehr gering. (TLS, Verschlüsselung)

Weiterlesen …

Windows 10: Hintergrundbilder ermöglichen Stehlen von Accountdaten

Angepasste Windows-10-Designs können auf Hintergrundbilder im Netz zugreifen. Dies lässt sich nutzen, um Accountdaten in Hashes abzugreifen. (Windows 10, Server)

Weiterlesen …

Digitaler Nachlass: Facebook muss Erben direkten Zugang zu Account geben

15.000 PDF-Seiten reichen nicht: Die Erben einer 15-Jährigen müssen laut BGH genauso auf ihr Facebook-Konto zugreifen dürfen wie das Mädchen selbst. (Facebook, Soziales Netz)

Weiterlesen …

Bittorent v2: Libtorrent vollzieht Wechsel weg von SHA-1

Die freie Libtorrent-Bibliothek implementiert das Bittorent-Protokoll in Version 2. Die wichtigste Neuerung: SHA-256 statt SHA-1. (Bittorrent, P2P)

Weiterlesen …

Linux: Keine Eile beim Schließen einer Kernel-Sicherheitslücke

Mit einem Buffer Overflow im Linux-Kernel lässt sich ein System durch lokale Nutzer zum Absturz bringen, eine Rechteausweitung ist wohl möglich. (Linux-Kernel, Linux)

Weiterlesen …

Linux-Kernel: Fehlende Diskussionen können Sicherheitslücken preisgeben

Das Verhalten bei der Integration von Patches in den Linux-Kernel kann Verdacht erwecken und dabei Sicherheitslücken aufdecken. (Linux-Kernel, Linux)

Weiterlesen …

Ciscos Jabber-Client: Code-Ausführung per Chat-Nachricht

Cisco hat eine Sicherheitslücke in seinem Jabber-Client für Windows geschlossen. Diese hat Angreifern ermöglicht, per Textnachricht Code auszuführen. (Jabber, Instant Messenger)

Weiterlesen …

Nach Facebook-Kritik: Apple verschiebt Maßnahmen für mehr Privatsphäre

Die Anti-Tracking-Technik soll in iOS 14 eingebaut und im kommenden Jahr von Apple aktiviert werden. Zuvor hat es Kritik von Facebook gegeben. (Apple, Datenschutz)

Weiterlesen …

Krypto-Messenger: Threema soll Open Source werden

Das Team des Krypto-Messengers bekommt Unterstützung von einer Investmentfirma und will Threema künftig als Open Source bereitstellen. (Threema, Instant Messenger)

Weiterlesen …

Armorlock: WD zeigt SSDs mit eigener Open-Source-Verschlüsselung

Nach offenen RISC-V-Kernen und Hardware-Security bietet Western Digital auch externe SSDs mit eigener App-Verschlüsselung an. (Western Digital, Verschlüsselung)

Weiterlesen …

Polizei: Unberechtigte Datenabfragen in Sachsen-Anhalt

24 Ermittlungsverfahren wegen missbräuchlicher Datenabfragen durch Polizisten gab es seit 2016 in Sachsen-Anhalt. Genaue Kontrolle ist schwierig. (Polizei, Datenschutz)

Weiterlesen …

Wordpress: Sicherheitsproblem bei Dateiverwaltungs-Plugin

Bei älteren Versionen von File Manager lässt sich Schadcode auf Wordpress-Seiten einschleusen. Angreifer nutzen die Lücke aktiv aus. (Wordpress, Sicherheitslücke)

Weiterlesen …

Virtual Reality: Oculus stellt Verkauf von Headsets in Deutschland ein

In Deutschland verkauft Oculus seine Rift- und Quests-Headsets nicht mehr - möglicherweise wegen Datenaustausch mit Facebook. (Oculus, Soziales Netz)

Weiterlesen …

Trotz Cloud Act: Telefónica/O2 vertraut sein 5G-Kernnetz Amazon an

Der Mobilfunkbetreiber Telefónica Deutschland setzt bei seinem 5G-Kernnetz auf Server in Deutschland. Doch die gehören Amazon aus den USA. (AWS, Microsoft)

Weiterlesen …

Cz.nic: Open Source Hardware-Firewall Turris Shield verfügbar

Der Open Source Router Turris Omnia und Mox bietet mit dem Shield nun auch eine Firewall-Appliance für daheim oder das Büro. (Router, Netzwerk)

Weiterlesen …

Norwegen: E-Mail-Accounts von Abgeordneten gehackt

E-Mails einige Abgeordneter des norwegischen Parlaments wurden offenbar gehackt. Das genaue Ausmaß des Datenabflusses ist bisher unklar. (Hacker, Security)

Weiterlesen …

IOS XR: Offene Sicherheitslücken bei Cisco-Routern

Zwei Sicherheitslücken und noch keine Updates: Cisco hat Probleme bei IOS XR entdeckt. Bisher gibt es nur provisorische Abhilfe. (Cisco, Netzwerk)

Weiterlesen …

Systemprogrammierung: Rust im Linux-Kernel hat viele Probleme

Die Linux-Community diskutiert konkrete Umsetzungsideen für Kernel-Module in Rust. In Details zeigen sich aber viele Schwierigkeiten. (Linux-Kernel, Programmiersprache)

Weiterlesen …

IT-Security | Heise

September 2020

Uniklinik Düsseldorf: Ransomware "DoppelPaymer" soll hinter dem Angriff stecken

Die Verantwortlichen für den Angriff auf die Uniklinik sitzen laut Justizministerium möglicherweise in Russland. Die Ermittlungen und Aufräumarbeiten dauern an.

Weiterlesen …

Sicherheitsupdates: Gefährliche Lücken bedrohen Citrix ADC, Gateway und SD-WAN

Angreifer könnten verschiedene Citrix-Produkte attackieren und im schlimmsten Fall eigene Befehle ausführen.

Weiterlesen …

Activision-Accounts: Nutzer berichten von großem Datenleck

Nutzerberichten zufolge wurden die Zugangsdaten von mindestens 500.000 Usern geleakt. Activision dementierte das.

Weiterlesen …

Google App Engine: Redirect-Feature begünstigt Phishing und Malware-Verbreitung

Googles Cloud-Anwendungsplattform App Engine bietet Kriminellen beim Generieren schädlicher Links viel Freiraum, den diese im Zuge aktiver Angriffe auskosten.

Weiterlesen …

Zerologon-Lücke in Windows Server: US-Regierung hat vier Tage Zeit zum Patchen

Die Cybersecurity and Infrastructure Security Agency hat aufgrund einer kritischen Windows-Server-Lücke eine Notfall-Richtlinie verhängt.

Weiterlesen …

heise-Angebot: storage2day 2020 online: Einstand mit dem Storage Security & Backup Day

Mit dem Storage Security & Backup Day beginnt die Online-Thementagreihe der storage2day 2020. Storage-Trends und -Lösungen sowie der Ceph Day folgen.

Weiterlesen …

Google Chrome bekommt Funktion für leichtere Änderung des Passworts

Kompromittierte Passwörter lassen sich in Chrome künftig leichter ändern, Entwickler können für betroffene Nutzer eine Weiterleitung einbauen.

Weiterlesen …

l+f: Das Rätsel der fehlenden 9en

Eine (vermutlich) echte Spionagegeschichte ...

Weiterlesen …

Phishing: Gefälschte Netflix-E-Mails im Umlauf

Immer wieder landen betrügerische E-Mails im Posteingang. Wer momentan Mails vom Streaminganbieter Netflix bekommt, sollte besonders gut hinschauen.

Weiterlesen …

Cyber-Angriff auf Uniklinik: "Alles richtig gemacht"

Die Uniklinik Düsseldorf meint, sie treffe keinerlei Schuld am Ausfall ihrer IT.

Weiterlesen …

DDoS-Angriffe auf Tutanota gehen weiter: Im Visier, die DNS-Anbieter

Während vergangenes Wochenende der Mail-Anbieter Tutanota Ziel von DDoS-Angriffen war, richtete sich eine erneute Attacke gegen DNS-Anbieter.

Weiterlesen …

Remote-Lücke aus WordPress-Plugin "Discount Rules for WooCommerce" beseitigt

Wer das Plugin erst vor ein paar Wochen aktualisiert hat, sollte den Update-Prozess nochmals anwerfen: Die Entwickler haben eine weitere Lücke geschlossen.

Weiterlesen …

Backdoors in Video-Encodern auf Huawei-Chips entdeckt - Ursprung unbekannt

Ein Sicherheitsforscher ist auf mehrere kritische Sicherheitslücken gestoßen, die Software-Video-Encoder angreifbar machen.

Weiterlesen …

Twitter mahnt Politiker und Journalisten zur Verwendung sicherer Passwörter

Twitter will Angriffe auf Konten von Politikern, Institutionen und Journalisten vor der US-Wahl im November verhindern und trifft präventive Maßnahmen.

Weiterlesen …

Argentinische Einwanderungsbehörde: Ransomware-Gang leakte Passdaten

Nach einem Ransomware-Angriff verweigerte die argentinische Einwanderungsbehörde die Lösegeldzahlung. Passdaten, auch von 12.000 Deutschen, landeten im Netz.

Weiterlesen …

Sicherheitsupdates: Drupal-Websites könnten Schadcode in Browser schießen

Mit dem CMS Drupal erstellte Websites sind über kritische Sicherheitslücken angreifbar.

Weiterlesen …

Cyber-Angriff auf Uniklinik Düsseldorf: #Shitrix schlug zu

Die Erpresser kamen über eine Sicherheitslücke im VPN-Gateway – wahrscheinlich schon vor Monaten.

Weiterlesen …

Schadcode per Word-Datei: Microsoft flickt Office für Mac

Microsoft hat die macOS-Version seiner Office-Suite aktualisiert. Die Updates schließen Schwachstellen, die das Ausführen von Schadcode ermöglichen.

Weiterlesen …

Kritische Schadcode-Lücke in Trend Micro ServerProtect bedroht Linux

Aufgrund einer Schwachstelle könnte die Schutzsoftware ServerProtect for Linux Angreifer nicht ausreichend abwehren.

Weiterlesen …

Sicherheitsupdates VMware: Angreifer könnten virtuelle Maschinen abschießen

Die VMware-Entwickler haben mehrere Sicherheitslücken in Fusion, Horizon Client, Player und Workstation geschlossen. Einige Updates stehen aber noch aus.

Weiterlesen …

Hackerangriff auf Uniklinik Düsseldorf: Ermittlungen wegen fahrlässiger Tötung

Der IT-Ausfall an der Uniklinik geht tatsächlich auf einen Hackerangriff zurück. Die Erpresser zogen sich zurück. Es wird wegen eines Todesfalls ermittelt.

Weiterlesen …

Empfehlungen: Die NSA rät zu UEFI und Secure Boot

Wenn Angreifer Computer schon vor dem Windows-Start drangsalieren, hat das fatale Folgen und AV-Software ist oft machtlos. Die NSA gibt Tipps zur Absicherung.

Weiterlesen …

IBM: Sicherheitsupdates für zahlreiche Produkte verfügbar

Seit Anfang voriger Woche hat IBM eine ganze Reihe von Lücken aus seinem Produktportfolio beseitigt – darunter einige mit hohem bis kritischem Schweregrad.

Weiterlesen …

Schadcode-Lücken in Nitro Pro PDF geschlossen

Es sind wichtige Sicherheitsupdates für die PDF-Anwendung Nitro Pro erschienen.

Weiterlesen …

Update seit August verfügbar: Forscher coden Exploits für Windows Server-Lücke

Die mit dem CVSS-Score 10 bewertete Lücke CVE-2020-1472 in Windows Server kann mittels "Zerologon" ausgenutzt werden. Nutzer sollten jetzt updaten.

Weiterlesen …

IT-Ausfall an Uniklinik Düsseldorf betrifft immer mehr Patienten

Der IT-Ausfall an der Uniklinik Düsseldorf hat gravierende Folgen für immer mehr Patienten. Experten gehen von einem Hackerangriff aus.

Weiterlesen …

Shitrix-Nachwehen: Citrix-Systeme mit unbemerkten Backdoors

Auf Citrix ADC und Netscaler Gateways sind offenbar über die Shitrix-Lücke Anfang des Jahres Backdoors installiert worden, durch die Ransomware gelangen kann.

Weiterlesen …

Notfallpatch für Adobe Media Encoder verfügbar

Angreifer könnten Media Encoder von Adobe attackieren und Informationen leaken.

Weiterlesen …

Erfolgreiche Angriffskampagne trifft Online-Shops auf Basis von Magento 1

Der Support für Version 1.x der Onlineshop-Software Magento endete im Juni 2020. Eine aktuelle "Magecart"-Angriffskampagne zielt nun auf veraltete Shops.

Weiterlesen …

Sicherheitsupdates: Root-Lücke bedroht Firewalls von Palo Alto

Eine kritische Lücke im Betriebssystem PAN-OS gefährdet Firewalls aus dem Hause Palo Alto.

Weiterlesen …

Immer dasselbe Passwort: Hacker hatten 2016 Zugriff auf Trumps Twitter-Account

Drei niederländische Hacker hatten im Oktober 2016 kurzzeitig Zugriff auf Trumps Twitter-Account. Das haben sie nun öffentlich gemacht.

Weiterlesen …

Videokonferenzsoftware Zoom jetzt mit Zwei-Faktor-Authentifizierung

Die Entwickler von Zoom haben den Log-in-Prozess sicherer gestaltet. Accounts sind so besser geschützt.

Weiterlesen …

Bluetooth anfällig für Angriffe auf Schlüssel – irgendwie

Das CERT/CC und die Bluetooth-Standardisierer warnen vor Blurtooth – knausern aber mit Informationen zur entdeckten Schwachstelle.

Weiterlesen …

Neue FIDO2-Schlüssel mit NFC und Fingerabdruckscanner

Die Auswahl wächst: Neue FIDO2-Authenticator zum sicheren Einloggen mit und ohne Passwort sind jetzt lieferbar. Darunter der lange angekündigte Yubikey 5C NFC.

Weiterlesen …

Sicherheitsupdate: Fünf Sicherheitslücken in Chrome geschlossen

Google hat die abgesicherte Version 85.0.4183.102 des Webbrowsers Chrome veröffentlicht.

Weiterlesen …

Patchday: Viele Sicherheitsflicken für verschiedene Android-Komponenten

Google hat jede Menge Sicherheitslücken in Android geschlossen. Betroffen sind unter anderem der Fingerabdrucksensor und die Kamera.

Weiterlesen …

Windows-Sicherheit: Microsofts Security Compliance Toolkit 1.0 erschienen

Das Security Compliance Toolkit umfasst in der neuen Version 1.0 mehrere Programme zum Verwalten der Sicherheitsrichtlinien von Windows-Clients und -Servern.

Weiterlesen …

EU-Kommission: Mit Hashabgleich und TPM gegen Ende-zu-Ende-Verschlüsselung

Experten zeigen im Auftrag der EU-Kommission Ansätze auf, um Material zu sexuellem Kindesmissbrauch in durchgängig verschlüsselter Kommunikation aufzudecken.

Weiterlesen …

AMD-Serverprozessor Epyc lässt sich mit Servern "verdongeln"

Die Funktion Platform Secure Boot (PSB) bindet AMD-Epyc-Prozessoren an bestimmte Mainboards; sie booten in Servern anderer Hersteller dann nicht mehr.

Weiterlesen …

Cyberwehr-Projektleiter über die Hilfshotline für Unternehmen

Vorfallsannahme, Analyse, Bild – und weiteres Vorgehen: So läuft es bei der Cyberwehr, einem kostenlosen Hilfsangebot für kleine Unternehmen.

Weiterlesen …

"Cyberwehr" gestartet: 24-Stunden Hilfshotline für Unternehmen

Kleine und mittelständische Unternehmen können sich bei Cyberangriffen in Baden-Württemberg rund um die Uhr an eine kostenlose Hilfshotline wenden.

Weiterlesen …

Patchday: Gefährliche Lücke in Intels Fernwartung Active Management Technology

Der Halbleiterhersteller Intel hat unter anderem abgesicherte Treiber und BIOS-Versionen veröffentlicht.

Weiterlesen …

Schwerwiegende Computerprobleme an Berliner Gerichten

Vor einem Jahr legte Emotet das Berliner Kammergericht lahm. Nun gibt es an Berliner Gerichten erneut IT-Probleme.

Weiterlesen …

Patchday: Angreifer könnten unberechtigt auf SAP-Software zugreifen

Der Hersteller von betriebswirtschaftlicher Software hat Sicherheitsupdates für unter anderem kritische Lücken veröffentlicht.

Weiterlesen …

Patchday: Adobe schließt kritische Schadcode-Lücken in InDesign & Co.

Es gibt wichtige Sicherheitsupdates für Experience Manager, Framemaker und InDesign.

Weiterlesen …

Patchday: Von Angreifern präparierte Websites könnten Windows gefährlich werden

Microsoft hat Sicherheitsupdates für mehrere Produkte veröffentlicht und über 120 Sicherheitslücken geschlossen.

Weiterlesen …

l+f: Viren-Scanner versus Antifa

Die Scanner von Avast und AVG halten eine Ausgabe der Tageszeitung taz für einen Trojaner.

Weiterlesen …

Angst vor Hackern aus China: Trump will Cybersicherheit im Weltraum erhöhen

Betreiber von Satelliten und Raumschiffen sollen ihre Systeme laut Trumps Anordnung besser vor Hackerangriffen und elektronischen Störmaßnahmen schützen.

Weiterlesen …

Risikofaktor Mensch: BSI lädt zum IT-Grundschutztag ein

Zum online veranstalteten IT-Grundschutztag des Bundesamts für Sicherheit in der Informationstechnik können sich Interessierte noch anmelden.

Weiterlesen …

CCC deckt erneut Schwachstellen in Corona-Listen auf

Mitglieder des Chaos Computer Clubs fanden mehrere Sicherheitslücken, eine vorhandene Verschlüsselung der Daten verhinderte aber Schlimmeres.

Weiterlesen …

"Hör mir besser zu!!!": Bitcoin-Erpressermails mit Bombendrohungen

Das Landeskriminalamt warnt vor der Zunahme von Erpressermails, in denen Bombendrohungen ausgesprochen werden. Es gab bereits Evakuierungen.

Weiterlesen …

Hacker erbeuten Kredikartendaten aus Warner-Music-Group-Shops

Es gab Sicherheitsvorfälle in mehreren Onlineshops des Major-Labels Warner Music Group.

Weiterlesen …

Messenger: Threema soll Open Source werden

Eine Beteiligungsgesellschaft steigt bei Threema ein. Die Entwickler versprechen Kontinuität und wollen bald den Code vollständig offenlegen.

Weiterlesen …

CPU-Sicherheitslücken: Windows-10-Updates mit neuem Intel-Microcode

Der Patch KB4558130 für Windows 10 (Version 2004) migriert einige Probleme im Zusammenhang mit Spectre – auch bei Core-i-1000-Prozessoren.

Weiterlesen …

Sicherheitslücke im WordPress-Plugin File Manager öffnet Websites für Angreifer

Durch eine Schwachstelle in File Manager sind rund 700.000 WordPress-Websties potenziell gefährdet. Angreifer attackieren derzeit gezielt Seiten.

Weiterlesen …

Cisco Sicherheitsupdates: Jabber + präparierte Nachricht = Schadcode

Cisco hat Sicherheitsupdates für unter anderem Jabber, IOS XR und Webex Meetings veröffentlicht.

Weiterlesen …

Malware: Immer mehr infizierte MS-Office-Dateien

Laut dem IT-Security-Anbieter SonicWall missbrauchen Kriminelle derzeit auffallend oft Office-Dateien zum Verbreiten von Schadsoftware.

Weiterlesen …

Qnap-NAS gegen vielfältige Attacken abgesichert

Angreifer könnten Netzwerkspeicher (NAS) von Qnap attackieren und im schlimmsten Fall Schadcode ausführen. Sicherheitsupdates sind verfügbar.

Weiterlesen …

Verschlüsselung: TLS-1.3-Fauxpas gefährdet Embedded-Systeme mit wolfSSL

Aus Sicherheitsgründen sollten Admins die TLS-Programmbibliothek wolfSSL auf den aktuellen Stand bringen.

Weiterlesen …

heise-Angebot: Online-Workshops: Systematische Sicherheit mit dem IT-Grundschutz des BSI

Lernen Sie, wie man mithilfe des IT-Grundschutzes des BSI IT-Systeme systematisch absichert, und erwerben Sie optional das Zertifikat Grundschutz-Praktiker.

Weiterlesen …

Nextcloud integriert Virenschutz von Kaspersky

Unternehmen können ihre Nextcloud-Instanz von nun an mit Kasperskys Scan Engine ausstatten. So soll sich Malware nicht von einem Client zum nächsten ausbreiten.

Weiterlesen …

Sicherheitsupdates: Schutzsoftware von Trend Micro kann PCs gefährden

Es gibt wichtige Sicherheitspatches für Trend Micro Apex One und OfficeScan XG.

Weiterlesen …

Jetzt patchen! Angriffe auf drei Jahre alte Lücke in NAS von Qnap

Aufgrund von aktuellen Attacken sollten Besitzer eines Netzwerkspeichers (NAS) von Qnap sicherstellen, dass die aktuelle Firmware-Version installiert ist.

Weiterlesen …

Warten auf Sicherheitspatches: Angreifer attackieren Router von Cisco

Bislang gibt der Netzwerkausrüster Cisco nur Tipps, wie Admins die Aussicht auf erfolgreiche Attacken auf Router minimieren können.

Weiterlesen …

IT-Security | Microsoft®

September 2020

Keine Nachrichten in diesem Zeitraum vorhanden.

IT-Security | "The Hacker News"

September 2020

Unsecured Microsoft Bing Server Exposed Users' Search Queries and Location

A back-end server associated with Microsoft Bing exposed sensitive data of the search engine's mobile application users, including search queries, device details, and GPS coordinates, among others. The logging database, however, doesn't include any personal details such as names or addresses. The data leak, discovered by Ata Hakcil of WizCase on September 12, is a massive 6.5TB cache of log

Weiterlesen …

British Hacker Sentenced to 5 Years for Blackmailing U.S. Companies

A UK man who threatened to publicly release stolen confidential information unless the victims agreed to fulfill his digital extortion demands has finally pleaded guilty on Monday at U.S. federal district court in St. Louis, Missouri. Nathan Francis Wyatt , 39, who is a key member of the infamous international hacking group 'The Dark Overlord,' has been sentenced to five years in prison and

Weiterlesen …

A Patient Dies After Ransomware Attack Paralyzes German Hospital Systems

German authorities last week disclosed that a ransomware attack on the University Hospital of Düsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away. The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months. The

Weiterlesen …

U.S. Treasury Sanctions Hacking Group Backed by Iranian Intelligence

The U.S. government on Thursday imposed sweeping sanctions against an Iranian threat actor backed by the country's Ministry of Intelligence and Security (MOIS) for carrying out malware campaigns targeting Iranian dissidents, journalists, and international companies in the telecom and travel sectors. According to the U.S. Treasury and the Federal Bureau of Investigation (FBI), the sanctions target

Weiterlesen …

A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network

Dear Android users, if you use the Firefox web browser on your smartphones, make sure it has been updated to version 80 or the latest available version on the Google Play Store. ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android. Discovered

Weiterlesen …

Researchers Uncover 6-Year Cyber Espionage Campaign Targeting Iranian Dissidents

Capping off a busy week of charges and sanctions against Iranian hackers, a new research offers insight into what's a six-year-long ongoing surveillance campaign targeting Iranian expats and dissidents with an intention to pilfer sensitive information. The threat actor, suspected to be of Iranian origin, is said to have orchestrated the campaign with at least two different moving parts — one for

Weiterlesen …

Android 11 — 5 New Security and Privacy Features You Need to Know

After a long wait and months of beta testing, Google last week finally released Android 11, the latest version of the Android mobile operating system—with features offering billions of its users more control over their data security and privacy. Android security is always a hot topic and almost always for the wrong reason, including Google's failure to prevent malicious apps from being

Weiterlesen …

2 Hackers Charged for Defacing Sites after U.S. Airstrike Killed Iranian General

The US Department of Justice (DoJ) on Tuesday indicted two hackers for their alleged involvement in defacing several websites in the country following the assassination of Iranian major general Qasem Soleimani earlier this January. Behzad Mohammadzadeh (aka Mrb3hz4d), 19, and Marwan Abusrour (aka Mrwn007), 25, have been charged with conspiracy to commit intentional damage to a protected

Weiterlesen …

Zenscrape: A Simple Web Scraping Solution for Penetration Testers

Did you ever try extracting any information from any website? Well, if you have then you have surely enacted web scraping functions without even knowing it! To put in simpler terms, Web scraping, or also known as web data extraction, is the process of recouping or sweeping data from web-pages. It is a much faster and easier process of retrieving data without undergoing the time-consuming

Weiterlesen …

U.S. Announces Charges Against 2 Russian and 2 Iranian Hackers

Immediately after revealing criminal charges against 5 Chinese and 2 Malaysian hackers, the United States government yesterday also made two separate announcements charging two Iranian and two Russian hackers and added them to the FBI's most-wanted list. The two Russian nationals—Danil Potekhin and Dmitrii Karasavidi—are accused of stealing $16.8 million worth of cryptocurrencies in a series of

Weiterlesen …

FBI adds 5 Chinese APT41 hackers to its Cyber's Most Wanted List

The United States government today announced charges against 5 alleged members of a Chinese state-sponsored hacking group and 2 Malaysian hackers that are responsible for hacking more than 100 companies throughout the world. Named as APT41 and also known as 'Barium,' 'Winnti, 'Wicked Panda,' and 'Wicked Spider,' the cyber-espionage group has been operating since at least 2012 and is not just

Weiterlesen …

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used

Weiterlesen …

New Report Explains COVID-19's Impact on Cyber Security

Most cybersecurity professionals fully anticipated that cybercriminals would leverage the fear and confusion surrounding the Covid-19 pandemic in their cyberattacks. Of course, malicious emails would contain subjects relating to Covid-19, and malicious downloads would be Covid-19 related. This is how cybercriminals operate. Any opportunity to maximize effectiveness, no matter how contemptible

Weiterlesen …

Report: 97% of Cybersecurity Companies Have Leaked Data on the Dark Web

In a new report into the global cybersecurity industry's exposure on the Dark Web this year, global application security company, ImmuniWeb, uncovered that 97% of leading cybersecurity companies have data leaks or other security incidents exposed on the Dark Web, while on average, there are over 4,000 stolen credentials and other sensitive data exposed per cybersecurity company. Even the

Weiterlesen …

CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities. "CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information

Weiterlesen …

New Linux Malware Steals Call Details from VoIP Softswitch Systems

Cybersecurity researchers have discovered an entirely new kind of Linux malware dubbed "CDRThief" that targets voice over IP (VoIP) softswitches in an attempt to steal phone call metadata. "The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR)," ESET researchers said in a Thursday analysis. "To steal this

Weiterlesen …

New Unpatched Bluetooth Flaw Lets Hackers Easily Target Nearby Devices

Bluetooth SIG—an organization that oversees the development of Bluetooth standards—today issued a statement informing users and vendors of a newly reported unpatched vulnerability that potentially affects hundreds of millions of devices worldwide. Discovered independently by two separate teams of academic researchers, the flaw resides in the Cross-Transport Key Derivation (CTKD) of devices

Weiterlesen …

Hackers Stole $5.4 Million From Eterbase Cryptocurrency Exchange

Cybercriminals successfully plundered another digital cryptocurrency exchange. European cryptocurrency exchange Eterbase this week disclosed a massive breach of its network by an unknown group of hackers who stole cryptocurrencies worth 5.4 million dollars. Eterbase, which has now entered maintenance mode until the security issue is resolved, described itself as Europe's Premier Digital Asset

Weiterlesen …

A Successful Self-Service Password Reset (SSPR) Project Requires User Adoption

IT help desks everywhere are having to adjust to the 'new normal' of supporting mainly remote workers. This is a major shift away from visiting desks across the office and helping ones with traditional IT support processes. Many reasons end-users may contact the helpdesk. However, password related issues are arguably the most common. Since the onset of the global pandemic that began earlier

Weiterlesen …

Cynet Takes Cyber Threat Protection Automation to the Next Level with Incident Engine

We have all heard of the "cybersecurity skills gap" — firms' inability to hire and retain high-level cybersecurity talent. I see this gap manifesting in two ways. First, companies that want to hire cybersecurity talent simply cannot find candidates with sufficient skills. Second, companies that cannot afford specialized cybersecurity talent and therefore lack the necessary skills to

Weiterlesen …

Cybercriminals Are Using Legit Cloud Monitoring Tools As Backdoor

A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose genuine cloud monitoring tools as a backdoor to carry out malicious attacks, according to new research. "To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," Israeli cybersecurity firm Intezer said

Weiterlesen …

Microsoft Releases September 2020 Security Patches For 129 Flaws

As part of this month's Patch Tuesday, Microsoft today released a fresh batch of security updates to fix a total of 129 newly discovered security vulnerabilities affecting various versions of its Windows operating systems and related software. Of the 129 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, ChakraCore, SQL Server, Exchange Server, Office,

Weiterlesen …

Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks

Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand. "The emails contain malicious attachments or links that the receiver is encouraged to download," New Zealand's Computer Emergency Response Team (CERT) said. "These links and attachments may

Weiterlesen …

New PIN Verification Bypass Flaw Affects Visa Contactless Payments

Even as Visa issued a warning about a new JavaScript web skimmer known as Baka, cybersecurity researchers have uncovered an authentication flaw in the company's EMV enabled payment cards that permits cybercriminals to obtain funds and defraud cardholders as well as merchants illicitly. The research, published by a group of academics from the ETH Zurich, is a PIN bypass attack that allows the

Weiterlesen …

SMB Cybersecurity Catching Up to Enterprise… But the Human Element Still a Major Concern

Cyberattacks on small to medium-sized businesses (SMBs) are continuing at a relentless pace, with the vast majority of data breaches coming from outside the organization. Some believe hackers are aggressively targeting these smaller firms because they believe SMBs lack adequate resources and enterprise-grade security tools, making them easier prey than larger businesses. A new report from

Weiterlesen …

Evilnum hackers targeting financial firms with a new Python-based RAT

An adversary known for targeting the fintech sector at least since 2018 has switched up its tactics to include a new Python-based remote access Trojan (RAT) that can steal passwords, documents, browser cookies, email credentials, and other sensitive information. In an analysis published by Cybereason researchers yesterday, the Evilnum group has not only tweaked its infection chain but has

Weiterlesen …

(Live) Webinar – XDR and Beyond with Autonomous Breach Protection

Anyone paying attention to the cybersecurity technology market has heard the term XDR - Extended Detection and Response. XDR is a new technology approach that combines multiple protection technologies into a single platform. All the analyst firms are writing about it, and many of the top cybersecurity companies are actively moving into this space. Why is XDR receiving all the buzz? Combining

Weiterlesen …

Cisco Jabber Bug Could Let Hackers Target Windows Systems Remotely

Networking equipment maker Cisco has released a new version of its Jabber video conferencing and messaging app for Windows that includes patches for multiple vulnerabilities—which, if exploited, could allow an authenticated, remote attacker to execute arbitrary code. The flaws, which were uncovered by Norwegian cybersecurity firm Watchcom during a pentest, affect all currently supported

Weiterlesen …

New Web-Based Credit Card Stealer Uses Telegram Messenger to Exfiltrate Data

Cybercriminal groups are constantly evolving to find new ways to pilfer financial information, and the latest trick in their arsenal is to leverage the messaging app Telegram to their benefit. In what's a new tactic adopted by Magecart groups, the encrypted messaging service is being used to send stolen payment details from compromised websites back to the attackers. "For threat actors, this

Weiterlesen …

Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months (825 days). In a move that's meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their respective web browsers that expire more than 13 months (or 398 days) from their

Weiterlesen …

Cisco Issues Warning Over IOS XR Zero-Day Flaw Being Targeted in the Wild

Cisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device. "An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device," Cisco said in an advisory posted over the weekend. "A successful

Weiterlesen …

IT-Security | Ubuntu

September 2020

USN-4528-1: Ceph vulnerabilities

ceph vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in Ceph.

Software Description

  • ceph - distributed storage and file system

Details

Adam Mohammed discovered that Ceph incorrectly handled certain CORS ExposeHeader tags. A remote attacker could possibly use this issue to preform an HTTP header injection attack. (CVE-2020-10753)

Lei Cao discovered that Ceph incorrectly handled certain POST requests with invalid tagging XML. A remote attacker could possibly use this issue to cause Ceph to crash, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-12059)

Robin H. Johnson discovered that Ceph incorrectly handled certain S3 requests. A remote attacker could possibly use this issue to perform a XSS attack. (CVE-2020-1760)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
ceph - 12.2.13-0ubuntu0.18.04.4
ceph-base - 12.2.13-0ubuntu0.18.04.4
ceph-common - 12.2.13-0ubuntu0.18.04.4
Ubuntu 16.04 LTS
ceph - 10.2.11-0ubuntu0.16.04.3
ceph-common - 10.2.11-0ubuntu0.16.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4526-1: Linux kernel vulnerabilities

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-4.15 - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-oem - Linux kernel for OEM systems
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V8) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808)

It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054)

It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19061)

It was discovered that the AMD Audio Coprocessor driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker with the ability to load modules could use this to cause a denial of service (memory exhaustion). (CVE-2019-19067)

It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly deallocate in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19073, CVE-2019-19074)

It was discovered that the F2FS file system in the Linux kernel did not properly perform bounds checking in some situations, leading to an out-of- bounds read. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-9445)

It was discovered that the VFIO PCI driver in the Linux kernel did not properly handle attempts to access disabled memory spaces. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12888)

It was discovered that the cgroup v2 subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2020-14356)

It was discovered that the state of network RNG in the Linux kernel was potentially observable. A remote attacker could use this to expose sensitive information. (CVE-2020-16166)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-1054-oracle - 4.15.0-1054.58

Weiterlesen …

USN-4527-1: Linux kernel vulnerabilities

linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V8) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054)

It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly deallocate in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19073, CVE-2019-19074)

Yue Haibing discovered that the Linux kernel did not properly handle reference counting in sysfs for network devices in some situations. A local attacker could possibly use this to cause a denial of service. (CVE-2019-20811)

It was discovered that the F2FS file system in the Linux kernel did not properly perform bounds checking in some situations, leading to an out-of- bounds read. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-9445)

It was discovered that the F2FS file system in the Linux kernel did not properly validate xattr meta data in some situations, leading to an out-of- bounds read. An attacker could use this to construct a malicious F2FS image that, when mounted, could expose sensitive information (kernel memory). (CVE-2019-9453)

It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067)

It was discovered that the NFS client implementation in the Linux kernel did not properly perform bounds checking before copying security labels in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-25212)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1114-aws - 4.4.0-1114.127
linux-image-4.4.0-1139-raspi2 - 4.4.0-1139.148
linux-image-4.4.0-1143-snapdragon - 4.4.0-1143.152
linux-image-4.4.0-190-generic - 4.4.0-190.220
linux-image-4.4.0-190-generic-lpae - 4.4.0-190.220
linux-image-4.4.0-190-lowlatency - 4.4.0-190.220
linux-image-4.4.0-190-powerpc-e500mc -

Weiterlesen …

USN-4525-1: Linux kernel vulnerabilities

linux, linux-azure, linux-gcp, linux-oracle vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-oracle - Linux kernel for Oracle Cloud systems

Details

It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808)

It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054)

It was discovered that the VFIO PCI driver in the Linux kernel did not properly handle attempts to access disabled memory spaces. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12888)

It was discovered that the state of network RNG in the Linux kernel was potentially observable. A remote attacker could use this to expose sensitive information. (CVE-2020-16166)

It was discovered that the NFS client implementation in the Linux kernel did not properly perform bounds checking before copying security labels in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-25212)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1025-gcp - 5.4.0-1025.25
linux-image-5.4.0-1025-oracle - 5.4.0-1025.25
linux-image-5.4.0-1026-azure - 5.4.0-1026.26
linux-image-5.4.0-48-generic - 5.4.0-48.52
linux-image-5.4.0-48-generic-lpae - 5.4.0-48.52
linux-image-5.4.0-48-lowlatency - 5.4.0-48.52
linux-image-azure - 5.4.0.1026.25
linux-image-gcp - 5.4.0.1025.22
linux-image-generic - 5.4.0.48.51
linux-image-generic-lpae - 5.4.0.48.51
linux-image-gke - 5.4.0.1025.22
linux-image-lowlatency - 5.4.0.48.51
linux-image-oem - 5.4.0.48.51
linux-image-oem-osp1 - 5.4.0.48.51
linux-image-oracle - 5.4.0.1025.22
linux-image-virtual - 5.4.0.48.51

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, l

Weiterlesen …

USN-4524-1: TNEF vulnerabilities

tnef vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

TNEF could be made to crash or write arbitrary files to the filesystem.

Software Description

  • tnef - Tool to unpack MIME application/ms-tnef attachments

Details

Paul Dreik discovered that TNEF incorrectly handled filenames. If a user were tricked into opening a specially crafted email attachment, an attacker could possibly use this issue to write arbitrary files to the filesystem or cause TNEF crash, resulting in a denial of service. (CVE-2019-18849)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
tnef - 1.4.9-1+deb8u4build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4523-1: LibOFX vulnerability

libofx vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

LibOFX could be made to crash.

Software Description

  • libofx - client-side implementation of Open Financial Exchange specification

Details

It was discovered that LibOFX did not properly check for errors in certain situations, leading to a NULL pointer dereference. A remote attacker could use this issue to cause a denial of service attack. (CVE-2019-9656)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libofx-dev - 1:0.9.10-1+deb8u2build0.16.04.1
libofx6 - 1:0.9.10-1+deb8u2build0.16.04.1
ofx - 1:0.9.10-1+deb8u2build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4522-1: noVNC vulnerability

novnc vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

noVNC could be made to execute arbitrary code.

Software Description

  • novnc - HTML5 VNC client - daemon and programs

Details

It was discovered that noVNC did not properly manage certain messages, resulting in the remote VNC server injecting arbitrary HTML into the noVNC web page. An attacker could use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2017-18635)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
novnc - 1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1
python-novnc - 1:0.4+dfsg+1+20131010+gitf68af8af3d-4+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4521-1: pam_tacplus vulnerability

libpam-tacplus vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

pam_tacplus could be made to expose sensitive information.

Software Description

  • libpam-tacplus - PAM module for using TACACS+ as an authentication service

Details

It was discovered that pam_tacplus did not properly manage shared secrets if DEBUG loglevel and journald are used. A remote attacker could use this issue to expose sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libpam-tacplus - 1.3.8-2+deb8u1build0.20.04.1
Ubuntu 18.04 LTS
libpam-tacplus - 1.3.8-2+deb8u1build0.18.04.1
Ubuntu 16.04 LTS
libpam-tacplus - 1.3.8-2+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4520-1: Exim SpamAssassin vulnerability

sa-exim vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Exim SpamAssassin could be made to execute aribitrary code if it received crafted .cf files/rules.

Software Description

  • sa-exim - SpamAssassin filter for Exim

Details

It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-19920)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
sa-exim - 4.2.1-14+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4519-1: PulseAudio vulnerability

pulseaudio vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

PulseAudio could be made to crash or run programs as your login if it received specially crafted input.

Software Description

  • pulseaudio - PulseAudio sound server

Details

Ratchanan Srirattanamet discovered that an Ubuntu-specific patch caused PulseAudio to incorrectly handle memory under certain error conditions in the Bluez 5 module. An attacker could use this issue to cause PulseAudio to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-15710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libpulse-mainloop-glib0 - 1:8.0-0ubuntu3.14
libpulse0 - 1:8.0-0ubuntu3.14
pulseaudio - 1:8.0-0ubuntu3.14
pulseaudio-module-bluetooth - 1:8.0-0ubuntu3.14
pulseaudio-utils - 1:8.0-0ubuntu3.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4517-1: Email-Address-List vulnerability

libemail-address-list-perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Email-Address-List could be made to remotely exhaust resources if it received specially crafted email data.

Software Description

  • libemail-address-list-perl - RFC close address list parsing

Details

It was discovered that Email-Address-List does not properly parse email addresses during email-ingestion. A remote attacker could use this issue to cause an algorithmic complexity attack, resulting in a denial of service. (CVE-2018-18898)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libemail-address-list-perl - 0.05-1+deb9u1build0.18.04.1
Ubuntu 16.04 LTS
libemail-address-list-perl - 0.05-1+deb9u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4518-1: xawtv vulnerability

xawtv vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

xawtv could be made to expose sensitive information and escalate user privileges if it received specially crafted input.

Software Description

  • xawtv - X11 program for watching TV

Details

Matthias Gerstner discovered that xawtv incorrectly handled opening files. A local attacker could possibly use this issue to open and write to arbitrary files and escalate privileges. (CVE-2020-13696)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
alevtd - 3.103-3+deb8u1build0.16.04.1
fbtv - 3.103-3+deb8u1build0.16.04.1
pia - 3.103-3+deb8u1build0.16.04.1
radio - 3.103-3+deb8u1build0.16.04.1
scantv - 3.103-3+deb8u1build0.16.04.1
streamer - 3.103-3+deb8u1build0.16.04.1
ttv - 3.103-3+deb8u1build0.16.04.1
v4l-conf - 3.103-3+deb8u1build0.16.04.1
webcam - 3.103-3+deb8u1build0.16.04.1
xawtv - 3.103-3+deb8u1build0.16.04.1
xawtv-plugin-qt - 3.103-3+deb8u1build0.16.04.1
xawtv-plugins - 3.103-3+deb8u1build0.16.04.1
xawtv-tools - 3.103-3+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4516-1: GnuPG vulnerability

gnupg2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

GnuPG could be made to expose sensitive information.

Software Description

  • gnupg2 - GNU privacy guard - a free PGP replacement

Details

It was discovered that GnuPG signatures could be forged when the SHA-1 algorithm is being used. This update removes validating signatures based on SHA-1 that were generated after 2019-01-19. In environments where this is still required, a new option –allow-weak-key-signatures can be used to revert this behaviour.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
gnupg - 2.2.4-1ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4515-1: Pure-FTPd vulnerability

pure-ftpd vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Pure-FTPd could be made to expose sensitive information if it recieved specially crafted input.

Software Description

  • pure-ftpd - Secure and efficient FTP server

Details

Antonio Norales discovered that Pure-FTPd incorrectly handled directory aliases. An attacker could possibly use this issue to access sensitive information. (CVE-2020-9274)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
pure-ftpd - 1.0.36-3.2+deb8u1build0.16.04.1
pure-ftpd-common - 1.0.36-3.2+deb8u1build0.16.04.1
pure-ftpd-ldap - 1.0.36-3.2+deb8u1build0.16.04.1
pure-ftpd-mysql - 1.0.36-3.2+deb8u1build0.16.04.1
pure-ftpd-postgresql - 1.0.36-3.2+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4514-1: libproxy vulnerability

libproxy vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

libproxy could be made to crash if it received a specially crafted PAC file.

Software Description

  • libproxy - automatic proxy configuration management library

Details

It was discovered that libproxy incorrectly handled certain PAC files. An attacker could possibly use this issue to cause a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libproxy1v5 - 0.4.15-10ubuntu1.1
Ubuntu 18.04 LTS
libproxy1v5 - 0.4.15-1ubuntu0.1
Ubuntu 16.04 LTS
libproxy1v5 - 0.4.11-5ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all the necessary changes.

References

Weiterlesen …

USN-4513-1: apng2gif vulnerability

apng2gif vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

apng2gif could be made to expose sensitive information if it opened a specifically crafted APNG file.

Software Description

  • apng2gif - tool for converting APNG images to animated GIF format

Details

Dileep Kumar Jallepalli discovered that apng2gif incorrectly handled loading APNG files. An attacker could exploit this with a crafted APNG file to access sensitive information. (CVE-2017-6960)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
apng2gif - 1.5-3+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4510-2: Samba vulnerability

samba vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM

Summary

Samba would allow unintended access to files over the network.

Software Description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

USN-4510-1 fixed a vulnerability in Samba. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin.

This update fixes the issue by changing the "server schannel" setting to default to "yes", instead of "auto", which will force a secure netlogon channel. This may result in compatibility issues with older devices. A future update may allow a finer-grained control over this setting.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
samba - 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm9

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4512-1: util-linux vulnerability

util-linux vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

util-linux could be made to run programs when performing bash completion.

Software Description

  • util-linux - miscellaneous system utilities

Details

It was discovered that the umount bash completion script shipped in util-linux incorrectly handled certain mountpoints. If a local attacker were able to create arbitrary mountpoints, another user could be tricked into executing arbitrary code when attempting to run the umount command with bash completion.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
util-linux - 2.31.1-0.4ubuntu3.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4511-1: QEMU vulnerability

qemu vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

QEMU could be made to crash or run programs.

Software Description

  • qemu - Machine emulator and virtualizer

Details

Ziming Zhang, Xiao Wei, Gonglei Arei, and Yanyu Zhang discovered that QEMU incorrectly handled certain USB packets. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
qemu - 1:4.2-3ubuntu6.6
qemu-system - 1:4.2-3ubuntu6.6
qemu-system-arm - 1:4.2-3ubuntu6.6
qemu-system-mips - 1:4.2-3ubuntu6.6
qemu-system-ppc - 1:4.2-3ubuntu6.6
qemu-system-s390x - 1:4.2-3ubuntu6.6
qemu-system-sparc - 1:4.2-3ubuntu6.6
qemu-system-x86 - 1:4.2-3ubuntu6.6
qemu-system-x86-microvm - 1:4.2-3ubuntu6.6
qemu-system-x86-xen - 1:4.2-3ubuntu6.6
Ubuntu 18.04 LTS
qemu - 1:2.11+dfsg-1ubuntu7.32
qemu-system - 1:2.11+dfsg-1ubuntu7.32
qemu-system-arm - 1:2.11+dfsg-1ubuntu7.32
qemu-system-mips - 1:2.11+dfsg-1ubuntu7.32
qemu-system-ppc - 1:2.11+dfsg-1ubuntu7.32
qemu-system-s390x - 1:2.11+dfsg-1ubuntu7.32
qemu-system-sparc - 1:2.11+dfsg-1ubuntu7.32
qemu-system-x86 -

Weiterlesen …

USN-4510-1: Samba vulnerability

samba vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Samba would allow unintended access to files over the network.

Software Description

  • samba - SMB/CIFS file, print, and login server for Unix

Details

Tom Tervoort discovered that the Netlogon protocol implemented by Samba incorrectly handled the authentication scheme. A remote attacker could use this issue to forge an authentication token and steal the credentials of the domain admin.

This update fixes the issue by changing the "server schannel" setting to default to "yes", instead of "auto", which will force a secure netlogon channel. This may result in compatibility issues with older devices. A future update may allow a finer-grained control over this setting.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.19
Ubuntu 16.04 LTS
samba - 2:4.3.11+dfsg-0ubuntu0.16.04.30

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4509-1: Perl DBI module vulnerabilities

libdbi-perl vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in Perl DBI module.

Software Description

  • libdbi-perl - Perl Database Interface (DBI)

Details

It was discovered that Perl DBI module incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2013-7490)

It was discovered that Perl DBI module incorrectly handled certain files. An attacker could possibly use this issue to expose sensitive information. (CVE-2014-10401)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libdbi-perl - 1.630-1ubuntu0.1~esm4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4508-1: StoreBackup vulnerability

storebackup vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

StoreBackup could be made to stop executing or generate a race condition if it received a lock file in the default location.

Software Description

  • storebackup - fancy compressing managing checksumming deduplicating hard-linkin

Details

It was discovered that StoreBackup did not properly manage lock files. A local attacker could use this issue to cause a denial of service or escalate privileges and run arbitrary code. (CVE-2020-7040)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
storebackup - 3.2.1-1+deb8u1build0.20.04.1
Ubuntu 18.04 LTS
storebackup - 3.2.1-1+deb8u1build0.18.04.1
Ubuntu 16.04 LTS
storebackup - 3.2.1-1+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4507-1: ncmpc vulnerability

ncmpc vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

ncmpc could be made to crash if it received a long chat message.

Software Description

  • ncmpc - ncurses-based audio player

Details

It was discovered that ncmpc incorrectly handled long chat messages. A remote attacker could possibly exploit this with a crafted chat message, causing ncmpc to crash, resulting in a denial of service. (CVE-2018-9240)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
ncmpc - 0.24-1+deb8u1build0.16.04.1
ncmpc-lyrics - 0.24-1+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart ncmpc to make all the necessary changes.

References

Weiterlesen …

USN-4506-1: MCabber vulnerability

mcabber vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

MCabber could be made to modify the roster and intercept messages if it received specially crafted XMPP packets.

Software Description

  • mcabber - small Jabber (XMPP) console client

Details

It was discovered that MCabber does not properly manage roster pushes. An attacker could possibly use this issue to remotely perform man-in-the-middle attacks. (CVE-2016-9928).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
mcabber - 0.10.2-1+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4505-1: PHPMailer vulnerability

libphp-phpmailer vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Attachments with specially crafted filenames could bypass filename-based mail attachment filters.

Software Description

  • libphp-phpmailer - full featured email transfer class for PHP

Details

Elar Lang discovered that PHPMailer did not properly escape double quote characters in filenames. A remote attacker could possibly exploit this with a crafted filename to bypass attachment filters that are based on matching filename extensions. (CVE-2020-13625)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libphp-phpmailer - 5.2.14+dfsg-2.3+deb9u2build0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4504-1: OpenSSL vulnerabilities

openssl, openssl1.0 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software Description

  • openssl1.0 - Secure Socket Layer (SSL) cryptographic library and tools
  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. (CVE-2020-1968)

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547)

Guido Vranken discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1551)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. In certain scenarios, a remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libssl1.0.0 - 1.0.2n-1ubuntu5.4
Ubuntu 16.04 LTS
libssl1.0.0 - 1.0.2g-1ubuntu4.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4502-1: websocket-extensions vulnerability

ruby-websocket-extensions vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

websocket-extensions could be made to exhaust the server’s capacity to process incoming requests if it received specially crafted requests.

Software Description

  • ruby-websocket-extensions - Generic extension manager for WebSocket connections

Details

It was discovered that websocket-extensions does not properly parse special headers. A remote attacker could use this issue to cause regex backtracking, resulting in a denial of service. (CVE-2020-7663)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
ruby-websocket-extensions - 0.1.2-1+deb9u1build0.20.04.1
Ubuntu 18.04 LTS
ruby-websocket-extensions - 0.1.2-1+deb9u1build0.18.04.1
Ubuntu 16.04 LTS
ruby-websocket-extensions - 0.1.2-1+deb9u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4503-1: Perl DBI module vulnerability

libdbi-perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM

Summary

Perl DBI module could be made to execute arbitrary code if it received a specially manipulated call.

Software Description

  • libdbi-perl - Perl Database Interface (DBI)

Details

It was discovered that Perl DBI module incorrectly handled certain calls. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libdbi-perl - 1.640-1ubuntu0.1
Ubuntu 16.04 LTS
libdbi-perl - 1.634-1ubuntu0.1
Ubuntu 14.04 ESM
libdbi-perl - 1.630-1ubuntu0.1~esm1
Ubuntu 12.04 ESM
libdbi-perl - 1.616-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4501-1: LuaJIT vulnerability

luajit vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

LuaJIT could be made crash or expose sensitive information if it received specially crafted input.

Software Description

  • luajit - Just in time compiler for Lua programming language version 5.1

Details

It was discovered that an out-of-bounds read existed in LuaJIT. An attacker could use this to cause a denial of service (application crash) or possibly expose sensitive information. (CVE-2020-15890)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libluajit-5.1-2 - 2.0.4+dfsg-1+deb9u1build0.16.04.1
libluajit-5.1-common - 2.0.4+dfsg-1+deb9u1build0.16.04.1
libluajit-5.1-dev - 2.0.4+dfsg-1+deb9u1build0.16.04.1
luajit - 2.0.4+dfsg-1+deb9u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4500-1: bsdiff vulnerabilities

bsdiff vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

bsdiff could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • bsdiff - generate/apply a patch between two binary files

Details

It was discovered that bsdiff mishandled certain input. If a user were tricked into opening a malicious file, an attacker could cause bsdiff to crash or potentially execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
bsdiff - 4.3-15+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4498-1: Loofah vulnerability

ruby-loofah vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Loofah could be made to perform XSS attacks if a crafted SVG element is republished

Software Description

  • ruby-loofah - manipulation and transformation of HTML/XML documents and fragments

Details

It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. (CVE-2019-15587)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
ruby-loofah - 2.0.3-2+deb9u3build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4499-1: MilkyTracker vulnerabilities

MilkyTracker vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

MilkyTracker could be made to crash or run programs as your login if it opened a specially crafted file.

Software Description

  • milkytracker - music creation tool inspired by Fast Tracker 2

Details

It was discovered that MilkyTracker did not properly handle certain input. If a user were tricked into opening a malicious file, an attacker could cause MilkyTracker to crash or potentially execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
milkytracker - 0.90.85+dfsg-2.2+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4497-1: OpenJPEG vulnerabilities

OpenJPEG vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJPEG.

Software Description

  • openjpeg2 - Open-source JPEG 2000 codec written in C language

Details

It was discovered that OpenJPEG incorrectly handled certain image files. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-9112)

It was discovered that OpenJPEG did not properly handle certain input. If OpenJPEG were supplied with specially crafted input, it could be made to crash or potentially execute arbitrary code. (CVE-2018-20847, CVE-2018-21010, CVE-2020-6851, CVE-2020-8112, CVE-2020-15389)

It was discovered that OpenJPEG incorrectly handled certain BMP files. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2019-12973)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
libopenjp2-7 - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjp2-tools - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjp3d-tools - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjp3d7 - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjpip-dec-server - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjpip-server - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjpip-viewer - 2.1.2-1.1+deb9u5build0.16.04.1
libopenjpip7 - 2.1.2-1.1+deb9u5build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4496-1: Apache XML-RPC vulnerability

Apache XML-RPC vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Apache XML-RPC could be made to execute arbitrary code if it received specially crafted data by a malicious XML-RPC server.

Software Description

  • libxmlrpc3-java - XML-RPC implementation in Java

Details

It was discovered that Apache XML-RPC (aka ws-xmlrpc) does not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2019-17570)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libxmlrpc3-client-java - 3.1.3-9+deb10u1build0.18.04.1
libxmlrpc3-common-java - 3.1.3-9+deb10u1build0.18.04.1
libxmlrpc3-server-java - 3.1.3-9+deb10u1build0.18.04.1
Ubuntu 16.04 LTS
libxmlrpc3-client-java - 3.1.3-7+deb8u1build0.16.04.1
libxmlrpc3-common-java - 3.1.3-7+deb8u1build0.16.04.1
libxmlrpc3-server-java - 3.1.3-7+deb8u1build0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4495-1: Apache Log4j vulnerability

Apache Log4j vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Apache Log4j could be made to remotely execute arbitrary code if it received specially crafted log data.

Software Description

  • apache-log4j1.2 - Java-based open-source logging tool

Details

It was discovered that Apache Log4j does not properly deserialize untrusted data. An attacker could possibly use this issue to remotely execute arbitrary code. (CVE-2019-17571)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
liblog4j1.2-java - 1.2.17-8+deb10u1build0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4494-1: GUPnP vulnerability

gupnp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS

Summary

gupnp could be made to expose sensitive information or perform network attacks if it received specially crafted network traffic.

Software Description

  • gupnp - framework for creating UPnP devices and control points

Details

It was discovered that GUPnP incorrectly handled certain subscription requests. A remote attacker could possibly use this issue to exfiltrate data or use GUPnP to perform DDoS attacks.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libgupnp-1.2-0 - 1.2.3-0ubuntu0.20.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4493-1: cryptsetup vulnerability

cryptsetup vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS

Summary

cryptsetup could be made to execute arbitrary code if it received a specially crafted input.

Software Description

  • cryptsetup - disk encryption support - startup scripts

Details

It was discovered that cryptsetup incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
cryptsetup - 2:2.2.2-3ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

LSN-0071-1: Kernel Live Patch Security Notice

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 20.04 LTS

Summary

A security issue was fixed in the 4.15 kernel. This issue affects the 5.4 kernel as well, but a livepatch is not yet available. While work is continuing to develop livepatches for all affected kernels, due to the severity of the issue, we are releasing patches as they become ready.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-oem - Linux kernel for OEM systems

Details

Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2020-14386)

Update instructions

The problem can be corrected by updating your kernel livepatch to the following versions:

Ubuntu 18.04 LTS
aws - 71.1
generic - 71.1
lowlatency - 71.1
oem - 71.1

A mitigation is available if your kernel is affected, did not yet receive a livepatch, and rebooting into the most recently released kernel is not practical. If your system does not require the use of unprivileged user namespaces, you may disable them and mitigate the problem using the following command:

sudo sysctl kernel.unprivileged_userns_clone=0 

Support Information

Kernels older than the levels listed below do not receive livepatch updates. If you are running a kernel version earlier than the one listed below, please upgrade your kernel as soon as possible.

Ubuntu 18.04 LTS
linux-aws - 4.15.0-1054
linux-oem - 4.15.0-1063
linux - 4.15.0-69
Ubuntu 16.04 LTS
linux-azure - 4.15.0-1063

References

Weiterlesen …

USN-4488-2: X.Org X Server vulnerabilities

xorg-server vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in X.Org X Server.

Software Description

  • xorg-server - X.Org X11 server

Details

USN-4488-1 fixed several vulnerabilities in X.Org. This update provides the corresponding update and also the update from USN-4490-1 for Ubuntu 14.04 ESM.

Original advisory details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the input extension protocol. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14346)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly initialized memory. A local attacker could possibly use this issue to obtain sensitive information. (CVE-2020-14347)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSelectEvents function. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14361)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XRecordRegisterClients function. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14362)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14345)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
xserver-xorg-core - 2:1.15.1-0ubuntu2.11+esm2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4491-1: GnuTLS vulnerability

gnutls28 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS

Summary

GnuTLS could be made to crash or run programs if it received specially crafted network traffic.

Software Description

  • gnutls28 - GNU TLS library

Details

It was discovered that GnuTLS incorrectly handled certain alerts when being used with TLS 1.3 servers. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libgnutls30 - 3.6.13-2ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4487-2: libx11 vulnerabilities

libx11 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM
  • Ubuntu 12.04 ESM

Summary

Several security issues were fixed in libx11.

Software Description

  • libx11 - None

Details

USN-4487-1 fixed several vulnerabilities in libx11. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

Todd Carson discovered that libx11 incorrectly handled certain memory operations. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14344)

Jayden Rivers discovered that libx11 incorrectly handled locales. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14363)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
libx11-6 - 2:1.6.2-1ubuntu2.1+esm1
Ubuntu 12.04 ESM
libx11-6 - 2:1.4.99.1-0ubuntu2.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4490-1: X.Org X Server vulnerability

xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

X.Org X Server could be made to crash or run programs if it received specially crafted input.

Software Description

  • xorg-server - X.Org X11 server
  • xorg-server-hwe-18.04 - X.Org X11 server
  • xorg-server-hwe-16.04 - X.Org X11 server

Details

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSetNames function. A local attacker could possibly use this issue to escalate privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
xserver-xorg-core - 2:1.20.8-2ubuntu2.4
Ubuntu 18.04 LTS
xserver-xorg-core - 2:1.19.6-1ubuntu4.6
xserver-xorg-core-hwe-18.04 - 2:1.20.8-2ubuntu2.2~18.04.3
Ubuntu 16.04 LTS
xserver-xorg-core - 2:1.18.4-0ubuntu0.10
xserver-xorg-core-hwe-16.04 - 2:1.19.6-1ubuntu4.1~16.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4489-1: Linux kernel vulnerability

linux, linux-aws, linux-aws-5.3, linux-aws-5.4, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke-4.15, linux-gke-5.0, linux-gke-5.3, linux-hwe, linux-hwe-5.4, linux-kvm, linux-oem, linux-oem-osp1, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-raspi2, linux-raspi2-5.3, linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

The system could be made to crash or run programs as an administrator.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi - Linux kernel for Raspberry Pi (V8) systems
  • linux-aws-5.3 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-4.15 - Linux kernel for Microsoft Azure Cloud systems
  • linux-azure-5.4 - Linux kernel for Microsoft Azure cloud systems
  • linux-gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gcp-5.4 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-gke-5.0 - Linux kernel for Google Container Engine (GKE) systems
  • linux-gke-5.3 - Linux kernel for Google Container Engine (GKE) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-hwe-5.4 - Linux hardware enablement (HWE) kernel
  • linux-oem - Linux kernel for OEM systems
  • linux-oem-osp1 - Linux kernel for OEM systems
  • linux-oracle-5.4 - Linux kernel for Oracle Cloud systems
  • linux-raspi-5.4 - Linux kernel for Raspberry Pi (V8) systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V8) systems
  • linux-raspi2-5.3 - Linux kernel for Raspberry Pi (V8) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems

Details

Or Cohen discovered that the AF_PACKET implementation in the Linux kernel did not properly perform bounds checking in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1018-raspi - 5.4.0-1018.20
linux-image-5.4.0-1024-aws - 5.4.0-1024.24
linux-image-5.4.0-1024-gcp - 5.4.0-1024.24
linux-image-5.4.0-1024-oracle - 5.4.0-1024.24
linux-image-5.4.0-1025-azure - 5.4.0-1025.25
linux-image-5.4.0-47-generic - 5.4.0-47.51

Weiterlesen …

USN-4474-2: Firefox regressions

firefox regressions

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

USN-4474-1 caused some minor regressions in Firefox.

Software Description

  • firefox - Mozilla Open Source web browser

Details

USN-4474-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, trick the user in to installing a malicious extension, spoof the URL bar, leak sensitive information between origins, or execute arbitrary code. (CVE-2020-15664, CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)

It was discovered that NSS incorrectly handled certain signatures. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)

A data race was discovered when importing certificate information in to the trust store. An attacker could potentially exploit this to cause an unspecified impact. (CVE-2020-15668)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
firefox - 80.0.1+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS
firefox - 80.0.1+build1-0ubuntu0.18.04.1
Ubuntu 16.04 LTS
firefox - 80.0.1+build1-0ubuntu0.16.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make all the necessary changes.

References

Weiterlesen …

USN-4485-1: Linux kernel vulnerabilities

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-4.15 - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oem - Linux kernel for OEM systems
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi2 - Linux kernel for Raspberry Pi (V8) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

Timothy Michaud discovered that the i915 graphics driver in the Linux kernel did not properly validate user memory locations for the i915_gem_execbuffer2_ioctl. A local attacker could possibly use this to cause a denial of service or execute arbitrary code. (CVE-2018-20669)

It was discovered that the Kvaser CAN/USB driver in the Linux kernel did not properly initialize memory in certain situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-19947)

Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory in some failure conditions. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-20810)

It was discovered that the elf handling code in the Linux kernel did not initialize memory before using it in certain situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2020-10732)

It was discovered that the Linux kernel did not correctly apply Speculative Store Bypass Disable (SSBD) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10766)

It was discovered that the Linux kernel did not correctly apply Indirect Branch Predictor Barrier (IBPB) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10767)

It was discovered that the Linux kernel could incorrectly enable Indirect Branch Speculation after it has been disabled for a process via a prctl() call. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10768)

Luca Bruno discovered that the zram module in the Linux kernel did not properly restrict unprivileged users from accessing the hot_add sysfs file. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2020-10781)

It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655)

It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771)

It was discovered that the Virtual Terminal keyboard driver in the Linux kernel contained an integer overflow. A local atta

Weiterlesen …

USN-4483-1: Linux kernel vulnerabilities

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-oracle - Linux kernel for Oracle Cloud systems
  • linux-raspi - Linux kernel for Raspberry Pi (V8) systems
  • linux-aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure-5.4 - Linux kernel for Microsoft Azure cloud systems
  • linux-gcp-5.4 - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-hwe-5.4 - Linux hardware enablement (HWE) kernel
  • linux-oracle-5.4 - Linux kernel for Oracle Cloud systems
  • linux-raspi-5.4 - Linux kernel for Raspberry Pi (V8) systems

Details

Chuhong Yuan discovered that go7007 USB audio device driver in the Linux kernel did not properly deallocate memory in some failure conditions. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-20810)

Fan Yang discovered that the mremap implementation in the Linux kernel did not properly handle DAX Huge Pages. A local attacker with access to DAX storage could use this to gain administrative privileges. (CVE-2020-10757)

It was discovered that the Linux kernel did not correctly apply Speculative Store Bypass Disable (SSBD) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10766)

It was discovered that the Linux kernel did not correctly apply Indirect Branch Predictor Barrier (IBPB) mitigations in certain situations. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10767)

It was discovered that the Linux kernel could incorrectly enable Indirect Branch Speculation after it has been disabled for a process via a prctl() call. A local attacker could possibly use this to expose sensitive information. (CVE-2020-10768)

Luca Bruno discovered that the zram module in the Linux kernel did not properly restrict unprivileged users from accessing the hot_add sysfs file. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2020-10781)

It was discovered that the XFS file system implementation in the Linux kernel did not properly validate meta data in some circumstances. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service. (CVE-2020-12655)

It was discovered that the bcache subsystem in the Linux kernel did not properly release a lock in some error conditions. A local attacker could possibly use this to cause a denial of service. (CVE-2020-12771)

It was discovered that the Virtual Terminal keyboard driver in the Linux kernel contained an integer overflow. A local attacker could possibly use this to have an unspecified impact. (CVE-2020-13974)

It was discovered that the cgroup v2 subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2020-14356)

Kyungtae Kim discovered that the USB testing driver in the Linux kernel did not properly deallocate memory on disconnect events. A physically proximate attacker could use this to cause a denial of service (memory exhaustion). (CVE-2020-15393)

It was discov

Weiterlesen …

USN-4449-2: Apport vulnerabilities

apport vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 ESM

Summary

Several security issues were fixed in Apport.

Software Description

  • apport - automatically generate crash reports for debugging

Details

USN-4449-1 fixed several vulnerabilities in Apport. This update provides the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Ryota Shiga working with Trend Micro´s Zero Day Initiative, discovered that Apport incorrectly dropped privileges when making certain D-Bus calls. A local attacker could use this issue to read arbitrary files. (CVE-2020-11936)

Seong-Joong Kim discovered that Apport incorrectly parsed configuration files. A local attacker could use this issue to cause Apport to crash, resulting in a denial of service. (CVE-2020-15701)

Ryota Shiga working with Trend Micro´s Zero Day Initiative, discovered that Apport incorrectly implemented certain checks. A local attacker could use this issue to escalate privileges and run arbitrary code. (CVE-2020-15702)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 ESM
apport - 2.14.1-0ubuntu3.29+esm5
python-apport - 2.14.1-0ubuntu3.29+esm5
python3-apport - 2.14.1-0ubuntu3.29+esm5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4488-1: X.Org X Server vulnerabilities

xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in X.Org X Server.

Software Description

  • xorg-server - X.Org X11 server
  • xorg-server-hwe-18.04 - X.Org X11 server
  • xorg-server-hwe-16.04 - X.Org X11 server

Details

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the input extension protocol. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14346)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly initialized memory. A local attacker could possibly use this issue to obtain sensitive information. (CVE-2020-14347)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XkbSelectEvents function. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14361)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled the XRecordRegisterClients function. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14362)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
xserver-xorg-core - 2:1.20.8-2ubuntu2.3
Ubuntu 18.04 LTS
xserver-xorg-core - 2:1.19.6-1ubuntu4.5
xserver-xorg-core-hwe-18.04 - 2:1.20.8-2ubuntu2.2~18.04.2
Ubuntu 16.04 LTS
xserver-xorg-core - 2:1.18.4-0ubuntu0.9
xserver-xorg-core-hwe-16.04 - 2:1.19.6-1ubuntu4.1~16.04.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4487-1: libx11 vulnerabilities

libx11 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in libx11.

Software Description

  • libx11 - None

Details

Todd Carson discovered that libx11 incorrectly handled certain memory operations. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14344)

Jayden Rivers discovered that libx11 incorrectly handled locales. A local attacker could possibly use this issue to escalate privileges. (CVE-2020-14363)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libx11-6 - 2:1.6.9-2ubuntu1.1
Ubuntu 18.04 LTS
libx11-6 - 2:1.6.4-3ubuntu0.3
Ubuntu 16.04 LTS
libx11-6 - 2:1.6.3-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

Weiterlesen …

USN-4484-1: Linux kernel vulnerability

linux-hwe, linux-aws-5.3, linux-gke-5.3, linux-raspi2-5.3 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

The system could be made to crash or run programs as an administrator.

Software Description

  • linux-aws-5.3 - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke-5.3 - Linux kernel for Google Container Engine (GKE) systems
  • linux-hwe - Linux hardware enablement (HWE) kernel
  • linux-raspi2-5.3 - Linux kernel for Raspberry Pi (V8) systems

Details

It was discovered that the cgroup v2 subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service or possibly gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
linux-image-5.3.0-1032-raspi2 - 5.3.0-1032.34
linux-image-5.3.0-1034-aws - 5.3.0-1034.36
linux-image-5.3.0-1034-gke - 5.3.0-1034.36
linux-image-5.3.0-66-generic - 5.3.0-66.60
linux-image-5.3.0-66-lowlatency - 5.3.0-66.60
linux-image-aws - 5.3.0.1034.33
linux-image-gke-5.3 - 5.3.0.1034.19
linux-image-gkeop-5.3 - 5.3.0.66.123
linux-image-raspi2-hwe-18.04 - 5.3.0.1032.22

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

Weiterlesen …

USN-4486-1: Linux kernel vulnerability

linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

The Linux kernel could be made to crash if it mounted a malicious XFS file system.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi (V8) systems
  • linux-snapdragon - Linux kernel for Qualcomm Snapdragon processors
  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS
linux-image-4.4.0-1079-kvm - 4.4.0-1079.86
linux-image-4.4.0-1113-aws - 4.4.0-1113.126
linux-image-4.4.0-1138-raspi2 - 4.4.0-1138.147
linux-image-4.4.0-1142-snapdragon - 4.4.0-1142.151
linux-image-4.4.0-189-generic - 4.4.0-189.219
linux-image-4.4.0-189-generic-lpae - 4.4.0-189.219
linux-image-4.4.0-189-lowlatency - 4.4.0-189.219
linux-image-4.4.0-189-powerpc-e500mc - 4.4.0-189.219
linux-image-4.4.0-189-powerpc-smp - 4.4.0-189.219
linux-image-4.4.0-189-powerpc64-emb - 4.4.0-189.219
linux-image-4.4.0-189-powerpc64-smp - 4.4.0-189.219
linux-image-aws - 4.4.0.1113.118
linux-image-generic - 4.4.0.189.195
linux-image-generic-lpae - 4.4.0.189.195
linux-image-kvm - 4.4.0.1079.77
linux-image-lowlatency - 4.4.0.189.195
linux-image-powerpc-e500mc - 4.4.0.189.195
linux-image-powerpc-smp - 4.4.0.189.195
linux-image-powerpc64-emb - 4.4.0.189.195
linux-image-powerpc64-smp - 4.4.0.189.195
linux-image-raspi2 - 4.4.0.1138.138
linux-image-snapdragon - 4.4.0.1142.134
linux-image-virtual - 4.4.0.189.195
Ubuntu 14.04 ESM
linux-image-4.4.0-1077-aws - 4.4.0-1077.81
linux-image-4.4.0-189-generic - 4.4.0-189.219~14.04.1
linux-image-4.4.0-189-generic-lpae - 4.4.0-189.219~14.04.1

Weiterlesen …

USN-4482-1: Ark vulnerability

ark vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS

Summary

Ark could be made to write files as your login if it opened a specially crafted file.

Software Description

  • ark - archive utility

Details

Fabian Vogt discovered that Ark incorrectly handled symbolic links in tar archive files. An attacker could use this to construct a malicious tar archive that, when opened, would create files outside the extraction directory.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
ark - 4:19.12.3-0ubuntu1.2
Ubuntu 18.04 LTS
ark - 4:17.12.3-0ubuntu1.2
Ubuntu 16.04 LTS
ark - 4:15.12.3-0ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4481-1: FreeRDP vulnerabilities

freerdp2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in FreeRDP.

Software Description

  • freerdp2 - RDP client for Windows Terminal Services

Details

It was discovered that FreeRDP incorrectly handled certain memory operations. A remote attacker could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
libfreerdp-client2-2 - 2.2.0+dfsg1-0ubuntu0.20.04.1
libfreerdp-server2-2 - 2.2.0+dfsg1-0ubuntu0.20.04.1
libfreerdp2-2 - 2.2.0+dfsg1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS
libfreerdp-client2-2 - 2.2.0+dfsg1-0ubuntu0.18.04.1
libfreerdp-server2-2 - 2.2.0+dfsg1-0ubuntu0.18.04.1
libfreerdp2-2 - 2.2.0+dfsg1-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4471-2: Net-SNMP regression

net-snmp regression

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 ESM

Summary

USN-4471-1 introduced a regression in Net-SNMP.

Software Description

  • net-snmp - SNMP (Simple Network Management Protocol) server and applications

Details

USN-4471-1 fixed a vulnerability in Net-SNMP. The updated introduced a regression making nsExtendCacheTime not settable. This update fixes the problem adding the cacheTime feature flag.

Original advisory details:

Tobias Neitzel discovered that Net-SNMP incorrectly handled certain symlinks. An attacker could possibly use this issue to access sensitive information. (CVE-2020-15861)

It was discovered that Net-SNMP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-15862)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
libsnmp-base - 5.7.3+dfsg-1.8ubuntu3.6
libsnmp-perl - 5.7.3+dfsg-1.8ubuntu3.6
libsnmp30 - 5.7.3+dfsg-1.8ubuntu3.6
snmpd - 5.7.3+dfsg-1.8ubuntu3.6
Ubuntu 16.04 LTS
libsnmp-base - 5.7.3+dfsg-1ubuntu4.6
libsnmp-perl - 5.7.3+dfsg-1ubuntu4.6
libsnmp30 - 5.7.3+dfsg-1ubuntu4.6
snmpd - 5.7.3+dfsg-1ubuntu4.6
Ubuntu 14.04 ESM
libsnmp-base - 5.7.2~dfsg-8.1ubuntu3.3+esm2
libsnmp-perl - 5.7.2~dfsg-8.1ubuntu3.3+esm2
libsnmp30 - 5.7.2~dfsg-8.1ubuntu3.3+esm2
snmpd - 5.7.2~dfsg-8.1ubuntu3.3+esm2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart snmpd to make all the necessary changes.

References

Weiterlesen …

USN-4480-1: OpenStack Keystone vulnerabilities

keystone vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS

Summary

Several security issues were fixed in OpenStack Keystone.

Software Description

  • keystone - OpenStack identity service

Details

It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker with a limited scope could possibly create EC2 credentials with escalated permissions. (CVE-2020-12689, CVE-2020-12691)

It was discovered that OpenStack Keystone incorrectly handled the list of roles provided with OAuth1 access tokens. An authenticated user could possibly end up with more role assignments than intended. (CVE-2020-12690)

It was discovered that OpenStack Keystone incorrectly handled EC2 signature TTL checks. A remote attacker could possibly use this issue to reuse Authorization headers. (CVE-2020-12692)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
keystone - 2:13.0.4-0ubuntu1
python-keystone - 2:13.0.4-0ubuntu1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

USN-4479-1: Django vulnerabilities

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS

Summary

Several security issues were fixed in Django.

Software Description

  • python-django - High-level Python web development framework

Details

It was discovered that Django, when used with Python 3.7 or higher, incorrectly handled directory permissions. A local attacker could possibly use this issue to obtain sensitive information, or escalate permissions.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
python3-django - 2:2.2.12-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Weiterlesen …

Linux® | Kubuntu

September 2020

Keine Nachrichten in diesem Zeitraum vorhanden.

Linux® | Ubuntu

September 2020

The Expandables – snapcraft extensions and the secret code

If you’re a snap developer, you know that snap development is terribly easy. Or rather complex and difficult. Depending on your application code and requirements, it can take a lot of effort putting together the snapcraft.yaml file from which you will build your snap. One of our goals is to make snap development practically easier […]

Weiterlesen …

Design and Web team summary – 16th September 2020

The web team here at Canonical run two-week iterations. Here are some of the highlights of our completed work from this iteration. Web squad Our Web Squad develops and maintains most of Canonical’s promotional sites like ubuntu.com, canonical.com and more. CloudNative Days Tokyo 2020 This year will see a lot of physical events move to […]

Weiterlesen …

Security corner: snap interface & snap connections

One of the defining features of snaps is their strong security. Snaps are designed to run isolated from the underlying system, with granular control and access to specific resources made possible through a mechanism of interfaces. Think of it as a virtual USB cable – an interface connects a plug with a slot. Security and […]

Weiterlesen …

An Introduction to Testing Robot Code

The myriad of different fields that make up robotics makes QA practices difficult to settle on. Field testing is the go-to, since a functioning robot is often proof enough that a system is working. But online tests are slow. The physical environment must be set up. The entire system has to be in a workable […]

Weiterlesen …

An Introduction to Testing Robot Code

The myriad of different fields that make up robotics makes QA practices difficult to settle on. Field testing is the go-to, since a functioning robot is often proof enough that a system is working. But online tests are slow. The physical environment must be set up. The entire system has to be in a workable […]

Weiterlesen …

The State of Robotics – August 2020

So that’s the summer gone (hopefully, that heat was awful). Or winter if that’s where you are. Seasons change and so does the state of robotics. Fortunately, that’s what we’re here for. Before we get into it, as ever, If you’re working on any robotics projects that you’d like us to talk about, be sure […]

Weiterlesen …

Snap! Collaborate and listen!

You’d think we would be running out of terrible/great (delete as applicable) 80’s songs to try and shoehorn into the titles of these blog posts. Turns out, not quite yet! “How can I help?” is a phrase often used in Open Source projects by enthusiastic users and developers. There are a lot of moving parts […]

Weiterlesen …

Snap! Collaborate and listen!

You’d think we would be running out of terrible/great (delete as applicable) 80s songs to try and shoehorn into the titles of these blog posts. Turns out, not quite yet! “How can I help?” is a phrase often used in Open Source projects by enthusiastic users and developers. There are a lot of moving parts […]

Weiterlesen …

Snap! Collaborate and listen!

You’d think we would be running out of terrible/great (delete as applicable) 80s songs to try and shoehorn into the titles of these blog posts. Turns out, not quite yet! “How can I help?” is a phrase often used in Open Source projects by enthusiastic users and developers. There are a lot of moving parts […]

Weiterlesen …

How Aldo’s passion for artificial intelligence and machine learning led to a role at Canonical

Canonical is the company behind Ubuntu, but who are the people behind Canonical? This blog is the second in a series getting to know some of the different employees that make up our company.  For today’s blog, we spoke with Aldo Martinez, a member of our US-based team. Aldo’s passion for artificial intelligence and machine […]

Weiterlesen …

WSLConf returns this week with worldwide sessions

WSLConf returns this week, on September 9th and/or 10th, depending on where you are in the world. WSLConf is the community conference for Windows Subsystem for Linux, WSL. Sessions are planned to reach the growing WSL community around the world. Presenters are joining from Japan, Spain, the US, Brazil, Switzerland, France, and the UK. WSLConf […]

Weiterlesen …

How Canonical remotely delivers and supports customer cloud deployments

The widespread shift to remote working in response to the COVID-19 pandemic has been a disruptive change for countless businesses; some 13% of organisations say they have faced major disruption (1). But at Canonical, remote working has long been the status quo for many of our teams. In spite of the challenging circumstances in which […]

Weiterlesen …

Tutorial: Getting Started with ROS

ROS, the Robot Operating System, is the platform of choice for robot development. However, the breadth and depth of existing documentation can be daunting for the ROS beginner. Where should you start learning about ROS 2 on Ubuntu? All robots based on ROS and ROS 2 are programmed using five simple but core constructs: Nodes […]

Weiterlesen …

Design and Web team summary – 2nd September 2020

The web team here at Canonical run two week iterations. Here are some of the highlights of our completed work from this iteration. Web squad Our Web Squad develops and maintains most of Canonical’s promotional sites like ubuntu.com, canonical.com and more. Update the data privacy Brand new confidentiality privacy notice page from the legal team. […]

Weiterlesen …

HP Z series on Ubuntu – AI development on enterprise workstations, now in your remote office

Today, HP announced the launch of its Z series of laptops and workstations certified with Ubuntu 20.04 LTS, the latest additions to their popular professional workstation line. Made to drive AI and machine learning and with hardware that is also suited to 3D and virtual reality development, the Z series is an ideal enterprise workstation […]

Weiterlesen …

Canonical at KubeCon EU 2020: our first virtual KubeCon experience

Another great KubeCon has recently come to an end – which is nothing less than what we expected. After all, that’s why Canonical and Ubuntu have been consistently present at KubeCon & CloudNativeCon EU, to connect with the community. This year, we showcased Canonical’s conformant, interoperable, multi-cloud Kubernetes through our two Kubernetes distributions – Charmed […]

Weiterlesen …

Microsoft® | TechNet

September 2020

Keine Nachrichten in diesem Zeitraum vorhanden.

Automatisch generiert