==========================================================================
Ubuntu Security Notice USN-2287-1
July 17, 2014

linux-lts-saucy vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
– linux-lts-saucy: Linux hardware enablement kernel from Saucy

Details:

Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol
(PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user
could exploit this flaw to gain administrative privileges. (CVE-2014-4943)

Michael S. Tsirkin discovered an information leak in the Linux kernel’s
segmentation of skbs when using the zerocopy feature of vhost-net. A local
attacker could exploit this flaw to gain potentially sensitive information
from kernel memory. (CVE-2014-0131)

A flaw was discovered in the Linux kernel’s audit subsystem when auditing
certain syscalls. A local attacker could exploit this flaw to obtain
potentially sensitive single-bit values from kernel memory or cause a
denial of service (OOPS). (CVE-2014-3917)

A flaw was discovered in the Linux kernel’s implementation of user
namespaces with respect to inode permissions. A local user could exploit
this flaw by creating a user namespace to gain administrative privileges.
(CVE-2014-4014)

Don Bailey discovered a flaw in the LZO decompress algorithm used by the
Linux kernel. An attacker could exploit this flaw to cause a denial of
service (memory corruption or OOPS). (CVE-2014-4608)

Don Bailey and Ludvig Strigeus discovered an integer overflow in the Linux
kernel’s implementation of the LZ4 decompression algorithm, when used by
code not complying with API limitations. An attacker could exploit this
flaw to cause a denial of service (memory corruption) or possibly other
unspecified impact. (CVE-2014-4611)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.11.0-26-generic 3.11.0-26.45~precise1
linux-image-3.11.0-26-generic-lpae 3.11.0-26.45~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2287-1
CVE-2014-0131, CVE-2014-3917, CVE-2014-4014, CVE-2014-4608,
CVE-2014-4611, CVE-2014-4943

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-saucy/3.11.0-26.45~precise1

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJTxy7GAAoJEAUvNnAY1cPYlW4P/jq4wm/atitTGibxy3wdl7AT
Sb5XE+NGLbyhZ3QWavzQQfB6SOPOPwvyWAFwBPufVljLG//Zh+0ImUe6j8YD9llU
nJSSD9VCisiewwst+rdBvR099rnUcdsoyMPFCmJxtoh0zTGRwi5vLmYNEOEC0Cc8
GDVswoHzrQ1gwQiIuWTgWe7Cz8Cl4/oaYhwNu/AAEIH9ddJXVaen/JZNc8YvkxXm
s3eGtObrK+DfP1nUH4AVH8po9+eVJCaRMfie3JFPLuJKZjcrqrfkYnyocQRNvb3I
I3L0eygYEcrrthIOHqLdEw6HcUT/VBeffsrn21dV/jcVF/+Nk1KLCNCTI/VMfM2q
gnisgQMBA8mFsD4i9hoYIPPvmDzKR1GuI7QtGWhwVFq+o7onkRECdncnzdW7mBQ1
f1c8R3MAXfRVAAsGXhnxDF0uXWm2R+g8sVXI6D0SPCFNvc46yAFK7SQmjwIo0mCM
XS9rKFQYuXDFFLCJYgrAgJJ6H6XSbVrZ5ImGAOOq+UiawJchFrJxvWZpl3qQOWWV
ipyvYcmGIexK/L1Qn6r92O6f49U4z3ulCYZWdoUQ/axaWYfhNJz0VTt9DoA/QuVX
qO3+l38Wtb36hyJVN/CkHb8sjdyJMhVALRBT2qMm/w0wQBRySe1viu4C/zWmsAhy
XzyjHqZVNDP45tboRBKR
=THq4
—–END PGP SIGNATURE—–
—
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-2289-1
July 17, 2014

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 13.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
– linux: Linux kernel

Details:

Sasha Levin reported a flaw in the Linux kernel’s point-to-point protocol
(PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user
could exploit this flaw to gain administrative privileges. (CVE-2014-4943)

Michael S. Tsirkin discovered an information leak in the Linux kernel’s
segmentation of skbs when using the zerocopy feature of vhost-net. A local
attacker could exploit this flaw to gain potentially sensitive information
from kernel memory. (CVE-2014-0131)

A flaw was discovered in the Linux kernel’s audit subsystem when auditing
certain syscalls. A local attacker could exploit this flaw to obtain
potentially sensitive single-bit values from kernel memory or cause a
denial of service (OOPS). (CVE-2014-3917)

A flaw was discovered in the Linux kernel’s implementation of user
namespaces with respect to inode permissions. A local user could exploit
this flaw by creating a user namespace to gain administrative privileges.
(CVE-2014-4014)

Don Bailey discovered a flaw in the LZO decompress algorithm used by the
Linux kernel. An attacker could exploit this flaw to cause a denial of
service (memory corruption or OOPS). (CVE-2014-4608)

Don Bailey and Ludvig Strigeus discovered an integer overflow in the Linux
kernel’s implementation of the LZ4 decompression algorithm, when used by
code not complying with API limitations. An attacker could exploit this
flaw to cause a denial of service (memory corruption) or possibly other
unspecified impact. (CVE-2014-4611)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
linux-image-3.11.0-26-generic 3.11.0-26.45
linux-image-3.11.0-26-generic-lpae 3.11.0-26.45

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2289-1
CVE-2014-0131, CVE-2014-3917, CVE-2014-4014, CVE-2014-4608,
CVE-2014-4611, CVE-2014-4943

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.11.0-26.45

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIcBAEBCgAGBQJTxzBIAAoJEAUvNnAY1cPYVfoP/29wf1byp5Ypo1sNNyKoMz7k
/MakFMfWUhGSUBXJFfD857dE17TeQ93ls5tR2RrmWAB6OYL+9kdDYreCKgmu9hUN
80tjghagh4o2yH71s2yGNeKPpH5KkieFlawz7rZ483QQUsWuw/fbS92tyPRUUndx
1AxcwWk38TxEFYTGh9RR9+U1Uri906xzdAah9S5hMISSV+NKSVVSb8RYbAAbzJfu
tIc5uYw8qvbCEA870hGdYk427koTPVDdn7XsBEwttbwI2Nux2KLLNlcGKoNiF2lH
uPRy+PMedV6/RHK+XveHHgw8meT45yvlojWk7v2itY4Mn9rvG2e/hLtBladbrcDo
rghc7s1FEP2vtFP+UDayp9buy5hND1RYhw89++cL8Z93duYBnMZ+AlcLXoLzJj05
5bQ+cpLxaopAnPYbXqIC5jbSFHgPuIrkoucVkpRh2lZ8m4ldgz1XnbUxOOwjl3/K
2uK70QM6wS3NaQO0PmM3ry1PGkgvTvvmje4w+ITkKgE/sZB6V8RIMZmGKKCgBM0G
y9+xd8CPN56Mp1bt5aRSZPEIBDCVbwlap7k8VC2pa5NT7uZawQaQ3ktaufj1LXQX
7hwSZRDUsdmbMfmIpqw4qSjsh/mv7GaWVoyA6Btqrn1Vt3HbMYVxmA8f2Qqa94Et
9wSCLxGSfAWeAUrd9IHT
=yDL/
—–END PGP SIGNATURE—–
—
7e