The following updates have been released for Ubuntu Linux:

USN-4019-1: SQLite vulnerabilities
USN-4019-2: SQLite vulnerabilities
USN-4020-1: Firefox vulnerability
USN-4021-1: libvirt vulnerabilities
USN-4022-1: Gunicorn vulnerability
USN-4024-1: Evince update



USN-4019-1: SQLite vulnerabilities


=========================================================================
Ubuntu Security Notice USN-4019-1
June 19, 2019

sqlite3 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in SQLite.

Software Description:
- sqlite3: C library that implements an SQL database engine

Details:

It was discovered that SQLite incorrectly handled certain SQL files.
An attacker could possibly use this issue to execute arbitrary code
or cause a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2017-2518, CVE-2017-2520)

It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20505)

It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and
Ubuntu 18.10. (CVE-2018-20346, CVE-2018-20506)

It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to access sensitive information.
(CVE-2019-8457)

It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2019-9936)

It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS
and Ubuntu 18.10. (CVE-2019-9937)

It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2016-6153)

It was discovered that SQLite incorrectly handled certain databases.
An attacker could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-10989)

It was discovered that SQLite incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-13685)

It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code or
cause a denial of service. This issue only affected Ubuntu 16.04 LTS.
(CVE-2017-2519)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libsqlite3-0 3.27.2-2ubuntu0.1
sqlite3 3.27.2-2ubuntu0.1

Ubuntu 18.10:
libsqlite3-0 3.24.0-1ubuntu0.1
sqlite3 3.24.0-1ubuntu0.1

Ubuntu 18.04 LTS:
libsqlite3-0 3.22.0-1ubuntu0.1
sqlite3 3.22.0-1ubuntu0.1

Ubuntu 16.04 LTS:
libsqlite3-0 3.11.0-1ubuntu1.2
sqlite3 3.11.0-1ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4019-1
CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-2518,
CVE-2017-2519, CVE-2017-2520, CVE-2018-20346, CVE-2018-20505,
CVE-2018-20506, CVE-2019-8457, CVE-2019-9936, CVE-2019-9937

Package Information:
https://launchpad.net/ubuntu/+source/sqlite3/3.27.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.24.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.11.0-1ubuntu1.2

USN-4019-2: SQLite vulnerabilities


=========================================================================
Ubuntu Security Notice USN-4019-2
June 19, 2019

sqlite3 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in SQLite.

Software Description:
- sqlite3: C library that implements an SQL database engine

Details:

USN-4019-1 fixed several vulnerabilities in sqlite3. This update provides
the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.

Original advisory details:

It was discovered that SQLite incorrectly handled certain SQL files.
An attacker could possibly use this issue to execute arbitrary code
or cause a denial of service. (CVE-2017-2518)

It was discovered that SQLite incorrectly handled certain queries.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2018-20346, CVE-2018-20506)

It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to access sensitive information.
(CVE-2019-8457)

It was discovered that SQLite incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2016-6153)

It was discovered that SQLite incorrectly handled certain databases.
An attacker could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-10989)

It was discovered that SQLite incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2017-13685)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libsqlite3-0 3.8.2-1ubuntu2.2+esm1
sqlite3 3.8.2-1ubuntu2.2+esm1

Ubuntu 12.04 ESM:
libsqlite3-0 3.7.9-2ubuntu1.3
sqlite3 3.7.9-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4019-2
https://usn.ubuntu.com/4019-1
CVE-2016-6153, CVE-2017-10989, CVE-2017-13685, CVE-2017-2518,
CVE-2018-20346, CVE-2018-20506, CVE-2019-8457


USN-4020-1: Firefox vulnerability


==========================================================================
Ubuntu Security Notice USN-4020-1
June 19, 2019

firefox vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

A type confusion bug was discovered in Firefox. If a user were tricked
into opening a specially crafted website, an attacker could exploit this by
causing a denial of service, or executing arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
firefox 67.0.3+build1-0ubuntu0.19.04.1

Ubuntu 18.10:
firefox 67.0.3+build1-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
firefox 67.0.3+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
firefox 67.0.3+build1-0ubuntu0.16.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/4020-1
CVE-2019-11707

Package Information:
https://launchpad.net/ubuntu/+source/firefox/67.0.3+build1-0ubuntu0.19.04.1
https://launchpad.net/ubuntu/+source/firefox/67.0.3+build1-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/firefox/67.0.3+build1-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/67.0.3+build1-0ubuntu0.16.04.1


USN-4021-1: libvirt vulnerabilities


==========================================================================
Ubuntu Security Notice USN-4021-1
June 19, 2019

libvirt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10

Summary:

Several security issues were fixed in libvirt.

Software Description:
- libvirt: Libvirt virtualization toolkit

Details:

Daniel P. Berrangé discovered that libvirt incorrectly handled socket
permissions. A local attacker could possibly use this issue to access
libvirt. (CVE-2019-10132)

It was discovered that libvirt incorrectly performed certain permission
checks. A remote attacker could possibly use this issue to access the
guest agent and cause a denial of service. This issue only affected Ubuntu
19.04. (CVE-2019-3886)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libvirt-clients 5.0.0-1ubuntu2.3
libvirt-daemon 5.0.0-1ubuntu2.3
libvirt0 5.0.0-1ubuntu2.3

Ubuntu 18.10:
libvirt-clients 4.6.0-2ubuntu3.7
libvirt-daemon 4.6.0-2ubuntu3.7
libvirt0 4.6.0-2ubuntu3.7

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/4021-1
CVE-2019-10132, CVE-2019-3886

Package Information:
https://launchpad.net/ubuntu/+source/libvirt/5.0.0-1ubuntu2.3
https://launchpad.net/ubuntu/+source/libvirt/4.6.0-2ubuntu3.7

USN-4022-1: Gunicorn vulnerability


==========================================================================
Ubuntu Security Notice USN-4022-1
June 19, 2019

Gunicorn vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Gunicorn could allow cross-site scripting (XSS) attacks.

Software Description:
- gunicorn: Python HTTP/WSGI server

Details:

It was discovered that gunicorn improperly handled certain input. An attacker
could potentially use this issue to execute a cross-site scripting (XSS) attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
gunicorn 19.4.5-1ubuntu1.1
gunicorn3 19.4.5-1ubuntu1.1
python-gunicorn 19.4.5-1ubuntu1.1
python3-gunicorn 19.4.5-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4022-1
CVE-2018-1000164

Package Information:
https://launchpad.net/ubuntu/+source/gunicorn/19.4.5-1ubuntu1.1


USN-4024-1: Evince update


=========================================================================
Ubuntu Security Notice USN-4024-1
June 19, 2019

evince update
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Use more restrictive AppArmor policy for Evince binaries.

Software Description:
- evince: Document viewer

Details:

As a security improvement, this update adjusts the AppArmor profile for the
Evince thumbnailer to reduce access to the system and adjusts the AppArmor
profile for Evince and Evince previewer to limit access to the DBus system
bus. Additionally, it adjusts the evince abstraction to disallow writes on
parent directories of sensitive files.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
evince-common 3.28.4-0ubuntu1.2

Ubuntu 16.04 LTS:
evince-common 3.18.2-1ubuntu4.5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4024-1
https://launchpad.net/bugs/1788929, https://launchpad.net/bugs/1794848

Package Information:
https://launchpad.net/ubuntu/+source/evince/3.28.4-0ubuntu1.2
https://launchpad.net/ubuntu/+source/evince/3.18.2-1ubuntu4.5