Ubuntu 6310 Published by

The following updates has been released for Ubuntu Linux:

USN-3642-2: DPDK vulnerability
USN-3646-2: PHP vulnerabilities
USN-3648-1: curl vulnerabilities
USN-3649-1: QEMU vulnerabilities



USN-3642-2: DPDK vulnerability


==========================================================================
Ubuntu Security Notice USN-3642-2
May 16, 2018

dpdk vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10

Summary:

DPDK could be made to expose sensitive information over the network.

Software Description:
- dpdk: set of libraries for fast packet processing

Details:

USN-3642-1 fixed a vulnerability in DPDK. This update provides the
corresponding update for Ubuntu 17.10.

Original advisory details:

Maxime Coquelin discovered that DPDK incorrectly handled guest physical
ranges. A malicious guest could use this issue to possibly access sensitive
information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
dpdk 17.05.2-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3642-2
https://usn.ubuntu.com/usn/usn-3642-1
CVE-2018-1059

Package Information:
https://launchpad.net/ubuntu/+source/dpdk/17.05.2-0ubuntu1.1

USN-3646-2: PHP vulnerabilities



==========================================================================
Ubuntu Security Notice USN-3646-2
May 16, 2018

php5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

USN-3646-1 fixed a vulnerability in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that PHP incorrectly handled opcache access controls
 when configured to use PHP-FPM. A local user could possibly use this
 issue to obtain sensitive information from another user's PHP
 applications. (CVE-2018-10545)

 It was discovered that the PHP PHAR error pages incorrectly filtered
 certain data. A remote attacker could possibly use this issue to
 perform a reflected XSS attack. (CVE-2018-10547)

 It was discovered that PHP incorrectly handled LDAP. A malicious
 remote LDAP server could possibly use this issue to cause PHP to
 crash, resulting in a denial of service. (CVE-2018-10548)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  libapache2-mod-php5 5.3.10-1ubuntu3.31
  php5-cgi 5.3.10-1ubuntu3.31
  php5-cli 5.3.10-1ubuntu3.31
  php5-fpm 5.3.10-1ubuntu3.31

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3646-2
  https://usn.ubuntu.com/usn/usn-3646-1
  CVE-2018-10545, CVE-2018-10547, CVE-2018-10548

USN-3648-1: curl vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3648-1
May 16, 2018

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Dario Weisser discovered that curl incorrectly handled long FTP server
command replies. If a user or automated system were tricked into connecting
to a malicious FTP server, a remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS.
(CVE-2018-1000300)

Max Dymond discovered that curl incorrectly handled certain RTSP responses.
If a user or automated system were tricked into connecting to a malicious
server, a remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2018-1000301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.1
libcurl3-gnutls 7.58.0-2ubuntu3.1
libcurl3-nss 7.58.0-2ubuntu3.1
libcurl4 7.58.0-2ubuntu3.1

Ubuntu 17.10:
curl 7.55.1-1ubuntu2.5
libcurl3 7.55.1-1ubuntu2.5
libcurl3-gnutls 7.55.1-1ubuntu2.5
libcurl3-nss 7.55.1-1ubuntu2.5

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.8
libcurl3 7.47.0-1ubuntu2.8
libcurl3-gnutls 7.47.0-1ubuntu2.8
libcurl3-nss 7.47.0-1ubuntu2.8

Ubuntu 14.04 LTS:
curl 7.35.0-1ubuntu2.16
libcurl3 7.35.0-1ubuntu2.16
libcurl3-gnutls 7.35.0-1ubuntu2.16
libcurl3-nss 7.35.0-1ubuntu2.16

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3648-1
CVE-2018-1000300, CVE-2018-1000301, CVE-2018-1000303

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.1
https://launchpad.net/ubuntu/+source/curl/7.55.1-1ubuntu2.5
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.8
https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.16

USN-3649-1: QEMU vulnerabilities


==========================================================================
Ubuntu Security Notice USN-3649-1
May 16, 2018

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values
during migration. An attacker could possibly use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 18.04 LTS. (CVE-2017-16845)

Cyrille Chatras discovered that QEMU incorrectly handled multiboot. An
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service, or possibly execute arbitrary code on the host. In the default
installation, when QEMU is used with libvirt, attackers would be isolated
by the libvirt AppArmor profile. (CVE-2018-7550)

Ross Lagerwall discovered that QEMU incorrectly handled the Cirrus VGA
device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7858)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
qemu-system 1:2.11+dfsg-1ubuntu7.1
qemu-system-arm 1:2.11+dfsg-1ubuntu7.1
qemu-system-mips 1:2.11+dfsg-1ubuntu7.1
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.1
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.1
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.1
qemu-system-x86 1:2.11+dfsg-1ubuntu7.1

Ubuntu 17.10:
qemu-system 1:2.10+dfsg-0ubuntu3.6
qemu-system-aarch64 1:2.10+dfsg-0ubuntu3.6
qemu-system-arm 1:2.10+dfsg-0ubuntu3.6
qemu-system-mips 1:2.10+dfsg-0ubuntu3.6
qemu-system-ppc 1:2.10+dfsg-0ubuntu3.6
qemu-system-s390x 1:2.10+dfsg-0ubuntu3.6
qemu-system-sparc 1:2.10+dfsg-0ubuntu3.6
qemu-system-x86 1:2.10+dfsg-0ubuntu3.6

Ubuntu 16.04 LTS:
qemu-system 1:2.5+dfsg-5ubuntu10.28
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.28
qemu-system-arm 1:2.5+dfsg-5ubuntu10.28
qemu-system-mips 1:2.5+dfsg-5ubuntu10.28
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.28
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.28
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.28
qemu-system-x86 1:2.5+dfsg-5ubuntu10.28

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.41
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.41
qemu-system-arm 2.0.0+dfsg-2ubuntu1.41
qemu-system-mips 2.0.0+dfsg-2ubuntu1.41
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.41
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.41
qemu-system-x86 2.0.0+dfsg-2ubuntu1.41

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3649-1
CVE-2017-16845, CVE-2018-7550, CVE-2018-7858

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.1
https://launchpad.net/ubuntu/+source/qemu/1:2.10+dfsg-0ubuntu3.6
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.28
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.41