August marks the end of summer, and for many it’s vacation time before school starts and work goes into the autumn rush that leads up to the holiday season. Late August is also near the peak of hurricane season for those who live in or near the Gulf of Mexico, Caribbean, and Atlantic coast. As I write this, here in Texas we’ve just been through a wild and wooly week of storms that left our largest city (and the 4th largest in the United States) in a state of devastation.

My thoughts are with everyone in Houston and other coastal areas who are impacted, with a special nod to the many IT professionals in those areas who are struggling to implement disaster recovery plans that they may have thought they would never need.

This month’s roundup will be a bit more brief than usual, as my plate is very full. Luckily we have somewhat fewer than usual patches to deal with from some of our vendors, while the rest are running around the average number.

Apple

Apple seems to be following a one on/one off schedule, with no security updates issued in April, then seven large updates last May, none in June, a heavy slate in July, and now as of August 30, no new updates this month. Look out for a big load to come down the pike in September.

For more information about the previously issued patches and the vulnerabilities that they address, see the Apple Support web site at https://support.apple.com/en-us/HT201222

Adobe

Adobe issued four security updates this month. One, for Acrobat and Reader, was deemed important enough to release ahead of the usual schedule on August 3rd. The other three came out on Patch Tuesday as per their normal release cycle.

The August 3rd update details:

APSB17-24 Security Updates for Adobe Acrobat and Reader – This update for Windows and Mac is rated critical, with a priority rating of 2, and addresses 67 vulnerabilities, which include numerous memory corruption issues, use-after-free, heap overflow, type confusion, and security bypass vulnerabilities. The most serious could be exploited to accomplish remote code execution.

On August 8th (Patch Tuesday), Adobe issued the following:

APSB17-23 Security Updates for Adobe Flash Player – This update for Adobe Flash Player for Windows, Mac, Linux and Chrome OS is rated critical with a priority rating of 1, except for Adobe Flash Player Desktop Runtime for Linux, which is assigned priority rating 3. It addresses two vulnerabilities that include security bypass and type confusion. The latter could be exploited to accomplish remote code execution.

APSB17-26 Security Updates for Adobe Experience Manager – This update for Adobe Experience Manager, a content management platform for building websites, mobile apps and forms, addresses one important file type validation vulnerability and two information disclosure vulnerabilities that are rated moderate. It is assigned a priority rating of 2. Possible impacts are information disclosure and arbitrary code execution attacks.

APSB17-27 Security Updates for Adobe Digital Editions – This update for Adobe Digital Editions for Windows, Mac, iOS and Android is rated critical, with a priority rating of 2. It addresses three vulnerabilities that include a buffer overflow, memory corruption, and an XML External Entity Parsing vulnerability. The most serious of these could be exploited to accomplish remote code execution.

For more information about these vulnerabilities and updates, see Adobe’s Security Bulletins and Advisories website at https://helpx.adobe.com/security.html

Google

Google Chrome stable channel update 60.0.3112.113 for desktop, for Windows, Mac and Linux was announced on August 24.  As of this writing, this is the latest version and contains the most recent security updates. For more information, see the Google Chrome Releases blog at
https://chromereleases.googleblog.com/2017/08/stable-channel-update-for-desktop_24.html

Android security bulletin for August 2017 was published on August 7, and patches issued that address vulnerabilities in Media Framework, the most serious of which is designated as critical and could enable a remote attacker to execute arbitrary code in the context of a privileged process.

For more information, see the August security bulletin at
https://source.android.com/security/bulletin/2017-08-01

Oracle

Oracle normally releases security updates on a quarterly cycle, in January, April, July and October.  The next scheduled update is October 17. For more information, see
https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Mozilla

Mozilla released Firefox v55 with  twenty-nine security fixes on August 8. These include a large variety of vulnerability types, including five that are rated critical. The critical vulnerabilities include two memory safety bugs, two use-after-free issues, and an XUL injection vulnerability in the style editor in devtools. For more information, see https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/

Linux

Popular Linux distros, as usual, have seen a number of security advisories and updates this month. As of the date of this writing (August 30), Ubuntu has issued 52 security advisories, which is about average but more than last month, which saw 43 updates. Many of them address multiple vulnerabilities and in some cases, there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates.

  • USN-3407-1: PyJWT vulnerability – 30th August 2017. It was discovered that a vulnerability in PyJWT doesn’t check invalid_strings properly for some public keys. A remote attacker could take advantage of a key confusion to craft JWTs from scratch.
  • USN-3406-2: Linux kernel (Trusty HWE) vulnerabilities – 29th August 2017. USN-3406-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
  • USN-3405-2: Linux kernel (Xenial HWE) vulnerabilities – 28th August 2017. USN-3405-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel.
  • USN-3404-2: Linux kernel (HWE) vulnerability – 28th August 2017. USN-3404-1 fixed a vulnerability in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. A reference count bug was discovered in the Linux kernel ipx protocol stack.
  • USN-3406-1: Linux kernel vulnerabilities – 28th August 2017. It was discovered that an out of bounds read vulnerability existed in the associative array implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information.  
  • USN-3405-1: Linux kernel vulnerabilities – 28th August 2017. It was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
  • USN-3404-1: Linux kernel vulnerability – 28th August 2017. A reference count bug was discovered in the Linux kernel ipx protocol stack. A local attacker could exploit this flaw to cause a denial of service or possibly other unspecified problems.
  • USN-3403-1: Ghostscript vulnerabilities – 28th August 2017. Kamil Frankowicz discovered that Ghostscript mishandles references. A remote attacker could use this to cause a denial of service. (CVE-2017-11714) Kim Gwan Yeong discovered that Ghostscript could allow a heap-based buffer over-read and application crash. A remote attacker could use a crafted document to cause a denial of service.
  • USN-3199-3: Python Crypto vulnerability – 28th August 2017. USN-3199-1 fixed a vulnerability in Python Crypto. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that the ALGnew function in block_templace.c in the Python Cryptography Toolkit contained a heap-based buffer overflow vulnerability. A remote attacker could use this flaw to execute arbitrary code.
  • USN-3402-1: PySAML2 vulnerability – 24th August 2017. It was discovered that PySAML2 incorrectly handled certain SAML XML requests and responses. A remote attacker could use this issue to read arbitrary files.
  • USN-3401-1: TeX Live vulnerability – 22nd August 2017. It was discovered that TeX Live incorrectly handled certain system commands. If a user were tricked into processing a specially crafted TeX file, a remote attacker could execute arbitrary code.
  • USN-3400-1: Augeas vulnerability – 21st August 2017. It was discovered that Augeas incorrectly handled certain strings. An attacker could use this issue to cause Augeas to crash, leading to a denial of service, or possibly execute arbitrary code.
  • USN-3399-1: cvs vulnerability – 21st August 2017. Hank Leininger discovered that cvs did not properly handle SSH for remote repositories. A remote attacker could use this to construct a cvs repository that when accessed could run arbitrary code with the privileges of the user.
  • USN-3398-1: graphite2 vulnerabilities – 21st August 2017. Holger Fuhrmannek and Tyson Smith discovered that graphite2 incorrectly handled certain malformed fonts. If a user or automated system were tricked into opening a specially-crafted font file, a remote attacker could use this issue to cause graphite2 to crash, resulting in a denial of service, or possibly execute arbitrary code.
  • USN-3397-1: strongSwan vulnerability – 21st August 2017. It was discovered that strongSwan incorrectly handled verifying specific RSA signatures. A remote attacker could use this issue to cause strongSwan to crash, resulting in a denial of service.
  • USN-3396-1: OpenJDK 7 vulnerabilities – 18th August 2017. It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service.  
  • USN-3391-3: Firefox regression – 17th August 2017. USN-3391-1 fixed vulnerabilities in Firefox. The update introduced a performance regression with WebExtensions. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox.
  • USN-3393-2: ClamAV vulnerabilities – 17th August 2017. USN-3393-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that ClamAV incorrectly handled parsing certain email messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.
  • USN-3395-1: c-ares vulnerability – 17th August 2017. It was discovered that c-ares incorrectly handled certain NAPTR responses. A remote attacker could possibly use this issue to cause applications using c-ares to crash, resulting in a denial of service.
  • USN-3394-1: libmspack vulnerabilities – 17th August 2017. It was discovered that libmspack incorrectly handled certain malformed CHM files. A remote attacker could use this issue to cause libmspack to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-6419) It was discovered that libmspack incorrectly handled certain malformed CAB files.
  • USN-3393-1: ClamAV vulnerabilities – 17th August 2017. It was discovered that ClamAV incorrectly handled parsing certain email messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6418) It was discovered that ClamAV incorrectly handled certain malformed CHM files.
  • USN-3391-2: Ubufox update – 16th August 2017. USN-3391-1 fixed vulnerabilities in Firefox. This update provides the corresponding update for Ubufox. Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks or bypass sandbox restrictions.
  • USN-3392-1: Linux kernel regression – 16th August 2017. USN-3378-1 fixed vulnerabilities in the Linux kernel. Unfortunately, a regression was introduced that prevented conntrack from working correctly in some situations. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Fan Wu and Shixiong Zhao discovered a race condition between notify events and vfs rename operations.
  • USN-3392-2: Linux kernel (Xenial HWE) regression – 16th August 2017. USN-3392-1 fixed a regression in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. USN-3378-2 fixed vulnerabilities in the Linux Hardware Enablement kernel. Unfortunately, a regression was introduced.
  • USN-3391-1: Firefox vulnerabilities – 15th August 2017. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, bypass sandbox restrictions, obtain sensitive information, spoof the origin of modal alerts, bypass same origin restrictions, read uninitialized memory.
  • USN-3390-1: PostgreSQL vulnerabilities – 15th August 2017. Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour. A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled.
  • USN-3389-2: GD vulnerability – 14th August 2017. USN-3389-1 fixed a vulnerability in GD Graphics Library. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: A vulnerability was discovered in GD Graphics Library (aka libgd), as used in PHP that does not zero colorMap arrays before use.
  • USN-3389-1: GD vulnerability – 14th August 2017. A vulnerability was discovered in GD Graphics Library (aka libgd), as used in PHP that does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read bytes from the top of the stack.
  • USN-3388-1: Subversion vulnerabilities – 11th August 2017. Joern Schneeweisz discovered that Subversion did not properly handle host names in ‘svn+ssh://’ URLs. A remote attacker could use this to construct a subversion repository that when accessed could run arbitrary code with the privileges of the user.
  • USN-3387-1: Git vulnerability – 10th August 2017. Brian Neel, Joern Schneeweisz, and Jeff King discovered that Git did not properly handle host names in ‘ssh://’ URLs. A remote attacker could use this to construct a git repository that when accessed could run arbitrary code with the privileges of the user.
  • USN-3385-2: Linux kernel (Xenial HWE) vulnerabilities – 10th August 2017. USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel.
  • USN-3386-2: Linux kernel (Trusty HWE) vulnerabilities – 10th August 2017. USN-3386-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel.
  • USN-3384-2: Linux kernel (HWE) vulnerabilities – 10th August 2017. USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel.
  • USN-3386-1: Linux kernel vulnerabilities – 10th August 2017. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel.
  • USN-3385-1: Linux kernel vulnerabilities – 10th August 2017. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel.
  • USN-3384-1: Linux kernel vulnerabilities – 10th August 2017. Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel.
  • USN-3383-1: libsoup vulnerability – 10th August 2017. Aleksandar Nikolic discovered a stack based buffer overflow when handling chunked encoding. An attacker could use this to cause a denial of service or possibly execute arbitrary code.
  • USN-3382-1: PHP vulnerabilities – 10th August 2017. It was discovered that the PHP opcache created keys for files it cached based on their filepath. A local attacker could possibly use this issue in a shared hosting environment to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS.
  • USN-3381-2: Linux kernel (Trusty HWE) vulnerabilities – 7th August 2017. USN-3381-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
  • USN-3381-1: Linux kernel vulnerabilities – 7th August 2017. Peter Pi discovered that the colormap handling for frame buffer devices in the Linux kernel contained an integer overflow. A local attacker could use this to disclose sensitive information (kernel memory). (CVE-2016-8405) It was discovered that the Linux kernel did not properly restrict RLIMIT_STACK size.
  • USN-3380-1: FreeRDP vulnerabilities – 7th August 2017. It was discovered that FreeRDP incorrectly handled certain width and height values. A malicious server could use this issue to cause FreeRDP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS.
  • USN-3379-1: Shotwell vulnerability – 7th August 2017. It was discovered that Shotwell is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission.
  • USN-3339-2: OpenVPN vulnerability – 7th August 2017. USN-3339-1 fixed several issues in OpenVPN. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Guido Vranken discovered that OpenVPN incorrectly handled an HTTP proxy with NTLM authentication. A remote attacker could use this issue to cause OpenVPN clients to crash, resulting in a denial of service.
  • USN-3212-4: LibTIFF vulnerabilities – 7th August 2017. USN-3212-1 fixed several issues in LibTIFF. This update provides a subset of corresponding update for Ubuntu 12.04 ESM. Mei Wang discovered a multiple integer overflows in LibTIFF which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image.
  • USN-3378-2: Linux kernel (Xenial HWE) vulnerabilities – 3rd August 2017. USN-3378-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
  • USN-3377-2: Linux kernel (HWE) vulnerabilities – 3rd August 2017. USN-3377-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel.
  • USN-3378-1: Linux kernel vulnerabilities – 3rd August 2017. Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
  • USN-3377-1: Linux kernel vulnerabilities – 3rd August 2017. Fan Wu and Shixiong Zhao discovered a race condition between inotify events and vfs rename operations in the Linux kernel. An unprivileged local attacker could use this to cause a denial of service (system crash) or execute arbitrary code.
  • USN-3376-1: WebKitGTK+ vulnerabilities – 2nd August 2017. A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
  • USN-3375-1: LXC vulnerability – 2nd August 2017. It was discovered that LXC incorrectly handled the TIOCSTI ioctl. An attacker could possibly use this issue to escape LXC containers.
  • USN-3370-2: Apache HTTP Server vulnerability – 1st August 2017. USN-3370-1 fixed a vulnerability in Apache HTTP Server. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Robert Święcki discovered that the Apache HTTP Server mod_auth_digest module incorrectly cleared values when processing certain requests.
  • USN-3294-2: Bash vulnerability – 1st August 2017. USN-3294-1 fixed a vulnerability in Bash. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: It was discovered that Bash incorrectly handled the SHELLOPTS and PS4 environment variables. A local attacker could use this issue to execute arbitrary code with root privileges.