
[USN-2950-2] libsoup update

Posted on 27 April 2016
Ubuntu Security

============================================================================
Ubuntu Security Notice USN-2950-2
April 27, 2016

libsoup2.4 update
============================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS

Summary:

This update fixes libsoup NTLM authentication.

Software Description:
- libsoup2.4: HTTP client/server library for GNOME

Details:

USN-2950-1 fixed vulnerabilities in Samba. The updated Samba packages
introduced a compatibility issue with NTLM authentication in libsoup. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Jouni Knuutinen discovered that Samba contained multiple flaws in the
DCE/RPC implementation. A remote attacker could use this issue to perform
a denial of service, downgrade secure connections by performing a man in
the middle attack, or possibly execute arbitrary code. (CVE-2015-5370)

Stefan Metzmacher discovered that Samba contained multiple flaws in the
NTLMSSP authentication implementation. A remote attacker could use this
issue to downgrade connections to plain text by performing a man in the
middle attack. (CVE-2016-2110)

Alberto Solino discovered that a Samba domain controller would establish a
secure connection to a server with a spoofed computer name. A remote
attacker could use this issue to obtain sensitive information.
(CVE-2016-2111)

Stefan Metzmacher discovered that the Samba LDAP implementation did not
enforce integrity protection. A remote attacker could use this issue to
hijack LDAP connections by performing a man in the middle attack.
(CVE-2016-2112)

Stefan Metzmacher discovered that Samba did not validate TLS certificates.
A remote attacker could use this issue to spoof a Samba server.
(CVE-2016-2113)

Stefan Metzmacher discovered that Samba did not enforce SMB signing even if
configured to. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2114)

Stefan Metzmacher discovered that Samba did not enable integrity protection
for IPC traffic. A remote attacker could use this issue to perform a man in
the middle attack. (CVE-2016-2115)

Stefan Metzmacher discovered that Samba incorrectly handled the MS-SAMR and
MS-LSAD protocols. A remote attacker could use this flaw with a man in the
middle attack to impersonate users and obtain sensitive information from
the Security Account Manager database. This flaw is known as Badlock.
(CVE-2016-2118)

Samba has been updated to 4.3.8 in Ubuntu 14.04 LTS and Ubuntu 15.10.
Ubuntu 12.04 LTS has been updated to 3.6.25 with backported security fixes.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes. Configuration changes may
be required in certain environments.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libsoup2.4-1 2.52.2-1ubuntu0.1

Ubuntu 15.10:
libsoup2.4-1 2.50.0-2ubuntu0.1

Ubuntu 14.04 LTS:
libsoup2.4-1 2.44.2-1ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2950-2
http://www.ubuntu.com/usn/usn-2950-1
https://launchpad.net/bugs/1573494

Package Information:
https://launchpad.net/ubuntu/+source/libsoup2.4/2.52.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.50.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libsoup2.4/2.44.2-1ubuntu2.1

 
