Severity

Medium

Vendor

Canonical Ubuntu, libidn

Versions Affected

Canonical Ubuntu 14.04 LTS

Description

Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory. (CVE-2015-2059)

Hanno Böck discovered that Libidn incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn to crash, resulting in a denial of service. (CVE-2015-8948, CVE-2016-6262, CVE-2016-6261, CVE-2016-6263)

Affected Products and Versions

Severity is medium unless otherwise noted.

• Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.21 AND 3232.x versions prior to 3232.19 AND other versions prior to 3262.12 are vulnerable
• All versions of Cloud Foundry cflinuxfs2 prior to v.1.78.0

Mitigation

Users of affected versions should apply the following mitigation:

• The Cloud Foundry team has released patched BOSH stemcells 3146.21 and 3232.19 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.21 OR 3232.x versions to 3232.19
• The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.78.0 or later versions

Credit

Thijs Alkemade, Hanno Böck, Gustavo Grieco, Nikos Mavrogiannopoulos, and Daniel Stenberg

References

• http://www.ubuntu.com/usn/usn-3068-1/
• http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2059.html
• http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8948.html
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6261.html
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6262.html
• http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6263.html