Ubuntu Security Notice 2320-1 - A use-after-free was discovered in the websockets implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash. An issue was discovered in the Public Key Pinning implementation in Chromium. An attacker could potentially exploit this to obtain sensitive information. Various other issues were also addressed.
803dcbfcc1350f593726e36e66951407044c506c9079c1e3816df02135c1d9b2
============================================================================
Ubuntu Security Notice USN-2320-1
August 20, 2014
oxide-qt vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Oxide.
Software Description:
- oxide-qt: Web browser engine library for Qt (QML plugin)
Details:
A use-after-free was discovered in the websockets implementation in Blink.
If a user were tricked in to opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
renderer crash. (CVE-2014-3165)
An issue was discovered in the Public Key Pinning implementation in
Chromium. An attacker could potentially exploit this to obtain sensitive
information. (CVE-2014-3166)
Multiple security issues were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
the program. (CVE-2014-3167)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
liboxideqtcore0 1.0.5-0ubuntu0.14.04.1
oxideqt-codecs 1.0.5-0ubuntu0.14.04.1
oxideqt-codecs-extra 1.0.5-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2320-1
CVE-2014-3165, CVE-2014-3166, CVE-2014-3167, https://launchpad.net/bugs/1356372
Package Information:
https://launchpad.net/ubuntu/+source/oxide-qt/1.0.5-0ubuntu0.14.04.1