News

Thursday, November 20, 2008

ubuntu-security-announce Digest, Vol 50, Issue 7

Today's Topics:

1. [USN-674-1] HPLIP vulnerabilities (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Wed, 19 Nov 2008 15:36:02 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Subject: [USN-674-1] HPLIP vulnerabilities
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <1227126962.8216.12.camel@mdlinux.technorage.com>
Content-Type: text/plain; charset="us-ascii"

===========================================================
Ubuntu Security Notice USN-674-1 November 19, 2008
hplip vulnerabilities
CVE-2008-2940, CVE-2008-2941
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
hplip 0.9.7-4ubuntu1.1

Ubuntu 7.10:
hplip 2.7.7.dfsg.1-0ubuntu5.1

Ubuntu 8.04 LTS:
hplip 2.8.2-0ubuntu8.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the hpssd tool of hplip did not validate
privileges in the alert-mailing function. A local attacker could
exploit this to gain privileges and send e-mail messages from the
account of the hplip user. This update alters hplip behaviour by
preventing users from setting alerts and by moving alert configuration
to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940)

It was discovered that the hpssd tool of hplip did not correctly
handle certain commands. A local attacker could use a specially
crafted packet to crash hpssd, leading to a denial of service.
(CVE-2008-2941)


Updated packages for Ubuntu 6.06 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1.diff.gz
Size/MD5: 226218 b1befe142df70e2be0aacca378bff4c6
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1.dsc
Size/MD5: 805 44d5c87af34218551c39719f0d902ec6
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7.orig.tar.gz
Size/MD5: 9705231 d2ee27d7c347f549306a880561c5030a

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_0.9.7-4ubuntu1.1_all.deb
Size/MD5: 6318286 e92776a847c4dccb78e46e040cc4f37c
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-ppds_0.9.7-4ubuntu1.1_all.deb
Size/MD5: 391422 94a290c3c58d7cfde62719871a4206cb

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.1.7+0.9.7-4ubuntu1.1_amd64.deb
Size/MD5: 296914 7c2b35446a74ace8600ebd7bc0bcf7ff
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1_amd64.deb
Size/MD5: 479454 07cbfe505c55c27c12220c8f18d6e4f0

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.1.7+0.9.7-4ubuntu1.1_i386.deb
Size/MD5: 280204 e3941e3f4fdb6c0d6ad16d50de90b469
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1_i386.deb
Size/MD5: 461862 11e44e329aff35e9684ee0761c44d8ee

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.1.7+0.9.7-4ubuntu1.1_powerpc.deb
Size/MD5: 299864 ad75271b2f55cc54f58410788e884d26
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1_powerpc.deb
Size/MD5: 486720 84acd213608e444cd108511579f6e19f

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.1.7+0.9.7-4ubuntu1.1_sparc.deb
Size/MD5: 280186 ab1b58f5fb3fa17ece320035716498fa
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_0.9.7-4ubuntu1.1_sparc.deb
Size/MD5: 464572 1f2f60151bc92e6cdc7da921e53f35e2

Updated packages for Ubuntu 7.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1.diff.gz
Size/MD5: 149557 1adc73a32fbce24a03682309f23d6a50
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1.dsc
Size/MD5: 1064 180d4951171a12dc0b4e6b51963261ae
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1.orig.tar.gz
Size/MD5: 14361049 ae5165d46413db8119979f5b3345f7a5

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_2.7.7.dfsg.1-0ubuntu5.1_all.deb
Size/MD5: 6897850 1cab82d64fedbb70076f1434d475d273
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_2.7.7.dfsg.1-0ubuntu5.1_all.deb
Size/MD5: 4146758 7bf2d5554996cc17c60258de446eb8c6
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-gui_2.7.7.dfsg.1-0ubuntu5.1_all.deb
Size/MD5: 117522 85cd5e8a8d8ba35e7140a41fdc379c7c
http://security.ubuntu.com/ubuntu/pool/universe/h/hplip/hpijs-ppds_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_all.deb
Size/MD5: 479918 c545f959d38b34dc32a93adc73461615

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_amd64.deb
Size/MD5: 341468 79cb90ac94af0792c0f9e2089a60db64
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.1_amd64.deb
Size/MD5: 769990 cf835a70a0fa51078b80ad190ab1cec7
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1_amd64.deb
Size/MD5: 302976 162ce78f2534152bd0e2ed33051619a2

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_i386.deb
Size/MD5: 334576 dd39560300fdda88c16a252b46ef2b7b
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.1_i386.deb
Size/MD5: 747196 36d127560c5eba40354698a0eef1777a
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1_i386.deb
Size/MD5: 290354 df91f0e8b2d97b2aca110f3541952044

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_lpia.deb
Size/MD5: 337694 43391f12453f206b9f225e081e669417
http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.1_lpia.deb
Size/MD5: 925968 72d12b2e01a56317ed133fe9d4461191
http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1_lpia.deb
Size/MD5: 290174 2543c28b0990cddae6edd78988465b4c

powerpc architecture (Apple Macintosh G3/G4/G5):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_powerpc.deb
Size/MD5: 348144 2635fbbe0d26218e328e5a65f6739ee1
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.1_powerpc.deb
Size/MD5: 784396 db9c4e4175812910e690b6d93c78c484
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1_powerpc.deb
Size/MD5: 319062 fa76d41aeb82c0bd14565aa7046d3673

sparc architecture (Sun SPARC/UltraSPARC):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.1_sparc.deb
Size/MD5: 332584 0871e23022a68750c75c8354e887e064
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.1_sparc.deb
Size/MD5: 717140 8034edab3f572315e082918033eb41ef
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.1_sparc.deb
Size/MD5: 289462 53750500e86a4179592d9ee97def4770

Updated packages for Ubuntu 8.04 LTS:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1.diff.gz
Size/MD5: 77238 6b40ac2c31a1751ba48997077ca2c9dc
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1.dsc
Size/MD5: 1317 b66ad37ff2a0bdd9b7cb903e9887fe50
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.8.2.orig.tar.gz
Size/MD5: 14195737 ea57b92483622d3eae359994c5fd3dc3

Architecture independent packages:

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs-ppds_2.8.2+2.8.2-0ubuntu8.1_all.deb
Size/MD5: 1529318 c5a1b517bc403570513f27a1f15341b8
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_2.8.2-0ubuntu8.1_all.deb
Size/MD5: 7019114 8f55c60778ef6f7e075803152a313496
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_2.8.2-0ubuntu8.1_all.deb
Size/MD5: 4167440 2cdbd923c549fe09c8436ff36bf73a1a
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-gui_2.8.2-0ubuntu8.1_all.deb
Size/MD5: 128378 d4f8e634314c25160cee0bc44b6c55eb

amd64 architecture (Athlon64, Opteron, EM64T Xeon):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.8.2+2.8.2-0ubuntu8.1_amd64.deb
Size/MD5: 382262 5c2e135b7ea35a6202d0b087820a84e5
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.8.2-0ubuntu8.1_amd64.deb
Size/MD5: 811692 2babafedcd53a956049591f84d6b5664
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1_amd64.deb
Size/MD5: 320852 3709f156c5528d77d70584da2385812b

i386 architecture (x86 compatible Intel/AMD):

http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.8.2+2.8.2-0ubuntu8.1_i386.deb
Size/MD5: 374220 e8c891f92d1219bdfa178a8eb533215f
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.8.2-0ubuntu8.1_i386.deb
Size/MD5: 788090 79b9fb3adfe38464311e6689ff634c35
http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1_i386.deb
Size/MD5: 308622 64477942b624ef3cf98921e3535cc473

lpia architecture (Low Power Intel Architecture):

http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.8.2+2.8.2-0ubuntu8.1_lpia.deb
Size/MD5: 377036 984d300fa15fef7eb813e6e280034a16
http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.8.2-0ubuntu8.1_lpia.deb
Size/MD5: 794452 7bbf76dce03cee5b2ba7363cfecb5f70
http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1_lpia.deb
Size/MD5: 307612 47ae3e6082e1dff01384e8834a959ee6

powerpc architecture (Apple Macintosh G3/G4/G5):

http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.8.2+2.8.2-0ubuntu8.1_powerpc.deb
Size/MD5: 388358 197034b9a89bfa7f403ed908f010cb2b
http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.8.2-0ubuntu8.1_powerpc.deb
Size/MD5: 824638 01210ff766c493113fb780f6b52ce047
http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1_powerpc.deb
Size/MD5: 336824 c97c1e1e8a8f328bc611ec46214aca74

sparc architecture (Sun SPARC/UltraSPARC):

http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.8.2+2.8.2-0ubuntu8.1_sparc.deb
Size/MD5: 371516 0db0e7f4c0e10948819fdc3ca509e19f
http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.8.2-0ubuntu8.1_sparc.deb
Size/MD5: 755764 1529e25d7ee099815219ac63e12a2949
http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.8.2-0ubuntu8.1_sparc.deb
Size/MD5: 306928 8e4e046d41c6f0efe22ce02409b90666


------------------------------

End of ubuntu-security-announce Digest, Vol 50, Issue 7
*******************************************************
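
The fixed hplip versions that USN-674-1 lists per release can be checked against a package inventory. This is an added example, not part of the advisory or of Canonical's tooling: it reimplements dpkg's version ordering in Python (the ordering `dpkg --compare-versions` applies) and returns the hosts still below the fix. The host names and installed versions in SAMPLE are constructed.

```python
import re

# Fixed hplip versions per Ubuntu release, copied from USN-674-1.
FIXED = {"6.06": "0.9.7-4ubuntu1.1", "7.10": "2.7.7.dfsg.1-0ubuntu5.1",
         "8.04": "2.8.2-0ubuntu8.1"}

def _order(c):
    """dpkg character weight: '~' first, then end-of-string, letters, the rest."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one version component: text runs by weight, digit runs as numbers."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        diff = int(na or 0) - int(nb or 0)
        if diff:
            return diff
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]'; missing epoch is 0, missing revision ''."""
    head, sep, rest = version.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    return epoch, (upstream if sep else rest), (revision if sep else "")

def vercmp(a, b):
    """Negative, zero or positive as Debian version a is older, equal or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(inventory):
    """Hosts whose hplip is older than the fixed version for their release."""
    return [host for host, rel, ver in inventory if vercmp(ver, FIXED[rel]) < 0]

# Constructed inventory: (host, `lsb_release -rs`, `dpkg-query -W -f='${Version}' hplip`).
SAMPLE = [("print01", "6.06", "0.9.7-4ubuntu1"),
          ("print02", "7.10", "2.7.7.dfsg.1-0ubuntu5.1"),
          ("desk17", "8.04", "2.8.2-0ubuntu8")]
```

Calling `unpatched(SAMPLE)` returns the hosts that still need the update; a release missing from FIXED raises `KeyError`, because the advisory does not cover it.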
