News

Friday, October 14, 2011

ubuntu-security-announce Digest, Vol 85, Issue 7

Today's Topics:

1. [USN-1229-1] PostgreSQL vulnerability (Marc Deslauriers)
2. [USN-1230-1] Quassel vulnerability (Tyler Hicks)


----------------------------------------------------------------------

Message: 1
Date: Thu, 13 Oct 2011 09:24:02 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1229-1] PostgreSQL vulnerability
Message-ID: <1318512242.16204.2.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1229-1
October 13, 2011

postgresql-8.3, postgresql-8.4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

PostgreSQL incorrectly handled blowfish passwords.

Software Description:
- postgresql-8.4: Object-relational SQL database
- postgresql-8.3: Object-relational SQL database

Details:

It was discovered that the blowfish algorithm in the pgcrypto module
incorrectly handled certain 8-bit characters, resulting in the password
hashes being easier to crack than expected. An attacker who could obtain
the password hashes would be able to recover the plaintext with less
effort.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
postgresql-8.4 8.4.9-0ubuntu0.11.04

Ubuntu 10.10:
postgresql-8.4 8.4.9-0ubuntu0.10.10

Ubuntu 10.04 LTS:
postgresql-8.4 8.4.9-0ubuntu0.10.04

Ubuntu 8.04 LTS:
postgresql-8.3 8.3.16-0ubuntu0.8.04

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1229-1
CVE-2011-2483

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.9-0ubuntu0.11.04
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.9-0ubuntu0.10.10
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.9-0ubuntu0.10.04
https://launchpad.net/ubuntu/+source/postgresql-8.3/8.3.16-0ubuntu0.8.04


------------------------------

Message: 2
Date: Fri, 14 Oct 2011 01:20:52 -0500
From: Tyler Hicks <tyhicks@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1230-1] Quassel vulnerability
Message-ID: <20111014062052.GB11899@boyd>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1230-1
October 14, 2011

quassel vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

An unprivileged user could read files in the data and logging directories,
including an automatically generated SSL certificate, used by the quasselcore
daemon.

Software Description:
- quassel: KDE/Qt-based IRC client

Details:

Felix Geyer discovered that the quassel-core post installation script created
data and logging directories which were readable by all users. The post
installation script also generated a certificate, in the data directory, which
was readable by all users.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
quassel-core 0.7.2-0ubuntu2.3

Ubuntu 10.10:
quassel-core 0.7.1-0ubuntu1.2

Ubuntu 10.04 LTS:
quassel-core 0.6.1-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1230-1
https://launchpad.net/bugs/846922

Package Information:
https://launchpad.net/ubuntu/+source/quassel/0.7.2-0ubuntu2.3
https://launchpad.net/ubuntu/+source/quassel/0.7.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/quassel/0.6.1-0ubuntu1.3

------------------------------
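
Added example, not part of the notice or of the quassel packaging: a POSIX shell audit for the condition USN-1230-1 describes, service directories and a certificate that are readable by all users. The function names and the demo tree (directory and file names) are constructed for illustration; pass the real quasselcore data and logging directories to the functions.

```shell
#!/bin/sh
# Added example: find and remove "other" access on service directories.

# Print every path under the given directories whose mode grants the
# "other" class read (004), write (002) or execute/search (001).
audit_other_access() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# Number of paths reported by audit_other_access.
count_other_access() {
    audit_other_access "$@" | wc -l | tr -d ' '
}

# One way to close the exposure by hand: strip all "other" permissions.
lock_down() {
    for dir in "$@"; do
        if [ -d "$dir" ]; then chmod -R o-rwx "$dir"; fi
    done
}

# Constructed demo tree that mimics the world-readable layout from the
# notice; the names data, log and cert.pem are made up for this example.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/data" "$root/log"
    : > "$root/data/cert.pem"
    chmod 755 "$root/data" "$root/log"
    chmod 644 "$root/data/cert.pem"
    printf '%s\n' "$root"
}

demo=$(make_demo_tree)
echo "before: $(count_other_access "$demo/data" "$demo/log") path(s) open to other users"
audit_other_access "$demo/data" "$demo/log"
lock_down "$demo/data" "$demo/log"
echo "after:  $(count_other_access "$demo/data" "$demo/log") path(s) open to other users"
rm -rf "$demo"
```

A certificate that was world-readable before the update should be treated as disclosed; tightening the mode does not undo earlier reads.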

End of ubuntu-security-announce Digest, Vol 85, Issue 7
*******************************************************
