News

Loading...

Tuesday, February 28, 2012

ubuntu-security-announce Digest, Vol 89, Issue 17

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1375-1] httplib2 vulnerability (Marc Deslauriers)
2. [USN-1376-1] libxml2 vulnerability (Jamie Strandboge)
3. [USN-1377-1] Ruby vulnerabilities (Tyler Hicks)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Feb 2012 08:30:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1375-1] httplib2 vulnerability
Message-ID: <1330349444.10627.237.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1375-1
February 27, 2012

python-httplib2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

httplib2 could be made to expose sensitive information over the network.

Software Description:
- python-httplib2: comprehensive HTTP client library written for Python

Details:

The httplib2 Python library earlier than version 0.7.0 did not perform any
server certificate validation when using HTTPS connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to alter or compromise confidential information in
applications that used the httplib2 library.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
python-httplib2 0.7.2-1ubuntu2~0.11.10.1
python3-httplib2 0.7.2-1ubuntu2~0.11.10.1

Ubuntu 11.04:
python-httplib2 0.7.2-1ubuntu2~0.11.04.1
python3-httplib2 0.7.2-1ubuntu2~0.11.04.1

Ubuntu 10.10:
python-httplib2 0.7.2-1ubuntu2~0.10.10.1
python3-httplib2 0.7.2-1ubuntu2~0.10.10.1

Ubuntu 10.04 LTS:
python-httplib2 0.7.2-1ubuntu2~0.10.04.1

In general, a standard system update will make all the necessary changes.

This update uses a new upstream release, which includes additional bug
fixes.

References:
http://www.ubuntu.com/usn/usn-1375-1
https://launchpad.net/bugs/882030

Package Information:
https://launchpad.net/ubuntu/+source/python-httplib2/0.7.2-1ubuntu2~0.11.10.1
https://launchpad.net/ubuntu/+source/python-httplib2/0.7.2-1ubuntu2~0.11.04.1
https://launchpad.net/ubuntu/+source/python-httplib2/0.7.2-1ubuntu2~0.10.10.1
https://launchpad.net/ubuntu/+source/python-httplib2/0.7.2-1ubuntu2~0.10.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120227/9e0900f7/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 27 Feb 2012 17:50:08 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1376-1] libxml2 vulnerability
Message-ID: <1330386608.14588.33.camel@localhost>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1376-1
February 27, 2012

libxml2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

libxml2 could be made to cause a denial of service by consuming excessive
CPU resources.

Software Description:
- libxml2: GNOME XML library

Details:

Juraj Somorovsky discovered that libxml2 was vulnerable to hash table
collisions. If a user or application linked against libxml2 were tricked
into opening a specially crafted XML file, an attacker could cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libxml2 2.7.8.dfsg-4ubuntu0.2

Ubuntu 11.04:
libxml2 2.7.8.dfsg-2ubuntu0.3

Ubuntu 10.10:
libxml2 2.7.7.dfsg-4ubuntu0.4

Ubuntu 10.04 LTS:
libxml2 2.7.6.dfsg-1ubuntu1.4

Ubuntu 8.04 LTS:
libxml2 2.6.31.dfsg-2ubuntu1.8

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1376-1
CVE-2012-0841

Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-4ubuntu0.2
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-2ubuntu0.3
https://launchpad.net/ubuntu/+source/libxml2/2.7.7.dfsg-4ubuntu0.4
https://launchpad.net/ubuntu/+source/libxml2/2.7.6.dfsg-1ubuntu1.4
https://launchpad.net/ubuntu/+source/libxml2/2.6.31.dfsg-2ubuntu1.8


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120227/725cb38c/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 27 Feb 2012 21:36:12 -0600
From: Tyler Hicks <tyhicks@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1377-1] Ruby vulnerabilities
Message-ID: <20120228033611.GB4527@boyd>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1377-1
February 28, 2012

ruby1.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in ruby1.8.

Software Description:
- ruby1.8: Interpreter of object-oriented scripting language Ruby 1.8

Details:

Drew Yao discovered that the WEBrick HTTP server was vulnerable to cross-site
scripting attacks when displaying error pages. A remote attacker could use this
flaw to run arbitrary web script. (CVE-2010-0541)

Drew Yao discovered that Ruby's BigDecimal module did not properly allocate
memory on 64-bit platforms. An attacker could use this flaw to cause a denial
of service or possibly execute arbitrary code with user privileges.
(CVE-2011-0188)

Nicholas Jefferson discovered that the FileUtils.remove_entry_secure method in
Ruby did not properly remove non-empty directories. An attacker could use this
flaw to possibly delete arbitrary files. (CVE-2011-1004)

It was discovered that Ruby incorrectly allowed untainted strings to be
modified in protective safe levels. An attacker could use this flaw to bypass
intended access restrictions. (CVE-2011-1005)

Eric Wong discovered that Ruby does not properly reseed its pseudorandom number
generator when creating child processes. An attacker could use this flaw to
gain knowledge of the random numbers used in other Ruby child processes.
(CVE-2011-2686)

Eric Wong discovered that the SecureRandom module in Ruby did not properly seed
its pseudorandom number generator. An attacker could use this flaw to gain
knowledge of the random numbers used by another Ruby process with the same
process ID number. (CVE-2011-2705)

Alexander Klink and Julian W?lde discovered that Ruby computed hash values
without restricting the ability to trigger hash collisions predictably. A
remote attacker could cause a denial of service by crafting values used in hash
tables. (CVE-2011-4815)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libruby1.8 1.8.7.352-2ubuntu0.1
ruby1.8 1.8.7.352-2ubuntu0.1

Ubuntu 11.04:
libruby1.8 1.8.7.302-2ubuntu0.1
ruby1.8 1.8.7.302-2ubuntu0.1

Ubuntu 10.10:
libruby1.8 1.8.7.299-2ubuntu0.1
ruby1.8 1.8.7.299-2ubuntu0.1

Ubuntu 10.04 LTS:
libruby1.8 1.8.7.249-2ubuntu0.1
ruby1.8 1.8.7.249-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1377-1
CVE-2010-0541, CVE-2011-0188, CVE-2011-1004, CVE-2011-1005,
CVE-2011-2686, CVE-2011-2705, CVE-2011-4815

Package Information:
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.302-2ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.299-2ubuntu0.1
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.249-2ubuntu0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120227/d6d05004/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 89, Issue 17
********************************************************

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Blog Archive