News

Loading...

Wednesday, February 29, 2012

ubuntu-security-announce Digest, Vol 89, Issue 18

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1378-1] PostgreSQL vulnerabilities (Marc Deslauriers)
2. [USN-1379-1] Linux kernel vulnerabilities (John Johansen)
3. [USN-1380-1] Linux kernel vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 Feb 2012 12:03:48 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1378-1] PostgreSQL vulnerabilities
Message-ID: <1330448628.13979.10.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1378-1
February 28, 2012

postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-9.1: Object-relational SQL database
- postgresql-8.4: Object-relational SQL database
- postgresql-8.3: Object-relational SQL database

Details:

It was discovered that PostgreSQL incorrectly checked permissions on
functions called by a trigger. An attacker could attach a trigger to a
table they owned and possibly escalate privileges. (CVE-2012-0866)

It was discovered that PostgreSQL incorrectly truncated SSL certificate
name checks to 32 characters. If a host name was exactly 32 characters,
this issue could be exploited by an attacker to spoof the SSL certificate.
This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and
Ubuntu 11.10. (CVE-2012-0867)

It was discovered that the PostgreSQL pg_dump utility incorrectly filtered
line breaks in object names. An attacker could create object names that
execute arbitrary SQL commands when a dump script is reloaded.
(CVE-2012-0868)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
postgresql-9.1 9.1.3-0ubuntu0.11.10

Ubuntu 11.04:
postgresql-8.4 8.4.11-0ubuntu0.11.04

Ubuntu 10.10:
postgresql-8.4 8.4.11-0ubuntu0.10.10

Ubuntu 10.04 LTS:
postgresql-8.4 8.4.11-0ubuntu0.10.04

Ubuntu 8.04 LTS:
postgresql-8.3 8.3.18-0ubuntu0.8.04

In general, a standard system update will make all the necessary changes.

This update uses a new upstream release, which includes additional bug
fixes.

References:
http://www.ubuntu.com/usn/usn-1378-1
CVE-2012-0866, CVE-2012-0867, CVE-2012-0868

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.3-0ubuntu0.11.10
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.11-0ubuntu0.11.04
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.11-0ubuntu0.10.10
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.11-0ubuntu0.10.04
https://launchpad.net/ubuntu/+source/postgresql-8.3/8.3.18-0ubuntu0.8.04


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120228/89f6b5dd/attachment-0001.pgp>

------------------------------

Message: 2
Date: Tue, 28 Feb 2012 15:54:06 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1379-1] Linux kernel vulnerabilities
Message-ID: <4F4D691E.8000205@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1379-1
February 28, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Aristide Fattori and Roberto Paleari reported a flaw in the Linux kernel's
handling of IPv4 icmp packets. A remote user could exploit this to cause a
denial of service. (CVE-2011-1927)

A flaw was found in the Linux Ethernet bridge's handling of IGMP (Internet
Group Management Protocol) packets. An unprivileged local user could
exploit this flaw to crash the system. (CVE-2011-0716)

A flaw was discovered in the Linux kernel's AppArmor security interface
when invalid information was written to it. An unprivileged local user
could use this to cause a denial of service on the system. (CVE-2011-3619)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
linux-image-2.6.35-32-generic 2.6.35-32.66
linux-image-2.6.35-32-generic-pae 2.6.35-32.66
linux-image-2.6.35-32-omap 2.6.35-32.66
linux-image-2.6.35-32-powerpc 2.6.35-32.66
linux-image-2.6.35-32-powerpc-smp 2.6.35-32.66
linux-image-2.6.35-32-powerpc64-smp 2.6.35-32.66
linux-image-2.6.35-32-server 2.6.35-32.66
linux-image-2.6.35-32-versatile 2.6.35-32.66
linux-image-2.6.35-32-virtual 2.6.35-32.66

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1379-1
CVE-2011-0716, CVE-2011-1927, CVE-2011-3619

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.35-32.66

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120228/39aa97f6/attachment-0001.pgp>

------------------------------

Message: 3
Date: Tue, 28 Feb 2012 17:30:21 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1380-1] Linux kernel vulnerabilities
Message-ID: <4F4D7FAD.2020407@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1380-1
February 29, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

The linux kernel did not properly account for PTE pages when deciding which
task to kill in out of memory conditions. A local, unprivileged could
exploit this flaw to cause a denial of service. (CVE-2011-2498)

A flaw was discovered in the TOMOYO LSM's handling of mount system calls.
An unprivileged user could oops the system causing a denial of service.
(CVE-2011-2518)

A bug was discovered in the Linux kernel's calculation of OOM (Out of
memory) scores, that would result in the wrong process being killed. A user
could use this to kill the process with the highest OOM score, even if that
process belongs to another user or the system. (CVE-2011-4097)

A flaw was found in the linux kernels IPv4 IGMP query processing. A remote
attacker could exploit this to cause a denial of service. (CVE-2012-0207)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
linux-image-2.6.38-13-generic 2.6.38-13.56
linux-image-2.6.38-13-generic-pae 2.6.38-13.56
linux-image-2.6.38-13-omap 2.6.38-13.56
linux-image-2.6.38-13-powerpc 2.6.38-13.56
linux-image-2.6.38-13-powerpc-smp 2.6.38-13.56
linux-image-2.6.38-13-powerpc64-smp 2.6.38-13.56
linux-image-2.6.38-13-server 2.6.38-13.56
linux-image-2.6.38-13-versatile 2.6.38-13.56
linux-image-2.6.38-13-virtual 2.6.38-13.56

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1380-1
CVE-2011-2498, CVE-2011-2518, CVE-2011-4097, CVE-2012-0207

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.38-13.56

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120228/c5764e83/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 89, Issue 18
********************************************************

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Blog Archive