Friday, March 30, 2012

ubuntu-security-announce Digest, Vol 90, Issue 18


Today's Topics:

1. [USN-1412-1] Linux kernel vulnerability (Marc Deslauriers)
2. [USN-1413-1] Nova vulnerability (Tyler Hicks)
3. [USN-1197-8] ca-certificates-java regression (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Mar 2012 11:41:18 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1412-1] Linux kernel vulnerability
Message-ID: <1333035678.22890.5.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1412-1
March 29, 2012

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Somnath Kotur discovered an error in the Linux kernel's VLAN (virtual LAN)
and be2net drivers. An attacker on the local network could exploit this
flaw to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
linux-image-3.0.0-17-generic 3.0.0-17.30
linux-image-3.0.0-17-generic-pae 3.0.0-17.30
linux-image-3.0.0-17-omap 3.0.0-17.30
linux-image-3.0.0-17-powerpc 3.0.0-17.30
linux-image-3.0.0-17-powerpc-smp 3.0.0-17.30
linux-image-3.0.0-17-powerpc64-smp 3.0.0-17.30
linux-image-3.0.0-17-server 3.0.0-17.30
linux-image-3.0.0-17-virtual 3.0.0-17.30

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1412-1
CVE-2011-3347

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.0.0-17.30


------------------------------

Message: 2
Date: Thu, 29 Mar 2012 11:19:03 -0500
From: Tyler Hicks <tyhicks@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1413-1] Nova vulnerability
Message-ID: <20120329161855.GA9711@boyd>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1413-1
March 29, 2012

nova vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10

Summary:

Nova log files could be made to exhaust storage resources.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Dan Prince discovered that Nova did not properly perform input validation on
the length of server names. An authenticated attacker could issue requests
using long server names to exhaust the storage resources containing the Nova
API log file.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1413-1
CVE-2012-1585

Package Information:
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.5

------------------------------

Message: 3
Date: Thu, 29 Mar 2012 13:16:46 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1197-8] ca-certificates-java regression
Message-ID: <1333041406.22890.14.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1197-8
March 29, 2012

ca-certificates-java regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10

Summary:

USN-1197-7 introduced a regression in ca-certificates-java.

Software Description:
- ca-certificates-java: Common CA certificates (JKS keystore)

Details:

USN-1197-7 fixed a vulnerability in ca-certificates-java. The new package
broke upgrades from Ubuntu 11.04 to Ubuntu 11.10. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Dutch Certificate Authority DigiNotar had
mis-issued multiple fraudulent certificates. These certificates could allow
an attacker to perform a "man in the middle" (MITM) attack which would make
the user believe their connection is secure, but is actually being
monitored.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
ca-certificates-java 20110912ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1197-8
http://www.ubuntu.com/usn/usn-1197-1
https://launchpad.net/bugs/967961

Package Information:
https://launchpad.net/ubuntu/+source/ca-certificates-java/20110912ubuntu3.2


------------------------------
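
Added example (not part of the digest or of any Ubuntu tooling): a check of installed package versions against the fixed versions named in the three notices above. The comparison is a Python port of dpkg's version ordering (epoch, upstream, revision); the function names and the `SAMPLE` inventory are assumptions made for illustration, and on a real host `dpkg --compare-versions` performs the same comparison.

```python
import re
# Fixed versions for Ubuntu 11.10, copied from the three notices above.
FIXED = {
    "linux-image-3.0.0-17-generic": "3.0.0-17.30",
    "python-nova": "2011.3-0ubuntu6.5",
    "ca-certificates-java": "20110912ubuntu3.2",
}

def _order(ch):
    # '~' sorts before everything, then end/digit, then letters, then the rest.
    if ch == "" or ch.isdigit():
        return 0
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs; digit runs as integers.
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch is 0, a missing revision "".
    epoch, sep, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(x, y):
    """Negative, zero or positive as x is older than, equal to or newer than y."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def audit(installed):
    """Map each package in FIXED to 'ok', 'outdated' or 'not installed'."""
    return {pkg: "not installed" if pkg not in installed
            else "ok" if compare_versions(installed[pkg], fixed) >= 0
            else "outdated" for pkg, fixed in FIXED.items()}

# Constructed sample of installed versions (not taken from a real host).
SAMPLE = {"linux-image-3.0.0-17-generic": "3.0.0-17.30",
          "python-nova": "2011.3-0ubuntu6.4"}
```

Because the kernel fix ships under a new ABI package name, a "not installed" result for the `linux-image-3.0.0-17-*` package on a host running an earlier 3.0.0 kernel means the update has not been pulled in yet.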
