Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1443-1] Update Manager vulnerabilities (Marc Deslauriers)
2. [USN-1444-1] BackupPC vulnerability (Jamie Strandboge)
3. [USN-1445-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1445-1] Linux kernel vulnerabilities (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 17 May 2012 14:51:39 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1443-1] Update Manager vulnerabilities
Message-ID: <1337280699.20410.136.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1443-1
May 17, 2012
update-manager vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
Summary:
Update Manager could expose sensitive information in certain circumstances.
Software Description:
- update-manager: GNOME application that manages apt updates
Details:
It was discovered that Update Manager created system state archive files
with incorrect permissions when upgrading releases. A local user could
possibly use this to read repository credentials. (CVE-2012-0948)
Felix Geyer discovered that the Update Manager Apport hook incorrectly
uploaded certain system state archive files to Launchpad when reporting
bugs. This could possibly result in repository credentials being included
in public bug reports. (CVE-2012-0949)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
update-manager-core 1:0.156.14.4
Ubuntu 11.10:
update-manager-core 1:0.152.25.11
Ubuntu 11.04:
update-manager-core 1:0.150.5.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1443-1
CVE-2012-0948, CVE-2012-0949
Package Information:
https://launchpad.net/ubuntu/+source/update-manager/1:0.156.14.4
https://launchpad.net/ubuntu/+source/update-manager/1:0.152.25.11
https://launchpad.net/ubuntu/+source/update-manager/1:0.150.5.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/78d77bda/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 17 May 2012 17:48:11 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1444-1] BackupPC vulnerability
Message-ID: <1337294891.12413.38.camel@localhost>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1444-1
May 17, 2012
backuppc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
BackupPC could be made to expose sensitive information over the network.
Software Description:
- backuppc: high-performance, enterprise-grade system for backing up PCs
Details:
It was discovered that BackupPC did not properly sanitize its input when
processing RestoreFile error messages, resulting in a cross-site
scripting (XSS) vulnerability. With cross-site scripting vulnerabilities,
if a user were tricked into viewing server output during a crafted server
request, a remote attacker could exploit this to modify the contents, or
steal confidential data, within the same domain.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
backuppc 3.2.1-2ubuntu1.1
Ubuntu 11.10:
backuppc 3.2.1-1ubuntu1.2
Ubuntu 11.04:
backuppc 3.2.0-3ubuntu4.3
Ubuntu 10.04 LTS:
backuppc 3.1.0-9ubuntu1.3
Ubuntu 8.04 LTS:
backuppc 3.0.0-4ubuntu1.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1444-1
CVE-2011-5081
Package Information:
https://launchpad.net/ubuntu/+source/backuppc/3.2.1-2ubuntu1.1
https://launchpad.net/ubuntu/+source/backuppc/3.2.1-1ubuntu1.2
https://launchpad.net/ubuntu/+source/backuppc/3.2.0-3ubuntu4.3
https://launchpad.net/ubuntu/+source/backuppc/3.1.0-9ubuntu1.3
https://launchpad.net/ubuntu/+source/backuppc/3.0.0-4ubuntu1.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/1b731576/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 17 May 2012 17:38:04 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1445-1] Linux kernel vulnerabilities
Message-ID: <4FB599EC.4070801@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1445-1
May 18, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
A flaw was found in the Linux's kernels ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)
Steve Grubb reported a flaw with Linux fscaps (file system base
capabilities) when used to increase the permissions of a process. For
application on which fscaps are in use a local attacker can disable address
space randomization to make attacking the process with raised privileges
easier. (CVE-2012-2123)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-41-386 2.6.32-41.89
linux-image-2.6.32-41-generic 2.6.32-41.89
linux-image-2.6.32-41-generic-pae 2.6.32-41.89
linux-image-2.6.32-41-ia64 2.6.32-41.89
linux-image-2.6.32-41-lpia 2.6.32-41.89
linux-image-2.6.32-41-powerpc 2.6.32-41.89
linux-image-2.6.32-41-powerpc-smp 2.6.32-41.89
linux-image-2.6.32-41-powerpc64-smp 2.6.32-41.89
linux-image-2.6.32-41-preempt 2.6.32-41.89
linux-image-2.6.32-41-server 2.6.32-41.89
linux-image-2.6.32-41-sparc64 2.6.32-41.89
linux-image-2.6.32-41-sparc64-smp 2.6.32-41.89
linux-image-2.6.32-41-versatile 2.6.32-41.89
linux-image-2.6.32-41-virtual 2.6.32-41.89
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1445-1
CVE-2011-4086, CVE-2012-1601, CVE-2012-2123
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/ec73720e/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 17 May 2012 18:32:48 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1445-1] Linux kernel vulnerabilities
Message-ID: <4FB5A6C0.7030303@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1445-1
May 18, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
A flaw was found in the Linux's kernels ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)
Steve Grubb reported a flaw with Linux fscaps (file system base
capabilities) when used to increase the permissions of a process. For
application on which fscaps are in use a local attacker can disable address
space randomization to make attacking the process with raised privileges
easier. (CVE-2012-2123)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-41-386 2.6.32-41.89
linux-image-2.6.32-41-generic 2.6.32-41.89
linux-image-2.6.32-41-generic-pae 2.6.32-41.89
linux-image-2.6.32-41-ia64 2.6.32-41.89
linux-image-2.6.32-41-lpia 2.6.32-41.89
linux-image-2.6.32-41-powerpc 2.6.32-41.89
linux-image-2.6.32-41-powerpc-smp 2.6.32-41.89
linux-image-2.6.32-41-powerpc64-smp 2.6.32-41.89
linux-image-2.6.32-41-preempt 2.6.32-41.89
linux-image-2.6.32-41-server 2.6.32-41.89
linux-image-2.6.32-41-sparc64 2.6.32-41.89
linux-image-2.6.32-41-sparc64-smp 2.6.32-41.89
linux-image-2.6.32-41-versatile 2.6.32-41.89
linux-image-2.6.32-41-virtual 2.6.32-41.89
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1445-1
CVE-2011-4086, CVE-2012-1601, CVE-2012-2123
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/eea99c4e/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 92, Issue 9
*******************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2012
(533)
-
▼
May
(89)
- The impending fall of RIM
- E3 2012 preview
- ThinkPad X230: Top ultraportable for business
- Behind the 'Flame' malware spying on Mideast compu...
- Google Analytics - Reminder, advertise on Google w...
- LG spills more beans on OLED TV
- Chromebox: Worth the $330 risk?
- Sharp 60-inch AQUOS 3-D WiFi TV $1400, Callaway Di...
- ubuntu-security-announce Digest, Vol 92, Issue 15
- CNET's Top 5 Top 5 tech videos
- Seagate Barracuda 2TB HD $100, ZAGG Mobile Accesso...
- ubuntu-security-announce Digest, Vol 92, Issue 14
- Visually splashy Google+ for Android catches up to...
- Brian Cooley takes us inside VW tech
- Global Galaxy S 3: Ferrari of Android
- HP Core i7 16-inch Blu-ray Laptop $750, HP 27-inch...
- ubuntu-security-announce Digest, Vol 92, Issue 13
- Diablo III; when will the new consoles arrive?
- Samsung Galaxy S III fever keeps rising
- Yahoo browser is good, no kidding
- Proposed NY ban on anonymous posts comes under fire
- ubuntu-security-announce Digest, Vol 92, Issue 12
- Is this the best LCD of 2012?
- Best Android 4.0 phones you can buy
- You have been selected in scammed victims compensa...
- Frigidaire Stainless Steel 4-Appliance Bundle $200...
- ubuntu-security-announce Digest, Vol 92, Issue 11
- Weirdly, speakers in a bag are cool
- ubuntu-security-announce Digest, Vol 92, Issue 10
- Sony's two new entry-level ILCs
- VW's ace in the quest for domination? Tech
- FBI 'looking at' law making Web sites wiretap-read...
- Wenger SwissGear Laptop Backpack $45, Patio Furnit...
- Nasdaq hitch mars Facebook's big day
- Aston Martin Vantage V8 lets James Bond down
- Facebook shares jump, fall, and rise again
- Abercrombie & Fitch up to 50%-off Short Sale, J. C...
- ubuntu-security-announce Digest, Vol 92, Issue 9
- Max Payne 3 reviewed; The 404 interviews "Indie Ga...
- Verizon kills unlimited data, expands its 4G LTE
- Sony's new all-around Alpha
- Flashback makers missed out on their payday, Syman...
- ubuntu-security-announce Digest, Vol 92, Issue 8
- Readers pick their favorite home theater and audio...
- Gadgets for new graduates
- Szul Emeral Jewelry Sale Up to 89%-off, Neiman Mar...
- ubuntu-security-announce Digest, Vol 92, Issue 7
- World's lightest 14-incher?
- Canon 5D Mark III: full-frame powerhouse
- Ouch, the new Samsung tablet is worse
- Adobe users must pay for security upgrades
- Refurb LG 47-inch 3D "Connected" HDTV $700, Refurb...
- i need a business partner from Asia
- I have an investment plan
- Nokia launches Reading app for Lumia smartphone users
- Toyota unveils RAV4 electric SUV
- Tablets so thin they're barely there
- Seiko Pulsar Chronograph Watch $55, Home Depot 10%...
- Black Ops 2, Max Payne 3 launch trailers
- CTIA 2012 hits the ground running
- HTC Evo 4G LTE: Stunning, not 4G
- Democrats to employers: Stop asking for Facebook p...
- Apple HDTV: The rumor that refuses to die
- Best graduation gifts under $500
- 60-inch Sharp AQUOS Quattron $1649, North Face, Pa...
- Siri, is this really Apple's HDTV?
- ubuntu-security-announce Digest, Vol 92, Issue 6
- New malware strain locks up computers unless ranso...
- The future of cell phones
- ASUS Core i3 14-inch Laptop $330, Old Navy Shoe Sa...
- i need a business partner
- ubuntu-security-announce Digest, Vol 92, Issue 5
- Yahoo tells Facebook of 16 more patents it could l...
- The hybrid premium
- Galaxy S III vs. the competition
- Dell Inspiron 15 Core i3 $379, Levi's Up to 85%-of...
- ubuntu-security-announce Digest, Vol 92, Issue 4
- The Walking Dead video game; $99 Xbox 360?
- RIM overhauls its OS with BlackBerry 10
- Best smartphones for under $100
- U.K.'s SOCA Web site targeted in DDoS attack
- ubuntu-security-announce Digest, Vol 92, Issue 3
- Panasonic's good for plasma, but LCD?
- Spotify releases its iPad app
- Keurig B130 w 18-pack K-cups $60, Husky 252-Piece ...
- ubuntu-security-announce Digest, Vol 92, Issue 2
- Big Jambox: Yes, size matters
- ubuntu-security-announce Digest, Vol 92, Issue 1
- Google Analytics Product Update: Social Measuremen...
-
▼
May
(89)
No comments:
Post a Comment