Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1465-2] Ubuntu One storage protocol update (Marc Deslauriers)
2. [USN-1465-1] Ubuntu One Client vulnerability (Marc Deslauriers)
3. [USN-1464-1] Ubuntu Single Sign On Client vulnerability
(Marc Deslauriers)
4. [USN-1463-1] Firefox vulnerabilities (Micah Gersten)
5. [USN-1465-3] Ubuntu One Client regression (Jamie Strandboge)
6. [USN-1466-1] Nova vulnerability (Steve Beattie)
----------------------------------------------------------------------
Message: 1
Date: Wed, 06 Jun 2012 09:50:30 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1465-2] Ubuntu One storage protocol update
Message-ID: <1338990630.29605.139.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1465-2
June 06, 2012
ubuntuone-storage-protocol update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.
Software Description:
- ubuntuone-storage-protocol: Python library for Ubuntu One file storage and sharing service
Details:
USN-1465-1 fixed a vulnerability in the Ubuntu One Client. This update adds
a required fix to the Ubuntu One storage protocol library.
Original advisory details:
It was discovered that the Ubuntu One Client incorrectly validated server
certificates when using HTTPS connections. If a remote attacker were able
to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise confidential information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
python-ubuntuone-storageprotocol 3.0.0-0ubuntu1.1
Ubuntu 11.10:
python-ubuntuone-storageprotocol 2.0.1-0ubuntu1.1
Ubuntu 11.04:
python-ubuntuone-storageprotocol 1.6.1-0ubuntu1.2
Ubuntu 10.04 LTS:
python-ubuntuone-storageprotocol 1.2.0-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1465-2
http://www.ubuntu.com/usn/usn-1465-1
CVE-2011-4409
Package Information:
https://launchpad.net/ubuntu/+source/ubuntuone-storage-protocol/3.0.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ubuntuone-storage-protocol/2.0.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ubuntuone-storage-protocol/1.6.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/ubuntuone-storage-protocol/1.2.0-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/bf71a788/attachment-0001.pgp>
------------------------------
Message: 2
Date: Wed, 06 Jun 2012 09:50:07 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1465-1] Ubuntu One Client vulnerability
Message-ID: <1338990607.29605.138.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1465-1
June 06, 2012
ubuntuone-client vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.
Software Description:
- ubuntuone-client: Ubuntu One client
Details:
It was discovered that the Ubuntu One Client incorrectly validated server
certificates when using HTTPS connections. If a remote attacker were able
to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise confidential information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
python-ubuntuone-client 3.0.0-0ubuntu1.1
Ubuntu 11.10:
python-ubuntuone-client 2.0.1-0ubuntu1.1
Ubuntu 11.04:
python-ubuntuone-client 1.6.2-0ubuntu2.1
Ubuntu 10.04 LTS:
python-ubuntuone-client 1.2.2-0ubuntu2.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1465-1
CVE-2011-4409
Package Information:
https://launchpad.net/ubuntu/+source/ubuntuone-client/3.0.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ubuntuone-client/2.0.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ubuntuone-client/1.6.2-0ubuntu2.1
https://launchpad.net/ubuntu/+source/ubuntuone-client/1.2.2-0ubuntu2.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/c82c0487/attachment-0001.pgp>
------------------------------
Message: 3
Date: Wed, 06 Jun 2012 09:49:36 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1464-1] Ubuntu Single Sign On Client vulnerability
Message-ID: <1338990576.29605.137.camel@mdlinux>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1464-1
June 06, 2012
ubuntu-sso-client vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.
Software Description:
- ubuntu-sso-client: Ubuntu Single Sign-On client
Details:
It was discovered that the Ubuntu Single Sign On Client incorrectly
validated server certificates when using HTTPS connections. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
be exploited to alter or compromise confidential information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
ubuntu-sso-client 1.4.1-0ubuntu1.1
Ubuntu 11.04:
ubuntu-sso-client 1.2.1-0ubuntu2.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1464-1
CVE-2011-4408
Package Information:
https://launchpad.net/ubuntu/+source/ubuntu-sso-client/1.4.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ubuntu-sso-client/1.2.1-0ubuntu2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/d6517cab/attachment-0001.pgp>
------------------------------
Message: 4
Date: Wed, 06 Jun 2012 11:35:21 -0500
From: Micah Gersten <micah@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1463-1] Firefox vulnerabilities
Message-ID: <4FCF86C9.5070105@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1463-1
June 06, 2012
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew
McCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory
safety issues affecting Firefox. If the user were tricked into opening a
specially crafted page, an attacker could possibly exploit these to cause a
denial of service via application crash, or potentially execute code with
the privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)
It was discovered that Mozilla's WebGL implementation exposed a bug in
certain NVIDIA graphics drivers. The impact of this issue has not been
disclosed at this time. (CVE-2011-3101)
Adam Barth discovered that certain inline event handlers were not being
blocked properly by the Content Security Policy's (CSP) inline-script
blocking feature. Web applications relying on this feature of CSP to
protect against cross-site scripting (XSS) were not fully protected. With
cross-site scripting vulnerabilities, if a user were tricked into viewing a
specially crafted page, a remote attacker could exploit this to modify the
contents, or steal confidential data, within the same domain.
(CVE-2012-1944)
Paul Stone discovered that a viewed HTML page hosted on a Windows or Samba
share could load Windows shortcut files (.lnk) in the same share. These
shortcut files could then link to arbitrary locations on the local file
system of the individual loading the HTML page. An attacker could
potentially use this vulnerability to show the contents of these linked
files or directories in an iframe, resulting in information disclosure.
(CVE-2012-1945)
Arthur Gerkis discovered a use-after-free vulnerability while
replacing/inserting a node in a document. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this
to cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-1946)
Kaspar Brand discovered a vulnerability in how the Network Security
Services (NSS) ASN.1 decoder handles zero length items. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash.
(CVE-2012-0441)
Abhishek Arya discovered two buffer overflow and one use-after-free
vulnerabilities. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
firefox 13.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 13.0+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
firefox 13.0+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
firefox 13.0+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1463-1
CVE-2011-3101, CVE-2012-0441, CVE-2012-1937, CVE-2012-1938,
CVE-2012-1940, CVE-2012-1941, CVE-2012-1944, CVE-2012-1945,
CVE-2012-1946, CVE-2012-1947, https://launchpad.net/bugs/1007495
Package Information:
https://launchpad.net/ubuntu/+source/firefox/13.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/13.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/13.0+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/13.0+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/01798db6/attachment-0001.pgp>
------------------------------
Message: 5
Date: Wed, 06 Jun 2012 15:18:05 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1465-3] Ubuntu One Client regression
Message-ID: <1339013885.12453.0.camel@localhost>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1465-3
June 06, 2012
ubuntuone-client regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.
Software Description:
- ubuntuone-client: Ubuntu One client
Details:
USN-1465-1 fixed vulnerabilities in Ubuntu One Client. The update failed to
install on certain Ubuntu 10.04 LTS systems that had a legacy Python 2.5
package installed. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the Ubuntu One Client incorrectly validated server
certificates when using HTTPS connections. If a remote attacker were able
to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise confidential information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
python-ubuntuone-client 1.2.2-0ubuntu2.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1465-3
http://www.ubuntu.com/usn/usn-1465-1
CVE-2011-4409
Package Information:
https://launchpad.net/ubuntu/+source/ubuntuone-client/1.2.2-0ubuntu2.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/f3474c95/attachment-0001.pgp>
------------------------------
Message: 6
Date: Wed, 6 Jun 2012 13:50:55 -0700
From: Steve Beattie <sbeattie@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1466-1] Nova vulnerability
Message-ID: <20120606205055.GB8667@nxnw.org>
Content-Type: text/plain; charset="us-ascii"
==========================================================================
Ubuntu Security Notice USN-1466-1
June 06, 2012
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova could be prevented from applying security group policy.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
It was discovered that, when defining security groups in Nova using
the EC2 or OS APIs, specifying the network protocol (e.g. 'TCP') in
the incorrect case would cause the security group to not be applied
correctly. An attacker could use this to bypass Nova security group
restrictions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
python-nova 2012.1-0ubuntu2.2
Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.7
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1466-1
CVE-2012-2654
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.1-0ubuntu2.2
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120606/68ec39d7/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 93, Issue 4
*******************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2012
(533)
-
▼
June
(88)
- ubuntu-security-announce Digest, Vol 93, Issue 19
- Verdict on Google Nexus 7 tablet
- ubuntu-security-announce Digest, Vol 93, Issue 18
- Nikon J1 Camera + Apple iPad 16GB Bundle $899, Kli...
- ubuntu-security-announce Digest, Vol 93, Issue 17
- Latest hacker dump looks like Comcast, AT&T data
- Chrome comes to iPad, iPhone
- New Android OS and tablet at Google I/O
- ubuntu-security-announce Digest, Vol 93, Issue 16
- Confirmation: Your ZDNet newsletter selections
- Panasonic ST50 crowned CNET's new Editors' Choice
- Hands on with the Google Nexus 7
- The Strands of Your Identity Web
- HP AMD QUAD 17.3-inch LED Laptop $430, Alpine Swis...
- ubuntu-security-announce Digest, Vol 93, Issue 15
- What's next for Android?
- More tough cams
- Those sneaky teens: What they're really up to online
- The best Android tablet display yet
- Asus X Core i3 16-inch Laptop $400, Nikon D7000 Bu...
- Apply for an Honorary Bachelors, Masters, or Docto...
- Facebook hires former Apple design manager
- Tesla Model S for the win
- Air vs. Pro: Which 13-inch MacBook?
- Dell Inspiron 14z Core i5 $530, Scratch and Dent i...
- ubuntu-security-announce Digest, Vol 93, Issue 14
- New Xbox on track for 2013?
- A big week for Microsoft
- How to browse sensitive subjects without being tra...
- ubuntu-security-announce Digest, Vol 93, Issue 13
- Will people care about a universal Smart TV interf...
- Microsoft unveils Windows Phone 8
- pls revert
- Samsung 50-inch LED TV $830, Samsung 46-inch 3D TV...
- ubuntu-security-announce Digest, Vol 93, Issue 12
- Meet Microsoft's Surface tablet
- ubuntu-security-announce Digest, Vol 93, Issue 11
- The toughest act to follow
- TechEd 2012: Windows 8 and MBAM 2.0 Bring Enhanced...
- Join us for Microsoft's mystery event
- business partner needed
- Samsung 60-inch 3D Plasma and Blu-ray Player / Gla...
- ubuntu-security-announce Digest, Vol 93, Issue 10
- SEC spooked by Facebook's pre-IPO mobile numbers
- Hype-busting Apple Maps
- Verdict on the 2012 Chevy Volt
- Home Depot Father's Day Sale Up to 50% off, HP dv6...
- ubuntu-security-announce Digest, Vol 93, Issue 9
- E3 2012 wrap-up; why you shouldn't preoorder games
- Apple's WWDC touts new iOS 6 features
- Is the iPhone fragmented?
- AVG spreads its mobile shield
- ubuntu-security-announce Digest, Vol 93, Issue 8
- CNET review: Retina MacBook Pro is king
- Samsung wins accidental burn-in test
- New 15-inch Retina MacBook Pro with Core i7, Apple...
- ubuntu-security-announce Digest, Vol 93, Issue 7
- ubuntu-security-announce Digest, Vol 93, Issue 6
- What iOS 6 hints about iPhone 5
- ubuntu-security-announce Digest, Vol 93, Issue 5
- Topsy-turvy: Entry dSLRs and advanced compacts
- The big news from WWDC
- What the password leaks mean to you (FAQ)
- Element 50-inch LCD TV w/JBL Soundbar $500, Kennet...
- Security tweaks, PDFs herald new Firefox builds
- Google doubles down on 3D in Earth
- Canon T4i: It's all about the video
- Panda Pal High-Powered Mini Speaker $17, Dell Insp...
- World's first 13-inch tablet
- Windows Phone's presence steadily grows
- LinkedIn updates apps in response to privacy concerns
- Panasonic VT50 is the company's best TV. Ever.
- ubuntu-security-announce Digest, Vol 93, Issue 4
- Getting to know the Wii U
- ubuntu-security-announce Digest, Vol 93, Issue 3
- Google Analytics Product Update: Content Experimen...
- Five unanswered questions about Nintendo's Wii U
- ubuntu-security-announce Digest, Vol 93, Issue 2
- Xbox throws down gauntlet to Apple TV (and Wii U)
- Sony HX9V vs. HX30V: Which camera should you buy?
- Microsoft ticks off advertisers with IE10 'Do Not ...
- Dell XPS 14z Core i5 $750, Hampton Bay 52-inch Cei...
- Novell Client 2 SP2 for Windows (IR3) released
- Microsoft ticks off advertisers with IE10 'Do Not ...
- Open season for convertibles
- Windows 8 Release Preview hands-on
- Dell Core i7 16-inch Laptop + Xbox 360 for Student...
- ubuntu-security-announce Digest, Vol 93, Issue 1
-
▼
June
(88)
No comments:
Post a Comment