ubuntu-security-announce Digest, Vol 95, Issue 13

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1544-1] ImageMagick vulnerability (Jamie Strandboge)
2. [USN-1545-1] Nova vulnerability (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Wed, 22 Aug 2012 10:24:54 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1544-1] ImageMagick vulnerability
Message-ID: <1345649094.12519.7.camel@localhost>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1544-1
August 22, 2012

imagemagick vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

ImageMagick could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

Tom Lane discovered that ImageMagick would not always properly allocate
memory. If a user or automated system using ImageMagick were tricked into
opening a specially crafted PNG image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
imagemagick 8:6.6.9.7-5ubuntu3.2
libmagick++4 8:6.6.9.7-5ubuntu3.2

Ubuntu 11.10:
imagemagick 8:6.6.0.4-3ubuntu1.2
libmagick++3 8:6.6.0.4-3ubuntu1.2

Ubuntu 11.04:
imagemagick 7:6.6.2.6-1ubuntu4.2
libmagick++3 7:6.6.2.6-1ubuntu4.2

Ubuntu 10.04 LTS:
imagemagick 7:6.5.7.8-1ubuntu1.3
libmagick++2 7:6.5.7.8-1ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1544-1
CVE-2012-3437

Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.0.4-3ubuntu1.2
https://launchpad.net/ubuntu/+source/imagemagick/7:6.6.2.6-1ubuntu4.2
https://launchpad.net/ubuntu/+source/imagemagick/7:6.5.7.8-1ubuntu1.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120822/a5632c78/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 22 Aug 2012 14:20:39 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1545-1] Nova vulnerability
Message-ID: <1345663239.3151.0.camel@localhost>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1545-1
August 22, 2012

nova vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Nova could be made to overwrite or corrupt arbitrary files in the compute
host file system.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Padraig Brady discovered that the fix for CVE-2012-3361 was incomplete and
an authenticated user could still corrupt arbitrary files on the host
running Nova. A remote attacker could use this to cause a denial of service
or possibly gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
python-nova 2012.1+stable~20120612-3ee026e-0ubuntu1.3

Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.10

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1545-1
CVE-2012-3447

Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.1+stable~20120612-3ee026e-0ubuntu1.3
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.10


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120822/8375f9c4/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 95, Issue 13
********************************************************