Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1604-1] MoinMoin vulnerabilities (Marc Deslauriers)
2. [USN-1605-1] Quagga vulnerability (Marc Deslauriers)
3. [USN-1606-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1607-1] Linux kernel vulnerabilities (John Johansen)
5. [USN-1608-1] Firefox vulnerabilities (Micah Gersten)
6. [USN-1609-1] Linux kernel (OMAP4) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 11 Oct 2012 08:29:45 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1604-1] MoinMoin vulnerabilities
Message-ID: <5076BBB9.4030205@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1604-1
October 11, 2012
moin vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in MoinMoin.
Software Description:
- moin: Collaborative hypertext environment
Details:
It was discovered that MoinMoin did not properly sanitize certain input,
resulting in a cross-site scripting (XSS) vulnerability. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain. (CVE-2011-1058)
It was discovered that MoinMoin incorrectly handled group names that
contain virtual group names such as "All", "Known" or "Trusted". This could
result in a remote user having incorrect permissions. (CVE-2012-4404)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
python-moinmoin 1.9.3-1ubuntu2.1
Ubuntu 11.10:
python-moinmoin 1.9.3-1ubuntu1.11.10.1
Ubuntu 11.04:
python-moinmoin 1.9.3-1ubuntu1.11.04.1
Ubuntu 10.04 LTS:
python-moinmoin 1.9.2-2ubuntu3.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1604-1
CVE-2011-1058, CVE-2012-4404
Package Information:
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu2.1
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu1.11.10.1
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu1.11.04.1
https://launchpad.net/ubuntu/+source/moin/1.9.2-2ubuntu3.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121011/051e25bd/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 11 Oct 2012 14:16:10 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1605-1] Quagga vulnerability
Message-ID: <50770CEA.1090004@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1605-1
October 11, 2012
quagga vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Quagga could be made to crash if it received specially crafted network
traffic.
Software Description:
- quagga: BGP/OSPF/RIP routing daemon
Details:
It was discovered that Quagga incorrectly handled certain malformed
messages. A remote attacker could use this flaw to cause Quagga to crash,
resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
quagga 0.99.20.1-0ubuntu0.12.04.3
Ubuntu 11.10:
quagga 0.99.20.1-0ubuntu0.11.10.3
Ubuntu 11.04:
quagga 0.99.20.1-0ubuntu0.11.04.3
Ubuntu 10.04 LTS:
quagga 0.99.20.1-0ubuntu0.10.04.3
After a standard system update you need to restart Quagga to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1605-1
CVE-2012-1820
Package Information:
https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.12.04.3
https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.11.10.3
https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.11.04.3
https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.10.04.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121011/858500d4/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 11 Oct 2012 12:01:58 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1606-1] Linux kernel vulnerabilities
Message-ID: <507717A6.80004@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1606-1
October 11, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
A flaw was found in how the Linux kernel's KVM (Kernel-based Virtual
Machine) subsystem handled MSI (Message Signaled Interrupts). A local
unprivileged user could exploit this flaw to cause a denial of service or
potentially elevate privileges. (CVE-2012-2137)
A flaw was found in how the Linux kernel passed the replacement session
keyring to a child process. An unprivileged local user could exploit this
flaw to cause a denial of service (panic). (CVE-2012-2745)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-44-386 2.6.32-44.98
linux-image-2.6.32-44-generic 2.6.32-44.98
linux-image-2.6.32-44-generic-pae 2.6.32-44.98
linux-image-2.6.32-44-ia64 2.6.32-44.98
linux-image-2.6.32-44-lpia 2.6.32-44.98
linux-image-2.6.32-44-powerpc 2.6.32-44.98
linux-image-2.6.32-44-powerpc-smp 2.6.32-44.98
linux-image-2.6.32-44-powerpc64-smp 2.6.32-44.98
linux-image-2.6.32-44-preempt 2.6.32-44.98
linux-image-2.6.32-44-server 2.6.32-44.98
linux-image-2.6.32-44-sparc64 2.6.32-44.98
linux-image-2.6.32-44-sparc64-smp 2.6.32-44.98
linux-image-2.6.32-44-versatile 2.6.32-44.98
linux-image-2.6.32-44-virtual 2.6.32-44.98
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1606-1
CVE-2012-2137, CVE-2012-2745
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-44.98
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121011/80d011c0/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 11 Oct 2012 12:28:37 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1607-1] Linux kernel vulnerabilities
Message-ID: <50771DE5.5060408@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1607-1
October 11, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Vadim Ponomarev discovered a flaw in the Linux kernel causing a reference
leak when PID namespaces are used. A remote attacker could exploit this
flaw causing a denial of service. (CVE-2012-2127)
A flaw was found in how the Linux kernel's KVM (Kernel-based Virtual
Machine) subsystem handled MSI (Message Signaled Interrupts). A local
unprivileged user could exploit this flaw to cause a denial of service or
potentially elevate privileges. (CVE-2012-2137)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-26-generic 3.0.0-26.43
linux-image-3.0.0-26-generic-pae 3.0.0-26.43
linux-image-3.0.0-26-omap 3.0.0-26.43
linux-image-3.0.0-26-powerpc 3.0.0-26.43
linux-image-3.0.0-26-powerpc-smp 3.0.0-26.43
linux-image-3.0.0-26-powerpc64-smp 3.0.0-26.43
linux-image-3.0.0-26-server 3.0.0-26.43
linux-image-3.0.0-26-virtual 3.0.0-26.43
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1607-1
CVE-2012-2127, CVE-2012-2137
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.0.0-26.43
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121011/e4c09b8d/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 11 Oct 2012 15:26:58 -0500
From: Micah Gersten <micah@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1608-1] Firefox vulnerabilities
Message-ID: <50772B92.1000909@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-1608-1
October 11, 2012
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
It was discovered that the browser engine used in Firefox contained a
memory corruption flaw. If a user were tricked into opening a specially
crafted web page, a remote attacker could cause Firefox to crash or
potentially execute arbitrary code as the user invoking the program.
(CVE-2012-4191)
It was discovered that Firefox allowed improper access to the Location
object. An attacker could exploit this to obtain sensitive information.
(CVE-2012-4192)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
firefox 16.0.1+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 16.0.1+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
firefox 16.0.1+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
firefox 16.0.1+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1608-1
CVE-2012-4191, CVE-2012-4192, https://launchpad.net/bugs/1065285
Package Information:
https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121011/26d2713d/attachment-0001.pgp>
------------------------------
Message: 6
Date: Fri, 12 Oct 2012 02:54:29 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1609-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5077E8D5.8010304@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1609-1
October 12, 2012
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
A flaw was found in how the Linux kernel's KVM (Kernel-based Virtual
Machine) subsystem handled MSI (Message Signaled Interrupts). A local
unprivileged user could exploit this flaw to cause a denial of service or
potentially elevate privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-1216-omap4 3.0.0-1216.29
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1609-1
CVE-2012-2137
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.0.0-1216.29
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121012/863abf92/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 97, Issue 8
*******************************************************