News

Friday, November 30, 2012

ubuntu-security-announce Digest, Vol 98, Issue 12

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1642-1] Lynx vulnerabilities (Jamie Strandboge)
2. [USN-1643-1] Perl vulnerabilities (Seth Arnold)
3. [USN-1430-5] mozilla-devscripts update (Micah Gersten)
4. [USN-1644-1] Linux kernel vulnerabilities (John Johansen)
5. [USN-1645-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
6. [USN-1646-1] Linux kernel vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 29 Nov 2012 15:50:05 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1642-1] Lynx vulnerabilities
Message-ID: <50B7D88D.9060300@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1642-1
November 29, 2012

lynx-cur vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Two security issues were fixed in Lynx.

Software Description:
- lynx-cur: Text-mode WWW Browser with NLS support

Details:

Dan Rosenberg discovered a heap-based buffer overflow in Lynx. If a user
were tricked into opening a specially crafted page, a remote attacker could
cause a denial of service via application crash, or possibly execute
arbitrary code as the user invoking the program. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-2810)

It was discovered that Lynx did not properly verify that an HTTPS
certificate was signed by a trusted certificate authority. This could allow
an attacker to perform a "man in the middle" (MITM) attack which would make
the user believe their connection is secure, but is actually being
monitored. This update changes the behavior of Lynx such that self-signed
certificates no longer validate. Users requiring the previous behavior can
use the 'FORCE_SSL_PROMPT' option in lynx.cfg. (CVE-2012-5821)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
lynx-cur 2.8.8dev.12-2ubuntu0.1

Ubuntu 12.04 LTS:
lynx-cur 2.8.8dev.9-2ubuntu0.12.04.1

Ubuntu 11.10:
lynx-cur 2.8.8dev.9-2ubuntu0.11.10.1

Ubuntu 10.04 LTS:
lynx-cur 2.8.8dev.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1642-1
CVE-2010-2810, CVE-2012-5821

Package Information:
https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.12-2ubuntu0.1
https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.9-2ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.9-2ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/lynx-cur/2.8.8dev.2-1ubuntu0.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121129/628b18b6/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 29 Nov 2012 21:35:50 -0800
From: Seth Arnold <seth.arnold@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1643-1] Perl vulnerabilities
Message-ID: <20121130053550.GA15927@hunt>
Content-Type: text/plain; charset="us-ascii"

==========================================================================
Ubuntu Security Notice USN-1643-1
November 30, 2012

perl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Perl programs could be made to crash or run programs if they receive
specially crafted network traffic or other input.

Software Description:
- perl: Larry Wall's Practical Extraction and Report Language

Details:

It was discovered that the decode_xs function in the Encode module is
vulnerable to a heap-based buffer overflow via a crafted Unicode string.
An attacker could use this overflow to cause a denial of service.
(CVE-2011-2939)

It was discovered that the 'new' constructor in the Digest module is
vulnerable to an eval injection. An attacker could use this to execute
arbitrary code. (CVE-2011-3597)

It was discovered that Perl's 'x' string repeat operator is vulnerable
to a heap-based buffer overflow. An attacker could use this to execute
arbitrary code. (CVE-2012-5195)

Ryo Anazawa discovered that the CGI.pm module does not properly escape
newlines in Set-Cookie or P3P (Platform for Privacy Preferences Project)
headers. An attacker could use this to inject arbitrary headers into
responses from applications that use CGI.pm. (CVE-2012-5526)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
perl 5.14.2-13ubuntu0.1

Ubuntu 12.04 LTS:
perl 5.14.2-6ubuntu2.2

Ubuntu 11.10:
perl 5.12.4-4ubuntu0.1

Ubuntu 10.04 LTS:
perl 5.10.1-8ubuntu2.2

Ubuntu 8.04 LTS:
perl 5.8.8-12ubuntu0.7

Perl programs need to be restarted after a standard system update to
make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1643-1
CVE-2011-2939, CVE-2011-3597, CVE-2012-5195, CVE-2012-5526

Package Information:
https://launchpad.net/ubuntu/+source/perl/5.14.2-13ubuntu0.1
https://launchpad.net/ubuntu/+source/perl/5.14.2-6ubuntu2.2
https://launchpad.net/ubuntu/+source/perl/5.12.4-4ubuntu0.1
https://launchpad.net/ubuntu/+source/perl/5.10.1-8ubuntu2.2
https://launchpad.net/ubuntu/+source/perl/5.8.8-12ubuntu0.7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121129/bbf33c12/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 29 Nov 2012 23:43:29 -0600
From: Micah Gersten <micah@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1430-5] mozilla-devscripts update
Message-ID: <50B84781.1070804@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1430-5
November 30, 2012

mozilla-devscripts update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Update to packaging tool for Thunderbird addons.

Software Description:
- mozilla-devscripts: Collection of dev scripts used by Ubuntu Mozilla packages

Details:

USN-1430-3 fixed vulnerabilities in Thunderbird. This update provides an
updated mozilla-devscripts which produces packaged addons compatible with
the latest thunderbird packaging.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
mozilla-devscripts 0.22ubuntu0.10.04.3

After a standard system update, any locally built Thunderbird addon
packages will need to be rebuilt with this version of mozilla-devscripts.

References:
http://www.ubuntu.com/usn/usn-1430-5
http://www.ubuntu.com/usn/usn-1430-1
http://www.ubuntu.com/usn/usn-1430-3, https://launchpad.net/bugs/995054

Package Information:
https://launchpad.net/ubuntu/+source/mozilla-devscripts/0.22ubuntu0.10.04.3




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121129/218aeab4/attachment-0001.pgp>

------------------------------

Message: 4
Date: Fri, 30 Nov 2012 00:07:51 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1644-1] Linux kernel vulnerabilities
Message-ID: <50B86957.6030309@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1644-1
November 30, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Brad Spengler discovered a flaw in the Linux kernel's uname system call. An
unprivileged user could exploit this flaw to read kernel stack memory.
(CVE-2012-0957)

Rodrigo Freire discovered a flaw in the Linux kernel's TCP illinois
congestion control algorithm. A local attacker could use this to cause a
denial of service. (CVE-2012-4565)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-34-generic 3.2.0-34.53
linux-image-3.2.0-34-generic-pae 3.2.0-34.53
linux-image-3.2.0-34-highbank 3.2.0-34.53
linux-image-3.2.0-34-omap 3.2.0-34.53
linux-image-3.2.0-34-powerpc-smp 3.2.0-34.53
linux-image-3.2.0-34-powerpc64-smp 3.2.0-34.53
linux-image-3.2.0-34-virtual 3.2.0-34.53

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1644-1
CVE-2012-0957, CVE-2012-4565

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-34.53

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121130/26e02902/attachment-0001.pgp>

------------------------------

Message: 5
Date: Fri, 30 Nov 2012 00:38:03 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1645-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <50B8706B.205@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1645-1
November 30, 2012

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Brad Spengler discovered a flaw in the Linux kernel's uname system call. An
unprivileged user could exploit this flaw to read kernel stack memory.
(CVE-2012-0957)

Rodrigo Freire discovered a flaw in the Linux kernel's TCP illinois
congestion control algorithm. A local attacker could use this to cause a
denial of service. (CVE-2012-4565)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1422-omap4 3.2.0-1422.29

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1645-1
CVE-2012-0957, CVE-2012-4565

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1422.29

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121130/24e5913f/attachment-0001.pgp>

------------------------------

Message: 6
Date: Fri, 30 Nov 2012 00:56:45 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1646-1] Linux kernel vulnerabilities
Message-ID: <50B874CD.9040503@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1646-1
November 30, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Brad Spengler discovered a flaw in the Linux kernel's uname system call. An
unprivileged user could exploit this flaw to read kernel stack memory.
(CVE-2012-0957)

Rodrigo Freire discovered a flaw in the Linux kernel's TCP illinois
congestion control algorithm. A local attacker could use this to cause a
denial of service. (CVE-2012-4565)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-19-generic 3.5.0-19.30
linux-image-3.5.0-19-highbank 3.5.0-19.30
linux-image-3.5.0-19-omap 3.5.0-19.30
linux-image-3.5.0-19-powerpc-smp 3.5.0-19.30
linux-image-3.5.0-19-powerpc64-smp 3.5.0-19.30

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1646-1
CVE-2012-0957, CVE-2012-4565

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-19.30

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121130/01c43e74/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 98, Issue 12
********************************************************

No comments:

Blog Archive