ubuntu-security-announce Digest, Vol 99, Issue 8

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1589-2] GNU C Library regression (Marc Deslauriers)
2. [USN-1666-1] Aptdaemon vulnerability (Marc Deslauriers)
3. [USN-1667-1] bogofilter vulnerability (Marc Deslauriers)
4. [USN-1668-1] Apport update (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Dec 2012 09:17:18 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1589-2] GNU C Library regression
Message-ID: <50CF296E.6030004@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1589-2
December 17, 2012

glibc regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 8.04 LTS

Summary:

USN-1589-1 exposed a regression in the GNU C Library floating point parser.

Software Description:
- glibc: GNU C Library

Details:

USN-1589-1 fixed vulnerabilities in the GNU C Library. One of the updates
exposed a regression in the floating point parser. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that positional arguments to the printf() family
of functions were not handled properly in the GNU C Library. An
attacker could possibly use this to cause a stack-based buffer
overflow, creating a denial of service or possibly execute arbitrary
code. (CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)
It was discovered that multiple integer overflows existed in the
strtod(), strtof() and strtold() functions in the GNU C Library. An
attacker could possibly use this to trigger a stack-based buffer
overflow, creating a denial of service or possibly execute arbitrary
code. (CVE-2012-3480)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 8.04 LTS:
libc6 2.7-10ubuntu8.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1589-2
http://www.ubuntu.com/usn/usn-1589-1
CVE-2012-3480

Package Information:
https://launchpad.net/ubuntu/+source/glibc/2.7-10ubuntu8.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121217/976aed3d/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 17 Dec 2012 09:17:36 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1666-1] Aptdaemon vulnerability
Message-ID: <50CF2980.2090001@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1666-1
December 17, 2012

aptdaemon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Aptdaemon could be tricked into installing arbitrary PPA GPG keys.

Software Description:
- aptdaemon: transaction based package management service

Details:

It was discovered that Aptdaemon incorrectly validated PPA GPG keys when
importing from a keyserver. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to install altered
package repository GPG keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
aptdaemon 0.43+bzr805-0ubuntu7

Ubuntu 11.10:
aptdaemon 0.43+bzr697-0ubuntu1.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1666-1
CVE-2012-0962

Package Information:
https://launchpad.net/ubuntu/+source/aptdaemon/0.43+bzr805-0ubuntu7
https://launchpad.net/ubuntu/+source/aptdaemon/0.43+bzr697-0ubuntu1.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121217/6698e3f1/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 17 Dec 2012 11:17:00 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1667-1] bogofilter vulnerability
Message-ID: <50CF457C.2040004@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1667-1
December 17, 2012

bogofilter vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

bogofilter could be made to crash or run programs if it processed a
specially crafted email.

Software Description:
- bogofilter: a fast Bayesian spam filter

Details:

Julius Plenz discovered that bogofilter incorrectly handled certain
invalid base64 code. By sending a specially crafted email, a remote
attacker could exploit this and cause bogofilter to crash, resulting in a
denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
bogofilter-bdb 1.2.1-0ubuntu1.2
bogofilter-sqlite 1.2.1-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1667-1
CVE-2012-5468

Package Information:
https://launchpad.net/ubuntu/+source/bogofilter/1.2.1-0ubuntu1.2


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121217/66ce53a9/attachment-0001.pgp>

------------------------------

Message: 4
Date: Mon, 17 Dec 2012 17:33:48 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1668-1] Apport update
Message-ID: <50CFABDC.80309@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1668-1
December 17, 2012

apport update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

A hardening measure was added to apport.

Software Description:
- apport: automatically generate crash reports for debugging

Details:

Dan Rosenberg discovered that an application running under an AppArmor
profile that allowed unconfined execution of apport-bug could escape
confinement by calling apport-bug with a crafted environment. While not a
vulnerability in apport itself, this update mitigates the issue by
sanitizing certain variables in the apport-bug shell script.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
apport 2.0.1-0ubuntu15.1

Ubuntu 11.10:
apport 1.23-0ubuntu4.1

Ubuntu 10.04 LTS:
apport 1.13.3-0ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1668-1
https://launchpad.net/bugs/1045986

Package Information:
https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu15.1
https://launchpad.net/ubuntu/+source/apport/1.23-0ubuntu4.1
https://launchpad.net/ubuntu/+source/apport/1.13.3-0ubuntu2.2




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20121217/727d4e78/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 99, Issue 8
*******************************************************