Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1708-1] libvirt vulnerabilities (Marc Deslauriers)
2. [USN-1709-1] OpenStack Nova vulnerability (Jamie Strandboge)
3. [USN-1710-1] OpenStack Glance vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Tue, 29 Jan 2013 11:41:56 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1708-1] libvirt vulnerabilities
Message-ID: <5107FBD4.7090308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1708-1
January 29, 2013
libvirt vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
libvirt could be made to crash or run programs if it received specially
crafted network traffic.
Software Description:
- libvirt: Libvirt virtualization toolkit
Details:
Wenlong Huang discovered that libvirt incorrectly handled certain RPC
calls. A remote attacker could exploit this and cause libvirt to crash,
resulting in a denial of service. This issue only affected Ubuntu 12.04
LTS. (CVE-2012-4423)
Tingting Zheng discovered that libvirt incorrectly handled cleanup under
certain error conditions. A remote attacker could exploit this and cause
libvirt to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2013-0170)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libvirt-bin 0.9.13-0ubuntu12.2
libvirt0 0.9.13-0ubuntu12.2
Ubuntu 12.04 LTS:
libvirt-bin 0.9.8-2ubuntu17.7
libvirt0 0.9.8-2ubuntu17.7
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1708-1
CVE-2012-4423, CVE-2013-0170
Package Information:
https://launchpad.net/ubuntu/+source/libvirt/0.9.13-0ubuntu12.2
https://launchpad.net/ubuntu/+source/libvirt/0.9.8-2ubuntu17.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/b88f7f01/attachment-0001.pgp>
------------------------------
Message: 2
Date: Tue, 29 Jan 2013 17:23:05 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1709-1] OpenStack Nova vulnerability
Message-ID: <510859D9.2040509@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1709-1
January 29, 2013
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova volume could be made to expose volumes from other users.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Phil Day discovered that nova-volume did not validate access to volumes. An
authenticated attacker could exploit this to bypass intended access
controls and boot from arbitrary volumes.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
nova-volume
2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
Ubuntu 12.04 LTS:
nova-volume
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
Ubuntu 11.10:
nova-volume 2011.3-0ubuntu6.11
python-nova 2011.3-0ubuntu6.11
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1709-1
CVE-2013-0208
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.11
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/ea5ef9c5/attachment-0001.pgp>
------------------------------
Message: 3
Date: Tue, 29 Jan 2013 17:26:41 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1710-1] OpenStack Glance vulnerability
Message-ID: <51085AB1.7020005@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1710-1
January 29, 2013
glance vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Glance could be made to expose sensitive information over the network.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Dan Prince discovered an issue in Glance error reporting. An authenticated
attacker could exploit this to expose the Glance operator's Swift
credentials for a misconfigured or otherwise unusable Swift endpoint.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-glance 2012.2.1-0ubuntu1.1
Ubuntu 12.04 LTS:
python-glance 2012.1.3+stable~20120821-120fcf-0ubuntu1.3
Ubuntu 11.10:
python-glance 2011.3-0ubuntu4.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1710-1
CVE-2013-0212
Package Information:
https://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/glance/2012.1.3+stable~20120821-120fcf-0ubuntu1.3
https://launchpad.net/ubuntu/+source/glance/2011.3-0ubuntu4.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/d428883d/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 10
*********************************************************
Wednesday, January 30, 2013
Tuesday, January 29, 2013
ubuntu-security-announce Digest, Vol 100, Issue 9
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1705-1] Libav vulnerabilities (Marc Deslauriers)
2. [USN-1706-1] FFmpeg vulnerabilities (Marc Deslauriers)
3. [USN-1707-1] libssh vulnerability (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Mon, 28 Jan 2013 09:28:51 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1705-1] Libav vulnerabilities
Message-ID: <51068B23.1050808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1705-1
January 28, 2013
libav vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Libav could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- libav: Multimedia player, server, encoder and transcoder
Details:
It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libavcodec53 6:0.8.5-0ubuntu0.12.10.1
libavformat53 6:0.8.5-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
libavcodec53 4:0.8.5-0ubuntu0.12.04.1
libavformat53 4:0.8.5-0ubuntu0.12.04.1
Ubuntu 11.10:
libavcodec53 4:0.7.6-0ubuntu0.11.10.3
libavformat53 4:0.7.6-0ubuntu0.11.10.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1705-1
CVE-2012-2783, CVE-2012-2791, CVE-2012-2797, CVE-2012-2798,
CVE-2012-2801, CVE-2012-2802, CVE-2012-2803, CVE-2012-2804,
CVE-2012-5144
Package Information:
https://launchpad.net/ubuntu/+source/libav/6:0.8.5-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/libav/4:0.8.5-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/libav/4:0.7.6-0ubuntu0.11.10.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/02ec99c2/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 28 Jan 2013 09:29:24 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1706-1] FFmpeg vulnerabilities
Message-ID: <51068B44.9050103@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1706-1
January 28, 2013
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
FFmpeg could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- ffmpeg: multimedia player, server and encoder
Details:
It was discovered that FFmpeg incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
libavcodec52 4:0.5.9-0ubuntu0.10.04.3
libavformat52 4:0.5.9-0ubuntu0.10.04.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1706-1
CVE-2012-2783, CVE-2012-2803
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.5.9-0ubuntu0.10.04.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/6774ca26/attachment-0001.pgp>
------------------------------
Message: 3
Date: Mon, 28 Jan 2013 12:49:46 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1707-1] libssh vulnerability
Message-ID: <5106BA3A.7050003@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1707-1
January 28, 2013
libssh vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
libssh could be made to crash if it received specially crafted network
traffic.
Software Description:
- libssh: A tiny C SSH library
Details:
Yong Chuan Koh discovered that libssh incorrectly handled certain
negotiation requests. A remote attacker could use this to cause libssh to
crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssh-4 0.5.2-1ubuntu0.12.10.2
Ubuntu 12.04 LTS:
libssh-4 0.5.2-1ubuntu0.12.04.2
Ubuntu 11.10:
libssh-4 0.5.2-1ubuntu0.11.10.2
Ubuntu 10.04 LTS:
libssh-4 0.4.2-1ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1707-1
CVE-2013-0176
Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.11.10.2
https://launchpad.net/ubuntu/+source/libssh/0.4.2-1ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/06e85e20/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 9
********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1705-1] Libav vulnerabilities (Marc Deslauriers)
2. [USN-1706-1] FFmpeg vulnerabilities (Marc Deslauriers)
3. [USN-1707-1] libssh vulnerability (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Mon, 28 Jan 2013 09:28:51 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1705-1] Libav vulnerabilities
Message-ID: <51068B23.1050808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1705-1
January 28, 2013
libav vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Libav could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- libav: Multimedia player, server, encoder and transcoder
Details:
It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libavcodec53 6:0.8.5-0ubuntu0.12.10.1
libavformat53 6:0.8.5-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
libavcodec53 4:0.8.5-0ubuntu0.12.04.1
libavformat53 4:0.8.5-0ubuntu0.12.04.1
Ubuntu 11.10:
libavcodec53 4:0.7.6-0ubuntu0.11.10.3
libavformat53 4:0.7.6-0ubuntu0.11.10.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1705-1
CVE-2012-2783, CVE-2012-2791, CVE-2012-2797, CVE-2012-2798,
CVE-2012-2801, CVE-2012-2802, CVE-2012-2803, CVE-2012-2804,
CVE-2012-5144
Package Information:
https://launchpad.net/ubuntu/+source/libav/6:0.8.5-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/libav/4:0.8.5-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/libav/4:0.7.6-0ubuntu0.11.10.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/02ec99c2/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 28 Jan 2013 09:29:24 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1706-1] FFmpeg vulnerabilities
Message-ID: <51068B44.9050103@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1706-1
January 28, 2013
ffmpeg vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
FFmpeg could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- ffmpeg: multimedia player, server and encoder
Details:
It was discovered that FFmpeg incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
libavcodec52 4:0.5.9-0ubuntu0.10.04.3
libavformat52 4:0.5.9-0ubuntu0.10.04.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1706-1
CVE-2012-2783, CVE-2012-2803
Package Information:
https://launchpad.net/ubuntu/+source/ffmpeg/4:0.5.9-0ubuntu0.10.04.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/6774ca26/attachment-0001.pgp>
------------------------------
Message: 3
Date: Mon, 28 Jan 2013 12:49:46 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1707-1] libssh vulnerability
Message-ID: <5106BA3A.7050003@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1707-1
January 28, 2013
libssh vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
libssh could be made to crash if it received specially crafted network
traffic.
Software Description:
- libssh: A tiny C SSH library
Details:
Yong Chuan Koh discovered that libssh incorrectly handled certain
negotiation requests. A remote attacker could use this to cause libssh to
crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssh-4 0.5.2-1ubuntu0.12.10.2
Ubuntu 12.04 LTS:
libssh-4 0.5.2-1ubuntu0.12.04.2
Ubuntu 11.10:
libssh-4 0.5.2-1ubuntu0.11.10.2
Ubuntu 10.04 LTS:
libssh-4 0.4.2-1ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1707-1
CVE-2013-0176
Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.11.10.2
https://launchpad.net/ubuntu/+source/libssh/0.4.2-1ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130128/06e85e20/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 9
********************************************************
Thursday, January 17, 2013
ubuntu-security-announce Digest, Vol 100, Issue 7
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1694-1] RPM vulnerability (Marc Deslauriers)
2. [USN-1695-1] RPM vulnerabilities (Marc Deslauriers)
3. [USN-1696-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1698-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
5. [USN-1699-1] Linux kernel vulnerabilities (John Johansen)
6. [USN-1700-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 17 Jan 2013 11:14:45 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1694-1] RPM vulnerability
Message-ID: <50F82375.8070600@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1694-1
January 17, 2013
rpm vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
RPM could incorrectly validate package signatures.
Software Description:
- rpm: package manager for RPM
Details:
It was discovered that RPM incorrectly handled signature checking. An
attacker could create a specially-crafted rpm with an invalid signature
which could pass the signature validation check.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
rpm 4.10.0-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1694-1
CVE-2012-6088
Package Information:
https://launchpad.net/ubuntu/+source/rpm/4.10.0-4ubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/f9edf0e9/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 17 Jan 2013 16:53:13 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1695-1] RPM vulnerabilities
Message-ID: <50F872C9.7040002@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1695-1
January 17, 2013
rpm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
RPM could be made to crash or run programs if it opened a specially crafted
package file.
Software Description:
- rpm: package manager for RPM
Details:
It was discovered that RPM incorrectly handled certain package headers. If
a user or automated system were tricked into installing a specially crafted
RPM package, an attacker could cause RPM to crash, resulting in a denial of
service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
rpm 4.9.1.1-1ubuntu0.1
Ubuntu 11.10:
rpm 4.9.0-7ubuntu0.1
Ubuntu 10.04 LTS:
rpm 4.7.2-1lubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1695-1
CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Package Information:
https://launchpad.net/ubuntu/+source/rpm/4.9.1.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rpm/4.9.0-7ubuntu0.1
https://launchpad.net/ubuntu/+source/rpm/4.7.2-1lubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/b8a3c825/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 17 Jan 2013 19:27:38 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1696-1] Linux kernel vulnerabilities
Message-ID: <50F8C12A.2000807@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1696-1
January 18, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Jon Howell reported a flaw in the Linux kernel's KVM (Kernel-based virtual
machine) subsystem's handling of the XSAVE CPU feature. On hosts without the
XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could
exploit this flaw to crash the system. (CVE-2012-4461)
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-36-generic 3.2.0-36.57
linux-image-3.2.0-36-generic-pae 3.2.0-36.57
linux-image-3.2.0-36-highbank 3.2.0-36.57
linux-image-3.2.0-36-omap 3.2.0-36.57
linux-image-3.2.0-36-powerpc-smp 3.2.0-36.57
linux-image-3.2.0-36-powerpc64-smp 3.2.0-36.57
linux-image-3.2.0-36-virtual 3.2.0-36.57
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1696-1
CVE-2012-4461, CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-36.57
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/00facfa6/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 17 Jan 2013 19:51:48 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1698-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <50F8C6D4.1010603@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1698-1
January 18, 2013
linux-ti-omap4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1424-omap4 3.2.0-1424.32
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1698-1
CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1424.32
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/31b885d7/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 17 Jan 2013 20:05:27 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1699-1] Linux kernel vulnerabilities
Message-ID: <50F8CA07.7000202@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1699-1
January 18, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Jon Howell reported a flaw in the Linux kernel's KVM (Kernel-based virtual
machine) subsystem's handling of the XSAVE CPU feature. On hosts without the
XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could
exploit this flaw to crash the system. (CVE-2012-4461)
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-22-generic 3.5.0-22.34
linux-image-3.5.0-22-highbank 3.5.0-22.34
linux-image-3.5.0-22-omap 3.5.0-22.34
linux-image-3.5.0-22-powerpc-smp 3.5.0-22.34
linux-image-3.5.0-22-powerpc64-smp 3.5.0-22.34
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1699-1
CVE-2012-4461, CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-22.34
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/2906c804/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 17 Jan 2013 20:22:53 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1700-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <50F8CE1D.4070603@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1700-1
January 18, 2013
linux-ti-omap4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-217-omap4 3.5.0-217.25
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1700-1
CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-217.25
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/5ba44d0e/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 7
********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1694-1] RPM vulnerability (Marc Deslauriers)
2. [USN-1695-1] RPM vulnerabilities (Marc Deslauriers)
3. [USN-1696-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1698-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
5. [USN-1699-1] Linux kernel vulnerabilities (John Johansen)
6. [USN-1700-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 17 Jan 2013 11:14:45 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1694-1] RPM vulnerability
Message-ID: <50F82375.8070600@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1694-1
January 17, 2013
rpm vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
RPM could incorrectly validate package signatures.
Software Description:
- rpm: package manager for RPM
Details:
It was discovered that RPM incorrectly handled signature checking. An
attacker could create a specially-crafted rpm with an invalid signature
which could pass the signature validation check.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
rpm 4.10.0-4ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1694-1
CVE-2012-6088
Package Information:
https://launchpad.net/ubuntu/+source/rpm/4.10.0-4ubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/f9edf0e9/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 17 Jan 2013 16:53:13 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1695-1] RPM vulnerabilities
Message-ID: <50F872C9.7040002@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1695-1
January 17, 2013
rpm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
RPM could be made to crash or run programs if it opened a specially crafted
package file.
Software Description:
- rpm: package manager for RPM
Details:
It was discovered that RPM incorrectly handled certain package headers. If
a user or automated system were tricked into installing a specially crafted
RPM package, an attacker could cause RPM to crash, resulting in a denial of
service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
rpm 4.9.1.1-1ubuntu0.1
Ubuntu 11.10:
rpm 4.9.0-7ubuntu0.1
Ubuntu 10.04 LTS:
rpm 4.7.2-1lubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1695-1
CVE-2011-3378, CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Package Information:
https://launchpad.net/ubuntu/+source/rpm/4.9.1.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/rpm/4.9.0-7ubuntu0.1
https://launchpad.net/ubuntu/+source/rpm/4.7.2-1lubuntu0.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/b8a3c825/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 17 Jan 2013 19:27:38 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1696-1] Linux kernel vulnerabilities
Message-ID: <50F8C12A.2000807@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1696-1
January 18, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Jon Howell reported a flaw in the Linux kernel's KVM (Kernel-based virtual
machine) subsystem's handling of the XSAVE CPU feature. On hosts without the
XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could
exploit this flaw to crash the system. (CVE-2012-4461)
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-36-generic 3.2.0-36.57
linux-image-3.2.0-36-generic-pae 3.2.0-36.57
linux-image-3.2.0-36-highbank 3.2.0-36.57
linux-image-3.2.0-36-omap 3.2.0-36.57
linux-image-3.2.0-36-powerpc-smp 3.2.0-36.57
linux-image-3.2.0-36-powerpc64-smp 3.2.0-36.57
linux-image-3.2.0-36-virtual 3.2.0-36.57
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1696-1
CVE-2012-4461, CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-36.57
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/00facfa6/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 17 Jan 2013 19:51:48 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1698-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <50F8C6D4.1010603@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1698-1
January 18, 2013
linux-ti-omap4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1424-omap4 3.2.0-1424.32
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1698-1
CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1424.32
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/31b885d7/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 17 Jan 2013 20:05:27 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1699-1] Linux kernel vulnerabilities
Message-ID: <50F8CA07.7000202@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1699-1
January 18, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Jon Howell reported a flaw in the Linux kernel's KVM (Kernel-based virtual
machine) subsystem's handling of the XSAVE CPU feature. On hosts without the
XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could
exploit this flaw to crash the system. (CVE-2012-4461)
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-22-generic 3.5.0-22.34
linux-image-3.5.0-22-highbank 3.5.0-22.34
linux-image-3.5.0-22-omap 3.5.0-22.34
linux-image-3.5.0-22-powerpc-smp 3.5.0-22.34
linux-image-3.5.0-22-powerpc64-smp 3.5.0-22.34
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1699-1
CVE-2012-4461, CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-22.34
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/2906c804/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 17 Jan 2013 20:22:53 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1700-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <50F8CE1D.4070603@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1700-1
January 18, 2013
linux-ti-omap4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
A flaw was discovered in the Linux kernel's handling of script execution
when module loading is enabled. A local attacker could exploit this flaw to
cause a leak of kernel stack contents. (CVE-2012-4530)
Florian Weimer discovered that hypervkvpd, which is distributed in the
Linux kernel, was not correctly validating source addresses of netlink
packets. An untrusted local user can cause a denial of service by causing
hypervkvpd to exit. (CVE-2012-5532)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-217-omap4 3.5.0-217.25
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1700-1
CVE-2012-4530, CVE-2012-5532
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-217.25
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130117/5ba44d0e/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 7
********************************************************
Subscribe to:
Posts (Atom)