Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1708-1] libvirt vulnerabilities (Marc Deslauriers)
2. [USN-1709-1] OpenStack Nova vulnerability (Jamie Strandboge)
3. [USN-1710-1] OpenStack Glance vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Tue, 29 Jan 2013 11:41:56 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1708-1] libvirt vulnerabilities
Message-ID: <5107FBD4.7090308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1708-1
January 29, 2013
libvirt vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
libvirt could be made to crash or run programs if it received specially
crafted network traffic.
Software Description:
- libvirt: Libvirt virtualization toolkit
Details:
Wenlong Huang discovered that libvirt incorrectly handled certain RPC
calls. A remote attacker could exploit this and cause libvirt to crash,
resulting in a denial of service. This issue only affected Ubuntu 12.04
LTS. (CVE-2012-4423)
Tingting Zheng discovered that libvirt incorrectly handled cleanup under
certain error conditions. A remote attacker could exploit this and cause
libvirt to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2013-0170)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libvirt-bin 0.9.13-0ubuntu12.2
libvirt0 0.9.13-0ubuntu12.2
Ubuntu 12.04 LTS:
libvirt-bin 0.9.8-2ubuntu17.7
libvirt0 0.9.8-2ubuntu17.7
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1708-1
CVE-2012-4423, CVE-2013-0170
Package Information:
https://launchpad.net/ubuntu/+source/libvirt/0.9.13-0ubuntu12.2
https://launchpad.net/ubuntu/+source/libvirt/0.9.8-2ubuntu17.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/b88f7f01/attachment-0001.pgp>
------------------------------
Message: 2
Date: Tue, 29 Jan 2013 17:23:05 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1709-1] OpenStack Nova vulnerability
Message-ID: <510859D9.2040509@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1709-1
January 29, 2013
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova volume could be made to expose volumes from other users.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Phil Day discovered that nova-volume did not validate access to volumes. An
authenticated attacker could exploit this to bypass intended access
controls and boot from arbitrary volumes.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
nova-volume
2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
Ubuntu 12.04 LTS:
nova-volume
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
Ubuntu 11.10:
nova-volume 2011.3-0ubuntu6.11
python-nova 2011.3-0ubuntu6.11
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1709-1
CVE-2013-0208
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.11
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/ea5ef9c5/attachment-0001.pgp>
------------------------------
Message: 3
Date: Tue, 29 Jan 2013 17:26:41 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1710-1] OpenStack Glance vulnerability
Message-ID: <51085AB1.7020005@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1710-1
January 29, 2013
glance vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Glance could be made to expose sensitive information over the network.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Dan Prince discovered an issue in Glance error reporting. An authenticated
attacker could exploit this to expose the Glance operator's Swift
credentials for a misconfigured or otherwise unusable Swift endpoint.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-glance 2012.2.1-0ubuntu1.1
Ubuntu 12.04 LTS:
python-glance 2012.1.3+stable~20120821-120fcf-0ubuntu1.3
Ubuntu 11.10:
python-glance 2011.3-0ubuntu4.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1710-1
CVE-2013-0212
Package Information:
https://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/glance/2012.1.3+stable~20120821-120fcf-0ubuntu1.3
https://launchpad.net/ubuntu/+source/glance/2011.3-0ubuntu4.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130129/d428883d/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 100, Issue 10
*********************************************************
News
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment