Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1752-1] GnuTLS vulnerability (Marc Deslauriers)
2. [USN-1753-1] DBus-GLib vulnerability (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Wed, 27 Feb 2013 08:54:12 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1752-1] GnuTLS vulnerability
Message-ID: <512E1004.6050902@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1752-1
February 27, 2013
gnutls13, gnutls26 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
GnuTLS could be made to expose sensitive information over the network.
Software Description:
- gnutls26: GNU TLS library
- gnutls13: GNU TLS library
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in GnuTLS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libgnutls26 2.12.14-5ubuntu4.2
Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.2
Ubuntu 11.10:
libgnutls26 2.10.5-1ubuntu3.3
Ubuntu 10.04 LTS:
libgnutls26 2.8.5-2ubuntu0.3
Ubuntu 8.04 LTS:
libgnutls13 2.0.4-1ubuntu2.9
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1752-1
CVE-2013-1619
Package Information:
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.2
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.2
https://launchpad.net/ubuntu/+source/gnutls26/2.10.5-1ubuntu3.3
https://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.3
https://launchpad.net/ubuntu/+source/gnutls13/2.0.4-1ubuntu2.9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130227/1d33aa28/attachment-0001.pgp>
------------------------------
Message: 2
Date: Wed, 27 Feb 2013 14:05:56 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1753-1] DBus-GLib vulnerability
Message-ID: <512E5914.8080205@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1753-1
February 27, 2013
dbus-glib vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send crafted input to applications using DBus-GLib and
possibly escalate privileges.
Software Description:
- dbus-glib: simple interprocess messaging system
Details:
Sebastian Krahmer and Bastien Nocera discovered that DBus-GLib did not
properly validate the message sender when the "NameOwnerChanged" signal was
received. A local attacker could possibly use this issue to escalate their
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libdbus-glib-1-2 0.100-1ubuntu0.1
Ubuntu 12.04 LTS:
libdbus-glib-1-2 0.98-1ubuntu1.1
Ubuntu 11.10:
libdbus-glib-1-2 0.94-4ubuntu0.1
Ubuntu 10.04 LTS:
libdbus-glib-1-2 0.84-1ubuntu0.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1753-1
CVE-2013-0292
Package Information:
https://launchpad.net/ubuntu/+source/dbus-glib/0.100-1ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.98-1ubuntu1.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.94-4ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.84-1ubuntu0.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130227/83663c79/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 15
*********************************************************
Thursday, February 28, 2013
Wednesday, February 27, 2013
ubuntu-security-announce Digest, Vol 101, Issue 14
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1750-1] Linux kernel vulnerabilities (John Johansen)
2. [USN-1751-1] Linux kernel (OMAP4) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Tue, 26 Feb 2013 09:59:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1750-1] Linux kernel vulnerabilities
Message-ID: <512CF81E.7080005@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1750-1
February 26, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.39
linux-image-3.5.0-25-highbank 3.5.0-25.39
linux-image-3.5.0-25-omap 3.5.0-25.39
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.39
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.39
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1750-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.39
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/21b487fd/attachment-0001.pgp>
------------------------------
Message: 2
Date: Tue, 26 Feb 2013 23:30:12 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1751-1] Linux kernel (OMAP4) vulnerability
Message-ID: <512DB604.7090808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1751-1
February 27, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Mathias Krause discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.29
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1751-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.29
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/155263e2/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 14
*********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1750-1] Linux kernel vulnerabilities (John Johansen)
2. [USN-1751-1] Linux kernel (OMAP4) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Tue, 26 Feb 2013 09:59:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1750-1] Linux kernel vulnerabilities
Message-ID: <512CF81E.7080005@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1750-1
February 26, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.39
linux-image-3.5.0-25-highbank 3.5.0-25.39
linux-image-3.5.0-25-omap 3.5.0-25.39
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.39
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.39
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1750-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.39
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/21b487fd/attachment-0001.pgp>
------------------------------
Message: 2
Date: Tue, 26 Feb 2013 23:30:12 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1751-1] Linux kernel (OMAP4) vulnerability
Message-ID: <512DB604.7090808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1751-1
February 27, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Mathias Krause discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.29
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1751-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.29
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/155263e2/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 14
*********************************************************
Tuesday, February 26, 2013
ubuntu-security-announce Digest, Vol 101, Issue 13
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1746-1] Pidgin vulnerabilities (Marc Deslauriers)
2. [USN-1747-1] Transmission vulnerability (Marc Deslauriers)
3. [USN-1748-1] Thunderbird vulnerabilities (Jamie Strandboge)
4. [USN-1749-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 25 Feb 2013 09:27:02 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1746-1] Pidgin vulnerabilities
Message-ID: <512B74B6.4060404@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1746-1
February 25, 2013
pidgin vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Pidgin.
Software Description:
- pidgin: graphical multi-protocol instant messaging client for X
Details:
Chris Wysopal discovered that Pidgin incorrectly handled file transfers in
the MXit protocol handler. A remote attacker could use this issue to create
or overwrite arbitrary files. This issue only affected Ubuntu 11.10,
Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2013-0271)
It was discovered that Pidgin incorrectly handled long HTTP headers in the
MXit protocol handler. A malicious remote server could use this issue to
execute arbitrary code. (CVE-2013-0272)
It was discovered that Pidgin incorrectly handled long user IDs in the
Sametime protocol handler. A malicious remote server could use this issue
to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-0273)
It was discovered that Pidgin incorrectly handled long strings when
processing UPnP responses. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2013-0274)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.2
pidgin 1:2.10.6-0ubuntu2.2
Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.3
pidgin 1:2.10.3-0ubuntu1.3
Ubuntu 11.10:
libpurple0 1:2.10.0-0ubuntu2.2
pidgin 1:2.10.0-0ubuntu2.2
Ubuntu 10.04 LTS:
libpurple0 1:2.6.6-1ubuntu4.6
pidgin 1:2.6.6-1ubuntu4.6
After a standard system update you need to restart Pidgin to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1746-1
CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/806b171f/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 25 Feb 2013 10:15:08 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1747-1] Transmission vulnerability
Message-ID: <512B7FFC.509@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1747-1
February 25, 2013
transmission vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Transmission could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- transmission: lightweight BitTorrent client
Details:
It was discovered that Transmission incorrectly handled certain micro
transport protocol packets. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
transmission-common 2.61-0ubuntu2.2
Ubuntu 12.04 LTS:
transmission-common 2.51-0ubuntu1.3
Ubuntu 11.10:
transmission-common 2.33-0ubuntu2.1
After a standard system update you need to restart Transmission to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1747-1
CVE-2012-6129
Package Information:
https://launchpad.net/ubuntu/+source/transmission/2.61-0ubuntu2.2
https://launchpad.net/ubuntu/+source/transmission/2.51-0ubuntu1.3
https://launchpad.net/ubuntu/+source/transmission/2.33-0ubuntu2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/0a58e827/attachment-0001.pgp>
------------------------------
Message: 3
Date: Mon, 25 Feb 2013 18:09:48 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1748-1] Thunderbird vulnerabilities
Message-ID: <512BFD4C.9060907@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1748-1
February 25, 2013
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page and had scripting enabled, a remote attacker could exploit
this to bypass security protections to obtain sensitive information or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0773)
Frederik Braun discovered that Thunderbird made the location of the active
browser profile available to JavaScript workers. Scripting for Thunderbird
is disabled by default in Ubuntu. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Thunderbird. An attacker
could potentially exploit this to execute code with the privileges of the
user invoking Thunderbird if scripting were enabled. (CVE-2013-0775)
Michal Zalewski discovered that Thunderbird would not always show the
correct address when cancelling a proxy authentication prompt. A remote
attacker could exploit this to conduct URL spoofing and phishing attacks
if scripting were enabled.
(CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Thunderbird. If a user
had scripting enabled and was tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of service
via application crash. (CVE-2013-0783, CVE-2013-0784)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
thunderbird 17.0.3+build1-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
thunderbird 17.0.3+build1-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Thunderbird to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1748-1
CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776,
CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784,
https://launchpad.net/bugs/1131110
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/59734b59/attachment-0001.pgp>
------------------------------
Message: 4
Date: Tue, 26 Feb 2013 01:19:31 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1749-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <512C7E23.9050801@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1749-1
February 26, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.39~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1749-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.39~precise1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/90432693/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 13
*********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1746-1] Pidgin vulnerabilities (Marc Deslauriers)
2. [USN-1747-1] Transmission vulnerability (Marc Deslauriers)
3. [USN-1748-1] Thunderbird vulnerabilities (Jamie Strandboge)
4. [USN-1749-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 25 Feb 2013 09:27:02 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1746-1] Pidgin vulnerabilities
Message-ID: <512B74B6.4060404@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1746-1
February 25, 2013
pidgin vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Pidgin.
Software Description:
- pidgin: graphical multi-protocol instant messaging client for X
Details:
Chris Wysopal discovered that Pidgin incorrectly handled file transfers in
the MXit protocol handler. A remote attacker could use this issue to create
or overwrite arbitrary files. This issue only affected Ubuntu 11.10,
Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2013-0271)
It was discovered that Pidgin incorrectly handled long HTTP headers in the
MXit protocol handler. A malicious remote server could use this issue to
execute arbitrary code. (CVE-2013-0272)
It was discovered that Pidgin incorrectly handled long user IDs in the
Sametime protocol handler. A malicious remote server could use this issue
to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-0273)
It was discovered that Pidgin incorrectly handled long strings when
processing UPnP responses. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2013-0274)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.2
pidgin 1:2.10.6-0ubuntu2.2
Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.3
pidgin 1:2.10.3-0ubuntu1.3
Ubuntu 11.10:
libpurple0 1:2.10.0-0ubuntu2.2
pidgin 1:2.10.0-0ubuntu2.2
Ubuntu 10.04 LTS:
libpurple0 1:2.6.6-1ubuntu4.6
pidgin 1:2.6.6-1ubuntu4.6
After a standard system update you need to restart Pidgin to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1746-1
CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/806b171f/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 25 Feb 2013 10:15:08 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1747-1] Transmission vulnerability
Message-ID: <512B7FFC.509@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1747-1
February 25, 2013
transmission vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Transmission could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- transmission: lightweight BitTorrent client
Details:
It was discovered that Transmission incorrectly handled certain micro
transport protocol packets. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
transmission-common 2.61-0ubuntu2.2
Ubuntu 12.04 LTS:
transmission-common 2.51-0ubuntu1.3
Ubuntu 11.10:
transmission-common 2.33-0ubuntu2.1
After a standard system update you need to restart Transmission to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1747-1
CVE-2012-6129
Package Information:
https://launchpad.net/ubuntu/+source/transmission/2.61-0ubuntu2.2
https://launchpad.net/ubuntu/+source/transmission/2.51-0ubuntu1.3
https://launchpad.net/ubuntu/+source/transmission/2.33-0ubuntu2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/0a58e827/attachment-0001.pgp>
------------------------------
Message: 3
Date: Mon, 25 Feb 2013 18:09:48 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1748-1] Thunderbird vulnerabilities
Message-ID: <512BFD4C.9060907@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1748-1
February 25, 2013
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page and had scripting enabled, a remote attacker could exploit
this to bypass security protections to obtain sensitive information or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0773)
Frederik Braun discovered that Thunderbird made the location of the active
browser profile available to JavaScript workers. Scripting for Thunderbird
is disabled by default in Ubuntu. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Thunderbird. An attacker
could potentially exploit this to execute code with the privileges of the
user invoking Thunderbird if scripting were enabled. (CVE-2013-0775)
Michal Zalewski discovered that Thunderbird would not always show the
correct address when cancelling a proxy authentication prompt. A remote
attacker could exploit this to conduct URL spoofing and phishing attacks
if scripting were enabled.
(CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Thunderbird. If a user
had scripting enabled and was tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of service
via application crash. (CVE-2013-0783, CVE-2013-0784)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
thunderbird 17.0.3+build1-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
thunderbird 17.0.3+build1-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Thunderbird to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1748-1
CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776,
CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784,
https://launchpad.net/bugs/1131110
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130225/59734b59/attachment-0001.pgp>
------------------------------
Message: 4
Date: Tue, 26 Feb 2013 01:19:31 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1749-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <512C7E23.9050801@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1749-1
February 26, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.39~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1749-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.39~precise1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130226/90432693/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 13
*********************************************************
Friday, February 22, 2013
ubuntu-security-announce Digest, Vol 101, Issue 12
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1744-1] Linux kernel vulnerability (John Johansen)
2. [USN-1745-1] Linux kernel (OMAP4) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 21:43:15 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1744-1] Linux kernel vulnerability
Message-ID: <51270573.9000202@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1744-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.38
linux-image-3.5.0-25-highbank 3.5.0-25.38
linux-image-3.5.0-25-omap 3.5.0-25.38
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.38
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1744-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.38
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/82e40285/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 21:48:59 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1745-1] Linux kernel (OMAP4) vulnerability
Message-ID: <512706CB.8010608@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1745-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.28
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1745-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.28
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/dc6c93c0/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 12
*********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1744-1] Linux kernel vulnerability (John Johansen)
2. [USN-1745-1] Linux kernel (OMAP4) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 21:43:15 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1744-1] Linux kernel vulnerability
Message-ID: <51270573.9000202@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1744-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.38
linux-image-3.5.0-25-highbank 3.5.0-25.38
linux-image-3.5.0-25-omap 3.5.0-25.38
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.38
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1744-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.38
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/82e40285/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 21:48:59 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1745-1] Linux kernel (OMAP4) vulnerability
Message-ID: <512706CB.8010608@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1745-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.28
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1745-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.28
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/dc6c93c0/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 12
*********************************************************
Thursday, February 21, 2013
ubuntu-security-announce Digest, Vol 101, Issue 11
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1738-1] Linux kernel (Oneiric backport) vulnerability
(John Johansen)
2. [USN-1739-1] Linux kernel vulnerability (John Johansen)
3. [USN-1740-1] Linux kernel (OMAP4) vulnerability (John Johansen)
4. [USN-1741-1] Linux kernel vulnerability (John Johansen)
5. [USN-1742-1] Linux kernel (OMAP4) vulnerability (John Johansen)
6. [USN-1743-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 20:05:31 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1738-1] Linux kernel (Oneiric backport) vulnerability
Message-ID: <5126EE8B.4080301@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1738-1
February 22, 2013
linux-lts-backport-oneiric vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-lts-backport-oneiric: Linux kernel backport from Oneiric
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-3.0.0-31-generic 3.0.0-31.49~lucid1
linux-image-3.0.0-31-generic-pae 3.0.0-31.49~lucid1
linux-image-3.0.0-31-server 3.0.0-31.49~lucid1
linux-image-3.0.0-31-virtual 3.0.0-31.49~lucid1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1738-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-backport-oneiric/3.0.0-31.49~lucid1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/c80e9d32/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 20:33:06 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1739-1] Linux kernel vulnerability
Message-ID: <5126F502.9040700@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1739-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-31-generic 3.0.0-31.49
linux-image-3.0.0-31-generic-pae 3.0.0-31.49
linux-image-3.0.0-31-omap 3.0.0-31.49
linux-image-3.0.0-31-powerpc 3.0.0-31.49
linux-image-3.0.0-31-powerpc-smp 3.0.0-31.49
linux-image-3.0.0-31-powerpc64-smp 3.0.0-31.49
linux-image-3.0.0-31-server 3.0.0-31.49
linux-image-3.0.0-31-virtual 3.0.0-31.49
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1739-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.0.0-31.49
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/32f000c9/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 20:53:06 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1740-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5126F9B2.1030503@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1740-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-1221-omap4 3.0.0-1221.35
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1740-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.0.0-1221.35
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/ef04b54f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 21:08:39 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1741-1] Linux kernel vulnerability
Message-ID: <5126FD57.8020301@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1741-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-38-generic 3.2.0-38.61
linux-image-3.2.0-38-generic-pae 3.2.0-38.61
linux-image-3.2.0-38-highbank 3.2.0-38.61
linux-image-3.2.0-38-omap 3.2.0-38.61
linux-image-3.2.0-38-powerpc-smp 3.2.0-38.61
linux-image-3.2.0-38-powerpc64-smp 3.2.0-38.61
linux-image-3.2.0-38-virtual 3.2.0-38.61
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1741-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-38.61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/d621952b/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 21:17:59 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1742-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5126FF87.2020105@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1742-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1426-omap4 3.2.0-1426.35
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1742-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1426.35
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/6c7ee874/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 21 Feb 2013 21:24:35 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1743-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <51270113.2080008@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1743-1
February 22, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.38~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1743-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.38~precise1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/52164783/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 11
*********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1738-1] Linux kernel (Oneiric backport) vulnerability
(John Johansen)
2. [USN-1739-1] Linux kernel vulnerability (John Johansen)
3. [USN-1740-1] Linux kernel (OMAP4) vulnerability (John Johansen)
4. [USN-1741-1] Linux kernel vulnerability (John Johansen)
5. [USN-1742-1] Linux kernel (OMAP4) vulnerability (John Johansen)
6. [USN-1743-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 20:05:31 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1738-1] Linux kernel (Oneiric backport) vulnerability
Message-ID: <5126EE8B.4080301@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1738-1
February 22, 2013
linux-lts-backport-oneiric vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-lts-backport-oneiric: Linux kernel backport from Oneiric
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-3.0.0-31-generic 3.0.0-31.49~lucid1
linux-image-3.0.0-31-generic-pae 3.0.0-31.49~lucid1
linux-image-3.0.0-31-server 3.0.0-31.49~lucid1
linux-image-3.0.0-31-virtual 3.0.0-31.49~lucid1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1738-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-backport-oneiric/3.0.0-31.49~lucid1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/c80e9d32/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 20:33:06 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1739-1] Linux kernel vulnerability
Message-ID: <5126F502.9040700@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1739-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-31-generic 3.0.0-31.49
linux-image-3.0.0-31-generic-pae 3.0.0-31.49
linux-image-3.0.0-31-omap 3.0.0-31.49
linux-image-3.0.0-31-powerpc 3.0.0-31.49
linux-image-3.0.0-31-powerpc-smp 3.0.0-31.49
linux-image-3.0.0-31-powerpc64-smp 3.0.0-31.49
linux-image-3.0.0-31-server 3.0.0-31.49
linux-image-3.0.0-31-virtual 3.0.0-31.49
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1739-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.0.0-31.49
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/32f000c9/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 20:53:06 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1740-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5126F9B2.1030503@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1740-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
linux-image-3.0.0-1221-omap4 3.0.0-1221.35
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1740-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.0.0-1221.35
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/ef04b54f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 21:08:39 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1741-1] Linux kernel vulnerability
Message-ID: <5126FD57.8020301@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1741-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-38-generic 3.2.0-38.61
linux-image-3.2.0-38-generic-pae 3.2.0-38.61
linux-image-3.2.0-38-highbank 3.2.0-38.61
linux-image-3.2.0-38-omap 3.2.0-38.61
linux-image-3.2.0-38-powerpc-smp 3.2.0-38.61
linux-image-3.2.0-38-powerpc64-smp 3.2.0-38.61
linux-image-3.2.0-38-virtual 3.2.0-38.61
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1741-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-38.61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/d621952b/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 21:17:59 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1742-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5126FF87.2020105@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1742-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1426-omap4 3.2.0-1426.35
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1742-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1426.35
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/6c7ee874/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 21 Feb 2013 21:24:35 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1743-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <51270113.2080008@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1743-1
February 22, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.38~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1743-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.38~precise1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/52164783/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 11
*********************************************************
ubuntu-security-announce Digest, Vol 101, Issue 10
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1732-1] OpenSSL vulnerabilities (Marc Deslauriers)
2. [USN-1733-1] Ruby vulnerabilities (Marc Deslauriers)
3. [USN-1734-1] OpenStack Nova vulnerability (Jamie Strandboge)
4. [USN-1735-1] OpenJDK vulnerabilities (Jamie Strandboge)
5. [USN-1736-1] Linux kernel vulnerability (John Johansen)
6. [USN-1737-1] Linux kernel (EC2) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 09:10:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-1] OpenSSL vulnerabilities
Message-ID: <51262AE4.9010007@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1732-1
February 21, 2013
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Stephen Henson discovered that OpenSSL incorrectly performed signature
verification for OCSP responses. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.1
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.6
Ubuntu 11.10:
libssl1.0.0 1.0.0e-2ubuntu4.7
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.14
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.20
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-1
CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.6
https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.7
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.14
https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.20
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/27e2d573/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 09:11:22 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1733-1] Ruby vulnerabilities
Message-ID: <51262B0A.2020501@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1733-1
February 21, 2013
ruby1.9.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby1.9.1: Interpreter of object-oriented scripting language Ruby
Details:
Jean-Philippe Aumasson discovered that Ruby incorrectly generated
predictable hash values. An attacker could use this issue to generate hash
collisions and cause a denial of service. (CVE-2012-5371)
Evgeny Ermakov discovered that documentation generated by rdoc is
vulnerable to a cross-site scripting issue. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2013-0256)
Thomas Hollstegge and Ben Murphy discovered that the JSON implementation
in Ruby incorrectly handled certain crafted documents. An attacker could
use this issue to cause a denial of service or bypass certain protection
mechanisms. (CVE-2013-0269)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libruby1.9.1 1.9.3.194-1ubuntu1.3
ruby1.9.1 1.9.3.194-1ubuntu1.3
Ubuntu 12.04 LTS:
libruby1.9.1 1.9.3.0-1ubuntu2.5
ruby1.9.1 1.9.3.0-1ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1733-1
CVE-2012-5371, CVE-2013-0256, CVE-2013-0269
Package Information:
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/3ab98223/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 14:26:32 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1734-1] OpenStack Nova vulnerability
Message-ID: <512682F8.9040101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1734-1
February 21, 2013
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova could be made to crash if it received specially crafted input.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Joshua Harlow discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.12
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1734-1
CVE-2013-1664
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/0370c83f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 17:37:21 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1735-1] OpenJDK vulnerabilities
Message-ID: <5126AFB1.2010400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1735-1
February 21, 2013
openjdk-6, openjdk-7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-1485)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2013-1486, CVE-2013-1487)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-cacao 7u15-2.3.7-0ubuntu1~12.10
icedtea-7-jre-jamvm 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-headless 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-lib 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-zero 7u15-2.3.7-0ubuntu1~12.10
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~12.04
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~12.04
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~11.10
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~11.10
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~10.04
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1735-1
CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,
CVE-2013-1487
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u15-2.3.7-0ubuntu1~12.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~12.04
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~11.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~10.04
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/08734e64/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 18:45:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1736-1] Linux kernel vulnerability
Message-ID: <5126DBE6.6000200@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1736-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-45-386 2.6.32-45.104
linux-image-2.6.32-45-generic 2.6.32-45.104
linux-image-2.6.32-45-generic-pae 2.6.32-45.104
linux-image-2.6.32-45-ia64 2.6.32-45.104
linux-image-2.6.32-45-lpia 2.6.32-45.104
linux-image-2.6.32-45-powerpc 2.6.32-45.104
linux-image-2.6.32-45-powerpc-smp 2.6.32-45.104
linux-image-2.6.32-45-powerpc64-smp 2.6.32-45.104
linux-image-2.6.32-45-preempt 2.6.32-45.104
linux-image-2.6.32-45-server 2.6.32-45.104
linux-image-2.6.32-45-sparc64 2.6.32-45.104
linux-image-2.6.32-45-sparc64-smp 2.6.32-45.104
linux-image-2.6.32-45-versatile 2.6.32-45.104
linux-image-2.6.32-45-virtual 2.6.32-45.104
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1736-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-45.104
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/10d8e620/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 21 Feb 2013 19:47:22 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1737-1] Linux kernel (EC2) vulnerability
Message-ID: <5126EA4A.3060308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1737-1
February 22, 2013
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.61
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1737-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/f1fd3283/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 10
*********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1732-1] OpenSSL vulnerabilities (Marc Deslauriers)
2. [USN-1733-1] Ruby vulnerabilities (Marc Deslauriers)
3. [USN-1734-1] OpenStack Nova vulnerability (Jamie Strandboge)
4. [USN-1735-1] OpenJDK vulnerabilities (Jamie Strandboge)
5. [USN-1736-1] Linux kernel vulnerability (John Johansen)
6. [USN-1737-1] Linux kernel (EC2) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 09:10:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-1] OpenSSL vulnerabilities
Message-ID: <51262AE4.9010007@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1732-1
February 21, 2013
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Stephen Henson discovered that OpenSSL incorrectly performed signature
verification for OCSP responses. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.1
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.6
Ubuntu 11.10:
libssl1.0.0 1.0.0e-2ubuntu4.7
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.14
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.20
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-1
CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.6
https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.7
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.14
https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.20
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/27e2d573/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 09:11:22 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1733-1] Ruby vulnerabilities
Message-ID: <51262B0A.2020501@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1733-1
February 21, 2013
ruby1.9.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby1.9.1: Interpreter of object-oriented scripting language Ruby
Details:
Jean-Philippe Aumasson discovered that Ruby incorrectly generated
predictable hash values. An attacker could use this issue to generate hash
collisions and cause a denial of service. (CVE-2012-5371)
Evgeny Ermakov discovered that documentation generated by rdoc is
vulnerable to a cross-site scripting issue. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2013-0256)
Thomas Hollstegge and Ben Murphy discovered that the JSON implementation
in Ruby incorrectly handled certain crafted documents. An attacker could
use this issue to cause a denial of service or bypass certain protection
mechanisms. (CVE-2013-0269)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libruby1.9.1 1.9.3.194-1ubuntu1.3
ruby1.9.1 1.9.3.194-1ubuntu1.3
Ubuntu 12.04 LTS:
libruby1.9.1 1.9.3.0-1ubuntu2.5
ruby1.9.1 1.9.3.0-1ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1733-1
CVE-2012-5371, CVE-2013-0256, CVE-2013-0269
Package Information:
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/3ab98223/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 14:26:32 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1734-1] OpenStack Nova vulnerability
Message-ID: <512682F8.9040101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1734-1
February 21, 2013
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova could be made to crash if it received specially crafted input.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Joshua Harlow discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.12
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1734-1
CVE-2013-1664
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/0370c83f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 17:37:21 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1735-1] OpenJDK vulnerabilities
Message-ID: <5126AFB1.2010400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1735-1
February 21, 2013
openjdk-6, openjdk-7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-1485)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2013-1486, CVE-2013-1487)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-cacao 7u15-2.3.7-0ubuntu1~12.10
icedtea-7-jre-jamvm 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-headless 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-lib 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-zero 7u15-2.3.7-0ubuntu1~12.10
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~12.04
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~12.04
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~11.10
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~11.10
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~10.04
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1735-1
CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,
CVE-2013-1487
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u15-2.3.7-0ubuntu1~12.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~12.04
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~11.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~10.04
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/08734e64/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 18:45:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1736-1] Linux kernel vulnerability
Message-ID: <5126DBE6.6000200@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1736-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-45-386 2.6.32-45.104
linux-image-2.6.32-45-generic 2.6.32-45.104
linux-image-2.6.32-45-generic-pae 2.6.32-45.104
linux-image-2.6.32-45-ia64 2.6.32-45.104
linux-image-2.6.32-45-lpia 2.6.32-45.104
linux-image-2.6.32-45-powerpc 2.6.32-45.104
linux-image-2.6.32-45-powerpc-smp 2.6.32-45.104
linux-image-2.6.32-45-powerpc64-smp 2.6.32-45.104
linux-image-2.6.32-45-preempt 2.6.32-45.104
linux-image-2.6.32-45-server 2.6.32-45.104
linux-image-2.6.32-45-sparc64 2.6.32-45.104
linux-image-2.6.32-45-sparc64-smp 2.6.32-45.104
linux-image-2.6.32-45-versatile 2.6.32-45.104
linux-image-2.6.32-45-virtual 2.6.32-45.104
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1736-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-45.104
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/10d8e620/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 21 Feb 2013 19:47:22 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1737-1] Linux kernel (EC2) vulnerability
Message-ID: <5126EA4A.3060308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1737-1
February 22, 2013
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.61
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1737-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/f1fd3283/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 10
*********************************************************
ubuntu-security-announce Digest, Vol 101, Issue 9
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1730-1] OpenStack Keystone vulnerabilities (Jamie Strandboge)
2. [USN-1731-1] OpenStack Cinder vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 Feb 2013 18:15:39 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1730-1] OpenStack Keystone vulnerabilities
Message-ID: <5125672B.8060201@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1730-1
February 20, 2013
keystone vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Keystone could be made to crash or expose sensitive information over the
network.
Software Description:
- keystone: OpenStack identity service
Details:
Nathanael Burton discovered that Keystone did not properly verify disabled
users. An authenticated but disabled user would continue to have access
rights that were removed. (CVE-2013-0282)
Jonathan Murray discovered that Keystone would allow XML entity processing.
A remote unauthenticated attacker could exploit this to cause a denial of
service via resource exhaustion. Authenticated users could also use this to
view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-keystone 2012.2.1-0ubuntu1.2
Ubuntu 12.04 LTS:
python-keystone 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1730-1
CVE-2013-0282, CVE-2013-1664, CVE-2013-1665
Package Information:
https://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/keystone/2012.1+stable~20120824-a16a0ab9-0ubuntu2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130220/4a246e79/attachment-0001.pgp>
------------------------------
Message: 2
Date: Wed, 20 Feb 2013 20:41:40 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1731-1] OpenStack Cinder vulnerability
Message-ID: <51258964.4090400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1731-1
February 21, 2013
cinder vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Cinder could be made to crash if it received specially crafted input.
Software Description:
- cinder: Cinder storage service - api server
Details:
Stuart Stent discovered that Cinder would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Cinder API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-cinder 2012.2.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1731-1
CVE-2013-1664
Package Information:
https://launchpad.net/ubuntu/+source/cinder/2012.2.1-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130220/31ae218e/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 9
********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1730-1] OpenStack Keystone vulnerabilities (Jamie Strandboge)
2. [USN-1731-1] OpenStack Cinder vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 Feb 2013 18:15:39 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1730-1] OpenStack Keystone vulnerabilities
Message-ID: <5125672B.8060201@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1730-1
February 20, 2013
keystone vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Keystone could be made to crash or expose sensitive information over the
network.
Software Description:
- keystone: OpenStack identity service
Details:
Nathanael Burton discovered that Keystone did not properly verify disabled
users. An authenticated but disabled user would continue to have access
rights that were removed. (CVE-2013-0282)
Jonathan Murray discovered that Keystone would allow XML entity processing.
A remote unauthenticated attacker could exploit this to cause a denial of
service via resource exhaustion. Authenticated users could also use this to
view arbitrary files on the Keystone server. (CVE-2013-1664, CVE-2013-1665)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-keystone 2012.2.1-0ubuntu1.2
Ubuntu 12.04 LTS:
python-keystone 2012.1+stable~20120824-a16a0ab9-0ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1730-1
CVE-2013-0282, CVE-2013-1664, CVE-2013-1665
Package Information:
https://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/keystone/2012.1+stable~20120824-a16a0ab9-0ubuntu2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130220/4a246e79/attachment-0001.pgp>
------------------------------
Message: 2
Date: Wed, 20 Feb 2013 20:41:40 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1731-1] OpenStack Cinder vulnerability
Message-ID: <51258964.4090400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1731-1
February 21, 2013
cinder vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Cinder could be made to crash if it received specially crafted input.
Software Description:
- cinder: Cinder storage service - api server
Details:
Stuart Stent discovered that Cinder would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Cinder API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-cinder 2012.2.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1731-1
CVE-2013-1664
Package Information:
https://launchpad.net/ubuntu/+source/cinder/2012.2.1-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130220/31ae218e/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 9
********************************************************
Wednesday, February 20, 2013
ubuntu-security-announce Digest, Vol 101, Issue 8
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1729-1] Firefox vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Tue, 19 Feb 2013 21:42:00 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1729-1] Firefox vulnerabilities
Message-ID: <51244608.6010601@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1729-1
February 20, 2013
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it opened a
malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Firefox. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash.
(CVE-2013-0783, CVE-2013-0784)
Atte Kettunen discovered that Firefox could perform an out-of-bounds read
while rendering GIF format images. An attacker could exploit this to crash
Firefox. (CVE-2013-0772)
Boris Zbarsky discovered that Firefox did not properly handle some wrapped
WebIDL objects. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2013-0765)
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page, a remote attacker could exploit this to bypass security
protections to obtain sensitive information or potentially execute code
with the privileges of the user invoking Firefox. (CVE-2013-0773)
Frederik Braun that Firefox made the location of the active browser profile
available to JavaScript workers. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Firefox. An attacker could
potentially exploit this to execute code with the privileges of the user
invoking Firefox. (CVE-2013-0775)
Michal Zalewski discovered that Firefox would not always show the correct
address when cancelling a proxy authentication prompt. A remote attacker
could exploit this to conduct URL spoofing and phishing attacks.
(CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Firefox. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
firefox 19.0+build1-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
firefox 19.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 19.0+build1-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
firefox 19.0+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1729-1
CVE-2013-0765, CVE-2013-0772, CVE-2013-0773, CVE-2013-0774,
CVE-2013-0775, CVE-2013-0776, CVE-2013-0777, CVE-2013-0778,
CVE-2013-0779, CVE-2013-0780, CVE-2013-0781, CVE-2013-0782,
CVE-2013-0783, CVE-2013-0784, https://launchpad.net/bugs/1128883
Package Information:
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130219/75571fc1/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 8
********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1729-1] Firefox vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Tue, 19 Feb 2013 21:42:00 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1729-1] Firefox vulnerabilities
Message-ID: <51244608.6010601@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1729-1
February 20, 2013
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it opened a
malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Firefox. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash.
(CVE-2013-0783, CVE-2013-0784)
Atte Kettunen discovered that Firefox could perform an out-of-bounds read
while rendering GIF format images. An attacker could exploit this to crash
Firefox. (CVE-2013-0772)
Boris Zbarsky discovered that Firefox did not properly handle some wrapped
WebIDL objects. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2013-0765)
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page, a remote attacker could exploit this to bypass security
protections to obtain sensitive information or potentially execute code
with the privileges of the user invoking Firefox. (CVE-2013-0773)
Frederik Braun that Firefox made the location of the active browser profile
available to JavaScript workers. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Firefox. An attacker could
potentially exploit this to execute code with the privileges of the user
invoking Firefox. (CVE-2013-0775)
Michal Zalewski discovered that Firefox would not always show the correct
address when cancelling a proxy authentication prompt. A remote attacker
could exploit this to conduct URL spoofing and phishing attacks.
(CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Firefox. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
firefox 19.0+build1-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
firefox 19.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 19.0+build1-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
firefox 19.0+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1729-1
CVE-2013-0765, CVE-2013-0772, CVE-2013-0773, CVE-2013-0774,
CVE-2013-0775, CVE-2013-0776, CVE-2013-0777, CVE-2013-0778,
CVE-2013-0779, CVE-2013-0780, CVE-2013-0781, CVE-2013-0782,
CVE-2013-0783, CVE-2013-0784, https://launchpad.net/bugs/1128883
Package Information:
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130219/75571fc1/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 8
********************************************************
Tuesday, February 19, 2013
ubuntu-security-announce Digest, Vol 101, Issue 7
Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1727-1] Boost vulnerability (Marc Deslauriers)
2. [USN-1728-1] Linux kernel (EC2) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 18 Feb 2013 08:44:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1727-1] Boost vulnerability
Message-ID: <5122304C.40001@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1727-1
February 18, 2013
boost1.49 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Boost incorrectly validated certain UTF-8 sequences.
Software Description:
- boost1.49: C++ representation of time duration, time point, and clocks
Details:
It was discovered that the Boost.Locale library incorrectly validated some
invalid UTF-8 sequences. An attacker could possibly use this issue to
bypass input validation in certain applications.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libboost-locale1.49.0 1.49.0-3.1ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1727-1
CVE-2013-0252
Package Information:
https://launchpad.net/ubuntu/+source/boost1.49/1.49.0-3.1ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130218/de5771fc/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 18 Feb 2013 21:03:43 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1728-1] Linux kernel (EC2) vulnerability
Message-ID: <512307AF.4020808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1728-1
February 19, 2013
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.60
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1728-1
CVE-2013-0190
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.60
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130218/65d3afac/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 7
********************************************************
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1727-1] Boost vulnerability (Marc Deslauriers)
2. [USN-1728-1] Linux kernel (EC2) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 18 Feb 2013 08:44:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1727-1] Boost vulnerability
Message-ID: <5122304C.40001@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1727-1
February 18, 2013
boost1.49 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
Boost incorrectly validated certain UTF-8 sequences.
Software Description:
- boost1.49: C++ representation of time duration, time point, and clocks
Details:
It was discovered that the Boost.Locale library incorrectly validated some
invalid UTF-8 sequences. An attacker could possibly use this issue to
bypass input validation in certain applications.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libboost-locale1.49.0 1.49.0-3.1ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1727-1
CVE-2013-0252
Package Information:
https://launchpad.net/ubuntu/+source/boost1.49/1.49.0-3.1ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130218/de5771fc/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 18 Feb 2013 21:03:43 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1728-1] Linux kernel (EC2) vulnerability
Message-ID: <512307AF.4020808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1728-1
February 19, 2013
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.60
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1728-1
CVE-2013-0190
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.60
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130218/65d3afac/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 7
********************************************************
Subscribe to:
Posts (Atom)