ubuntu-security-announce Digest, Vol 101, Issue 10

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1732-1] OpenSSL vulnerabilities (Marc Deslauriers)
2. [USN-1733-1] Ruby vulnerabilities (Marc Deslauriers)
3. [USN-1734-1] OpenStack Nova vulnerability (Jamie Strandboge)
4. [USN-1735-1] OpenJDK vulnerabilities (Jamie Strandboge)
5. [USN-1736-1] Linux kernel vulnerability (John Johansen)
6. [USN-1737-1] Linux kernel (EC2) vulnerability (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Feb 2013 09:10:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-1] OpenSSL vulnerabilities
Message-ID: <51262AE4.9010007@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1732-1
February 21, 2013

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)

Stephen Henson discovered that OpenSSL incorrectly performed signature
verification for OCSP responses. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.1

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.6

Ubuntu 11.10:
libssl1.0.0 1.0.0e-2ubuntu4.7

Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.14

Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.20

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1732-1
CVE-2012-2686, CVE-2013-0166, CVE-2013-0169

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.6
https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.7
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.14
https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.20


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/27e2d573/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 21 Feb 2013 09:11:22 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1733-1] Ruby vulnerabilities
Message-ID: <51262B0A.2020501@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1733-1
February 21, 2013

ruby1.9.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Ruby.

Software Description:
- ruby1.9.1: Interpreter of object-oriented scripting language Ruby

Details:

Jean-Philippe Aumasson discovered that Ruby incorrectly generated
predictable hash values. An attacker could use this issue to generate hash
collisions and cause a denial of service. (CVE-2012-5371)

Evgeny Ermakov discovered that documentation generated by rdoc is
vulnerable to a cross-site scripting issue. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2013-0256)

Thomas Hollstegge and Ben Murphy discovered that the JSON implementation
in Ruby incorrectly handled certain crafted documents. An attacker could
use this issue to cause a denial of service or bypass certain protection
mechanisms. (CVE-2013-0269)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libruby1.9.1 1.9.3.194-1ubuntu1.3
ruby1.9.1 1.9.3.194-1ubuntu1.3

Ubuntu 12.04 LTS:
libruby1.9.1 1.9.3.0-1ubuntu2.5
ruby1.9.1 1.9.3.0-1ubuntu2.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1733-1
CVE-2012-5371, CVE-2013-0256, CVE-2013-0269

Package Information:
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.5


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/3ab98223/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 21 Feb 2013 14:26:32 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1734-1] OpenStack Nova vulnerability
Message-ID: <512682F8.9040101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1734-1
February 21, 2013

nova vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Nova could be made to crash if it received specially crafted input.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Joshua Harlow discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.2

Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2

Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.12

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1734-1
CVE-2013-1664

Package Information:

https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.2

https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.12




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/0370c83f/attachment-0001.pgp>

------------------------------

Message: 4
Date: Thu, 21 Feb 2013 17:37:21 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1735-1] OpenJDK vulnerabilities
Message-ID: <5126AFB1.2010400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1735-1
February 21, 2013

openjdk-6, openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation

Details:

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)

A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-1485)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2013-1486, CVE-2013-1487)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
icedtea-7-jre-cacao 7u15-2.3.7-0ubuntu1~12.10
icedtea-7-jre-jamvm 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-headless 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-lib 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-zero 7u15-2.3.7-0ubuntu1~12.10

Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~12.04
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~12.04

Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~11.10
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~11.10

Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~10.04

This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1735-1
CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,
CVE-2013-1487

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u15-2.3.7-0ubuntu1~12.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~12.04
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~11.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~10.04




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/08734e64/attachment-0001.pgp>

------------------------------

Message: 5
Date: Thu, 21 Feb 2013 18:45:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1736-1] Linux kernel vulnerability
Message-ID: <5126DBE6.6000200@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1736-1
February 22, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-45-386 2.6.32-45.104
linux-image-2.6.32-45-generic 2.6.32-45.104
linux-image-2.6.32-45-generic-pae 2.6.32-45.104
linux-image-2.6.32-45-ia64 2.6.32-45.104
linux-image-2.6.32-45-lpia 2.6.32-45.104
linux-image-2.6.32-45-powerpc 2.6.32-45.104
linux-image-2.6.32-45-powerpc-smp 2.6.32-45.104
linux-image-2.6.32-45-powerpc64-smp 2.6.32-45.104
linux-image-2.6.32-45-preempt 2.6.32-45.104
linux-image-2.6.32-45-server 2.6.32-45.104
linux-image-2.6.32-45-sparc64 2.6.32-45.104
linux-image-2.6.32-45-sparc64-smp 2.6.32-45.104
linux-image-2.6.32-45-versatile 2.6.32-45.104
linux-image-2.6.32-45-virtual 2.6.32-45.104

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1736-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-45.104

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/10d8e620/attachment-0001.pgp>

------------------------------

Message: 6
Date: Thu, 21 Feb 2013 19:47:22 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1737-1] Linux kernel (EC2) vulnerability
Message-ID: <5126EA4A.3060308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1737-1
February 22, 2013

linux-ec2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-ec2: Linux kernel for EC2

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.61

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1737-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.61

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/f1fd3283/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 101, Issue 10
*********************************************************