Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1732-1] OpenSSL vulnerabilities (Marc Deslauriers)
2. [USN-1733-1] Ruby vulnerabilities (Marc Deslauriers)
3. [USN-1734-1] OpenStack Nova vulnerability (Jamie Strandboge)
4. [USN-1735-1] OpenJDK vulnerabilities (Jamie Strandboge)
5. [USN-1736-1] Linux kernel vulnerability (John Johansen)
6. [USN-1737-1] Linux kernel (EC2) vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 21 Feb 2013 09:10:44 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-1] OpenSSL vulnerabilities
Message-ID: <51262AE4.9010007@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1732-1
February 21, 2013
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Stephen Henson discovered that OpenSSL incorrectly performed signature
verification for OCSP responses. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.1
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.6
Ubuntu 11.10:
libssl1.0.0 1.0.0e-2ubuntu4.7
Ubuntu 10.04 LTS:
libssl0.9.8 0.9.8k-7ubuntu8.14
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.20
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-1
CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.6
https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.7
https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.14
https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.20
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/27e2d573/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 21 Feb 2013 09:11:22 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1733-1] Ruby vulnerabilities
Message-ID: <51262B0A.2020501@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1733-1
February 21, 2013
ruby1.9.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby1.9.1: Interpreter of object-oriented scripting language Ruby
Details:
Jean-Philippe Aumasson discovered that Ruby incorrectly generated
predictable hash values. An attacker could use this issue to generate hash
collisions and cause a denial of service. (CVE-2012-5371)
Evgeny Ermakov discovered that documentation generated by rdoc is
vulnerable to a cross-site scripting issue. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents, or steal
confidential data, within the same domain. (CVE-2013-0256)
Thomas Hollstegge and Ben Murphy discovered that the JSON implementation
in Ruby incorrectly handled certain crafted documents. An attacker could
use this issue to cause a denial of service or bypass certain protection
mechanisms. (CVE-2013-0269)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libruby1.9.1 1.9.3.194-1ubuntu1.3
ruby1.9.1 1.9.3.194-1ubuntu1.3
Ubuntu 12.04 LTS:
libruby1.9.1 1.9.3.0-1ubuntu2.5
ruby1.9.1 1.9.3.0-1ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1733-1
CVE-2012-5371, CVE-2013-0256, CVE-2013-0269
Package Information:
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.3
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/3ab98223/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 21 Feb 2013 14:26:32 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1734-1] OpenStack Nova vulnerability
Message-ID: <512682F8.9040101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1734-1
February 21, 2013
nova vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Nova could be made to crash if it received specially crafted input.
Software Description:
- nova: OpenStack Compute cloud infrastructure
Details:
Joshua Harlow discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. (CVE-2013-1664)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.12
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1734-1
CVE-2013-1664
Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.12
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/0370c83f/attachment-0001.pgp>
------------------------------
Message: 4
Date: Thu, 21 Feb 2013 17:37:21 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1735-1] OpenJDK vulnerabilities
Message-ID: <5126AFB1.2010400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1735-1
February 21, 2013
openjdk-6, openjdk-7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-1485)
Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2013-1486, CVE-2013-1487)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-cacao 7u15-2.3.7-0ubuntu1~12.10
icedtea-7-jre-jamvm 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-headless 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-lib 7u15-2.3.7-0ubuntu1~12.10
openjdk-7-jre-zero 7u15-2.3.7-0ubuntu1~12.10
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~12.04
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~12.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~12.04
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~11.10
icedtea-6-jre-jamvm 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~11.10
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~11.10
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-headless 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-lib 6b27-1.12.3-0ubuntu1~10.04
openjdk-6-jre-zero 6b27-1.12.3-0ubuntu1~10.04
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1735-1
CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,
CVE-2013-1487
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u15-2.3.7-0ubuntu1~12.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~12.04
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~11.10
https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.3-0ubuntu1~10.04
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/08734e64/attachment-0001.pgp>
------------------------------
Message: 5
Date: Thu, 21 Feb 2013 18:45:58 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1736-1] Linux kernel vulnerability
Message-ID: <5126DBE6.6000200@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1736-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-45-386 2.6.32-45.104
linux-image-2.6.32-45-generic 2.6.32-45.104
linux-image-2.6.32-45-generic-pae 2.6.32-45.104
linux-image-2.6.32-45-ia64 2.6.32-45.104
linux-image-2.6.32-45-lpia 2.6.32-45.104
linux-image-2.6.32-45-powerpc 2.6.32-45.104
linux-image-2.6.32-45-powerpc-smp 2.6.32-45.104
linux-image-2.6.32-45-powerpc64-smp 2.6.32-45.104
linux-image-2.6.32-45-preempt 2.6.32-45.104
linux-image-2.6.32-45-server 2.6.32-45.104
linux-image-2.6.32-45-sparc64 2.6.32-45.104
linux-image-2.6.32-45-sparc64-smp 2.6.32-45.104
linux-image-2.6.32-45-versatile 2.6.32-45.104
linux-image-2.6.32-45-virtual 2.6.32-45.104
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1736-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-45.104
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/10d8e620/attachment-0001.pgp>
------------------------------
Message: 6
Date: Thu, 21 Feb 2013 19:47:22 -0800
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1737-1] Linux kernel (EC2) vulnerability
Message-ID: <5126EA4A.3060308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1737-1
February 22, 2013
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-350-ec2 2.6.32-350.61
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1737-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-350.61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130221/f1fd3283/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 101, Issue 10
*********************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2013
(149)
-
▼
February
(15)
- ubuntu-security-announce Digest, Vol 101, Issue 15
- ubuntu-security-announce Digest, Vol 101, Issue 14
- ubuntu-security-announce Digest, Vol 101, Issue 13
- ubuntu-security-announce Digest, Vol 101, Issue 12
- ubuntu-security-announce Digest, Vol 101, Issue 11
- ubuntu-security-announce Digest, Vol 101, Issue 10
- ubuntu-security-announce Digest, Vol 101, Issue 9
- ubuntu-security-announce Digest, Vol 101, Issue 8
- ubuntu-security-announce Digest, Vol 101, Issue 7
- ubuntu-security-announce Digest, Vol 101, Issue 6
- ubuntu-security-announce Digest, Vol 101, Issue 5
- ubuntu-security-announce Digest, Vol 101, Issue 4
- ubuntu-security-announce Digest, Vol 101, Issue 3
- ubuntu-security-announce Digest, Vol 101, Issue 2
- ubuntu-security-announce Digest, Vol 101, Issue 1
-
▼
February
(15)
No comments:
Post a Comment