ubuntu-security-announce Digest, Vol 102, Issue 16

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1783-1] Bind vulnerability (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Fri, 29 Mar 2013 09:03:04 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1783-1] Bind vulnerability
Message-ID: <51559108.8040101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1783-1
March 29, 2013

bind9 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Bind could be made to consume memory or crash if it received specially
crafted network traffic.

Software Description:
- bind9: Internet Domain Name Server

Details:

Matthew Horsfall discovered that Bind incorrectly handled regular
expression checking. A remote attacker could use this flaw to cause Bind to
consume an excessive amount of memory, possibly resulting in a denial of
service. This issue was corrected by disabling RDATA regular expression
syntax checking.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
bind9 1:9.8.1.dfsg.P1-4.2ubuntu3.2
libdns81 1:9.8.1.dfsg.P1-4.2ubuntu3.2

Ubuntu 12.04 LTS:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.6
libdns81 1:9.8.1.dfsg.P1-4ubuntu0.6

Ubuntu 11.10:
bind9 1:9.7.3.dfsg-1ubuntu4.6
libdns69 1:9.7.3.dfsg-1ubuntu4.6

Ubuntu 10.04 LTS:
bind9 1:9.7.0.dfsg.P1-1ubuntu0.9
libdns64 1:9.7.0.dfsg.P1-1ubuntu0.9

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1783-1
CVE-2013-2266

Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.8.1.dfsg.P1-4.2ubuntu3.2
https://launchpad.net/ubuntu/+source/bind9/1:9.8.1.dfsg.P1-4ubuntu0.6
https://launchpad.net/ubuntu/+source/bind9/1:9.7.3.dfsg-1ubuntu4.6
https://launchpad.net/ubuntu/+source/bind9/1:9.7.0.dfsg.P1-1ubuntu0.9


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130329/13fbe940/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 16
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 15

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1782-1] libxml2 vulnerability (Marc Deslauriers)
2. Ubuntu 8.04 (Hardy Heron) reaches End of Life on May 9 2013
(Adam Conrad)
3. Ubuntu 10.04 (Lucid Lynx) Desktop reaches End of Life on May
9 2013 (Adam Conrad)
4. Ubuntu 11.10 (Oneiric Ocelot) reaches End of Life on May 9
2013 (Adam Conrad)


----------------------------------------------------------------------

Message: 1
Date: Thu, 28 Mar 2013 10:23:12 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1782-1] libxml2 vulnerability
Message-ID: <51545250.3030407@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1782-1
March 28, 2013

libxml2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

libxml2 could be made to hang if it received specially crafted input.

Software Description:
- libxml2: GNOME XML library

Details:

It was discovered that libxml2 incorrectly handled XML entity expansion.
An attacker could use this flaw to cause libxml2 to consume large amounts
of resources, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libxml2 2.8.0+dfsg1-5ubuntu2.2

Ubuntu 12.04 LTS:
libxml2 2.7.8.dfsg-5.1ubuntu4.4

Ubuntu 11.10:
libxml2 2.7.8.dfsg-4ubuntu0.6

Ubuntu 10.04 LTS:
libxml2 2.7.6.dfsg-1ubuntu1.8

Ubuntu 8.04 LTS:
libxml2 2.6.31.dfsg-2ubuntu1.12

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1782-1
CVE-2013-0338

Package Information:
https://launchpad.net/ubuntu/+source/libxml2/2.8.0+dfsg1-5ubuntu2.2
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-5.1ubuntu4.4
https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-4ubuntu0.6
https://launchpad.net/ubuntu/+source/libxml2/2.7.6.dfsg-1ubuntu1.8
https://launchpad.net/ubuntu/+source/libxml2/2.6.31.dfsg-2ubuntu1.12


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130328/414087cc/attachment-0001.pgp>

------------------------------

Message: 2
Date: Fri, 29 Mar 2013 00:12:06 -0600
From: Adam Conrad <adconrad@ubuntu.com>
To: ubuntu-announce@lists.ubuntu.com
Cc: ubuntu-security-announce@lists.ubuntu.com
Subject: Ubuntu 8.04 (Hardy Heron) reaches End of Life on May 9 2013
Message-ID: <20130329061206.GY29056@0c3.net>
Content-Type: text/plain; charset=us-ascii

Ubuntu announced its 8.04 (Hardy Heron) release almost 5 years ago,
on April 24, 2008. As with the earlier LTS releases, Ubuntu committed
to ongoing security and critical fixes for a period of 5 years. The
support period is now nearing its end and Ubuntu 8.04 will reach end
of life on Thursday, May 9th. At that time, Ubuntu Security Notices
will no longer include information or updated packages for Ubuntu 8.04.

The supported upgrade path from Ubuntu 8.04 is via Ubuntu 10.04.
Users are encouraged to evaluate and upgrade to our latest 12.04 LTS
release via 10.04. Instructions and caveats for the upgrades may be
found at https://help.ubuntu.com/community/LucidUpgrades and
https://help.ubuntu.com/community/PreciseUpgrades. Ubuntu 10.04 and
12.04 continue to be actively supported with security updates and
select high-impact bug fixes. All announcements of official security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce.

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad



------------------------------

Message: 3
Date: Fri, 29 Mar 2013 00:12:59 -0600
From: Adam Conrad <adconrad@ubuntu.com>
To: ubuntu-announce@lists.ubuntu.com
Cc: ubuntu-security-announce@lists.ubuntu.com
Subject: Ubuntu 10.04 (Lucid Lynx) Desktop reaches End of Life on May
9 2013
Message-ID: <20130329061259.GZ29056@0c3.net>
Content-Type: text/plain; charset=us-ascii

Ubuntu announced its 10.04 (Lucid Lynx) release almost 3 years ago,
on April 29, 2010. As with the earlier LTS releases, Ubuntu committed
to ongoing security and critical fixes for a period of 3 years on the
desktop. The support period is now nearing its end and Ubuntu 10.04
Desktop will reach end of life on Thursday, May 9th. At that time,
Ubuntu Security Notices will no longer include information or updated
packages for Ubuntu 10.04 Desktop. Ubuntu 10.04 Server continues to
be supported for another 2 years.

The supported upgrade path from Ubuntu 10.04 is via Ubuntu 12.04.
Instructions and caveats for the upgrade may be found at
https://help.ubuntu.com/community/PreciseUpgrades. Ubuntu 12.04
continues to be actively supported with security updates and
select high-impact bug fixes. All announcements of official security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce.

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad



------------------------------

Message: 4
Date: Fri, 29 Mar 2013 00:11:09 -0600
From: Adam Conrad <adconrad@ubuntu.com>
To: ubuntu-announce@lists.ubuntu.com
Cc: ubuntu-security-announce@lists.ubuntu.com
Subject: Ubuntu 11.10 (Oneiric Ocelot) reaches End of Life on May 9
2013
Message-ID: <20130329061109.GX29056@0c3.net>
Content-Type: text/plain; charset=us-ascii

Ubuntu announced its 11.10 (Oneiric Ocelot) release almost 18 months
ago, on October 13, 2011. As with the earlier releases, Ubuntu
committed to ongoing security and critical fixes for a period of 18
months. The support period is now nearing its end and Ubuntu 11.10
will reach end of life on Thursday, May 9th. At that time, Ubuntu
Security Notices will no longer include information or updated
packages for Ubuntu 11.10.

The supported upgrade path from Ubuntu 11.10 is via Ubuntu 12.04.
Instructions and caveats for the upgrade may be found at
https://help.ubuntu.com/community/PreciseUpgrades. Ubuntu 12.04
continues to be actively supported with security updates and
select high-impact bug fixes. All announcements of official security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce.

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad



------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 15
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 14

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1781-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Mar 2013 07:51:58 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1781-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <5151B60E.4040106@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1781-1
March 26, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's
Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged
guest OS user could exploit this flaw to cause a denial of service (crash
the system) or gain guest OS privilege. (CVE-2013-0228)

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the
Linux kernel. An unprivileged local user code exploit this flaw to cause a
denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak from
the kernel. (CVE-2013-0349)

A flaw was discovered in the Edgeort USB serial converter driver when the
device is disconnected while it is in use. A local user could exploit this
flaw to cause a denial of service (system crash). (CVE-2013-1774)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1427-omap4 3.2.0-1427.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1781-1
CVE-2013-0228, CVE-2013-0268, CVE-2013-0311, CVE-2013-0313,
CVE-2013-0349, CVE-2013-1774

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1427.36

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130326/896026d0/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 14
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 13

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1732-3] OpenSSL vulnerability (Marc Deslauriers)
2. [USN-1779-1] GNOME Online Accounts vulnerability
(Marc Deslauriers)
3. [USN-1780-1] Ruby vulnerability (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Mar 2013 09:45:17 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-3] OpenSSL vulnerability
Message-ID: <515054ED.7020103@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1732-3
March 25, 2013

openssl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This
update restores the security fix, and includes an extra fix from upstream
to address the AES-NI regression. We apologize for the inconvenience.

Original advisory details:

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as
used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.3

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.8

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1732-3
http://www.ubuntu.com/usn/usn-1732-1
CVE-2013-0169

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.8


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130325/42f1f977/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 25 Mar 2013 10:17:14 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1779-1] GNOME Online Accounts vulnerability
Message-ID: <51505C6A.5070303@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1779-1
March 25, 2013

gnome-online-accounts vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

GNOME Online Accounts could be made to expose sensitive information over
the network.

Software Description:
- gnome-online-accounts: GNOME Online Accounts

Details:

It was discovered that GNOME Online Accounts did not properly check SSL
certificates when configuring online accounts. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise credentials and confidential information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
gnome-online-accounts 3.6.0-0ubuntu1.1
libgoa-1.0-0 3.6.0-0ubuntu1.1

Ubuntu 12.04 LTS:
gnome-online-accounts 3.4.0-0ubuntu1.1
libgoa-1.0-0 3.4.0-0ubuntu1.1

Ubuntu 11.10:
gnome-online-accounts 3.2.1-0ubuntu1.1
libgoa-1.0-0 3.2.1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1779-1
CVE-2013-0240, CVE-2013-1799

Package Information:

https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.6.0-0ubuntu1.1

https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.4.0-0ubuntu1.1

https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.2.1-0ubuntu1.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130325/e5e483dc/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 25 Mar 2013 13:50:46 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1780-1] Ruby vulnerability
Message-ID: <51508E76.8000106@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1780-1
March 25, 2013

ruby1.8, ruby1.9.1 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Ruby could be made to hang if it received specially crafted input.

Software Description:
- ruby1.8: Object-oriented scripting language
- ruby1.9.1: Object-oriented scripting language

Details:

Ben Murphy discovered that the Ruby REXML library incorrectly handled XML
entity expansion. An attacker could use this flaw to cause Ruby to consume
large amounts of memory, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libruby1.8 1.8.7.358-4ubuntu0.2
libruby1.9.1 1.9.3.194-1ubuntu1.4
ruby1.8 1.8.7.358-4ubuntu0.2
ruby1.9.1 1.9.3.194-1ubuntu1.4

Ubuntu 12.04 LTS:
libruby1.8 1.8.7.352-2ubuntu1.2
libruby1.9.1 1.9.3.0-1ubuntu2.6
ruby1.8 1.8.7.352-2ubuntu1.2
ruby1.9.1 1.9.3.0-1ubuntu2.6

Ubuntu 11.10:
libruby1.8 1.8.7.352-2ubuntu0.3
ruby1.8 1.8.7.352-2ubuntu0.3

Ubuntu 10.04 LTS:
libruby1.8 1.8.7.249-2ubuntu0.3
ruby1.8 1.8.7.249-2ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1780-1
CVE-2013-1821

Package Information:
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-4ubuntu0.2
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.4
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.2
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.6
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu0.3
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.249-2ubuntu0.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130325/a96e9880/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 13
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 12

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1775-1] Linux kernel vulnerabilities (John Johansen)
2. [USN-1776-1] Linux kernel (EC2) vulnerabilities (John Johansen)
3. [USN-1778-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Mar 2013 16:18:47 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1775-1] Linux kernel vulnerabilities
Message-ID: <514CE6D7.7030607@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1775-1
March 22, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernels handling of memory ranges with
PROT_NONE when transparent hugepages are in use. An unprivileged local user
could exploit this flaw to cause a denial of service (crash the system).
(CVE-2013-0309)

A flaw was discovered on the Linux kernel's VFAT filesystem driver when a
disk is mounted with the utf8 option (this is the default on Ubuntu). On a
system where disks/images can be auto-mounted or a FAT filesystem is
mounted an unprivileged user can exploit the flaw to gain root privileges.
(CVE-2013-1773)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-46-386 2.6.32-46.105
linux-image-2.6.32-46-generic 2.6.32-46.105
linux-image-2.6.32-46-generic-pae 2.6.32-46.105
linux-image-2.6.32-46-ia64 2.6.32-46.105
linux-image-2.6.32-46-lpia 2.6.32-46.105
linux-image-2.6.32-46-powerpc 2.6.32-46.105
linux-image-2.6.32-46-powerpc-smp 2.6.32-46.105
linux-image-2.6.32-46-powerpc64-smp 2.6.32-46.105
linux-image-2.6.32-46-preempt 2.6.32-46.105
linux-image-2.6.32-46-server 2.6.32-46.105
linux-image-2.6.32-46-sparc64 2.6.32-46.105
linux-image-2.6.32-46-sparc64-smp 2.6.32-46.105
linux-image-2.6.32-46-versatile 2.6.32-46.105
linux-image-2.6.32-46-virtual 2.6.32-46.105

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1775-1
CVE-2013-0268, CVE-2013-0309, CVE-2013-1773

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-46.105

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130322/e634a05d/attachment-0001.pgp>

------------------------------

Message: 2
Date: Fri, 22 Mar 2013 16:25:38 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1776-1] Linux kernel (EC2) vulnerabilities
Message-ID: <514CE872.1020409@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1776-1
March 22, 2013

linux-ec2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ec2: Linux kernel for EC2

Details:

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernels handling of memory ranges with
PROT_NONE when transparent hugepages are in use. An unprivileged local user
could exploit this flaw to cause a denial of service (crash the system).
(CVE-2013-0309)

A flaw was discovered on the Linux kernel's VFAT filesystem driver when a
disk is mounted with the utf8 option (this is the default on Ubuntu). On a
system where disks/images can be auto-mounted or a FAT filesystem is
mounted an unprivileged user can exploit the flaw to gain root privileges.
(CVE-2013-1773)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-351-ec2 2.6.32-351.62

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1776-1
CVE-2013-0268, CVE-2013-0309, CVE-2013-1773

Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-351.62

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130322/1b27692f/attachment-0001.pgp>

------------------------------

Message: 3
Date: Fri, 22 Mar 2013 16:39:20 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1778-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <514CEBA8.3060105@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1778-1
March 22, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's
Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged
guest OS user could exploit this flaw to cause a denial of service (crash
the system) or gain guest OS privilege. (CVE-2013-0228)

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak from
the kernel. (CVE-2013-0349)

A flaw was discovered on the Linux kernel's VFAT filesystem driver when a
disk is mounted with the utf8 option (this is the default on Ubuntu). On a
system where disks/images can be auto-mounted or a FAT filesystem is
mounted an unprivileged user can exploit the flaw to gain root privileges.
(CVE-2013-1773)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
linux-image-3.0.0-1222-omap4 3.0.0-1222.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1778-1
CVE-2013-0228, CVE-2013-0268, CVE-2013-0311, CVE-2013-0349,
CVE-2013-1773

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.0.0-1222.36

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130322/7dacd28c/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 12
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 11

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1773-1] ClamAV vulnerabilities (Marc Deslauriers)
2. [USN-1774-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Mar 2013 08:29:54 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1773-1] ClamAV vulnerabilities
Message-ID: <514AFD42.20107@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1773-1
March 21, 2013

clamav vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in ClamAV.

Software Description:
- clamav: Anti-virus utility for Unix

Details:

Felix Groebert, Mateusz Jurczyk and Gynvael Coldwind discovered multiple
security issues with ClamAV. An attacker could use these issues to cause
ClamAV to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
clamav 0.97.7+dfsg-1ubuntu0.12.10.1
clamav-daemon 0.97.7+dfsg-1ubuntu0.12.10.1
libclamav6 0.97.7+dfsg-1ubuntu0.12.10.1

Ubuntu 12.04 LTS:
clamav 0.97.7+dfsg-1ubuntu0.12.04.1
clamav-daemon 0.97.7+dfsg-1ubuntu0.12.04.1
libclamav6 0.97.7+dfsg-1ubuntu0.12.04.1

Ubuntu 11.10:
clamav 0.97.7+dfsg-1ubuntu0.11.10.1
clamav-daemon 0.97.7+dfsg-1ubuntu0.11.10.1
libclamav6 0.97.7+dfsg-1ubuntu0.11.10.1

Ubuntu 10.04 LTS:
clamav 0.97.7+dfsg-1ubuntu0.10.04.1
clamav-daemon 0.97.7+dfsg-1ubuntu0.10.04.1
libclamav6 0.97.7+dfsg-1ubuntu0.10.04.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1773-1
https://launchpad.net/bugs/1157385

Package Information:
https://launchpad.net/ubuntu/+source/clamav/0.97.7+dfsg-1ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/clamav/0.97.7+dfsg-1ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/clamav/0.97.7+dfsg-1ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/clamav/0.97.7+dfsg-1ubuntu0.10.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130321/0ae7094c/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 21 Mar 2013 06:14:57 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1774-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <514B07D1.3050007@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1774-1
March 21, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen
netback (network backend) driver. A user in a guest OS may exploit this
flaw to cause a denial of service to the guest OS and other guest domains.
(CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network
backend) driver. A user in a guest OS could trigger this flaw to cause a
denial of service on the system. (CVE-2013-0217)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI
device is assigned to the guest OS, the guest OS could exploit this flaw to
cause a denial of service on the host. (CVE-2013-0231)

Tommi Rantala discovered a flaw in the a flaw the Linux kernels handling of
datagrams packets when the MSG_PEEK flag is specified. An unprivileged
local user could exploit this flaw to cause a denial of service (system
hang). (CVE-2013-0290)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-221-omap4 3.5.0-221.31

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1774-1
CVE-2013-0190, CVE-2013-0216, CVE-2013-0217, CVE-2013-0231,
CVE-2013-0290, CVE-2013-0311

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-221.31

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130321/125b8037/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 11
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 10

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1771-1] OpenStack Nova vulnerabilities (Jamie Strandboge)
2. [USN-1772-1] OpenStack Keystone vulnerability (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Wed, 20 Mar 2013 15:30:32 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1771-1] OpenStack Nova vulnerabilities
Message-ID: <514A1C68.8040000@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1771-1
March 20, 2013

nova vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Two security issues were fixed in Nova.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Loganathan Parthipan discovered that Nova did not properly validate VNC
tokens after an instance was deleted. An authenticated attacker could
exploit this to access other virtual machines under certain circumstances.
This issue did not affect Ubuntu 11.10. (CVE-2013-0335)

Vish Ishaya discovered that Nova did not always enforce quotas on fixed
IPs. An authenticated attacker could exploit this to cause a denial of
service via resource consumption. Nova will now enforce a quota limit of
10 fixed IPs per instance, which is configurable via 'quota_fixed_ips'
in /etc/nova/nova.conf. (CVE-2013-1838)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-nova
2012.2.1+stable-20121212-a99a802e-0ubuntu1.4

Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.4

Ubuntu 11.10:
python-nova 2011.3-0ubuntu6.13

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1771-1
CVE-2013-0335, CVE-2013-1838

Package Information:

https://launchpad.net/ubuntu/+source/nova/2012.2.1+stable-20121212-a99a802e-0ubuntu1.4

https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20120827-4d2a4afe-0ubuntu1.4
https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.13




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130320/e18fdf88/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 20 Mar 2013 15:55:03 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1772-1] OpenStack Keystone vulnerability
Message-ID: <514A2227.3060101@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1772-1
March 20, 2013

keystone vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Under certain configurations, Keystone would allow unintended access over
the network.

Software Description:
- keystone: OpenStack identity service

Details:

Guang Yee discovered that Keystone would not always perform all
verification checks when configured to use PKI. If the keystone server was
configured to use PKI and services or users requested online verification,
an attacker could potentially exploit this to bypass revocation checks.
Keystone uses UUID tokens by default in Ubuntu.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-keystone 2012.2.1-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1772-1
CVE-2013-1865

Package Information:
https://launchpad.net/ubuntu/+source/keystone/2012.2.1-0ubuntu1.3




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130320/33cb5a7c/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 10
*********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 9

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1770-1] Perl vulnerability (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Tue, 19 Mar 2013 14:23:38 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1770-1] Perl vulnerability
Message-ID: <5148AD2A.1000308@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1770-1
March 19, 2013

perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Perl could be made to stop responding if it received specially crafted
input.

Software Description:
- perl: Practical Extraction and Report Language

Details:

Yves Orton discovered that Perl incorrectly handled hashing when using
user-provided hash keys. An attacker could use this flaw to perform a
denial of service attack against software written in Perl.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
perl 5.14.2-13ubuntu0.2

Ubuntu 12.04 LTS:
perl 5.14.2-6ubuntu2.3

Ubuntu 11.10:
perl 5.12.4-4ubuntu0.2

Ubuntu 10.04 LTS:
perl 5.10.1-8ubuntu2.3

Ubuntu 8.04 LTS:
perl 5.8.8-12ubuntu0.8

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1770-1
CVE-2013-1667

Package Information:
https://launchpad.net/ubuntu/+source/perl/5.14.2-13ubuntu0.2
https://launchpad.net/ubuntu/+source/perl/5.14.2-6ubuntu2.3
https://launchpad.net/ubuntu/+source/perl/5.12.4-4ubuntu0.2
https://launchpad.net/ubuntu/+source/perl/5.10.1-8ubuntu2.3
https://launchpad.net/ubuntu/+source/perl/5.8.8-12ubuntu0.8


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130319/7f8cdc7b/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 9
********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 8

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1765-1] Apache HTTP Server vulnerabilities (Marc Deslauriers)
2. [USN-1766-1] pam-xdg-support vulnerability (Marc Deslauriers)
3. [USN-1767-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1768-1] Linux kernel (Quantal HWE) vulnerabilities
(John Johansen)
5. [USN-1769-1] Linux kernel vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Mon, 18 Mar 2013 09:37:48 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1765-1] Apache HTTP Server vulnerabilities
Message-ID: <514718AC.4090400@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1765-1
March 18, 2013

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Several security issues were fixed in the Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

Niels Heinen discovered that multiple modules incorrectly sanitized certain
strings, which could result in browsers becoming vulnerable to cross-site
scripting attacks when processing the output. With cross-site scripting
vulnerabilities, if a user were tricked into viewing server output during a
crafted server request, a remote attacker could exploit this to modify the
contents, or steal confidential data (such as passwords), within the same
domain. (CVE-2012-3499, CVE-2012-4558)

It was discovered that the mod_proxy_ajp module incorrectly handled error
states. A remote attacker could use this issue to cause the server to stop
responding, resulting in a denial of service. This issue only applied to
Ubuntu 8.04 LTS, Ubuntu 10.04 LTS and Ubuntu 11.10. (CVE-2012-4557)

It was discovered that the apache2ctl script shipped in Ubuntu packages
incorrectly created the lock directory. A local attacker could possibly use
this issue to gain privileges. The symlink protections in Ubuntu 11.10 and
later should reduce this vulnerability to a denial of service.
(CVE-2013-1048)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
apache2.2-common 2.2.22-6ubuntu2.2

Ubuntu 12.04 LTS:
apache2.2-common 2.2.22-1ubuntu1.3

Ubuntu 11.10:
apache2.2-common 2.2.20-1ubuntu1.4

Ubuntu 10.04 LTS:
apache2.2-common 2.2.14-5ubuntu8.11

Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.25

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1765-1
CVE-2012-3499, CVE-2012-4557, CVE-2012-4558, CVE-2013-1048

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.2.22-6ubuntu2.2
https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.3
https://launchpad.net/ubuntu/+source/apache2/2.2.20-1ubuntu1.4
https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.11
https://launchpad.net/ubuntu/+source/apache2/2.2.8-1ubuntu0.25


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130318/44ff4163/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 18 Mar 2013 13:19:33 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1766-1] pam-xdg-support vulnerability
Message-ID: <51474CA5.2000507@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1766-1
March 18, 2013

pam-xdg-support vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

pam-xdg-support could be made to run programs as an administrator.

Software Description:
- pam-xdg-support: PAM module for XDG_RUNTIME_DIR support

Details:

Zbigniew Tenerowicz and Sebastian Krzyszkowiak discovered that
pam-xdg-support incorrectly handled the PATH environment variable. A local
attacker could use this issue in combination with sudo to possibly escalate
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libpam-xdg-support 0.2-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1766-1
CVE-2013-1052

Package Information:
https://launchpad.net/ubuntu/+source/pam-xdg-support/0.2-0ubuntu1.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130318/2e32cf9a/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 18 Mar 2013 14:45:29 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1767-1] Linux kernel vulnerabilities
Message-ID: <51478AF9.3030907@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1767-1
March 18, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen
netback (network backend) driver. A user in a guest OS may exploit this
flaw to cause a denial of service to the guest OS and other guest domains.
(CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network
backend) driver. A user in a guest OS could trigger this flaw to cause a
denial of service on the system. (CVE-2013-0217)

Andrew Jones discovered a flaw with the xen_iret function in Linux kernel's
Xen virtualizeation. In the 32-bit Xen paravirt platform an unprivileged
guest OS user could exploit this flaw to cause a denial of service (crash
the system) or gain guest OS privilege. (CVE-2013-0228)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI
device is assigned to the guest OS, the guest OS could exploit this flaw to
cause a denial of service on the host. (CVE-2013-0231)

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the
Linux kernel. An unprivileged local user code exploit this flaw to cause a
denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak from
the kernel. (CVE-2013-0349)

A flaw was discovered in the Edgeort USB serial converter driver when the
device is disconnected while it is in use. A local user could exploit this
flaw to cause a denial of service (system crash). (CVE-2013-1774)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-39-generic 3.2.0-39.62
linux-image-3.2.0-39-generic-pae 3.2.0-39.62
linux-image-3.2.0-39-highbank 3.2.0-39.62
linux-image-3.2.0-39-omap 3.2.0-39.62
linux-image-3.2.0-39-powerpc-smp 3.2.0-39.62
linux-image-3.2.0-39-powerpc64-smp 3.2.0-39.62
linux-image-3.2.0-39-virtual 3.2.0-39.62

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1767-1
CVE-2013-0190, CVE-2013-0216, CVE-2013-0217, CVE-2013-0228,
CVE-2013-0231, CVE-2013-0268, CVE-2013-0311, CVE-2013-0313,
CVE-2013-0349, CVE-2013-1774

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-39.62

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130318/18757364/attachment-0001.pgp>

------------------------------

Message: 4
Date: Mon, 18 Mar 2013 14:53:49 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1768-1] Linux kernel (Quantal HWE) vulnerabilities
Message-ID: <51478CED.2010808@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1768-1
March 18, 2013

linux-lts-quantal vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen
netback (network backend) driver. A user in a guest OS may exploit this
flaw to cause a denial of service to the guest OS and other guest domains.
(CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network
backend) driver. A user in a guest OS could trigger this flaw to cause a
denial of service on the system. (CVE-2013-0217)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI
device is assigned to the guest OS, the guest OS could exploit this flaw to
cause a denial of service on the host. (CVE-2013-0231)

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

Tommi Rantala discovered a flaw in the a flaw the Linux kernels handling of
datagrams packets when the MSG_PEEK flag is specified. An unprivileged
local user could exploit this flaw to cause a denial of service (system
hang). (CVE-2013-0290)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the
Linux kernel. An unprivileged local user code exploit this flaw to cause a
denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak from
the kernel. (CVE-2013-0349)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-26-generic 3.5.0-26.42~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1768-1
CVE-2013-0190, CVE-2013-0216, CVE-2013-0217, CVE-2013-0231,
CVE-2013-0268, CVE-2013-0290, CVE-2013-0311, CVE-2013-0313,
CVE-2013-0349

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-26.42~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130318/926f7b40/attachment-0001.pgp>

------------------------------

Message: 5
Date: Mon, 18 Mar 2013 15:04:34 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1769-1] Linux kernel vulnerabilities
Message-ID: <51478F72.8010307@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1769-1
March 18, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux
kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest
kernel to crash, or operate erroneously. (CVE-2013-0190)

A failure to validate input was discovered in the Linux kernel's Xen
netback (network backend) driver. A user in a guest OS may exploit this
flaw to cause a denial of service to the guest OS and other guest domains.
(CVE-2013-0216)

A memory leak was discovered in the Linux kernel's Xen netback (network
backend) driver. A user in a guest OS could trigger this flaw to cause a
denial of service on the system. (CVE-2013-0217)

A flaw was discovered in the Linux kernel Xen PCI backend driver. If a PCI
device is assigned to the guest OS, the guest OS could exploit this flaw to
cause a denial of service on the host. (CVE-2013-0231)

A flaw was reported in the permission checks done by the Linux kernel for
/dev/cpu/*/msr. A local root user with all capabilities dropped could
exploit this flaw to execute code with full root capabilities.
(CVE-2013-0268)

Tommi Rantala discovered a flaw in the a flaw the Linux kernels handling of
datagrams packets when the MSG_PEEK flag is specified. An unprivileged
local user could exploit this flaw to cause a denial of service (system
hang). (CVE-2013-0290)

A flaw was discovered in the Linux kernel's vhost driver used to accelerate
guest networking in KVM based virtual machines. A privileged guest user
could exploit this flaw to crash the host system. (CVE-2013-0311)

A flaw was discovered in the Extended Verification Module (EVM) of the
Linux kernel. An unprivileged local user code exploit this flaw to cause a
denial of service (system crash). (CVE-2013-0313)

An information leak was discovered in the Linux kernel's Bluetooth stack
when HIDP (Human Interface Device Protocol) support is enabled. A local
unprivileged user could exploit this flaw to cause an information leak from
the kernel. (CVE-2013-0349)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-26-generic 3.5.0-26.42
linux-image-3.5.0-26-highbank 3.5.0-26.42
linux-image-3.5.0-26-omap 3.5.0-26.42
linux-image-3.5.0-26-powerpc-smp 3.5.0-26.42
linux-image-3.5.0-26-powerpc64-smp 3.5.0-26.42

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1769-1
CVE-2013-0190, CVE-2013-0216, CVE-2013-0217, CVE-2013-0231,
CVE-2013-0268, CVE-2013-0290, CVE-2013-0311, CVE-2013-0313,
CVE-2013-0349

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-26.42

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130318/ddea3b9c/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 8
********************************************************

ubuntu-security-announce Digest, Vol 102, Issue 7

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1762-1] APT vulnerability (Marc Deslauriers)
2. [USN-1763-1] NSS vulnerability (Jamie Strandboge)
3. [USN-1763-2] NSPR update (Jamie Strandboge)
4. [USN-1764-1] OpenStack Glance vulnerability (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Thu, 14 Mar 2013 09:50:56 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1762-1] APT vulnerability
Message-ID: <5141D5C0.9050900@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1762-1
March 14, 2013

apt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

An attacker could trick APT into installing altered packages.

Software Description:
- apt: Advanced front-end for dpkg

Details:

Ansgar Burchardt discovered that APT incorrectly handled repositories that
use InRelease files. The default Ubuntu repositories do not use InRelease
files, so this issue only affected third-party repositories. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
potentially be used to install altered packages.

This update corrects the issue by disabling InRelease file support
completely.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
apt 0.9.7.5ubuntu5.4

Ubuntu 12.04 LTS:
apt 0.8.16~exp12ubuntu10.10

Ubuntu 11.10:
apt 0.8.16~exp5ubuntu13.7

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1762-1
CVE-2013-1051

Package Information:
https://launchpad.net/ubuntu/+source/apt/0.9.7.5ubuntu5.4
https://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.10
https://launchpad.net/ubuntu/+source/apt/0.8.16~exp5ubuntu13.7


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130314/2908e24a/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 14 Mar 2013 14:28:16 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1763-1] NSS vulnerability
Message-ID: <514224D0.9000307@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1763-1
March 14, 2013

nss vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

NSS could be made to expose sensitive information over the network.

Software Description:
- nss: Network Security Service library

Details:

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in NSS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libnss3 3.14.3-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
libnss3 3.14.3-0ubuntu0.12.04.1

Ubuntu 11.10:
libnss3 3.14.3-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
libnss3-1d 3.14.3-0ubuntu0.10.04.1

After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1763-1
CVE-2013-1620

Package Information:
https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.10.04.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130314/6511ece2/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 14 Mar 2013 14:44:39 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1763-2] NSPR update
Message-ID: <514228A7.40203@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1763-2
March 14, 2013

nspr update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

NSPR update to work with the new NSS.

Software Description:
- nspr: NetScape Portable Runtime Library

Details:

USN-1763-1 fixed a vulnerability in NSS. This update provides the NSPR
needed to use the new NSS.

Original advisory details:

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in NSS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libnspr4 4.9.5-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
libnspr4 4.9.5-0ubuntu0.12.04.1

Ubuntu 11.10:
libnspr4 4.9.5-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
libnspr4-0d 4.9.5-0ubuntu0.10.04.1

After a standard system update you need to restart any applications that
use NSPR, such as Evolution and Chromium, to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1763-2
http://www.ubuntu.com/usn/usn-1763-1
https://launchpad.net/bugs/1155295

Package Information:
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.10.04.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130314/f0a28146/attachment-0001.pgp>

------------------------------

Message: 4
Date: Thu, 14 Mar 2013 20:29:05 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1764-1] OpenStack Glance vulnerability
Message-ID: <51427961.6090705@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1764-1
March 14, 2013

glance vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Glance could be made to expose sensitive information over the network.

Software Description:
- glance: OpenStack Image Registry and Delivery Service

Details:

Stuart McLaren discovered an issue with Glance v1 API requests. An
authenticated attacker could exploit this to expose the Glance operator's
Swift and/or S3 credentials via the response headers when requesting a
cached image.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-glance 2012.2.1-0ubuntu1.2

Ubuntu 12.04 LTS:
python-glance 2012.1.3+stable~20120821-120fcf-0ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1764-1
CVE-2013-1840

Package Information:
https://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1.2

https://launchpad.net/ubuntu/+source/glance/2012.1.3+stable~20120821-120fcf-0ubuntu1.5




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130314/6513bf0d/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 102, Issue 7
********************************************************