Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-1732-3] OpenSSL vulnerability (Marc Deslauriers)
2. [USN-1779-1] GNOME Online Accounts vulnerability
(Marc Deslauriers)
3. [USN-1780-1] Ruby vulnerability (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Mon, 25 Mar 2013 09:45:17 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1732-3] OpenSSL vulnerability
Message-ID: <515054ED.7020103@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1732-3
March 25, 2013
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This
update restores the security fix, and includes an extra fix from upstream
to address the AES-NI regression. We apologize for the inconvenience.
Original advisory details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.3
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.8
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-3
http://www.ubuntu.com/usn/usn-1732-1
CVE-2013-0169
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.8
------------------------------
Message: 2
Date: Mon, 25 Mar 2013 10:17:14 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1779-1] GNOME Online Accounts vulnerability
Message-ID: <51505C6A.5070303@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1779-1
March 25, 2013
gnome-online-accounts vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
GNOME Online Accounts could be made to expose sensitive information over
the network.
Software Description:
- gnome-online-accounts: GNOME Online Accounts
Details:
It was discovered that GNOME Online Accounts did not properly check SSL
certificates when configuring online accounts. If a remote attacker were
able to perform a man-in-the-middle attack, this flaw could be exploited to
alter or compromise credentials and confidential information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
gnome-online-accounts 3.6.0-0ubuntu1.1
libgoa-1.0-0 3.6.0-0ubuntu1.1
Ubuntu 12.04 LTS:
gnome-online-accounts 3.4.0-0ubuntu1.1
libgoa-1.0-0 3.4.0-0ubuntu1.1
Ubuntu 11.10:
gnome-online-accounts 3.2.1-0ubuntu1.1
libgoa-1.0-0 3.2.1-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1779-1
CVE-2013-0240, CVE-2013-1799
Package Information:
https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.6.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.4.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/gnome-online-accounts/3.2.1-0ubuntu1.1
------------------------------
Message: 3
Date: Mon, 25 Mar 2013 13:50:46 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1780-1] Ruby vulnerability
Message-ID: <51508E76.8000106@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"
==========================================================================
Ubuntu Security Notice USN-1780-1
March 25, 2013
ruby1.8, ruby1.9.1 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Ruby could be made to hang if it received specially crafted input.
Software Description:
- ruby1.8: Object-oriented scripting language
- ruby1.9.1: Object-oriented scripting language
Details:
Ben Murphy discovered that the Ruby REXML library incorrectly handled XML
entity expansion. An attacker could use this flaw to cause Ruby to consume
large amounts of memory, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libruby1.8 1.8.7.358-4ubuntu0.2
libruby1.9.1 1.9.3.194-1ubuntu1.4
ruby1.8 1.8.7.358-4ubuntu0.2
ruby1.9.1 1.9.3.194-1ubuntu1.4
Ubuntu 12.04 LTS:
libruby1.8 1.8.7.352-2ubuntu1.2
libruby1.9.1 1.9.3.0-1ubuntu2.6
ruby1.8 1.8.7.352-2ubuntu1.2
ruby1.9.1 1.9.3.0-1ubuntu2.6
Ubuntu 11.10:
libruby1.8 1.8.7.352-2ubuntu0.3
ruby1.8 1.8.7.352-2ubuntu0.3
Ubuntu 10.04 LTS:
libruby1.8 1.8.7.249-2ubuntu0.3
ruby1.8 1.8.7.249-2ubuntu0.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1780-1
CVE-2013-1821
Package Information:
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.358-4ubuntu0.2
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.194-1ubuntu1.4
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu1.2
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.0-1ubuntu2.6
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.352-2ubuntu0.3
https://launchpad.net/ubuntu/+source/ruby1.8/1.8.7.249-2ubuntu0.3
------------------------------
End of ubuntu-security-announce Digest, Vol 102, Issue 13
*********************************************************