ubuntu-security-announce Digest, Vol 104, Issue 15

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1844-1] Linux kernel vulnerability (John Johansen)
2. [USN-1845-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
3. [USN-1846-1] Linux kernel vulnerability (John Johansen)
4. [USN-1847-1] Linux kernel vulnerability (John Johansen)
5. [USN-1849-1] Linux kernel (Raring HWE) vulnerability
(John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 May 2013 16:58:29 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1844-1] Linux kernel vulnerability
Message-ID: <51A7E7A5.6010200@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1844-1
May 30, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to crash or run programs as an administrator if
it received specially crafted network traffic.

Software Description:
- linux: Linux kernel

Details:

Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote
unauthenticated attacker could exploit this flaw to cause a denial of
service (system crash) or potentially gain administrative privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-45-generic 3.2.0-45.70
linux-image-3.2.0-45-generic-pae 3.2.0-45.70
linux-image-3.2.0-45-highbank 3.2.0-45.70
linux-image-3.2.0-45-omap 3.2.0-45.70
linux-image-3.2.0-45-powerpc-smp 3.2.0-45.70
linux-image-3.2.0-45-powerpc64-smp 3.2.0-45.70
linux-image-3.2.0-45-virtual 3.2.0-45.70

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1844-1
CVE-2013-2850

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-45.70

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/5770cfb1/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 30 May 2013 16:59:07 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1845-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <51A7E7CB.5070403@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1845-1
May 30, 2013

linux-lts-quantal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to crash or run programs as an administrator if
it received specially crafted network traffic.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote
unauthenticated attacker could exploit this flaw to cause a denial of
service (system crash) or potentially gain administrative privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-32-generic 3.5.0-32.53~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1845-1
CVE-2013-2850

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-32.53~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/296d8f5e/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 30 May 2013 16:59:47 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1846-1] Linux kernel vulnerability
Message-ID: <51A7E7F3.8000703@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1846-1
May 30, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to crash or run programs as an administrator if
it received specially crafted network traffic.

Software Description:
- linux: Linux kernel

Details:

Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote
unauthenticated attacker could exploit this flaw to cause a denial of
service (system crash) or potentially gain administrative privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-32-generic 3.5.0-32.53
linux-image-3.5.0-32-highbank 3.5.0-32.53
linux-image-3.5.0-32-omap 3.5.0-32.53
linux-image-3.5.0-32-powerpc-smp 3.5.0-32.53
linux-image-3.5.0-32-powerpc64-smp 3.5.0-32.53

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1846-1
CVE-2013-2850

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-32.53

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/ae39fd62/attachment-0001.pgp>

------------------------------

Message: 4
Date: Thu, 30 May 2013 17:00:22 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1847-1] Linux kernel vulnerability
Message-ID: <51A7E816.4000201@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1847-1
May 30, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

The system could be made to crash or run programs as an administrator if
it received specially crafted network traffic.

Software Description:
- linux: Linux kernel

Details:

Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote
unauthenticated attacker could exploit this flaw to cause a denial of
service (system crash) or potentially gain administrative privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
linux-image-3.8.0-23-generic 3.8.0-23.34

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1847-1
CVE-2013-2850

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.8.0-23.34

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/d1d38e92/attachment-0001.pgp>

------------------------------

Message: 5
Date: Thu, 30 May 2013 22:04:08 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1849-1] Linux kernel (Raring HWE) vulnerability
Message-ID: <51A82F48.80902@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1849-1
May 31, 2013

linux-lts-raring vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to crash or run programs as an administrator if
it received specially crafted network traffic.

Software Description:
- linux-lts-raring: Linux hardware enablement kernel from Raring

Details:

Kees Cook discovered a flaw in the Linux kernel's iSCSI subsystem. A remote
unauthenticated attacker could exploit this flaw to cause a denial of
service (system crash) or potentially gain administrative privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.8.0-23-generic 3.8.0-23.34~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1849-1
CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-raring/3.8.0-23.34~precise1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/0466cff2/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 15
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 14

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1842-1] KDE-Libs vulnerability (Jamie Strandboge)
2. [USN-1843-1] GnuTLS vulnerability (Marc Deslauriers)
3. [USN-1838-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Wed, 29 May 2013 08:23:04 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1842-1] KDE-Libs vulnerability
Message-ID: <51A60138.1040600@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1842-1
May 29, 2013

kde4libs vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

KDE-Libs could be made to expose web credentials.

Software Description:
- kde4libs: KDE 4 core applications and libraries

Details:

It was discovered that KIO would sometimes display web authentication
credentials under certain error conditions. If a user were tricked into
opening a specially crafted web page, an attacker could potentially exploit
this to expose confidential information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libkio5 4:4.10.2-0ubuntu2.2

Ubuntu 12.10:
libkio5 4:4.9.5-0ubuntu0.2

Ubuntu 12.04 LTS:
libkio5 4:4.8.5-0ubuntu0.2

After a standard system update you need to restart any applications that
use KIO from KDE-Libs, such as Konqueror, to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1842-1
CVE-2013-2074

Package Information:
https://launchpad.net/ubuntu/+source/kde4libs/4:4.10.2-0ubuntu2.2
https://launchpad.net/ubuntu/+source/kde4libs/4:4.9.5-0ubuntu0.2
https://launchpad.net/ubuntu/+source/kde4libs/4:4.8.5-0ubuntu0.2




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130529/4d08bfd6/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 29 May 2013 14:20:38 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1843-1] GnuTLS vulnerability
Message-ID: <51A646F6.6030909@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1843-1
May 29, 2013

gnutls26 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

GnuTLS could be made to crash if it received specially crafted network
traffic.

Software Description:
- gnutls26: GNU TLS library

Details:

It was discovered that GnuTLS incorrectly handled certain padding bytes. A
remote attacker could use this flaw to cause an application using GnuTLS to
crash, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libgnutls26 2.12.23-1ubuntu1.1

Ubuntu 12.10:
libgnutls26 2.12.14-5ubuntu4.3

Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.4

Ubuntu 10.04 LTS:
libgnutls26 2.8.5-2ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1843-1
CVE-2013-2116

Package Information:
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.3
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.4
https://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.4


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130529/a96e137e/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 30 May 2013 02:17:33 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1838-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <51A7192D.2050008@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1838-1
May 30, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.
(CVE-2013-2094)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
linux-image-3.5.0-225-omap4 3.5.0-225.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1838-1
CVE-2013-1929, CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-225.36

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130530/02ae54df/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 14
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 13

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1839-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
2. [USN-1841-1] Tomcat vulnerabilities (Marc Deslauriers)
3. [USN-1831-2] OpenStack Nova regression (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Tue, 28 May 2013 05:21:19 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1839-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <51A4A13F.5040800@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1839-1
May 28, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

A flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.
(CVE-2013-2094)

Andy Lutomirski discover an error in the Linux kernel's credential handling
on unix sockets. A local user could exploit this flaw to gain
administrative privileges. (CVE-2013-1979)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1432-omap4 3.2.0-1432.41

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1839-1
CVE-2013-1929, CVE-2013-1979, CVE-2013-2094, CVE-2013-3301

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1432.41

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130528/33abb403/attachment-0001.pgp>

------------------------------

Message: 2
Date: Tue, 28 May 2013 13:28:29 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1841-1] Tomcat vulnerabilities
Message-ID: <51A4E93D.5040404@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1841-1
May 28, 2013

tomcat6, tomcat7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat7: Servlet and JSP engine
- tomcat6: Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly handled certain requests
submitted using chunked transfer encoding. A remote attacker could use this
flaw to cause the Tomcat server to stop responding, resulting in a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2012-3544)

It was discovered that Tomcat incorrectly handled certain authentication
requests. A remote attacker could possibly use this flaw to inject a
request that would get executed with a victim's credentials. This issue
only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 12.10.
(CVE-2013-2067)

It was discovered that Tomcat sometimes exposed elements of a previous
request to the current request. This could allow a remote attacker to
possibly obtain sensitive information. This issue only affected Ubuntu
12.10 and Ubuntu 13.04. (CVE-2013-2071)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libtomcat7-java 7.0.35-1~exp2ubuntu1.1

Ubuntu 12.10:
libtomcat7-java 7.0.30-0ubuntu1.2

Ubuntu 12.04 LTS:
libtomcat6-java 6.0.35-1ubuntu3.3

Ubuntu 10.04 LTS:
libtomcat6-java 6.0.24-2ubuntu1.13

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1841-1
CVE-2012-3544, CVE-2013-2067, CVE-2013-2071

Package Information:
https://launchpad.net/ubuntu/+source/tomcat7/7.0.35-1~exp2ubuntu1.1
https://launchpad.net/ubuntu/+source/tomcat7/7.0.30-0ubuntu1.2
https://launchpad.net/ubuntu/+source/tomcat6/6.0.35-1ubuntu3.3
https://launchpad.net/ubuntu/+source/tomcat6/6.0.24-2ubuntu1.13


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130528/c929aa6d/attachment-0001.pgp>

------------------------------

Message: 3
Date: Tue, 28 May 2013 22:26:57 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1831-2] OpenStack Nova regression
Message-ID: <51A57581.2000604@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1831-2
May 29, 2013

nova regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

USN-1831-1 introduced a regression in OpenStack Nova.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

USN-1831-1 fixed a vulnerability in OpenStack Nova. The upstream fix
introduced a regression where instances using uncached QCOW2 images would
fail to start. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Loganathan Parthipan discovered that Nova did not verify the size of QCOW2
instance storage. An authenticated attacker could exploit this to cause a
denial of service by creating an image with a large virtual size with
little data, then filling the virtual disk.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
python-nova 2012.2.3-0ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1831-2
http://www.ubuntu.com/usn/usn-1831-1
https://launchpad.net/bugs/1183606

Package Information:
https://launchpad.net/ubuntu/+source/nova/2012.2.3-0ubuntu2.2




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130528/d46e18bb/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 13
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 12

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1833-1] Linux kernel vulnerabilities (John Johansen)
2. [USN-1834-1] Linux kernel (Quantal HWE) vulnerabilities
(John Johansen)
3. [USN-1835-1] Linux kernel vulnerabilities (John Johansen)
4. [USN-1836-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
5. [USN-1837-1] Linux kernel vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Fri, 24 May 2013 02:02:45 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1833-1] Linux kernel vulnerabilities
Message-ID: <519F2CB5.4030106@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1833-1
May 24, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Andy Lutomirski discover an error in the Linux kernel's credential handling
on unix sockets. A local user could exploit this flaw to gain
administrative privileges. (CVE-2013-1979)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-44-generic 3.2.0-44.69
linux-image-3.2.0-44-generic-pae 3.2.0-44.69
linux-image-3.2.0-44-highbank 3.2.0-44.69
linux-image-3.2.0-44-omap 3.2.0-44.69
linux-image-3.2.0-44-powerpc-smp 3.2.0-44.69
linux-image-3.2.0-44-powerpc64-smp 3.2.0-44.69
linux-image-3.2.0-44-virtual 3.2.0-44.69

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1833-1
CVE-2013-1929, CVE-2013-1979, CVE-2013-3301

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-44.69

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130524/99b9b68c/attachment-0001.pgp>

------------------------------

Message: 2
Date: Fri, 24 May 2013 02:51:11 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1834-1] Linux kernel (Quantal HWE) vulnerabilities
Message-ID: <519F380F.7020707@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1834-1
May 24, 2013

linux-lts-quantal vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-31-generic 3.5.0-31.52~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1834-1
CVE-2013-1929, CVE-2013-3301

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-31.52~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130524/4d471c5a/attachment-0001.pgp>

------------------------------

Message: 3
Date: Fri, 24 May 2013 02:51:50 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1835-1] Linux kernel vulnerabilities
Message-ID: <519F3836.4060407@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1835-1
May 24, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-31-generic 3.5.0-31.52
linux-image-3.5.0-31-highbank 3.5.0-31.52
linux-image-3.5.0-31-omap 3.5.0-31.52
linux-image-3.5.0-31-powerpc-smp 3.5.0-31.52
linux-image-3.5.0-31-powerpc64-smp 3.5.0-31.52

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1835-1
CVE-2013-1929, CVE-2013-3301

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-31.52

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130524/df120a0c/attachment-0001.pgp>

------------------------------

Message: 4
Date: Fri, 24 May 2013 02:52:29 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1836-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <519F385D.50703@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1836-1
May 24, 2013

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.
(CVE-2013-2094)

A buffer overflow vulnerability was discovered in the Broadcom tg3 ethernet
driver for the Linux kernel. A local user could exploit this flaw to cause
a denial of service (crash the system) or potentially escalate privileges
on the system. (CVE-2013-1929)

A flaw was discovered in the Linux kernel's ftrace subsystem interface. A
local user could exploit this flaw to cause a denial of service (system
crash). (CVE-2013-3301)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-225-omap4 3.5.0-225.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1836-1
CVE-2013-1929, CVE-2013-2094, CVE-2013-3301

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-225.36

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130524/086bae32/attachment-0001.pgp>

------------------------------

Message: 5
Date: Fri, 24 May 2013 02:55:10 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1837-1] Linux kernel vulnerabilities
Message-ID: <519F38FE.50208@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1837-1
May 24, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

An information leak was discovered in the Linux kernel's crypto API. A
local user could exploit this flaw to examine potentially sensitive
information from the kernel's stack memory. (CVE-2013-3076)

An information leak was discovered in the Linux kernel's rcvmsg path for
ATM (Asynchronous Transfer Mode). A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3222)

An information leak was discovered in the Linux kernel's recvmsg path for
ax25 address family. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3223)

An information leak was discovered in the Linux kernel's recvmsg path for
the bluetooth address family. A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3224)

An information leak was discovered in the Linux kernel's bluetooth rfcomm
protocol support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3225)

An information leak was discovered in the Linux kernel's bluetooth SCO
sockets implementation. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3226)

An information leak was discovered in the Linux kernel's CAIF protocol
implementation. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3227)

An information leak was discovered in the Linux kernel's IRDA (infrared)
support subsystem. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3228)

An information leak was discovered in the Linux kernel's s390 - z/VM
support. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3229)

An information leak was discovered in the Linux kernel's l2tp (Layer Two
Tunneling Protocol) implementation. A local user could exploit this flaw to
examine potentially sensitive information from the kernel's stack memory.
(CVE-2013-3230)

An information leak was discovered in the Linux kernel's llc (Logical Link
Layer 2) support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3231)

An information leak was discovered in the Linux kernel's nfc (near field
communication) support. A local user could exploit this flaw to examine
potentially sensitive information from the kernel's stack memory.
(CVE-2013-3233)

An information leak was discovered in the Linux kernel's Rose X.25 protocol
layer. A local user could exploit this flaw to examine potentially
sensitive information from the kernel's stack memory. (CVE-2013-3234)

An information leak was discovered in the Linux kernel's TIPC (Transparent
Inter Process Communication) protocol implementation. A local user could
exploit this flaw to examine potentially sensitive information from the
kernel's stack memory. (CVE-2013-3235)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
linux-image-3.8.0-22-generic 3.8.0-22.33

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1837-1
CVE-2013-3076, CVE-2013-3222, CVE-2013-3223, CVE-2013-3224,
CVE-2013-3225, CVE-2013-3226, CVE-2013-3227, CVE-2013-3228,
CVE-2013-3229, CVE-2013-3230, CVE-2013-3231, CVE-2013-3233,
CVE-2013-3234, CVE-2013-3235

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.8.0-22.33

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130524/a8a172cf/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 12
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 11

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1832-1] LibTIFF vulnerabilities (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 May 2013 12:58:56 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1832-1] LibTIFF vulnerabilities
Message-ID: <519BA7D0.7050805@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1832-1
May 21, 2013

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

Emmanuel Bouillon discovered that LibTIFF incorrectly handled certain
malformed images when using the tiff2pdf tool. If a user or automated
system were tricked into opening a specially crafted TIFF image, a remote
attacker could crash the application, leading to a denial of service, or
possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libtiff5 4.0.2-4ubuntu2.1

Ubuntu 12.10:
libtiff5 4.0.2-1ubuntu2.2

Ubuntu 12.04 LTS:
libtiff4 3.9.5-2ubuntu1.5

Ubuntu 10.04 LTS:
libtiff4 3.9.2-2ubuntu0.13

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1832-1
CVE-2013-1960, CVE-2013-1961

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.2-4ubuntu2.1
https://launchpad.net/ubuntu/+source/tiff/4.0.2-1ubuntu2.2
https://launchpad.net/ubuntu/+source/tiff/3.9.5-2ubuntu1.5
https://launchpad.net/ubuntu/+source/tiff/3.9.2-2ubuntu0.13


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130521/f8962a21/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 11
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 10

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1829-1] Linux kernel (EC2) vulnerabilities (John Johansen)
2. [USN-1830-1] OpenStack Keystone vulnerability (Jamie Strandboge)
3. [USN-1831-1] OpenStack Nova vulnerability (Jamie Strandboge)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 May 2013 13:08:13 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1829-1] Linux kernel (EC2) vulnerabilities
Message-ID: <51953CAD.1070704@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1829-1
May 16, 2013

linux-ec2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ec2: Linux kernel for EC2

Details:

Mathias Krause discovered an information leak in the Linux kernel's ISO
9660 CDROM file system driver. A local user could exploit this flaw to
examine some of the kernel's heap memory. (CVE-2012-6549)

Mathias Krause discovered a flaw in xfrm_user in the Linux kernel. A local
attacker with NET_ADMIN capability could potentially exploit this flaw to
escalate privileges. (CVE-2013-1826)

A buffer overflow was discovered in the Linux Kernel's USB subsystem for
devices reporting the cdc-wdm class. A specially crafted USB device when
plugged-in could cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2013-1860)

An information leak was discovered in the Linux kernel's /dev/dvb device. A
local user could exploit this flaw to obtain sensitive information from the
kernel's stack memory. (CVE-2013-1928)

An information leak in the Linux kernel's dcb netlink interface was
discovered. A local user could obtain sensitive information by examining
kernel stack memory. (CVE-2013-2634)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-352-ec2 2.6.32-352.65

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1829-1
CVE-2012-6549, CVE-2013-1826, CVE-2013-1860, CVE-2013-1928,
CVE-2013-2634

Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-352.65

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130516/1653b0ba/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 16 May 2013 18:55:19 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1830-1] OpenStack Keystone vulnerability
Message-ID: <519571E7.1070504@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1830-1
May 16, 2013

keystone vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Keystone would allow unintended access over the network.

Software Description:
- keystone: OpenStack identity service

Details:

Sam Stoelinga discovered that Keystone would not immediately invalidate
tokens when deleting users via the v2 API. A deleted user would be able to
continue to use resources until the token lifetime expired.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-keystone 1:2013.1-0ubuntu1.1

Ubuntu 12.10:
python-keystone
2012.2.3+stable-20130206-82c87e56-0ubuntu2.1

Ubuntu 12.04 LTS:
python-keystone
2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1830-1
CVE-2013-2059

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1-0ubuntu1.1

https://launchpad.net/ubuntu/+source/keystone/2012.2.3+stable-20130206-82c87e56-0ubuntu2.1

https://launchpad.net/ubuntu/+source/keystone/2012.1.3+stable-20130423-f48dd0fc-0ubuntu1.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130516/68799590/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 16 May 2013 18:59:53 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1831-1] OpenStack Nova vulnerability
Message-ID: <519572F9.4070107@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"


==========================================================================
Ubuntu Security Notice USN-1831-1
May 16, 2013

nova vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Nova could be made to crash the system if instances used a specially
crafted image.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Loganathan Parthipan discovered that Nova did not verify the size of QCOW2
instance storage. An authenticated attacker could exploit this to cause a
denial of service by creating an image with a large virtual size with
little data, then filling the virtual disk.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-nova 1:2013.1-0ubuntu2.1

Ubuntu 12.10:
python-nova 2012.2.3-0ubuntu2.1

Ubuntu 12.04 LTS:
python-nova
2012.1.3+stable-20130423-e52e6912-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1831-1
CVE-2013-2096

Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2013.1-0ubuntu2.1
https://launchpad.net/ubuntu/+source/nova/2012.2.3-0ubuntu2.1

https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1.1




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130516/d8d4cccf/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 10
*********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 9

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1824-1] Linux kernel vulnerabilities (John Johansen)
2. [USN-1825-1] Linux kernel vulnerability (John Johansen)
3. [USN-1826-1] Linux kernel vulnerability (John Johansen)
4. [USN-1827-1] Linux kernel vulnerability (John Johansen)
5. [USN-1828-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Wed, 15 May 2013 10:22:15 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1824-1] Linux kernel vulnerabilities
Message-ID: <5193C447.2010903@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1824-1
May 15, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Mathias Krause discovered an information leak in the Linux kernel's ISO
9660 CDROM file system driver. A local user could exploit this flaw to
examine some of the kernel's heap memory. (CVE-2012-6549)

Mathias Krause discovered a flaw in xfrm_user in the Linux kernel. A local
attacker with NET_ADMIN capability could potentially exploit this flaw to
escalate privileges. (CVE-2013-1826)

A buffer overflow was discovered in the Linux Kernel's USB subsystem for
devices reporting the cdc-wdm class. A specially crafted USB device when
plugged-in could cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2013-1860)

An information leak was discovered in the Linux kernel's /dev/dvb device. A
local user could exploit this flaw to obtain sensitive information from the
kernel's stack memory. (CVE-2013-1928)

An information leak in the Linux kernel's dcb netlink interface was
discovered. A local user could obtain sensitive information by examining
kernel stack memory. (CVE-2013-2634)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-47-386 2.6.32-47.109
linux-image-2.6.32-47-generic 2.6.32-47.109
linux-image-2.6.32-47-generic-pae 2.6.32-47.109
linux-image-2.6.32-47-ia64 2.6.32-47.109
linux-image-2.6.32-47-lpia 2.6.32-47.109
linux-image-2.6.32-47-powerpc 2.6.32-47.109
linux-image-2.6.32-47-powerpc-smp 2.6.32-47.109
linux-image-2.6.32-47-powerpc64-smp 2.6.32-47.109
linux-image-2.6.32-47-preempt 2.6.32-47.109
linux-image-2.6.32-47-server 2.6.32-47.109
linux-image-2.6.32-47-sparc64 2.6.32-47.109
linux-image-2.6.32-47-sparc64-smp 2.6.32-47.109
linux-image-2.6.32-47-versatile 2.6.32-47.109
linux-image-2.6.32-47-virtual 2.6.32-47.109

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1824-1
CVE-2012-6549, CVE-2013-1826, CVE-2013-1860, CVE-2013-1928,
CVE-2013-2634

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-47.109

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130515/6008ee62/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 15 May 2013 18:47:04 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1825-1] Linux kernel vulnerability
Message-ID: <51943A98.8000105@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1825-1
May 16, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-43-generic 3.2.0-43.68
linux-image-3.2.0-43-generic-pae 3.2.0-43.68
linux-image-3.2.0-43-highbank 3.2.0-43.68
linux-image-3.2.0-43-omap 3.2.0-43.68
linux-image-3.2.0-43-powerpc-smp 3.2.0-43.68
linux-image-3.2.0-43-powerpc64-smp 3.2.0-43.68
linux-image-3.2.0-43-virtual 3.2.0-43.68

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1825-1
CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-43.68

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130515/ea4023e6/attachment-0001.pgp>

------------------------------

Message: 3
Date: Wed, 15 May 2013 18:54:51 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1826-1] Linux kernel vulnerability
Message-ID: <51943C6B.3060100@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1826-1
May 16, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-30-generic 3.5.0-30.51
linux-image-3.5.0-30-highbank 3.5.0-30.51
linux-image-3.5.0-30-omap 3.5.0-30.51
linux-image-3.5.0-30-powerpc-smp 3.5.0-30.51
linux-image-3.5.0-30-powerpc64-smp 3.5.0-30.51

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1826-1
CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-30.51

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130515/7c3738d4/attachment-0001.pgp>

------------------------------

Message: 4
Date: Wed, 15 May 2013 19:10:03 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1827-1] Linux kernel vulnerability
Message-ID: <51943FFB.7040800@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1827-1
May 16, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
linux-image-3.8.0-21-generic 3.8.0-21.32

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1827-1
CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.8.0-21.32

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130515/fdcc3d8c/attachment-0001.pgp>

------------------------------

Message: 5
Date: Wed, 15 May 2013 19:16:29 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1828-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <5194417D.4060705@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1828-1
May 16, 2013

linux-lts-quantal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

An flaw was discovered in the Linux kernel's perf_events interface. A local
user could exploit this flaw to escalate privileges on the system.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-30-generic 3.5.0-30.51~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1828-1
CVE-2013-2094

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-30.51~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130515/86a8d4d1/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 9
********************************************************

ubuntu-security-announce Digest, Vol 104, Issue 8

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-1822-1] Firefox vulnerabilities (Chris Coulson)
2. [USN-1823-1] Thunderbird vulnerabilities (Chris Coulson)


----------------------------------------------------------------------

Message: 1
Date: Tue, 14 May 2013 21:20:13 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1822-1] Firefox vulnerabilities
Message-ID: <51929C7D.9040804@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1822-1
May 14, 2013

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple memory safety issues were discovered in Firefox. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2013-0801, CVE-2013-1669)

Cody Crews discovered that some constructors could be used to bypass
restrictions enforced by their Chrome Object Wrapper (COW). An attacker
could exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2013-1670)

It was discovered that the file input element could expose the full local
path under certain conditions. An attacker could potentially exploit this
to steal sensitive information. (CVE-2013-1671)

A use-after-free was discovered when resizing video content whilst it is
playing. An attacker could potentially exploit this to execute code with
the privileges of the user invoking Firefox. (CVE-2013-1674)

It was discovered that some DOMSVGZoomEvent functions could be used
without being properly initialized, which could lead to information
leakage. (CVE-2013-1675)

Abhishek Arya discovered multiple memory safety issues in Firefox. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user
invoking Firefox. (CVE-2013-1676, CVE-2013-1677, CVE-2013-1678,
CVE-2013-1679, CVE-2013-1680, CVE-2013-1681)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
firefox 21.0+build2-0ubuntu0.13.04.2

Ubuntu 12.10:
firefox 21.0+build2-0ubuntu0.12.10.2

Ubuntu 12.04 LTS:
firefox 21.0+build2-0ubuntu0.12.04.3

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1822-1
CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1671,
CVE-2013-1674, CVE-2013-1675, CVE-2013-1676, CVE-2013-1677,
CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681,
https://launchpad.net/bugs/1178277

Package Information:
https://launchpad.net/ubuntu/+source/firefox/21.0+build2-0ubuntu0.13.04.2
https://launchpad.net/ubuntu/+source/firefox/21.0+build2-0ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/firefox/21.0+build2-0ubuntu0.12.04.3



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130514/a093e68e/attachment-0001.pgp>

------------------------------

Message: 2
Date: Tue, 14 May 2013 22:58:27 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1823-1] Thunderbird vulnerabilities
Message-ID: <5192B383.2060502@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-1823-1
May 14, 2013

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple memory safety issues were discovered in Thunderbird. If the user
were tricked into opening a specially crafted message with scripting
enabled, an attacker could possibly exploit these to cause a denial of
service via application crash, or potentially execute code with the
privileges of the user invoking Thunderbird. (CVE-2013-0801,
CVE-2013-1669)

Cody Crews discovered that some constructors could be used to bypass
restrictions enforced by their Chrome Object Wrapper (COW). If a user had
scripting enabled, an attacker could exploit this to conduct cross-site
scripting (XSS) attacks. (CVE-2013-1670)

A use-after-free was discovered when resizing video content whilst it is
playing. If a user had scripting enabled, an attacker could potentially
exploit this to execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-1674)

It was discovered that some DOMSVGZoomEvent functions could be used
without being properly initialized, which could lead to information
leakage. (CVE-2013-1675)

Abhishek Arya discovered multiple memory safety issues in Thunderbird. If
the user were tricked into opening a specially crafted message, an
attacker could possibly exploit these to cause a denial of service via
application crash, or potentially execute code with the privileges of
the user invoking Thunderbird. (CVE-2013-1676, CVE-2013-1677,
CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
thunderbird 17.0.6+build1-0ubuntu0.13.04.1

Ubuntu 12.10:
thunderbird 17.0.6+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
thunderbird 17.0.6+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1823-1
CVE-2013-0801, CVE-2013-1669, CVE-2013-1670, CVE-2013-1674,
CVE-2013-1675, CVE-2013-1676, CVE-2013-1677, CVE-2013-1678,
CVE-2013-1679, CVE-2013-1680, CVE-2013-1681, https://launchpad.net/bugs/1178649

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/17.0.6+build1-0ubuntu0.13.04.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.6+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.6+build1-0ubuntu0.12.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20130514/7cd19255/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 104, Issue 8
********************************************************