WINDOWS CENTER: October 2013

Wednesday, October 30, 2013

ubuntu-security-announce Digest, Vol 109, Issue 9

Friday, October 25, 2013

ubuntu-security-announce Digest, Vol 109, Issue 8

Wednesday, October 23, 2013

ubuntu-security-announce Digest, Vol 109, Issue 7

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."

Today's Topics:

1. [USN-2000-1] Nova vulnerabilities (Jamie Strandboge)
2. [USN-2001-1] Swift vulnerability (Jamie Strandboge)
3. [USN-2003-1] Glance vulnerability (Jamie Strandboge)
4. [USN-2004-1] python-glanceclient vulnerability (Jamie Strandboge)
5. [USN-2005-1] Cinder vulnerabilities (Jamie Strandboge)
6. [USN-2002-1] Keystone vulnerabilities (Jamie Strandboge)

----------------------------------------------------------------------

Message: 1
Date: Wed, 23 Oct 2013 15:42:36 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2000-1] Nova vulnerabilities
Message-ID: <526834BC.1040702@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2000-1
October 23, 2013

nova vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Nova could be made to crash if it received specially crafted network
requests.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

It was discovered that Nova did not properly enforce the is_public property
when determining flavor access. An authenticated attacker could exploit
this to obtain sensitive information in private flavors. This issue only
affected Ubuntu 12.10 and 13.10. (CVE-2013-2256, CVE-2013-4278)

Grant Murphy discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. This issue only
affected Ubuntu 13.10. (CVE-2013-4179)

Vishvananda Ishaya discovered that Nova inefficiently handled network
security group updates when Nova was configured to use nova-network. An
authenticated attacker could exploit this to cause a denial of service.
(CVE-2013-4185)

Jaroslav Henner discovered that Nova did not properly handle certain inputs
to the instance console when Nova was configured to use Apache Qpid. An
authenticated attacker could exploit this to cause a denial of service on
the compute node running the instance. By default, Ubuntu uses RabbitMQ
instead of Qpid. (CVE-2013-4261)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-nova 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
python-nova 2012.2.4-0ubuntu3.1

Ubuntu 12.04 LTS:
python-nova 2012.1.3+stable-20130423-e52e6912-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2000-1
CVE-2013-2256, CVE-2013-4179, CVE-2013-4185, CVE-2013-4261,
CVE-2013-4278

Package Information:
https://launchpad.net/ubuntu/+source/nova/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nova/2012.2.4-0ubuntu3.1

https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/20ab42e2/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 23 Oct 2013 15:41:56 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2001-1] Swift vulnerability
Message-ID: <52683494.7090202@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2001-1
October 23, 2013

swift vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Swift could cause the system to crash if it received specially crafted
requests over the network.

Software Description:
- swift: OpenStack distributed virtual object store

Details:

Peter Portante discovered that Swift did not properly handle requests with
old X-Timestamp values. An authenticated attacker could exploit this to
cause a denial of service via disk consumption.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-swift 1.8.0-0ubuntu1.3

Ubuntu 12.10:
python-swift 1.7.4-0ubuntu2.3

Ubuntu 12.04 LTS:
python-swift 1.4.8-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2001-1
CVE-2013-4155

Package Information:
https://launchpad.net/ubuntu/+source/swift/1.8.0-0ubuntu1.3
https://launchpad.net/ubuntu/+source/swift/1.7.4-0ubuntu2.3
https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/3fa173ce/attachment-0001.pgp>

------------------------------

Message: 3
Date: Wed, 23 Oct 2013 15:45:27 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2003-1] Glance vulnerability
Message-ID: <52683567.2080804@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2003-1
October 23, 2013

glance vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Glance could be made to expose sensitive information over the network
under certain circumstances.

Software Description:
- glance: OpenStack Image Registry and Delivery Service

Details:

Stuart McLaren discovered that Glance did not properly enforce the
'download_image' policy for cached images. An authenticated user could
exploit this to obtain sensitive information in an image protected by this
setting.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-glance 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
python-glance 2012.2.4-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2003-1
CVE-2013-4428

Package Information:
https://launchpad.net/ubuntu/+source/glance/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/glance/2012.2.4-0ubuntu1.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/909d36f6/attachment.pgp>

------------------------------

Message: 4
Date: Wed, 23 Oct 2013 15:45:56 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2004-1] python-glanceclient vulnerability
Message-ID: <52683584.7060609@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2004-1
October 23, 2013

python-glanceclient vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

python-glanceclient could be made to expose sensitive information over the
network.

Software Description:
- python-glanceclient: Client library for Openstack glance server.

Details:

Thomas Leaman discovered that the Python client library for Glance did not
properly verify SSL certificates. A remote attacker could exploit this to
perform a man in the middle attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-glanceclient 1:0.9.0-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2004-1
CVE-2013-4111

Package Information:
https://launchpad.net/ubuntu/+source/python-glanceclient/1:0.9.0-0ubuntu1.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/1b7760a4/attachment.pgp>

------------------------------

Message: 5
Date: Wed, 23 Oct 2013 15:46:20 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2005-1] Cinder vulnerabilities
Message-ID: <5268359C.5070003@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2005-1
October 23, 2013

cinder vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

Cinder could be made to crash or expose sensitive information.

Software Description:
- cinder: OpenStack storage service

Details:

Rongze Zhu discovered that the Cinder LVM driver did not zero out data
when deleting snapshots. This could expose sensitive information to
authenticated users when subsequent servers use the volume. (CVE-2013-4183)

Grant Murphy discovered that Cinder would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Cinder API to
cause a denial of service via resource exhaustion. (CVE-2013-4179,
CVE-2013-4202)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-cinder 1:2013.1.3-0ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2005-1
CVE-2013-4179, CVE-2013-4183, CVE-2013-4202

Package Information:
https://launchpad.net/ubuntu/+source/cinder/1:2013.1.3-0ubuntu2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/acff7834/attachment.pgp>

------------------------------

Message: 6
Date: Wed, 23 Oct 2013 15:44:47 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2002-1] Keystone vulnerabilities
Message-ID: <5268353F.3010406@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2002-1
October 23, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Keystone would improperly grant access to invalid tokens under certain
circumstances.

Software Description:
- keystone: OpenStack identity service

Details:

Chmouel Boudjnah discovered that Keystone did not properly invalidate user
tokens when a tenant was disabled which allowed an authenticated user to
retain access via the token. (CVE-2013-4222)

Kieran Spear discovered that Keystone did not properly verify PKI tokens
when performing revocation when using the memcache and KVS backends. An
authenticated attacker could exploit this to bypass intended access
restrictions. (CVE-2013-4294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
python-keystone 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
python-keystone 2012.2.4-0ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2002-1
CVE-2013-4222, CVE-2013-4294

Package Information:
https://launchpad.net/ubuntu/+source/keystone/1:2013.1.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/bcc5e4a4/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

End of ubuntu-security-announce Digest, Vol 109, Issue 7
********************************************************

Tuesday, October 22, 2013

ubuntu-security-announce Digest, Vol 109, Issue 6

Monday, October 21, 2013

ubuntu-security-announce Digest, Vol 109, Issue 5

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."

Today's Topics:

1. [USN-1991-1] GNU C Library vulnerabilities (Marc Deslauriers)
2. [USN-1992-1] Linux kernel vulnerability (John Johansen)
3. [USN-1993-1] Linux kernel (OMAP4) vulnerability (John Johansen)
4. [USN-1995-1] Linux kernel (Raring HWE) vulnerabilities
(John Johansen)
5. [USN-1994-1] Linux kernel (Quantal HWE) vulnerability
(John Johansen)
6. [USN-1996-1] Linux kernel vulnerability (John Johansen)

----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Oct 2013 12:57:05 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1991-1] GNU C Library vulnerabilities
Message-ID: <52655CE1.6040202@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1991-1
October 21, 2013

eglibc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the GNU C Library.

Software Description:
- eglibc: GNU C Library

Details:

It was discovered that the GNU C Library incorrectly handled the strcoll()
function. An attacker could use this issue to cause a denial of service, or
possibly execute arbitrary code. (CVE-2012-4412, CVE-2012-4424)

It was discovered that the GNU C Library incorrectly handled multibyte
characters in the regular expression matcher. An attacker could use this
issue to cause a denial of service. (CVE-2013-0242)

It was discovered that the GNU C Library incorrectly handled large numbers
of domain conversion results in the getaddrinfo() function. An attacker
could use this issue to cause a denial of service. (CVE-2013-1914)

It was discovered that the GNU C Library readdir_r() function incorrectly
handled crafted NTFS or CIFS images. An attacker could use this issue to
cause a denial of service, or possibly execute arbitrary code.
(CVE-2013-4237)

It was discovered that the GNU C Library incorrectly handled memory
allocation. An attacker could use this issue to cause a denial of service.
(CVE-2013-4332)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
libc6 2.17-0ubuntu5.1

Ubuntu 12.10:
libc6 2.15-0ubuntu20.2

Ubuntu 12.04 LTS:
libc6 2.15-0ubuntu10.5

Ubuntu 10.04 LTS:
libc6 2.11.1-0ubuntu7.13

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1991-1
CVE-2012-4412, CVE-2012-4424, CVE-2013-0242, CVE-2013-1914,
CVE-2013-4237, CVE-2013-4332

Package Information:
https://launchpad.net/ubuntu/+source/eglibc/2.17-0ubuntu5.1
https://launchpad.net/ubuntu/+source/eglibc/2.15-0ubuntu20.2
https://launchpad.net/ubuntu/+source/eglibc/2.15-0ubuntu10.5
https://launchpad.net/ubuntu/+source/eglibc/2.11.1-0ubuntu7.13

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/cd3b97de/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 21 Oct 2013 21:27:46 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1992-1] Linux kernel vulnerability
Message-ID: <5265FEC2.9060600@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1992-1
October 22, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to expose sensitive information to a local user.

Software Description:
- linux: Linux kernel

Details:

An information leak was discovered in the Linux kernel when reading
broadcast messages from the notify_policy interface of the IPSec
key_socket. A local user could exploit this flaw to examine potentially
sensitive information in kernel memory.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-55-generic 3.2.0-55.85
linux-image-3.2.0-55-generic-pae 3.2.0-55.85
linux-image-3.2.0-55-highbank 3.2.0-55.85
linux-image-3.2.0-55-omap 3.2.0-55.85
linux-image-3.2.0-55-powerpc-smp 3.2.0-55.85
linux-image-3.2.0-55-powerpc64-smp 3.2.0-55.85
linux-image-3.2.0-55-virtual 3.2.0-55.85

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1992-1
CVE-2013-2237

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-55.85

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/ce455c59/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 21 Oct 2013 21:28:23 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1993-1] Linux kernel (OMAP4) vulnerability
Message-ID: <5265FEE7.7000506@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1993-1
October 22, 2013

linux-ti-omap4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to expose sensitive information to a local user.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

An information leak was discovered in the Linux kernel when reading
broadcast messages from the notify_policy interface of the IPSec
key_socket. A local user could exploit this flaw to examine potentially
sensitive information in kernel memory.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1439-omap4 3.2.0-1439.58

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1993-1
CVE-2013-2237

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1439.58

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/e5c686bd/attachment-0001.pgp>

------------------------------

Message: 4
Date: Mon, 21 Oct 2013 21:30:03 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1995-1] Linux kernel (Raring HWE) vulnerabilities
Message-ID: <5265FF4B.8000506@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1995-1
October 22, 2013

linux-lts-raring vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-raring: Linux hardware enablement kernel from Raring

Details:

An information leak was discovered in the Linux kernel when reading
broadcast messages from the notify_policy interface of the IPSec
key_socket. A local user could exploit this flaw to examine potentially
sensitive information in kernel memory. (CVE-2013-2237)

Kees Cook discovered flaw in the Human Interface Device (HID) subsystem of
the Linux kernel. A physically proximate attacker could exploit this flaw
to execute arbitrary code or cause a denial of service (heap memory
corruption) via a specially crafted device that provides an invalid Report
ID. (CVE-2013-2888)

Kees Cook discovered a flaw in the Human Interface Device (HID) subsystem
of the Linux kernel when CONFIG_HID_PANTHERLORD is enabled. A physically
proximate attacker could cause a denial of service (heap out-of-bounds
write) via a specially crafted device. (CVE-2013-2892)

Kees Cook discovered a vulnerability in the Linux Kernel's Human Interface
Device (HID) subsystem's support for N-Trig touch screens. A physically
proximate attacker could exploit this flaw to cause a denial of service
(OOPS) via a specially crafted device. (CVE-2013-2896)

Kees Cook discovered an information leak in the Linux kernel's Human
Interface Device (HID) subsystem when CONFIG_HID_SENSOR_HUB is enabled. A
physically proximate attacker could obtain potentially sensitive
information from kernel memory via a specially crafted device.
(CVE-2013-2898)

Kees Cook discovered a flaw in the Human Interface Device (HID) subsystem
of the Linux kernel whe CONFIG_HID_PICOLCD is enabled. A physically
proximate attacker could exploit this flaw to cause a denial of service
(OOPS) via a specially crafted device. (CVE-2013-2899)

A flaw was discovered in how the Linux Kernel's networking stack checks scm
credentials when used with namespaces. A local attacker could exploit this
flaw to gain privileges. (CVE-2013-4300)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.8.0-32-generic 3.8.0-32.47~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1995-1
CVE-2013-2237, CVE-2013-2888, CVE-2013-2892, CVE-2013-2896,
CVE-2013-2898, CVE-2013-2899, CVE-2013-4300

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-raring/3.8.0-32.47~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/5ad0bdf6/attachment-0001.pgp>

------------------------------

Message: 5
Date: Mon, 21 Oct 2013 21:31:26 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1994-1] Linux kernel (Quantal HWE) vulnerability
Message-ID: <5265FF9E.7000704@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1994-1
October 22, 2013

linux-lts-quantal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to expose sensitive information to a local user.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

Dan Carpenter discovered an information leak in the HP Smart Array and
Compaq SMART2 disk-array driver in the Linux kernel. A local user could
exploit this flaw to obtain sensitive information from kernel memory.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-42-generic 3.5.0-42.65~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1994-1
CVE-2013-2147

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-42.65~precise1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/a5b83755/attachment-0001.pgp>

------------------------------

Message: 6
Date: Mon, 21 Oct 2013 21:32:01 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-1996-1] Linux kernel vulnerability
Message-ID: <5265FFC1.6080805@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-1996-1
October 22, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to expose sensitive information to a local user.

Software Description:
- linux: Linux kernel

Details:

Dan Carpenter discovered an information leak in the HP Smart Array and
Compaq SMART2 disk-array driver in the Linux kernel. A local user could
exploit this flaw to obtain sensitive information from kernel memory.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-42-generic 3.5.0-42.65
linux-image-3.5.0-42-highbank 3.5.0-42.65
linux-image-3.5.0-42-omap 3.5.0-42.65
linux-image-3.5.0-42-powerpc-smp 3.5.0-42.65
linux-image-3.5.0-42-powerpc64-smp 3.5.0-42.65

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1996-1
CVE-2013-2147

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-42.65

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131021/83b6a4f1/attachment.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

End of ubuntu-security-announce Digest, Vol 109, Issue 5
********************************************************

News

Wednesday, October 30, 2013

ubuntu-security-announce Digest, Vol 109, Issue 9

Friday, October 25, 2013

ubuntu-security-announce Digest, Vol 109, Issue 8

Wednesday, October 23, 2013

ubuntu-security-announce Digest, Vol 109, Issue 7

Tuesday, October 22, 2013

ubuntu-security-announce Digest, Vol 109, Issue 6

Monday, October 21, 2013

ubuntu-security-announce Digest, Vol 109, Issue 5

Friday, October 18, 2013

ubuntu-security-announce Digest, Vol 109, Issue 4

Wednesday, October 16, 2013

ubuntu-security-announce Digest, Vol 109, Issue 3

Thursday, October 10, 2013

ubuntu-security-announce Digest, Vol 109, Issue 2

Wednesday, October 02, 2013

ubuntu-security-announce Digest, Vol 109, Issue 1

WINDOWS CENTER

Blog Archive