Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2000-1] Nova vulnerabilities (Jamie Strandboge)
2. [USN-2001-1] Swift vulnerability (Jamie Strandboge)
3. [USN-2003-1] Glance vulnerability (Jamie Strandboge)
4. [USN-2004-1] python-glanceclient vulnerability (Jamie Strandboge)
5. [USN-2005-1] Cinder vulnerabilities (Jamie Strandboge)
6. [USN-2002-1] Keystone vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Wed, 23 Oct 2013 15:42:36 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2000-1] Nova vulnerabilities
Message-ID: <526834BC.1040702@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2000-1
October 23, 2013

nova vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Nova could be made to crash if it received specially crafted network
requests.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

It was discovered that Nova did not properly enforce the is_public property
when determining flavor access. An authenticated attacker could exploit
this to obtain sensitive information in private flavors. This issue only
affected Ubuntu 12.10 and 13.10. (CVE-2013-2256, CVE-2013-4278)

Grant Murphy discovered that Nova would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Nova API to
cause a denial of service via resource exhaustion. This issue only
affected Ubuntu 13.10. (CVE-2013-4179)

Vishvananda Ishaya discovered that Nova inefficiently handled network
security group updates when Nova was configured to use nova-network. An
authenticated attacker could exploit this to cause a denial of service.
(CVE-2013-4185)

Jaroslav Henner discovered that Nova did not properly handle certain inputs
to the instance console when Nova was configured to use Apache Qpid. An
authenticated attacker could exploit this to cause a denial of service on
the compute node running the instance. By default, Ubuntu uses RabbitMQ
instead of Qpid. (CVE-2013-4261)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-nova                     1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
  python-nova                     2012.2.4-0ubuntu3.1

Ubuntu 12.04 LTS:
  python-nova                     2012.1.3+stable-20130423-e52e6912-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2000-1
  CVE-2013-2256, CVE-2013-4179, CVE-2013-4185, CVE-2013-4261,
  CVE-2013-4278

Package Information:
  https://launchpad.net/ubuntu/+source/nova/1:2013.1.3-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/nova/2012.2.4-0ubuntu3.1
  https://launchpad.net/ubuntu/+source/nova/2012.1.3+stable-20130423-e52e6912-0ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/20ab42e2/attachment-0001.pgp>
------------------------------
Message: 2
Date: Wed, 23 Oct 2013 15:41:56 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2001-1] Swift vulnerability
Message-ID: <52683494.7090202@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2001-1
October 23, 2013

swift vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Swift could cause the system to crash if it received specially crafted
requests over the network.

Software Description:
- swift: OpenStack distributed virtual object store

Details:

Peter Portante discovered that Swift did not properly handle requests with
old X-Timestamp values. An authenticated attacker could exploit this to
cause a denial of service via disk consumption.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-swift                    1.8.0-0ubuntu1.3

Ubuntu 12.10:
  python-swift                    1.7.4-0ubuntu2.3

Ubuntu 12.04 LTS:
  python-swift                    1.4.8-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2001-1
  CVE-2013-4155

Package Information:
  https://launchpad.net/ubuntu/+source/swift/1.8.0-0ubuntu1.3
  https://launchpad.net/ubuntu/+source/swift/1.7.4-0ubuntu2.3
  https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/3fa173ce/attachment-0001.pgp>
------------------------------
Message: 3
Date: Wed, 23 Oct 2013 15:45:27 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2003-1] Glance vulnerability
Message-ID: <52683567.2080804@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2003-1
October 23, 2013

glance vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Glance could be made to expose sensitive information over the network
under certain circumstances.

Software Description:
- glance: OpenStack Image Registry and Delivery Service

Details:

Stuart McLaren discovered that Glance did not properly enforce the
'download_image' policy for cached images. An authenticated user could
exploit this to obtain sensitive information in an image protected by this
setting.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-glance                   1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
  python-glance                   2012.2.4-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2003-1
  CVE-2013-4428

Package Information:
  https://launchpad.net/ubuntu/+source/glance/1:2013.1.3-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/glance/2012.2.4-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/909d36f6/attachment.pgp>
------------------------------
Message: 4
Date: Wed, 23 Oct 2013 15:45:56 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2004-1] python-glanceclient vulnerability
Message-ID: <52683584.7060609@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2004-1
October 23, 2013

python-glanceclient vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

python-glanceclient could be made to expose sensitive information over the
network.

Software Description:
- python-glanceclient: Client library for Openstack glance server.

Details:

Thomas Leaman discovered that the Python client library for Glance did not
properly verify SSL certificates. A remote attacker could exploit this to
perform a man in the middle attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-glanceclient             1:0.9.0-0ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2004-1
  CVE-2013-4111

Package Information:
  https://launchpad.net/ubuntu/+source/python-glanceclient/1:0.9.0-0ubuntu1.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/1b7760a4/attachment.pgp>
------------------------------
Message: 5
Date: Wed, 23 Oct 2013 15:46:20 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2005-1] Cinder vulnerabilities
Message-ID: <5268359C.5070003@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2005-1
October 23, 2013

cinder vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04

Summary:

Cinder could be made to crash or expose sensitive information.

Software Description:
- cinder: OpenStack storage service

Details:

Rongze Zhu discovered that the Cinder LVM driver did not zero out data
when deleting snapshots. This could expose sensitive information to
authenticated users when subsequent servers use the volume. (CVE-2013-4183)

Grant Murphy discovered that Cinder would allow XML entity processing. A
remote unauthenticated attacker could exploit this using the Cinder API to
cause a denial of service via resource exhaustion. (CVE-2013-4179,
CVE-2013-4202)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-cinder                   1:2013.1.3-0ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2005-1
  CVE-2013-4179, CVE-2013-4183, CVE-2013-4202

Package Information:
  https://launchpad.net/ubuntu/+source/cinder/1:2013.1.3-0ubuntu2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/acff7834/attachment.pgp>
------------------------------
Message: 6
Date: Wed, 23 Oct 2013 15:44:47 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2002-1] Keystone vulnerabilities
Message-ID: <5268353F.3010406@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2002-1
October 23, 2013

keystone vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10

Summary:

Keystone would improperly grant access to invalid tokens under certain
circumstances.

Software Description:
- keystone: OpenStack identity service

Details:

Chmouel Boudjnah discovered that Keystone did not properly invalidate user
tokens when a tenant was disabled which allowed an authenticated user to
retain access via the token. (CVE-2013-4222)

Kieran Spear discovered that Keystone did not properly verify PKI tokens
when performing revocation when using the memcache and KVS backends. An
authenticated attacker could exploit this to bypass intended access
restrictions. (CVE-2013-4294)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  python-keystone                 1:2013.1.3-0ubuntu1.1

Ubuntu 12.10:
  python-keystone                 2012.2.4-0ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2002-1
  CVE-2013-4222, CVE-2013-4294

Package Information:
  https://launchpad.net/ubuntu/+source/keystone/1:2013.1.3-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/keystone/2012.2.4-0ubuntu3.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20131023/bcc5e4a4/attachment.pgp>
------------------------------
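The token-validation failure behind CVE-2013-4222 in the Keystone notice above, illustrated with an example added here by the editor. This is a toy in-memory token store, not Keystone's code: the class and method names (TokenStore, issue, validate, validate_vulnerable, disable_tenant), the user and tenant records and the tokens are all constructed for the demonstration. It goes slightly beyond the notice in also re-checking the user's enabled flag and a revocation set, which is the general rule the fix expresses: a token's validity depends on the live state of the principals it is scoped to, not only on the state at issue time.

```python
"""Token validation that re-checks the tenant at validation time, beside
the vulnerable variant that trusts a token until it expires.
Example code added by the editor; not Keystone's implementation."""
import secrets
import time


class TokenStore:
    def __init__(self, now=time.time, ttl=3600):
        self.now = now          # clock, injectable for testing
        self.ttl = ttl          # token lifetime in seconds
        self.users = {}         # user_id -> {"enabled": bool}
        self.tenants = {}       # tenant_id -> {"enabled": bool}
        self.tokens = {}        # token_id -> {"user_id", "tenant_id", "expires"}
        self.revoked = set()    # explicit revocation list

    def issue(self, user_id, tenant_id):
        """Issue a tenant-scoped token; both principals must be enabled now."""
        if not self.users[user_id]["enabled"] or not self.tenants[tenant_id]["enabled"]:
            raise PermissionError("user or tenant disabled")
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user_id": user_id, "tenant_id": tenant_id,
                                 "expires": self.now() + self.ttl}
        return token_id

    def validate_vulnerable(self, token_id):
        """Vulnerable: checks only existence and expiry. A tenant disabled
        after issue keeps working through this token until it expires."""
        tok = self.tokens.get(token_id)
        return tok is not None and tok["expires"] > self.now()

    def validate(self, token_id):
        """Fixed: also consult the revocation list and the live state of the
        user and tenant, so disabling either takes effect immediately."""
        tok = self.tokens.get(token_id)
        if tok is None or token_id in self.revoked or tok["expires"] <= self.now():
            return False
        if not self.users[tok["user_id"]]["enabled"]:
            return False
        if not self.tenants[tok["tenant_id"]]["enabled"]:
            return False
        return True

    def disable_tenant(self, tenant_id):
        """Disable a tenant and revoke every token scoped to it, so a backend
        that only consults the revocation list refuses them as well."""
        self.tenants[tenant_id]["enabled"] = False
        for token_id, tok in self.tokens.items():
            if tok["tenant_id"] == tenant_id:
                self.revoked.add(token_id)


def demo():
    """Constructed scenario: token issued, then the tenant is disabled.
    Returns (vulnerable verdict, fixed verdict)."""
    store = TokenStore()
    store.users["alice"] = {"enabled": True}
    store.tenants["acme"] = {"enabled": True}
    token = store.issue("alice", "acme")
    store.disable_tenant("acme")
    return store.validate_vulnerable(token), store.validate(token)


if __name__ == "__main__":
    print(demo())  # (True, False)
```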
End of ubuntu-security-announce Digest, Vol 109, Issue 7