Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2088-1] NSS vulnerability (Marc Deslauriers)
2. [USN-2087-1] NSPR vulnerability (Marc Deslauriers)
3. [USN-2089-1] openjdk-7 vulnerabilities (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Thu, 23 Jan 2014 11:22:27 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2088-1] NSS vulnerability
Message-ID: <52E141C3.80406@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2088-1
January 23, 2014
nss vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
NSS could be made to expose sensitive information over the network.
Software Description:
- nss: Network Security Service library
Details:
Brian Smith discovered that NSS incorrectly handled the TLS False Start
feature. If a remote attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to spoof SSL servers.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
libnss3 2:3.15.4-0ubuntu0.13.10.1
Ubuntu 12.10:
libnss3 3.15.4-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
libnss3 3.15.4-0ubuntu0.12.04.1
Ubuntu 10.04 LTS:
libnss3-1d 3.15.4-0ubuntu0.10.04.1
After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2088-1
CVE-2013-1740
Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.15.4-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/nss/3.15.4-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/nss/3.15.4-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/nss/3.15.4-0ubuntu0.10.04.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140123/815dcfea/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 23 Jan 2014 11:21:55 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2087-1] NSPR vulnerability
Message-ID: <52E141A3.6060308@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2087-1
January 23, 2014
nspr vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
NSPR could be made to crash or run programs if it received a specially
crafted certificate.
Software Description:
- nspr: NetScape Portable Runtime Library
Details:
It was discovered that NSPR incorrectly handled certain malformed X.509
certificates. A remote attacker could use a crafted X.509 certificate to
cause NSPR to crash, leading to a denial of service, or possibly execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
libnspr4 2:4.9.5-1ubuntu1.1
Ubuntu 12.10:
libnspr4 4.9.5-0ubuntu0.12.10.2
Ubuntu 12.04 LTS:
libnspr4 4.9.5-0ubuntu0.12.04.2
Ubuntu 10.04 LTS:
libnspr4-0d 4.9.5-0ubuntu0.10.04.2
After a standard system update you need to restart your session to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2087-1
CVE-2013-5607
Package Information:
https://launchpad.net/ubuntu/+source/nspr/2:4.9.5-1ubuntu1.1
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/nspr/4.9.5-0ubuntu0.10.04.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140123/4fc2e642/attachment-0001.pgp>
------------------------------
Message: 3
Date: Thu, 23 Jan 2014 14:55:48 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2089-1] openjdk-7 vulnerabilities
Message-ID: <52E181D4.5080400@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2089-1
January 23, 2014
openjdk-7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
Summary:
Several security issues were fixed in OpenJDK 7.
Software Description:
- openjdk-7: Open Source Java implementation
Details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2013-3829, CVE-2013-5783,
CVE-2013-5804, CVE-2014-0411)
Several vulnerabilities were discovered in the OpenJDK JRE related to
availability. An attacker could exploit these to cause a denial of service.
(CVE-2013-4002, CVE-2013-5803, CVE-2013-5823, CVE-2013-5825, CVE-2013-5896,
CVE-2013-5910)
Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2013-5772, CVE-2013-5774, CVE-2013-5784, CVE-2013-5797,
CVE-2013-5820, CVE-2014-0376, CVE-2014-0416)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2013-5778, CVE-2013-5780, CVE-2013-5790,
CVE-2013-5800, CVE-2013-5840, CVE-2013-5849, CVE-2013-5851, CVE-2013-5884,
CVE-2014-0368)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5829,
CVE-2013-5814, CVE-2013-5817, CVE-2013-5830, CVE-2013-5842, CVE-2013-5850,
CVE-2013-5878, CVE-2013-5893, CVE-2013-5907, CVE-2014-0373, CVE-2014-0408,
CVE-2014-0422, CVE-2014-0428)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and availability. An attacker could exploit this to expose
sensitive data over the network or cause a denial of service.
(CVE-2014-0423)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
icedtea-7-jre-jamvm 7u51-2.4.4-0ubuntu0.13.10.1
openjdk-7-jre 7u51-2.4.4-0ubuntu0.13.10.1
openjdk-7-jre-headless 7u51-2.4.4-0ubuntu0.13.10.1
openjdk-7-jre-lib 7u51-2.4.4-0ubuntu0.13.10.1
openjdk-7-jre-zero 7u51-2.4.4-0ubuntu0.13.10.1
Ubuntu 13.04:
icedtea-7-jre-jamvm 7u51-2.4.4-0ubuntu0.13.04.2
openjdk-7-jre 7u51-2.4.4-0ubuntu0.13.04.2
openjdk-7-jre-headless 7u51-2.4.4-0ubuntu0.13.04.2
openjdk-7-jre-lib 7u51-2.4.4-0ubuntu0.13.04.2
openjdk-7-jre-zero 7u51-2.4.4-0ubuntu0.13.04.2
Ubuntu 12.10:
icedtea-7-jre-cacao 7u51-2.4.4-0ubuntu0.12.10.2
icedtea-7-jre-jamvm 7u51-2.4.4-0ubuntu0.12.10.2
openjdk-7-jre 7u51-2.4.4-0ubuntu0.12.10.2
openjdk-7-jre-headless 7u51-2.4.4-0ubuntu0.12.10.2
openjdk-7-jre-lib 7u51-2.4.4-0ubuntu0.12.10.2
openjdk-7-jre-zero 7u51-2.4.4-0ubuntu0.12.10.2
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2089-1
CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774,
CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783,
CVE-2013-5784, CVE-2013-5790, CVE-2013-5797, CVE-2013-5800,
CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5805,
CVE-2013-5806, CVE-2013-5809, CVE-2013-5814, CVE-2013-5817,
CVE-2013-5820, CVE-2013-5823, CVE-2013-5825, CVE-2013-5829,
CVE-2013-5830, CVE-2013-5840, CVE-2013-5842, CVE-2013-5849,
CVE-2013-5850, CVE-2013-5851, CVE-2013-5878, CVE-2013-5884,
CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910,
CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0408,
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u51-2.4.4-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/openjdk-7/7u51-2.4.4-0ubuntu0.13.04.2
https://launchpad.net/ubuntu/+source/openjdk-7/7u51-2.4.4-0ubuntu0.12.10.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140123/ca81186a/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 112, Issue 11
*********************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2014
(407)
-
▼
January
(13)
- ubuntu-security-announce Digest, Vol 112, Issue 13
- ubuntu-security-announce Digest, Vol 112, Issue 12
- ubuntu-security-announce Digest, Vol 112, Issue 11
- ubuntu-security-announce Digest, Vol 112, Issue 10
- ubuntu-security-announce Digest, Vol 112, Issue 9
- ubuntu-security-announce Digest, Vol 112, Issue 8
- ubuntu-security-announce Digest, Vol 112, Issue 7
- ubuntu-security-announce Digest, Vol 112, Issue 6
- ubuntu-security-announce Digest, Vol 112, Issue 5
- ubuntu-security-announce Digest, Vol 112, Issue 4
- ubuntu-security-announce Digest, Vol 112, Issue 3
- ubuntu-security-announce Digest, Vol 112, Issue 2
- ubuntu-security-announce Digest, Vol 112, Issue 1
-
▼
January
(13)
No comments:
Post a Comment