ubuntu-security-announce Digest, Vol 114, Issue 14

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2153-1] initramfs-tools vulnerability (Marc Deslauriers)
2. [USN-2152-1] Apache HTTP Server vulnerabilities (Marc Deslauriers)
3. [USN-2154-1] ca-certificates update (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Mon, 24 Mar 2014 15:33:09 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2153-1] initramfs-tools vulnerability
Message-ID: <53308875.5010902@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2153-1
March 24, 2014

initramfs-tools vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

initramfs-tools used incorrect mount options.

Software Description:
- initramfs-tools: tools for generating an initramfs

Details:

Kees Cook discovered that initramfs-tools incorrectly mounted /run without
the noexec option, contrary to expected behaviour.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
initramfs-tools 0.103ubuntu0.2.2

Ubuntu 12.04 LTS:
initramfs-tools 0.99ubuntu13.5

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2153-1
https://launchpad.net/bugs/1152744

Package Information:
https://launchpad.net/ubuntu/+source/initramfs-tools/0.103ubuntu0.2.2
https://launchpad.net/ubuntu/+source/initramfs-tools/0.99ubuntu13.5


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140324/4acf115d/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 24 Mar 2014 15:32:42 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2152-1] Apache HTTP Server vulnerabilities
Message-ID: <5330885A.60500@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2152-1
March 24, 2014

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Apache HTTP server could be made to crash if it received specially crafted
network traffic.

Software Description:
- apache2: Apache HTTP server

Details:

Ning Zhang & Amin Tora discovered that the mod_dav module incorrectly
handled whitespace characters in CDATA sections. A remote attacker could
use this issue to cause the server to stop responding, resulting in a
denial of service. (CVE-2013-6438)

Rainer M Canavan discovered that the mod_log_config module incorrectly
handled certain cookies. A remote attacker could use this issue to cause
the server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10.
(CVE-2014-0098)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
apache2.2-bin 2.4.6-2ubuntu2.2

Ubuntu 12.10:
apache2.2-bin 2.2.22-6ubuntu2.4

Ubuntu 12.04 LTS:
apache2.2-bin 2.2.22-1ubuntu1.5

Ubuntu 10.04 LTS:
apache2.2-bin 2.2.14-5ubuntu8.13

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2152-1
CVE-2013-6438, CVE-2014-0098

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.6-2ubuntu2.2
https://launchpad.net/ubuntu/+source/apache2/2.2.22-6ubuntu2.4
https://launchpad.net/ubuntu/+source/apache2/2.2.22-1ubuntu1.5
https://launchpad.net/ubuntu/+source/apache2/2.2.14-5ubuntu8.13


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140324/39c29b6d/attachment-0001.pgp>

------------------------------

Message: 3
Date: Mon, 24 Mar 2014 15:33:37 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2154-1] ca-certificates update
Message-ID: <53308891.2030500@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2154-1
March 24, 2014

ca-certificates update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

ca-certificates was updated to the 20130906 package.

Software Description:
- ca-certificates: Common CA certificates

Details:

The ca-certificates package contained outdated CA certificates. This update
refreshes the included certificates to those contained in the 20130906
package.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
ca-certificates 20130906ubuntu0.13.10.1

Ubuntu 12.10:
ca-certificates 20130906ubuntu0.12.10.1

Ubuntu 12.04 LTS:
ca-certificates 20130906ubuntu0.12.04.1

Ubuntu 10.04 LTS:
ca-certificates 20130906ubuntu0.10.04.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2154-1
https://launchpad.net/bugs/1257265

Package Information:
https://launchpad.net/ubuntu/+source/ca-certificates/20130906ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/ca-certificates/20130906ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/ca-certificates/20130906ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/ca-certificates/20130906ubuntu0.10.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140324/ad312286/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 114, Issue 14
*********************************************************