Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2130-1] Tomcat vulnerabilities (Marc Deslauriers)
2. [USN-2131-1] IcedTea Web vulnerability (Marc Deslauriers)
3. [USN-2132-1] ImageMagick vulnerabilities (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Thu, 06 Mar 2014 08:58:55 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2130-1] Tomcat vulnerabilities
Message-ID: <53187F1F.6090105@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2130-1
March 06, 2014

tomcat6, tomcat7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat7: Servlet and JSP engine
- tomcat6: Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly handled certain inconsistent
HTTP headers. A remote attacker could possibly use this flaw to conduct
request smuggling attacks. (CVE-2013-4286)

It was discovered that Tomcat incorrectly handled certain requests
submitted using chunked transfer encoding. A remote attacker could use this
flaw to cause the Tomcat server to stop responding, resulting in a denial
of service. (CVE-2013-4322)

It was discovered that Tomcat incorrectly applied the disableURLRewriting
setting when handling a session id in a URL. A remote attacker could
possibly use this flaw to conduct session fixation attacks. This issue
only applied to Ubuntu 12.04 LTS. (CVE-2014-0033)

It was discovered that Tomcat incorrectly handled malformed Content-Type
headers and multipart requests. A remote attacker could use this flaw to
cause the Tomcat server to stop responding, resulting in a denial of
service. This issue only applied to Ubuntu 12.10 and Ubuntu 13.10.
(CVE-2014-0050)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  libtomcat7-java                 7.0.42-1ubuntu0.1

Ubuntu 12.10:
  libtomcat7-java                 7.0.30-0ubuntu1.3

Ubuntu 12.04 LTS:
  libtomcat6-java                 6.0.35-1ubuntu3.4

Ubuntu 10.04 LTS:
  libtomcat6-java                 6.0.24-2ubuntu1.15

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2130-1
  CVE-2013-4286, CVE-2013-4322, CVE-2014-0033, CVE-2014-0050

Package Information:
  https://launchpad.net/ubuntu/+source/tomcat7/7.0.42-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/tomcat7/7.0.30-0ubuntu1.3
  https://launchpad.net/ubuntu/+source/tomcat6/6.0.35-1ubuntu3.4
  https://launchpad.net/ubuntu/+source/tomcat6/6.0.24-2ubuntu1.15
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140306/3676c78c/attachment-0001.pgp>
------------------------------
Message: 2
Date: Thu, 06 Mar 2014 09:01:07 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2131-1] IcedTea Web vulnerability
Message-ID: <53187FA3.5020408@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2131-1
March 06, 2014

icedtea-web vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

IcedTea Web could be made to expose or alter sensitive information.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets

Details:

Michael Scherer discovered that IcedTea Web created temporary directories
in an unsafe fashion. A local attacker could possibly use this issue to
obtain or modify sensitive information from other local user sessions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  icedtea-6-plugin                1.4-3ubuntu2.1
  icedtea-7-plugin                1.4-3ubuntu2.1

Ubuntu 12.10:
  icedtea-6-plugin                1.3.2-1ubuntu0.12.10.3
  icedtea-7-plugin                1.3.2-1ubuntu0.12.10.3

Ubuntu 12.04 LTS:
  icedtea-6-plugin                1.2.3-0ubuntu0.12.04.4
  icedtea-7-plugin                1.2.3-0ubuntu0.12.04.4

After a standard system update you need to restart your browser to make all
the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2131-1
  CVE-2013-6493

Package Information:
  https://launchpad.net/ubuntu/+source/icedtea-web/1.4-3ubuntu2.1
  https://launchpad.net/ubuntu/+source/icedtea-web/1.3.2-1ubuntu0.12.10.3
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2.3-0ubuntu0.12.04.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140306/3921c57e/attachment-0001.pgp>
------------------------------
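USN-2131-1 above says only that IcedTea Web created temporary directories "in an unsafe fashion" (CVE-2013-6493) and that other local users could read or alter what was put there. The following Python is an added illustration, not IcedTea Web's code and not part of the digest: it shows the generic hardening for that bug class, an unpredictable name created atomically with mode 0700, plus a pre-use check that refuses a directory another local user could have pre-created, made world-writable, or replaced with a symlink. The function names and the `app-` prefix are assumptions for the example; which specific unsafe pattern IcedTea Web used is not stated on the page and is not claimed here.

```python
"""Private temporary directory: creation plus a pre-use check.
Added example. The advisory says only that IcedTea Web created temporary
directories "in an unsafe fashion"; this shows the generic hardening for
that bug class and makes no claim about IcedTea Web's actual code."""
import os
import stat
import tempfile


def create_private_tempdir(prefix="app-"):
    """mkdtemp chooses an unpredictable name and creates the directory with
    mode 0700 atomically, so no other local user can pre-create it, read it
    or plant files in it."""
    return tempfile.mkdtemp(prefix=prefix)


def tempdir_is_private(path):
    """True only if path is a real directory (not a symlink), owned by the
    calling user, and not writable by group or others. Run this before
    reusing a directory at a name another local user could predict."""
    try:
        st = os.lstat(path)            # lstat: a planted symlink fails S_ISDIR
    except OSError:
        return False
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and not stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Create a private directory, check it, then loosen its permissions the
    way an unsafe creator might and check again. Returns the three results."""
    path = create_private_tempdir()
    try:
        fresh = tempdir_is_private(path)
        os.chmod(path, 0o777)                # world-writable: other users could
        loosened = tempdir_is_private(path)  # now replace or read files in it
        missing = tempdir_is_private(os.path.join(path, "does-not-exist"))
    finally:
        os.rmdir(path)
    return fresh, loosened, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check uses `os.lstat` rather than `os.stat` on purpose: a symlink planted at a predictable path would otherwise be followed and the target's permissions reported instead of the link's.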
Message: 3
Date: Thu, 06 Mar 2014 14:48:10 -0500
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2132-1] ImageMagick vulnerabilities
Message-ID: <5318D0FA.7060704@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2132-1
March 06, 2014

imagemagick vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

ImageMagick could be made to crash or run programs if it opened a specially
crafted image file.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that
ImageMagick incorrectly handled certain restart markers in JPEG images. If
a user or automated system using ImageMagick were tricked into opening a
specially crafted JPEG image, an attacker could exploit this to cause
memory consumption, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2012-0260)

It was discovered that ImageMagick incorrectly handled decoding certain PSD
images. If a user or automated system using ImageMagick were tricked into
opening a specially crafted PSD image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program. (CVE-2014-1958, CVE-2014-2030)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  libmagick++5                    8:6.7.7.10-5ubuntu3.1
  libmagickcore5                  8:6.7.7.10-5ubuntu3.1

Ubuntu 12.10:
  libmagick++5                    8:6.7.7.10-2ubuntu4.2
  libmagickcore5                  8:6.7.7.10-2ubuntu4.2

Ubuntu 12.04 LTS:
  libmagick++4                    8:6.6.9.7-5ubuntu3.3
  libmagickcore4                  8:6.6.9.7-5ubuntu3.3

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2132-1
  CVE-2012-0260, CVE-2014-1958, CVE-2014-2030

Package Information:
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-5ubuntu3.1
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-2ubuntu4.2
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140306/b85d4475/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 114, Issue 4
********************************************************
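All three notices in this digest end with the same instruction: the problem is corrected once the listed packages reach the listed versions. Confirming that on a fleet means comparing what `dpkg-query` reports against the "Update instructions" block with Debian's version ordering, where `8:6.7.7.10-5ubuntu3` is older than `8:6.7.7.10-5ubuntu3.1` and `1.0~rc1` is older than `1.0`. The Python below is an added example, not Canonical's tooling: it parses a USN block as printed above, re-implements dpkg's version comparison so it runs offline, and lists packages still below the fixed version. The USN text embedded is an excerpt of USN-2132-1 from this digest; the `dpkg-query` output is constructed for the example, and all function names are assumptions.

```python
"""Audit installed package versions against a USN "Update instructions" block.
Added example, not Canonical's tooling. compare_versions() re-implements dpkg's
version algorithm (epoch, upstream, revision; '~' sorts before the end of a
string) so the check runs offline; `dpkg --compare-versions` is the reference."""

# Excerpt of the "Update instructions" section of USN-2132-1 above.
USN_2132_1 = """\
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
libmagick++5 8:6.7.7.10-5ubuntu3.1
libmagickcore5 8:6.7.7.10-5ubuntu3.1
Ubuntu 12.04 LTS:
libmagick++4 8:6.6.9.7-5ubuntu3.3
libmagickcore4 8:6.6.9.7-5ubuntu3.3
In general, a standard system update will make all the necessary changes.
References:
"""
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
# for an Ubuntu 13.10 host on which only libmagick++5 has been updated.
SAMPLE_DPKG_QUERY = """\
libmagick++5 8:6.7.7.10-5ubuntu3.1
libmagickcore5 8:6.7.7.10-5ubuntu3
"""

def _order(c):
    """Weight of one character as in dpkg's order(): digits 0, '~' lowest."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():  # the longer digit run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # 'epoch:upstream-revision' -> (int epoch, upstream, revision)
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def parse_fixed_versions(usn_text):
    """Map each release named in the USN to {package: fixed_version}."""
    fixed, release, in_block = {}, None, False
    for line in (l.strip() for l in usn_text.splitlines()):
        words = line.split()
        if line == "Update instructions:":
            in_block = True
        elif not in_block:
            continue
        elif line == "References:":
            break
        elif line.startswith("Ubuntu ") and line.endswith(":"):
            release = line[:-1]
            fixed[release] = {}
        elif release is not None and len(words) == 2 and words[1][0].isdigit():
            fixed[release][words[0]] = words[1]
    return fixed

def parse_dpkg_query(output):
    # 'package version' lines as printed by dpkg-query -W
    return dict(l.split() for l in output.splitlines() if len(l.split()) == 2)

def audit(fixed_for_release, installed):
    """(package, installed, fixed) for each installed package still older
    than the fixed version; packages that are not installed are not at risk."""
    return [(p, installed[p], v) for p, v in sorted(fixed_for_release.items())
            if p in installed and compare_versions(installed[p], v) < 0]

if __name__ == "__main__":
    fixed = parse_fixed_versions(USN_2132_1)["Ubuntu 13.10"]
    for pkg, have, need in audit(fixed, parse_dpkg_query(SAMPLE_DPKG_QUERY)):
        print(f"{pkg}: installed {have}, fixed in {need} -> still vulnerable")
```

On a real host, replace `SAMPLE_DPKG_QUERY` with the output of `dpkg-query -W -f='${Package} ${Version}\n'` and pick the release that matches `/etc/os-release`. Only installed packages are reported; a library that is not present cannot be vulnerable, so a missing package is not an error. Where dpkg is available, `dpkg --compare-versions` gives the authoritative ordering and can replace `compare_versions`.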