Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2166-1] Net-SNMP vulnerabilities (Marc Deslauriers)
2. [USN-2167-1] curl vulnerabilities (Marc Deslauriers)
----------------------------------------------------------------------
Message: 1
Date: Mon, 14 Apr 2014 09:17:22 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2166-1] Net-SNMP vulnerabilities
Message-ID: <534BDFE2.3080203@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2166-1
April 14, 2014
net-snmp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Net-SNMP could be made to crash if it received specially crafted network
traffic.
Software Description:
- net-snmp: SNMP (Simple Network Management Protocol) server and applications
Details:
Ken Farnen discovered that Net-SNMP incorrectly handled AgentX timeouts. A
remote attacker could use this issue to cause the server to crash or to
hang, resulting in a denial of service. (CVE-2012-6151)
It was discovered that the Net-SNMP ICMP-MIB incorrectly validated input. A
remote attacker could use this issue to cause the server to crash,
resulting in a denial of service. This issue only affected Ubuntu 13.10.
(CVE-2014-2284)
Viliam P??ik discovered that the Net-SNMP perl trap handler incorrectly
handled NULL arguments. A remote attacker could use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2014-2285)
It was discovered that Net-SNMP incorrectly handled AgentX multi-object
requests. A remote attacker could use this issue to cause the server to
hang, resulting in a denial of service. This issue only affected Ubuntu
10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2014-2310)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
libsnmp30 5.7.2~dfsg-8ubuntu1.1
Ubuntu 12.10:
libsnmp15 5.4.3~dfsg-2.5ubuntu1.1
Ubuntu 12.04 LTS:
libsnmp15 5.4.3~dfsg-2.4ubuntu1.2
Ubuntu 10.04 LTS:
libsnmp15 5.4.2.1~dfsg0ubuntu1-0ubuntu2.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2166-1
CVE-2012-6151, CVE-2014-2284, CVE-2014-2285, CVE-2014-2310
Package Information:
https://launchpad.net/ubuntu/+source/net-snmp/5.7.2~dfsg-8ubuntu1.1
https://launchpad.net/ubuntu/+source/net-snmp/5.4.3~dfsg-2.5ubuntu1.1
https://launchpad.net/ubuntu/+source/net-snmp/5.4.3~dfsg-2.4ubuntu1.2
https://launchpad.net/ubuntu/+source/net-snmp/5.4.2.1~dfsg0ubuntu1-0ubuntu2.3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140414/759edc56/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 14 Apr 2014 14:29:46 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2167-1] curl vulnerabilities
Message-ID: <534C291A.6060304@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2167-1
April 14, 2014
curl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Steve Holme discovered that libcurl incorrectly reused wrong connections
when using protocols other than HTTP and FTP. This could lead to the use of
unintended credentials, possibly exposing sensitive information.
(CVE-2014-0138)
Richard Moore discovered that libcurl incorrectly validated wildcard SSL
certificates that contain literal IP addresses. An attacker could possibly
exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. (CVE-2014-0139)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
libcurl3 7.32.0-1ubuntu1.4
libcurl3-gnutls 7.32.0-1ubuntu1.4
libcurl3-nss 7.32.0-1ubuntu1.4
Ubuntu 12.10:
libcurl3 7.27.0-1ubuntu1.9
libcurl3-gnutls 7.27.0-1ubuntu1.9
libcurl3-nss 7.27.0-1ubuntu1.9
Ubuntu 12.04 LTS:
libcurl3 7.22.0-3ubuntu4.8
libcurl3-gnutls 7.22.0-3ubuntu4.8
libcurl3-nss 7.22.0-3ubuntu4.8
Ubuntu 10.04 LTS:
libcurl3 7.19.7-1ubuntu1.7
libcurl3-gnutls 7.19.7-1ubuntu1.7
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2167-1
CVE-2014-0138, CVE-2014-0139
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.32.0-1ubuntu1.4
https://launchpad.net/ubuntu/+source/curl/7.27.0-1ubuntu1.9
https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.8
https://launchpad.net/ubuntu/+source/curl/7.19.7-1ubuntu1.7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140414/d001fbf0/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 115, Issue 5
********************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2014
(407)
-
▼
April
(15)
- ubuntu-security-announce Digest, Vol 115, Issue 14
- ubuntu-security-announce Digest, Vol 115, Issue 13
- ubuntu-security-announce Digest, Vol 115, Issue 12
- ubuntu-security-announce Digest, Vol 115, Issue 11
- ubuntu-security-announce Digest, Vol 115, Issue 10
- ubuntu-security-announce Digest, Vol 115, Issue 9
- ubuntu-security-announce Digest, Vol 115, Issue 8
- ubuntu-security-announce Digest, Vol 115, Issue 7
- ubuntu-security-announce Digest, Vol 115, Issue 6
- ubuntu-security-announce Digest, Vol 115, Issue 5
- Massive Open Source Internet Security Flaw Affects...
- ubuntu-security-announce Digest, Vol 115, Issue 4
- ubuntu-security-announce Digest, Vol 115, Issue 3
- ubuntu-security-announce Digest, Vol 115, Issue 2
- ubuntu-security-announce Digest, Vol 115, Issue 1
-
▼
April
(15)
No comments:
Post a Comment