News

Wednesday, April 30, 2014

ubuntu-security-announce Digest, Vol 115, Issue 14

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2186-1] Date and Time Indicator vulnerability
(Marc Deslauriers)
2. [USN-2187-1] OpenJDK 7 vulnerabilities (Jamie Strandboge)
3. [USN-2188-1] elfutils vulnerability (Marc Deslauriers)
4. [USN-2184-2] Unity vulnerabilities (Marc Deslauriers)
5. [USN-2189-1] Thunderbird vulnerabilities (Chris Coulson)
6. Ubuntu 12.10 (Quantal Quetzal) reaches End of Life on May 16 2014 (Adam Conrad)


----------------------------------------------------------------------

Message: 1
Date: Wed, 30 Apr 2014 08:46:39 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2186-1] Date and Time Indicator vulnerability
Message-ID: <5360F0AF.6050500@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2186-1
April 30, 2014

indicator-datetime vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10

Summary:

The Date and Time Indicator would allow unintended access.

Software Description:
- indicator-datetime: Simple clock

Details:

It was discovered that the Date and Time Indicator incorrectly allowed
Evolution to be opened at the greeter screen. An attacker could use this
issue to possibly gain unexpected access to applications such as a web
browser with privileges of the greeter user.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
indicator-datetime 13.10.0+13.10.20131023.2-0ubuntu1.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2186-1
CVE-2013-7374

Package Information:

https://launchpad.net/ubuntu/+source/indicator-datetime/13.10.0+13.10.20131023.2-0ubuntu1.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140430/4598e0bd/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 30 Apr 2014 09:53:57 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2187-1] OpenJDK 7 vulnerabilities
Message-ID: <53610E85.2010505@canonical.com>
Content-Type: text/plain; charset="utf-8"


==========================================================================
Ubuntu Security Notice USN-2187-1
April 30, 2014

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10

Summary:

Several security issues were fixed in OpenJDK 7.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458,
CVE-2014-0461, CVE-2014-2397, CVE-2014-2402, CVE-2014-2412, CVE-2014-2414,
CVE-2014-2421, CVE-2014-2423, CVE-2014-2427)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-0459)

Jakub Wilk discovered that the OpenJDK JRE incorrectly handled temporary
files. A local attacker could possibly use this issue to overwrite
arbitrary files. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2014-1876)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-2398, CVE-2014-2413)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure. An attacker could exploit this to expose sensitive data over
the network. (CVE-2014-2403)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1
openjdk-7-jre 7u55-2.4.7-1ubuntu1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1

Ubuntu 13.10:
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1~0.13.10.1

Ubuntu 12.10:
icedtea-7-jre-cacao 7u55-2.4.7-1ubuntu1~0.12.10.1
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1~0.12.10.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2187-1
CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456,
CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460,
CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398,
CVE-2014-2402, CVE-2014-2403, CVE-2014-2412, CVE-2014-2413,
CVE-2014-2414, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,
https://launchpad.net/bugs/1283828

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1~0.13.10.1
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1~0.12.10.1


------------------------------

Message: 3
Date: Wed, 30 Apr 2014 11:02:13 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2188-1] elfutils vulnerability
Message-ID: <53611075.2040609@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2188-1
April 30, 2014

elfutils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10

Summary:

elfutils could be made to crash or run programs if it processed a specially
crafted file.

Software Description:
- elfutils: collection of utilities to handle ELF objects

Details:

Florian Weimer discovered that the elfutils libdw library incorrectly
handled malformed compressed debug sections in ELF files. If a user or
automated system were tricked into processing a specially crafted ELF file,
applications linked against libdw could be made to crash, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libdw1 0.158-0ubuntu5.1

Ubuntu 13.10:
libdw1 0.157-1ubuntu1.1

Ubuntu 12.10:
libdw1 0.153-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2188-1
CVE-2014-0172

Package Information:
https://launchpad.net/ubuntu/+source/elfutils/0.158-0ubuntu5.1
https://launchpad.net/ubuntu/+source/elfutils/0.157-1ubuntu1.1
https://launchpad.net/ubuntu/+source/elfutils/0.153-1ubuntu1.1


------------------------------

Message: 4
Date: Wed, 30 Apr 2014 14:50:12 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2184-2] Unity vulnerabilities
Message-ID: <536145E4.1030202@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2184-2
April 30, 2014

unity vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The Unity lock screen could be bypassed.

Software Description:
- unity: Interface designed for efficiency of space and interaction.

Details:

USN-2184-1 fixed lock screen vulnerabilities in Unity. Further testing has
uncovered more issues which have been fixed in this update. This update
also fixes a regression with the shutdown dialogue.

We apologize for the inconvenience.

Original advisory details:

Frédéric Bardy discovered that Unity incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.
Giovanni Mellini discovered that Unity could display the Dash in certain
conditions when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
unity 7.2.0+14.04.20140423-0ubuntu1.2

After a standard system update you need to restart your session to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2184-2
http://www.ubuntu.com/usn/usn-2184-1
https://launchpad.net/bugs/1314247

Package Information:
https://launchpad.net/ubuntu/+source/unity/7.2.0+14.04.20140423-0ubuntu1.2


------------------------------

Message: 5
Date: Wed, 30 Apr 2014 23:56:05 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2189-1] Thunderbird vulnerabilities
Message-ID: <53617F85.7050302@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-2189-1
April 30, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij,
Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple
memory safety issues in Thunderbird. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1518)

Abhishek Arya discovered an out of bounds read when decoding JPG images.
An attacker could potentially exploit this to cause a denial of service
via application crash. (CVE-2014-1523)

Abhishek Arya discovered a buffer overflow when a script uses a non-XBL
object as an XBL object. If a user had enabled scripting, an attacker
could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1524)

Mariusz Mlynski discovered that sites with notification permissions can
run script in a privileged context in some circumstances. If a user had
enabled scripting, an attacker could exploit this to execute arbitrary
code with the privileges of the user invoking Thunderbird. (CVE-2014-1529)

It was discovered that browser history navigations could be used to load
a site with the addressbar displaying the wrong address. If a user had
enabled scripting, an attacker could potentially exploit this to conduct
cross-site scripting or phishing attacks. (CVE-2014-1530)

A use-after-free was discovered when resizing images in some
circumstances. If a user had enabled scripting, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1531)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during
host resolution in some circumstances. An attacker could potentially
exploit this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1532)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
thunderbird 1:24.5.0+build1-0ubuntu0.14.04.1

Ubuntu 13.10:
thunderbird 1:24.5.0+build1-0ubuntu0.13.10.1

Ubuntu 12.10:
thunderbird 1:24.5.0+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
thunderbird 1:24.5.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2189-1
CVE-2014-1518, CVE-2014-1523, CVE-2014-1524, CVE-2014-1529,
CVE-2014-1530, CVE-2014-1531, CVE-2014-1532, https://launchpad.net/bugs/1313886

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.04.1


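As an added example (not part of the digest and not Ubuntu's own tooling), the following Python script checks a host's installed package versions against the Ubuntu 14.04 LTS fixed versions quoted from USN-2187-1, USN-2188-1 and USN-2189-1 above, using dpkg's version-ordering rules so that a backport suffix such as ~0.13.10.1 correctly sorts below the plain 1ubuntu1 build. The installed-version sample is constructed, not taken from a real host.

```python
"""Compare installed dpkg versions against the fixed versions a USN lists.
Added example; fixed versions are quoted from the digest, the sample host is constructed."""
import re
from itertools import zip_longest

# Ubuntu 14.04 LTS fixed versions from USN-2187-1, USN-2188-1 and USN-2189-1.
FIXED_14_04 = {
    "openjdk-7-jre": "7u55-2.4.7-1ubuntu1",
    "libdw1": "0.158-0ubuntu5.1",
    "thunderbird": "1:24.5.0+build1-0ubuntu0.14.04.1",
}

def _order(c):
    """dpkg order for non-digit chars: '~' < end of string < letters < others."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare upstream/revision strings as dpkg does: alternate non-digit and digit runs."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for ca, cb in zip_longest(pa, pb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[len(pa):], b[len(pb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def debian_version_cmp(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 under Debian version-ordering rules."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def still_vulnerable(installed, fixed=FIXED_14_04):
    """Installed packages whose version sorts below the USN's fixed version."""
    return {p: (v, fixed[p]) for p, v in installed.items()
            if p in fixed and debian_version_cmp(v, fixed[p]) < 0}

SAMPLE_INSTALLED = {  # constructed 14.04 host, as `dpkg-query -W -f '${Package} ${Version}\n'` would report
    "openjdk-7-jre": "7u55-2.4.7-1ubuntu1",
    "libdw1": "0.158-0ubuntu5",
    "thunderbird": "1:24.4.0+build1-0ubuntu0.14.04.1",
}
```

On a real host, feed the output of dpkg-query into a dict in place of SAMPLE_INSTALLED; the result names only the packages still below the advisory's version.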
------------------------------

Message: 6
Date: Wed, 30 Apr 2014 17:51:45 -0600
From: Adam Conrad <adconrad@ubuntu.com>
To: ubuntu-announce@lists.ubuntu.com
Cc: ubuntu-security-announce@lists.ubuntu.com
Subject: Ubuntu 12.10 (Quantal Quetzal) reaches End of Life on May 16 2014
Message-ID: <20140430235145.GU28005@0c3.net>
Content-Type: text/plain; charset=us-ascii

Ubuntu announced its 12.10 (Quantal Quetzal) release more than 18 months
ago, on October 18, 2012. Since changes to the Ubuntu support cycle
mean that Ubuntu 13.04 has reached end of life before Ubuntu 12.10, the
support cycle for Ubuntu 12.10 has been extended slightly to overlap
with the release of Ubuntu 14.04 LTS. This allows users to move
directly from Ubuntu 12.10 to Ubuntu 14.04 LTS (via Ubuntu 13.10).

This period of overlap is now coming to a close, and we will be retiring
Ubuntu 12.10 on Friday, May 16, 2014. At that time, Ubuntu Security
Notices will no longer include information or updated packages for
Ubuntu 12.10.

The supported upgrade path from Ubuntu 12.10 is via Ubuntu 13.10, though
we highly recommend that once you've upgraded to 13.10, you continue to
upgrade through to 14.04, as 13.10's support will end in July.

Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/SaucyUpgrades
https://help.ubuntu.com/community/TrustyUpgrades

Ubuntu 13.10 and 14.04 continue to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customize or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 115, Issue 14
*********************************************************
