Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2192-1] OpenSSL vulnerabilities (Marc Deslauriers)
2. [USN-2193-1] OpenStack Glance vulnerability (Jamie Strandboge)
3. [USN-2194-1] OpenStack Neutron vulnerability (Jamie Strandboge)
4. [USN-2196-1] Linux kernel vulnerability (John Johansen)
5. [USN-2197-1] Linux kernel (EC2) vulnerability (John Johansen)
6. [USN-2198-1] Linux kernel vulnerability (John Johansen)
----------------------------------------------------------------------
Message: 1
Date: Mon, 05 May 2014 11:01:53 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2192-1] OpenSSL vulnerabilities
Message-ID: <5367A7E1.70501@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2192-1
May 05, 2014
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
OpenSSL could be made to crash if it received specially crafted network
traffic.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
It was discovered that OpenSSL incorrectly handled memory in the
ssl3_read_bytes() function. A remote attacker could use this issue to
possibly cause OpenSSL to crash, resulting in a denial of service.
(CVE-2010-5298)
It was discovered that OpenSSL incorrectly handled memory in the
do_ssl3_write() function. A remote attacker could use this issue to
possibly cause OpenSSL to crash, resulting in a denial of service.
(CVE-2014-0198)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.1
Ubuntu 13.10:
libssl1.0.0 1.0.1e-3ubuntu1.3
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.8
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.13
After a standard system update you need to reboot your computer to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2192-1
CVE-2010-5298, CVE-2014-0198
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.1
https://launchpad.net/ubuntu/+source/openssl/1.0.1e-3ubuntu1.3
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.8
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/57552d22/attachment-0001.pgp>
------------------------------
Message: 2
Date: Mon, 05 May 2014 15:27:47 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2193-1] OpenStack Glance vulnerability
Message-ID: <5367F443.4080703@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2193-1
May 05, 2014
glance vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
Summary:
OpenStack Glance could be made to run programs as the glance user if it
processed a specially crafted request.
Software Description:
- glance: OpenStack Image Registry and Delivery Service
Details:
Paul McMillan discovered that the Sheepdog backend in OpenStack Glance did
not properly handle untrusted input. A remote authenticated attacker
exploit this to execute arbitrary commands as the glance user.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
python-glance 1:2013.2.3-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2193-1
CVE-2014-0162
Package Information:
https://launchpad.net/ubuntu/+source/glance/1:2013.2.3-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/cc2c6e4d/attachment-0001.pgp>
------------------------------
Message: 3
Date: Mon, 05 May 2014 16:36:50 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2194-1] OpenStack Neutron vulnerability
Message-ID: <53680472.7010603@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2194-1
May 05, 2014
neutron vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
Summary:
OpenStack Neutron would allow unintended access to other tenant networks.
Software Description:
- neutron: Openstack Virtual Network Service
Details:
Aaron Rosen discovered that OpenStack Neutron did not properly perform
authorization checks when creating ports when using plugins relying on the
l3-agent. A remote authenticated attacker could exploit this to access the
network of other tenants.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
python-neutron 1:2013.2.3-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2194-1
CVE-2014-0056
Package Information:
https://launchpad.net/ubuntu/+source/neutron/1:2013.2.3-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/af1ccf2a/attachment-0001.pgp>
------------------------------
Message: 4
Date: Mon, 05 May 2014 19:47:50 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2196-1] Linux kernel vulnerability
Message-ID: <53684D56.6080204@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2196-1
May 06, 2014
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An
unprivileged user could exploit this flaw to cause a denial of service
(system crash) or potentially gain administrator privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-58-386 2.6.32-58.121
linux-image-2.6.32-58-generic 2.6.32-58.121
linux-image-2.6.32-58-generic-pae 2.6.32-58.121
linux-image-2.6.32-58-ia64 2.6.32-58.121
linux-image-2.6.32-58-lpia 2.6.32-58.121
linux-image-2.6.32-58-powerpc 2.6.32-58.121
linux-image-2.6.32-58-powerpc-smp 2.6.32-58.121
linux-image-2.6.32-58-powerpc64-smp 2.6.32-58.121
linux-image-2.6.32-58-preempt 2.6.32-58.121
linux-image-2.6.32-58-server 2.6.32-58.121
linux-image-2.6.32-58-sparc64 2.6.32-58.121
linux-image-2.6.32-58-sparc64-smp 2.6.32-58.121
linux-image-2.6.32-58-versatile 2.6.32-58.121
linux-image-2.6.32-58-virtual 2.6.32-58.121
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2196-1
CVE-2014-0196
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-58.121
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/208a153c/attachment-0001.pgp>
------------------------------
Message: 5
Date: Mon, 05 May 2014 19:48:34 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2197-1] Linux kernel (EC2) vulnerability
Message-ID: <53684D82.6010905@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2197-1
May 06, 2014
linux-ec2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-ec2: Linux kernel for EC2
Details:
A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An
unprivileged user could exploit this flaw to cause a denial of service
(system crash) or potentially gain administrator privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.32-363-ec2 2.6.32-363.77
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2197-1
CVE-2014-0196
Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-363.77
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/c944702f/attachment-0001.pgp>
------------------------------
Message: 6
Date: Mon, 05 May 2014 19:49:28 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2198-1] Linux kernel vulnerability
Message-ID: <53684DB8.9090407@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2198-1
May 06, 2014
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
A flaw was discovered in the Linux kernel's pseudo tty (pty) device. An
unprivileged user could exploit this flaw to cause a denial of service
(system crash) or potentially gain administrator privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-61-generic 3.2.0-61.93
linux-image-3.2.0-61-generic-pae 3.2.0-61.93
linux-image-3.2.0-61-highbank 3.2.0-61.93
linux-image-3.2.0-61-omap 3.2.0-61.93
linux-image-3.2.0-61-powerpc-smp 3.2.0-61.93
linux-image-3.2.0-61-powerpc64-smp 3.2.0-61.93
linux-image-3.2.0-61-virtual 3.2.0-61.93
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2198-1
CVE-2014-0196
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-61.93
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140505/116d3835/attachment.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 116, Issue 2
********************************************************
News
Subscribe to:
Post Comments (Atom)
Blog Archive
-
▼
2014
(407)
-
▼
May
(13)
- ubuntu-security-announce Digest, Vol 116, Issue 13
- ubuntu-security-announce Digest, Vol 116, Issue 12
- ubuntu-security-announce Digest, Vol 116, Issue 11
- ubuntu-security-announce Digest, Vol 116, Issue 10
- ubuntu-security-announce Digest, Vol 116, Issue 9
- ubuntu-security-announce Digest, Vol 116, Issue 8
- ubuntu-security-announce Digest, Vol 116, Issue 7
- ubuntu-security-announce Digest, Vol 116, Issue 6
- ubuntu-security-announce Digest, Vol 116, Issue 5
- ubuntu-security-announce Digest, Vol 116, Issue 4
- ubuntu-security-announce Digest, Vol 116, Issue 3
- ubuntu-security-announce Digest, Vol 116, Issue 2
- ubuntu-security-announce Digest, Vol 116, Issue 1
-
▼
May
(13)
No comments:
Post a Comment