Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com
You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."
Today's Topics:
1. [USN-2205-1] LibTIFF vulnerabilities (Marc Deslauriers)
2. [USN-2206-1] OpenStack Horizon vulnerability (Jamie Strandboge)
3. [USN-2207-1] OpenStack Swift vulnerability (Jamie Strandboge)
4. [USN-2208-1] OpenStack Cinder vulnerability (Jamie Strandboge)
5. [USN-2208-2] OpenStack Quantum vulnerability (Jamie Strandboge)
----------------------------------------------------------------------
Message: 1
Date: Tue, 06 May 2014 10:07:10 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2205-1] LibTIFF vulnerabilities
Message-ID: <5368EC8E.6060802@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2205-1
May 06, 2014
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
Pedro Ribeiro discovered that LibTIFF incorrectly handled certain
malformed images when using the gif2tiff tool. If a user or automated
system were tricked into opening a specially crafted GIF image, a remote
attacker could crash the application, leading to a denial of service, or
possibly execute arbitrary code with user privileges. This issue only
affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10.
(CVE-2013-4231)
Pedro Ribeiro discovered that LibTIFF incorrectly handled certain
malformed images when using the tiff2pdf tool. If a user or automated
system were tricked into opening a specially crafted TIFF image, a remote
attacker could crash the application, leading to a denial of service, or
possibly execute arbitrary code with user privileges. This issue only
affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10.
(CVE-2013-4232)
Murray McAllister discovered that LibTIFF incorrectly handled certain
malformed images when using the gif2tiff tool. If a user or automated
system were tricked into opening a specially crafted GIF image, a remote
attacker could crash the application, leading to a denial of service, or
possibly execute arbitrary code with user privileges. (CVE-2013-4243)
Huzaifa Sidhpurwala discovered that LibTIFF incorrectly handled certain
malformed images when using the gif2tiff tool. If a user or automated
system were tricked into opening a specially crafted GIF image, a remote
attacker could crash the application, leading to a denial of service, or
possibly execute arbitrary code with user privileges. This issue only
affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10 and Ubuntu 13.10.
(CVE-2013-4244)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libtiff5 4.0.3-7ubuntu0.1
Ubuntu 13.10:
libtiff5 4.0.2-4ubuntu3.1
Ubuntu 12.10:
libtiff5 4.0.2-1ubuntu2.3
Ubuntu 12.04 LTS:
libtiff4 3.9.5-2ubuntu1.6
Ubuntu 10.04 LTS:
libtiff4 3.9.2-2ubuntu0.14
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2205-1
CVE-2013-4231, CVE-2013-4232, CVE-2013-4243, CVE-2013-4244
Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.1
https://launchpad.net/ubuntu/+source/tiff/4.0.2-4ubuntu3.1
https://launchpad.net/ubuntu/+source/tiff/4.0.2-1ubuntu2.3
https://launchpad.net/ubuntu/+source/tiff/3.9.5-2ubuntu1.6
https://launchpad.net/ubuntu/+source/tiff/3.9.2-2ubuntu0.14
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140506/c3e7cade/attachment-0001.pgp>
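The four LibTIFF issues above all come down to tools trusting lengths and offsets found inside an untrusted image. The following is an added illustration, not code from LibTIFF or from the advisory: a bounds-checked walk of a TIFF header and IFD chain in Python that refuses a file the moment an offset, entry count or value pointer would reach outside the buffer, plus a set of constructed malformed inputs (truncated header, IFD offset past end of file, oversized entry count, value offset past end of file, looping IFD chain) to exercise each check. The helper and function names are mine; the sample files are constructed for the demonstration and carry no pixel data.

```python
import struct

# Byte size of each TIFF 6.0 field type (1 = BYTE ... 12 = DOUBLE).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class TiffError(ValueError):
    """Raised for any structural problem found while walking the file."""


def parse_tiff(data: bytes) -> list[dict]:
    """Walk the IFD chain, checking every offset and length against len(data) before use."""
    if len(data) < 8:
        raise TiffError("header truncated")
    if data[:2] == b"II":
        e = "<"                                   # little-endian file
    elif data[:2] == b"MM":
        e = ">"                                   # big-endian file
    else:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic number")

    entries, seen = [], set()
    while ifd_off != 0:
        if ifd_off in seen:                       # a malicious next-IFD pointer can form a cycle
            raise TiffError("IFD chain loops")
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            raise TiffError("IFD offset out of range")
        (n,) = struct.unpack_from(e + "H", data, ifd_off)
        end = ifd_off + 2 + 12 * n + 4            # n 12-byte entries plus the next-IFD pointer
        if end > len(data):
            raise TiffError("IFD truncated")
        for i in range(n):
            tag, typ, count, raw = struct.unpack_from(e + "HHI4s", data, ifd_off + 2 + 12 * i)
            size = TYPE_SIZES.get(typ)
            if size is None:
                raise TiffError(f"unknown field type {typ}")
            total = count * size                  # Python ints: no overflow in the multiplication
            if total <= 4:
                value = raw[:total]               # short values live inline in the entry
            else:
                (off,) = struct.unpack(e + "I", raw)
                if off + total > len(data):
                    raise TiffError("value offset out of range")
                value = data[off:off + total]
            entries.append({"tag": tag, "type": typ, "count": count, "value": value, "endian": e})
        (ifd_off,) = struct.unpack_from(e + "I", data, end - 4)
    return entries


def check_tiff(data: bytes) -> str:
    """Return "ok" or the reason the file was rejected; never raises."""
    try:
        parse_tiff(data)
        return "ok"
    except TiffError as exc:
        return str(exc)


def first_int(entries: list[dict], tag: int):
    """Decode the first SHORT or LONG entry carrying the given tag, or None."""
    for ent in entries:
        if ent["tag"] == tag and ent["type"] in (3, 4):
            fmt = ent["endian"] + ("H" if ent["type"] == 3 else "I")
            return struct.unpack(fmt, ent["value"][:struct.calcsize(fmt)])[0]
    return None


def make_sample_tiff(next_ifd: int = 0) -> bytes:
    """Constructed 4x4, 8-bit little-endian TIFF header with three inline SHORT entries."""
    header = b"II" + struct.pack("<HI", 42, 8)   # first IFD immediately after the header
    fields = [(256, 4), (257, 4), (258, 8)]      # ImageWidth, ImageLength, BitsPerSample
    ifd = struct.pack("<H", len(fields))
    for tag, val in fields:
        ifd += struct.pack("<HHI", tag, 3, 1) + struct.pack("<H", val) + b"\0\0"
    return header + ifd + struct.pack("<I", next_ifd)


def make_malformed() -> dict:
    """Constructed corruptions of the sample, one per check in parse_tiff."""
    good = make_sample_tiff()
    return {
        "ifd_beyond_eof": good[:4] + struct.pack("<I", 0x7FFFFFF0) + good[8:],
        "huge_entry_count": good[:8] + struct.pack("<H", 60000) + good[10:],
        # entry 0 becomes ImageDescription (ASCII, 4096 bytes) pointing far past the end
        "value_beyond_eof": good[:10] + struct.pack("<HHI", 270, 2, 4096)
                            + struct.pack("<I", 0xFFFFFF00) + good[22:],
        "ifd_loop": make_sample_tiff(next_ifd=8),
    }


if __name__ == "__main__":
    print("sample:", check_tiff(make_sample_tiff()))
    for name, blob in make_malformed().items():
        print(f"{name}: {check_tiff(blob)}")
```

The point of the structure is that every read is preceded by a comparison against the buffer length, and that the IFD walk is protected against cycles; a decoder written this way turns each of the malformed inputs into a clean rejection rather than an out-of-bounds read.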
------------------------------
Message: 2
Date: Tue, 06 May 2014 10:19:51 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2206-1] OpenStack Horizon vulnerability
Message-ID: <5368FD97.6020003@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2206-1
May 06, 2014
horizon vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
Summary:
OpenStack Horizon did not properly process Heat templates.
Software Description:
- horizon: Web interface for OpenStack cloud infrastructure
Details:
Cristian Fiorentino discovered that OpenStack Horizon did not properly
perform input sanitization for Heat templates. If a user were tricked into
using a specially crafted Heat template, an attacker could conduct
cross-site scripting attacks. With cross-site scripting vulnerabilities, if
a user were tricked into viewing server output during a crafted server
request, a remote attacker could exploit this to modify the contents, or
steal confidential data, within the same domain.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
openstack-dashboard 1:2013.2.3-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2206-1
CVE-2014-0157
Package Information:
https://launchpad.net/ubuntu/+source/horizon/1:2013.2.3-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140506/5484b878/attachment-0001.pgp>
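The Horizon issue is a classic stored cross-site scripting pattern: strings taken from a user-supplied Heat template are placed into the dashboard's HTML without escaping. As an added example (not Horizon's code and not the fix shipped in the package above), the Python below parses a constructed HOT template in JSON form, then renders its description and parameter fields two ways: straight concatenation, which lets a script tag and an attribute break-out through, and context-aware escaping with the standard library's `html.escape`, which neutralises both. The template content, helper names and the `contains_live_markup` detector are mine.

```python
import html
import json

# Constructed HOT template in JSON form; the description and one parameter name carry
# the kind of payload an attacker-supplied template might contain.
SAMPLE_TEMPLATE = json.dumps({
    "heat_template_version": "2013-05-23",
    "description": "Web tier <script>alert(document.cookie)</script>",
    "parameters": {
        "flavor": {"type": "string", "description": "Instance flavor"},
        'image" onmouseover="alert(1)': {"type": "string", "description": "Image <b>name</b>"},
    },
})


def load_template(text: str) -> dict:
    """Parse the template and pull out the fields a dashboard would display."""
    doc = json.loads(text)
    params = doc.get("parameters", {})
    return {
        "description": str(doc.get("description", "")),
        "parameters": {str(k): str(v.get("description", "")) for k, v in params.items()},
    }


def render_unsafe(summary: dict) -> str:
    """The defect: template-controlled strings are concatenated straight into HTML."""
    out = [f"<p>{summary['description']}</p>", "<ul>"]
    for name, desc in summary["parameters"].items():
        out.append(f'<li data-param="{name}">{desc}</li>')
    out.append("</ul>")
    return "".join(out)


def render_safe(summary: dict) -> str:
    """The fix: escape every template-derived string for the context it lands in
    (element text and a quoted attribute value both need < > & and quotes neutralised)."""
    out = [f"<p>{html.escape(summary['description'])}</p>", "<ul>"]
    for name, desc in summary["parameters"].items():
        out.append(f'<li data-param="{html.escape(name, quote=True)}">{html.escape(desc)}</li>')
    out.append("</ul>")
    return "".join(out)


def contains_live_markup(rendered: str) -> bool:
    """Crude check used for the demonstration: is a script tag or an attribute
    break-out still present as live markup in the output?"""
    return "<script" in rendered or '" onmouseover="' in rendered


if __name__ == "__main__":
    summary = load_template(SAMPLE_TEMPLATE)
    print("unsafe:", render_unsafe(summary))
    print("safe:  ", render_safe(summary))
```

In a real Django-based dashboard the equivalent protection is the template engine's autoescaping, which only helps if template-derived values are never marked as safe before rendering; the hand-rolled renderer here just makes the two behaviours visible side by side.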
------------------------------
Message: 3
Date: Tue, 06 May 2014 15:08:52 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2207-1] OpenStack Swift vulnerability
Message-ID: <53694154.5070706@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2207-1
May 06, 2014
swift vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
OpenStack Swift would allow unintended access to files over the network.
Software Description:
- swift: OpenStack distributed virtual object store
Details:
Samuel Merritt discovered a timing attack vulnerability in OpenStack Swift.
If Swift was configured to use the TempURL middleware, an attacker could
exploit this to guess valid secret URLs and obtain unintended access to
objects publicly shared with specific recipients.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
python-swift 1.10.0-0ubuntu1.1
Ubuntu 12.10:
python-swift 1.7.4-0ubuntu2.4
Ubuntu 12.04 LTS:
python-swift 1.4.8-0ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2207-1
CVE-2014-0006
Package Information:
https://launchpad.net/ubuntu/+source/swift/1.10.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/swift/1.7.4-0ubuntu2.4
https://launchpad.net/ubuntu/+source/swift/1.4.8-0ubuntu2.4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140506/5c94ef9e/attachment-0001.pgp>
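The Swift TempURL flaw is a signature comparison that stops at the first differing character, so the time taken to reject a guess reveals how many leading characters were right. As an added example (my code, not Swift's middleware or the patched package above), the Python below models the documented TempURL scheme, an HMAC-SHA1 over the method, expiry and path, and verifies a presented signature two ways: an early-exit comparison instrumented to report how many characters it inspected, and `hmac.compare_digest`, which examines the whole string regardless. The secret, object path and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed secret; in Swift this role is played by the account's Temp-URL key.
SECRET = b"constructed-demo-key-not-real"


def tempurl_signature(key: bytes, method: str, expires: int, path: str) -> str:
    """HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH", hex encoded (40 characters)."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, hashlib.sha1).hexdigest()


def naive_equal(expected: str, presented: str) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, characters inspected); the second value
    is the quantity a remote attacker can infer from response timing."""
    if len(expected) != len(presented):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, presented)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def constant_time_equal(expected: str, presented: str) -> bool:
    """Inspects every byte whatever the input, so timing carries no prefix information."""
    return hmac.compare_digest(expected.encode(), presented.encode())


def verify_naive(key: bytes, method: str, expires: int, path: str,
                 presented: str, now: int) -> tuple[bool, int]:
    """The defective pattern: expiry check followed by an early-exit compare."""
    if expires < now:
        return False, 0
    return naive_equal(tempurl_signature(key, method, expires, path), presented)


def verify_fixed(key: bytes, method: str, expires: int, path: str,
                 presented: str, now: int) -> bool:
    """The hardened pattern: same expiry check, constant-time compare."""
    if expires < now:
        return False
    return constant_time_equal(tempurl_signature(key, method, expires, path), presented)


def flip_hex(sig: str, index: int) -> str:
    """Change one hex character of a signature (helper for constructing wrong guesses)."""
    replacement = "0" if sig[index] != "0" else "1"
    return sig[:index] + replacement + sig[index + 1:]


if __name__ == "__main__":
    now = int(time.time())
    expires, path = now + 3600, "/v1/AUTH_demo/container/object"
    good = tempurl_signature(SECRET, "GET", expires, path)
    for label, guess in [("correct", good), ("wrong at 0", flip_hex(good, 0)),
                         ("wrong at 3", flip_hex(good, 3))]:
        print(label, verify_naive(SECRET, "GET", expires, path, guess, now),
              verify_fixed(SECRET, "GET", expires, path, guess, now))
```

The instrumented counter stands in for wall-clock timing so the difference is deterministic: a guess that is wrong in its first character is rejected after one comparison, one that is right for three characters after four, and that gradient is exactly what the fixed version removes. Note that the comparison must be done on the expected signature computed server-side, never on something the client supplies for both operands.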
------------------------------
Message: 4
Date: Tue, 06 May 2014 17:13:44 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2208-1] OpenStack Cinder vulnerability
Message-ID: <53695E98.1060806@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2208-1
May 06, 2014
cinder vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
OpenStack Cinder could be made to expose sensitive information over the
network.
Software Description:
- cinder: OpenStack storage service
Details:
JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce
SSL connections when Nova was configured to use QPid and qpid_protocol is
set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information. Ubuntu
does not use QPid with Nova by default.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-cinder 2012.2.4-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2208-1
CVE-2013-6491
Package Information:
https://launchpad.net/ubuntu/+source/cinder/2012.2.4-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140506/53e6fb56/attachment-0001.pgp>
------------------------------
Message: 5
Date: Tue, 06 May 2014 17:17:30 -0500
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2208-2] OpenStack Quantum vulnerability
Message-ID: <53695F7A.6090801@canonical.com>
Content-Type: text/plain; charset="utf-8"
==========================================================================
Ubuntu Security Notice USN-2208-2
May 06, 2014
quantum vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
OpenStack Quantum could be made to expose sensitive information over the
network.
Software Description:
- quantum: OpenStack Virtual Network Service
Details:
USN-2208-1 fixed vulnerabilities in OpenStack Cinder. This update provides
the corresponding updates for OpenStack Quantum.
Original advisory details:
JuanFra Rodriguez Cardoso discovered that OpenStack Cinder did not enforce
SSL connections when Nova was configured to use QPid and qpid_protocol is
set to 'ssl'. If a remote attacker were able to perform a man-in-the-middle
attack, this flaw could be exploited to view sensitive information. Ubuntu
does not use QPid with Nova by default.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
python-quantum 2012.2.4-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2208-2
http://www.ubuntu.com/usn/usn-2208-1
CVE-2013-6491
Package Information:
https://launchpad.net/ubuntu/+source/quantum/2012.2.4-0ubuntu1.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140506/8cbf40db/attachment-0001.pgp>
------------------------------
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
End of ubuntu-security-announce Digest, Vol 116, Issue 4
********************************************************