News

Friday, June 20, 2014

ubuntu-security-announce Digest, Vol 117, Issue 11

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2250-1] Thunderbird vulnerabilities (Chris Coulson)
2. [USN-2251-1] Linux kernel vulnerabilities (John Johansen)
3. [USN-2252-1] Linux kernel (EC2) vulnerabilities (John Johansen)
4. Ubuntu 13.10 (Saucy Salamander) reaches End of Life on July
17 2014 (Adam Conrad)


----------------------------------------------------------------------

Message: 1
Date: Thu, 19 Jun 2014 12:32:57 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2250-1] Thunderbird vulnerabilities
Message-ID: <53A2CA69.2060005@canonical.com>
Content-Type: text/plain; charset="iso-8859-1"

==========================================================================
Ubuntu Security Notice USN-2250-1
June 19, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de
Mooij, Ryan VanderMeulen, Jeff Walden and Kyle Huey discovered multiple
memory safety issues in Thunderbird. If a user were tricked in to opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1533)

Abhishek Arya discovered multiple use-after-free and out-of-bounds read
issues in Thunderbird. If a user had enabled scripting, an attacker could
potentially exploit these to cause a denial of service via application
crash or execute arbitrary code with the priviliges of the user invoking
Thunderbird. (CVE-2014-1538)

A use-after-free was discovered in the SMIL animation controller. If a
user had enabled scripting, an attacker could potentially exploit this
to cause a denial of service via application crash or execute arbitrary
code with the priviliges of the user invoking Thunderbird. (CVE-2014-1541)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
thunderbird 1:24.6.0+build1-0ubuntu0.14.04.1

Ubuntu 13.10:
thunderbird 1:24.6.0+build1-0ubuntu0.13.10.1

Ubuntu 12.04 LTS:
thunderbird 1:24.6.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2250-1
CVE-2014-1533, CVE-2014-1538, CVE-2014-1541, https://launchpad.net/bugs/1328003

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:24.6.0+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.6.0+build1-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.6.0+build1-0ubuntu0.12.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 538 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140619/042006b4/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 19 Jun 2014 22:26:23 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2251-1] Linux kernel vulnerabilities
Message-ID: <53A3C5FF.90700@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2251-1
June 20, 2014

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A bounds check error was discovered in the socket filter subsystem of the
Linux kernel. A local user could exploit this flaw to cause a denial of
service (system crash) via crafted BPF instructions. (CVE-2014-3144)

A remainder calculation error was discovered in the socket filter subsystem
of the Linux kernel. A local user could exploit this flaw to cause a denial
of service (system crash) via crafted BPF instructions. (CVE-2014-3145)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-62-386 2.6.32-62.125
linux-image-2.6.32-62-generic 2.6.32-62.125
linux-image-2.6.32-62-generic-pae 2.6.32-62.125
linux-image-2.6.32-62-ia64 2.6.32-62.125
linux-image-2.6.32-62-lpia 2.6.32-62.125
linux-image-2.6.32-62-powerpc 2.6.32-62.125
linux-image-2.6.32-62-powerpc-smp 2.6.32-62.125
linux-image-2.6.32-62-powerpc64-smp 2.6.32-62.125
linux-image-2.6.32-62-preempt 2.6.32-62.125
linux-image-2.6.32-62-server 2.6.32-62.125
linux-image-2.6.32-62-sparc64 2.6.32-62.125
linux-image-2.6.32-62-sparc64-smp 2.6.32-62.125
linux-image-2.6.32-62-versatile 2.6.32-62.125
linux-image-2.6.32-62-virtual 2.6.32-62.125

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2251-1
CVE-2014-3144, CVE-2014-3145

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-62.125


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140619/248a4ed3/attachment-0001.pgp>

------------------------------

Message: 3
Date: Thu, 19 Jun 2014 22:26:51 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2252-1] Linux kernel (EC2) vulnerabilities
Message-ID: <53A3C61B.7040808@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2252-1
June 20, 2014

linux-ec2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ec2: Linux kernel for EC2

Details:

A bounds check error was discovered in the socket filter subsystem of the
Linux kernel. A local user could exploit this flaw to cause a denial of
service (system crash) via crafted BPF instructions. (CVE-2014-3144)

A remainder calculation error was discovered in the socket filter subsystem
of the Linux kernel. A local user could exploit this flaw to cause a denial
of service (system crash) via crafted BPF instructions. (CVE-2014-3145)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-366-ec2 2.6.32-366.80

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2252-1
CVE-2014-3144, CVE-2014-3145

Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-366.80


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140619/3534c5d2/attachment-0001.pgp>

------------------------------

Message: 4
Date: Thu, 19 Jun 2014 23:00:13 -0600
From: Adam Conrad <adconrad@ubuntu.com>
To: ubuntu-announce@lists.ubuntu.com
Cc: ubuntu-security-announce@lists.ubuntu.com
Subject: Ubuntu 13.10 (Saucy Salamander) reaches End of Life on July
17 2014
Message-ID: <20140620050013.GC28005@0c3.net>
Content-Type: text/plain; charset=us-ascii

Ubuntu announced its 13.10 (Saucy Salamander) release almost 9 months
ago, on October 17, 2013. This was the second release with our new 9
month support cycle and, as such, the support period is now nearing
its end and Ubuntu 13.10 will reach end of life on Thursday, July
17th. At that time, Ubuntu Security Notices will no longer include
information or updated packages for Ubuntu 13.10.

The supported upgrade path from Ubuntu 13.10 is via Ubuntu 14.04 LTS.
Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/TrustyUpgrades

Ubuntu 14.04 LTS continues to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad



------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 117, Issue 11
*********************************************************

No comments:

Blog Archive