News

Tuesday, September 30, 2014

Through Microservices, a Renewed Push for Simplicity and IT Minimalism

Guerrilla SOA redux? PwC consultants recommend lighter, simpler, faster services to keep up with business demands.

Intel, Cisco, HP, Others Form NFV Consortium

The OPNFV will be a project at the Linux Foundation to create an open-source reference platform for NFV.

Arduino to Sell 3D Printer—$800 in Kit Form or $1,000 Pre-Assembled

Arduino, maker of the open source hardware platform of the same name, is teaming up with a startup called Sharebot to sell a 3D printer for about $1,000. Announced today, Materia 101 will be demonstrated at the Maker Faire in Rome this weekend. An on-sale date has not been revealed.

Piston’s McKenty to Leave Company He Founded for Pivotal

The New Stack: Josh McKenty, founder of Piston and an early architect of what became OpenStack, announced today that he's leaving the company he started to take on a new role at Pivotal.

Chromecast Getting Competition from Firefox OS-Powered Matchstick

The streaming stick market is apparently heating up. Google, Microsoft, and Amazon all have entrants in this space, and if a new Kickstarter appeal succeeds, there will soon be a Firefox OS stick getting in on the action.

Facebook has Over 200 Open Source Projects on GitHub

Facebook. It's one of the world's most well-known tech companies and on the forefront of open source technology. Just take a look at their portfolio of over 200 open source projects on GitHub. In this interview with James Pearce, head of Open Source at Facebook, I speak with him prior to...

Distribution Release: CentOS 5.11

Johnny Hughes has announced the release of CentOS 5.11, the distribution's final release in the 5.x branch.

Apache Storm is Ready for Prime Time

Storm, a real-time framework for dealing with Big Data, has become an Apache top level project.

Scribbleton Has a Ton of Potential

Scribbleton is a very early -- as in alpha -- release of an innovative note-taking app for Linux that also provides cross-platform access from Windows and Apple computers. It creates a personal wiki for storing everything from quick notes to detailed checklists to outlines, with links between the pages it holds.

eBay, PayPal Breakup an OpenStack Private Cloud Split Too

eBay and PayPal are both on the OpenStack bandwagon. The PayPal spin-off will highlight how easy or difficult it will be to break up an OpenStack private cloud.

VMware's Role in OpenStack: A Second Look

I had believed that VMware took part in the OpenStack community because it was dragged there by its customers. Boy, I was wrong. VMware's Dan Wendlandt helps set me straight.

Bringing Together a Disconnected Team

How do you connect remote workers together for better culture?

Fedora Might Try A New Scheduling Strategy For Its Releases

It's no secret that Fedora has had a challenging time sticking to their release schedules for a long time. With taking care of blocker bugs, Fedora Linux releases tend to frequently slip -- with Fedora 21 it's about two months behind schedule and we're just past the alpha stage. By...

Ten Fastest-Growing IT Skills Offer Opportunities

Baseline: If you want to move ahead in your career, it's important to command a skill that will enable you to write your own ticket in terms of job opportunities.

Open Sourcing Automation Tools for Testing Linux Images on Microsoft Azure

Openness at Microsoft Blog: Microsoft has participated in the Linux community for several years now, contributing drivers for Hyper-V to the Linux kernel source code base, and then working with Linux distribution partners to incorporate those drivers into their distros. We've had great results in running a variety of Linux distros as a guest OS on Hyper-V and as a VM in Microsoft Azure, and our collaboration with SUSE...

NVIDIA GeForce GTX 980: The Best GPU For Linux Gamers

Earlier this month NVIDIA launched the GeForce GTX 970 and GTX 980 as their highest-end offerings based on their Maxwell architecture. Since the GTX 750 series debut I have been anxious to see Maxwell succeed Kepler in the high-end space and finally last week I got hands on time with...

Open Source Drives Innovation in Another Multi-Billion Dollar Market: World’s Largest Carriers, Vendors to Bring Virtualization

The Linux Foundation today is announcing a new Collaborative Project, Open Platform for NFV, or OPNFV. It involves nearly 40 companies and has largely been driven by end users like AT&T, China Mobile, NTT DOCOMO, Telecom Italia and Vodafone, among others. Together this community aims to build a carrier-grade, integrated, open source reference platform to accelerate Network Function Virtualization. 

ubuntu-security-announce Digest, Vol 120, Issue 19

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2365-1] LibVNCServer vulnerabilities (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Mon, 29 Sep 2014 13:12:58 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2365-1] LibVNCServer vulnerabilities
Message-ID: <5429931A.1030100@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2365-1
September 29, 2014

libvncserver vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in LibVNCServer.

Software Description:
- libvncserver: vnc server library

Details:

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory when
being advertised large screen sizes by the server. If a user were tricked
into connecting to a malicious server, an attacker could use this issue to
cause a denial of service, or possibly execute arbitrary code.
(CVE-2014-6051, CVE-2014-6052)

Nicolas Ruff discovered that LibVNCServer incorrectly handled large
ClientCutText messages. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service. (CVE-2014-6053)

Nicolas Ruff discovered that LibVNCServer incorrectly handled zero scaling
factor values. A remote attacker could use this issue to cause a server to
crash, resulting in a denial of service. (CVE-2014-6054)

Nicolas Ruff discovered that LibVNCServer incorrectly handled memory in the
file transfer feature. A remote attacker could use this issue to cause a
server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-6055)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libvncserver0 0.9.9+dfsg-1ubuntu1.1

Ubuntu 12.04 LTS:
libvncserver0 0.9.8.2-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2365-1
CVE-2014-6051, CVE-2014-6052, CVE-2014-6053, CVE-2014-6054,
CVE-2014-6055

Package Information:
https://launchpad.net/ubuntu/+source/libvncserver/0.9.9+dfsg-1ubuntu1.1
https://launchpad.net/ubuntu/+source/libvncserver/0.9.8.2-2ubuntu1.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140929/4cdfc4be/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 120, Issue 19
*********************************************************

Monday, September 29, 2014

Protect yourself from the big bad shellshock

It was announced on Wednesday that a serious vulnerability has been found in the bash program installed on Linux, Unix and Mac OS X systems. Because this bug is a hidden open door into your system, hackers can gain access to your system from the Internet and run programs, completely taking over the system.

This is a serious problem that, if not handled quickly and properly, will cause serious damage to your computers and to Internet infrastructure, since most of the computers servicing the Internet run a Linux or Unix OS.

Heed these warnings. Read these links thoroughly and make sure you update your Linux, Unix and Mac OS X systems with the latest patch for bash. Start patching immediately.

http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

http://www.linux.com/news/enterprise/systems-management/789720-improved-patch-tackles-new-shellshock-bash-bug-attack-vectors

Web Software vs. Native Linux Software

Both Web-based software and Linux software offer significant costs savings. Is one actually better in the long term?

Tor Executive Director Hints at Firefox Integration

Daily Dot: Is this how the mainstream finally begins to win back its online privacy?

HP Unveils ARM-Based Moonshot Servers

The new systems ramp up ARM's competition with Intel and give data centers greater compute choices.

Eclipse Foundation Delivers Open IoT Stack for Java

The Eclipse IoT community is helping Java developers to connect and manage devices in an IoT solution by delivering an Open IoT Stack for Java.

The Internet Is Broken, and Shellshock Is Just the Start of Our Woes

The year was 1987, and as Fox drove cross-country to his new home, the tapes held a software program called Bash, a tool for the UNIX operating system he had written and tagged with a license that let anyone use the code and even redistribute it to others.

Improved Patch Tackles New Shellshock Bash Bug Attack Vectors

System administrators who spent last week making sure their computers are patched against Shellshock, a critical vulnerability in the Bash Unix command-line interpreter, will have to install a new patch that addresses additional attack vectors.

Cloudflare Just Added SSL Encryption to Two Million Websites for Free

Last year, the web optimization network CloudFlare promised it would double SSL usage on the web in 2014 — and last night, the company made good on its promise. Overnight, CloudFlare deployed its Universal SSL feature, offering free SSL encryption to any site that opted in. All told, that meant...

Shellshock Makes Heartbleed Look Insignificant

The new vulnerability in the Bash shell is the worst we've seen in many years. No software on critical systems can be assumed as safe.

Open, Open, Open: OpenDaylight Helium is Here

Everywhere you turn these days you hear the term "open" in networking. The idea of openness in networking has come a long way in the past year and it's now considered the de facto standard way that we'll achieve interoperability and innovation. 

LibreSSL: More Than 30 Days Later

Ted Unangst has posted an update on LibreSSL development. "Joel and I have been working on a replacement API for OpenSSL, appropriately entitled ressl. Reimagined SSL is how I think of it. Our goals are consistency and simplicity. In particular, we answer the question 'What would the user like to...

Saturday, September 27, 2014

ubuntu-security-announce Digest, Vol 120, Issue 18


Today's Topics:

1. [USN-2364-1] Bash vulnerabilities (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Sat, 27 Sep 2014 05:13:45 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2364-1] Bash vulnerabilities
Message-ID: <54267FC9.2080208@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2364-1
September 27, 2014

bash vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Bash.

Software Description:
- bash: GNU Bourne Again SHell

Details:

Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly
handled memory. An attacker could possibly use this issue to bypass certain
environment restrictions and execute arbitrary code. (CVE-2014-7186,
CVE-2014-7187)

In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.4

Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.5

Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2364-1
CVE-2014-7186, CVE-2014-7187

Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.5
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.4


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140927/b69771a9/attachment-0001.pgp>

------------------------------



End of ubuntu-security-announce Digest, Vol 120, Issue 18
*********************************************************

Friday, September 26, 2014

ubuntu-security-announce Digest, Vol 120, Issue 17


Today's Topics:

1. [USN-2363-1] Bash vulnerability (Marc Deslauriers)
2. [USN-2363-2] Bash vulnerability (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Sep 2014 18:35:21 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2363-1] Bash vulnerability
Message-ID: <542498A9.6020900@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2363-1
September 25, 2014

bash vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Bash allowed bypassing environment restrictions in certain environments.

Software Description:
- bash: GNU Bourne Again SHell

Details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.2

Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.3

Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2363-1
CVE-2014-7169

Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.2
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.3
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.2


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140925/75d7bb69/attachment-0001.pgp>

------------------------------

Message: 2
Date: Thu, 25 Sep 2014 22:34:44 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2363-2] Bash vulnerability
Message-ID: <5424D0C4.9010404@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2363-2
September 26, 2014

bash vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Bash allowed bypassing environment restrictions in certain environments.

Software Description:
- bash: GNU Bourne Again SHell

Details:

USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch
for CVE-2014-7169 didn't get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2363-2
http://www.ubuntu.com/usn/usn-2363-1
CVE-2014-7169

Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140925/0d09f66e/attachment-0001.pgp>

------------------------------



End of ubuntu-security-announce Digest, Vol 120, Issue 17
*********************************************************

Thursday, September 25, 2014

ubuntu-security-announce Digest, Vol 120, Issue 16


Today's Topics:

1. [USN-2362-1] Bash vulnerability (Marc Deslauriers)
2. [USN-2361-1] NSS vulnerability (Marc Deslauriers)
3. [USN-2360-2] Thunderbird vulnerabilities (Chris Coulson)
4. [USN-2360-1] Firefox vulnerabilities (Chris Coulson)


----------------------------------------------------------------------

Message: 1
Date: Wed, 24 Sep 2014 11:57:54 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2362-1] Bash vulnerability
Message-ID: <5422EA02.8080804@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2362-1
September 24, 2014

bash vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Bash allowed bypassing environment restrictions in certain environments.

Software Description:
- bash: GNU Bourne Again SHell

Details:

Stephane Chazelas discovered that Bash incorrectly handled trailing code in
function definitions. An attacker could use this issue to bypass
environment restrictions, such as SSH forced command environments.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.1

Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.2

Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2362-1
CVE-2014-6271

Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.1
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.2
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140924/9506be98/attachment-0001.pgp>

------------------------------

Message: 2
Date: Wed, 24 Sep 2014 15:56:08 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2361-1] NSS vulnerability
Message-ID: <542321D8.4070300@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2361-1
September 24, 2014

nss vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software Description:
- nss: Network Security Service library

Details:

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libnss3 2:3.17.1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
libnss3 3.17.1-0ubuntu0.12.04.1

Ubuntu 10.04 LTS:
libnss3-1d 3.17.1-0ubuntu0.10.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References:
http://www.ubuntu.com/usn/usn-2361-1
CVE-2014-1568

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.17.1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/nss/3.17.1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/nss/3.17.1-0ubuntu0.10.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140924/1ed2dc73/attachment-0001.pgp>

------------------------------

Message: 3
Date: Wed, 24 Sep 2014 20:38:13 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2360-2] Thunderbird vulnerabilities
Message-ID: <54231DA5.5070005@canonical.com>
Content-Type: text/plain; charset="windows-1252"

==========================================================================
Ubuntu Security Notice USN-2360-2
September 24, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

USN-2360-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Thunderbird.

Original advisory details:

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2360-2
http://www.ubuntu.com/usn/usn-2360-1
CVE-2014-1568

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:31.1.2+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:31.1.2+build1-0ubuntu0.12.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140924/93a957d9/attachment-0001.pgp>

------------------------------

Message: 4
Date: Wed, 24 Sep 2014 20:31:30 +0100
From: Chris Coulson <chris.coulson@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2360-1] Firefox vulnerabilities
Message-ID: <54231C12.4060906@canonical.com>
Content-Type: text/plain; charset="windows-1252"

==========================================================================
Ubuntu Security Notice USN-2360-1
September 24, 2014

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
firefox 32.0.3+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
firefox 32.0.3+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2360-1
CVE-2014-1568

Package Information:
https://launchpad.net/ubuntu/+source/firefox/32.0.3+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/32.0.3+build1-0ubuntu0.12.04.1


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140924/f82003eb/attachment-0001.pgp>

------------------------------



End of ubuntu-security-announce Digest, Vol 120, Issue 16
*********************************************************

Wednesday, September 24, 2014

Microsoft VP Scott Charney Architect of Trustworthy Computing Changes


Security Update
Microsoft VP, Scott Charney, Outs Himself as the Architect of Trustworthy Computing Changes
by Rod Trent

In addition to job loss from round two in the Microsoft employment cull last week, several groups within the company were disbanded and consolidated. One of those, the Trustworthy Computing group, I reported on Monday. A piece of what this group has been responsible for since 2002 is ensuring Microsoft products remain secure through updates and patches. Of course, as we know, the patches Microsoft has been releasing of late have seen diminished quality and have caused more widely reported problems than seemingly ever before. This has caused many organizations to alter their patching policies, extending the time to deploy by weeks in some cases. For critical security matters, and software exploits reported in the wild and advancing, this is clearly not a good situation. Some have gone as far as calling the security group at Microsoft the UnTrustworthy Computing group. And, with news last week that the group has been disbanded and assimilated by other, existing groups within Microsoft, customers are now wondering if being trustworthy is still a strong focus for Microsoft and how the company will be able to keep its products secure in an intensified, more dangerous security landscape.


Protect Windows IIS FTP Servers
by Jan De Clercq
Q: How can I protect my Windows IIS FTP servers against automated logon attacks? Does the IIS FTP server provide any features I can leverage?


The IT Security Conundrum
by Doug Spindler
I've been in the IT industry for many years now and watched as company after company leaks confidential information. Sometimes it's the result of an attacker, while other times it's the result of a Google search, clicking on a link and finding your screen is full of what you know is confidential data. What to do?





Resources
How to Detect System Compromise & Data Exfiltration
Join security engineer, Tom D'Aquino, for a security webcast on October 15th at 2pm ET, as he walks through the steps of a systems compromise and how to detect these corrupt activities at every stage.

When Applications Attack
Join Rod Trent in this webcast on October 7th at 2pm ET to learn about the current situation with application sprawl and how you can prevent it.


Events
Windows 8 Essentials
In this one-day training course, Paul Thurrott shows you the advantages Windows 8 brings to the desktop and how you can tailor Windows 8 to work most effectively on the PC of your choice. Sessions meet October 7th. Register by September 30th for ONLY $169!


Contact Us
About the commentary -- letters@windowsitpro.com
About technical questions -- forums.windowsitpro.com
About product news -- products@windowsitpro.com
About advertising -- michelle.andrews@penton.com


Windows IT Pro | Penton | 1166 Avenue of the Americas | New York, NY 10036 | Privacy Statement

ubuntu-security-announce Digest, Vol 120, Issue 15

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2359-1] Linux kernel vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 23 Sep 2014 15:06:33 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2359-1] Linux kernel vulnerabilities
Message-ID: <5421EEE9.1050009@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2359-1
September 23, 2014

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Jason Gunthorpe reported a flaw with SCTP authentication in the Linux
kernel. A remote attacker could exploit this flaw to cause a denial of
service (NULL pointer dereference and OOPS). (CVE-2014-5077)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-3.13.0-36-generic 3.13.0-36.63
linux-image-3.13.0-36-generic-lpae 3.13.0-36.63
linux-image-3.13.0-36-lowlatency 3.13.0-36.63
linux-image-3.13.0-36-powerpc-e500 3.13.0-36.63
linux-image-3.13.0-36-powerpc-e500mc 3.13.0-36.63
linux-image-3.13.0-36-powerpc-smp 3.13.0-36.63
linux-image-3.13.0-36-powerpc64-emb 3.13.0-36.63
linux-image-3.13.0-36-powerpc64-smp 3.13.0-36.63

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2359-1
CVE-2014-3601, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-36.63


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140923/ed540319/attachment-0001.pgp>

------------------------------
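As an added example (not Canonical's code and not part of the digest): a small Python checker that parses the notice format above, pulling out the USN id, the CVE list and the per-release package/version table, and then tests a host against it using dpkg's version ordering. It assumes an excerpt of USN-2359-1 as its input; the installed-package listing and the running-kernel string are constructed sample values, and the kernel check deliberately matches on flavour because, as the ATTENTION paragraph says, the ABI bump gives the package a new name.

```python
# Added example, not Canonical's code: parse an Ubuntu Security Notice and check a host
# against it with dpkg's version ordering. USN_2359_1 excerpts the notice above;
# INSTALLED and RUNNING are constructed sample input.
import re
from itertools import zip_longest

USN_2359_1 = """\
Ubuntu Security Notice USN-2359-1
Update instructions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-36-generic 3.13.0-36.63
linux-image-3.13.0-36-generic-lpae 3.13.0-36.63

References:
CVE-2014-3601, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472
"""
INSTALLED = {"linux-image-3.13.0-35-generic": "3.13.0-35.62",   # constructed dpkg-query -W
             "linux-image-3.13.0-36-generic": "3.13.0-36.62"}   # output: old ABI, pre-USN build
RUNNING = "3.13.0-35-generic"                                    # constructed `uname -r`

def parse_usn(text):
    """Return the USN id, its CVEs and {release: {package: fixed_version}}."""
    notice, release = {"id": None, "cves": set(), "fixed": {}}, None
    for line in text.splitlines():
        if m := re.match(r"Ubuntu Security Notice (USN-\d+-\d+)", line):
            notice["id"] = m.group(1)
        notice["cves"].update(re.findall(r"CVE-\d{4}-\d{4,}", line))
        if line.startswith("Ubuntu ") and line.endswith(":"):   # "Ubuntu 14.04 LTS:"
            release = line[:-1]
            notice["fixed"][release] = {}
        elif release and re.fullmatch(r"\S+ \S+", line):        # "package version" row
            pkg, ver = line.split()
            notice["fixed"][release][pkg] = ver
        elif not line.strip():
            release = None                                      # blank line ends the table
    return {**notice, "cves": sorted(notice["cves"])}

def _order(c):
    """dpkg character weight: '~' sorts before everything, even the end of the
    string (which weighs 0); digits are neutral; letters sort before other symbols."""
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg's fragment ordering: alternate non-digit runs (compared per character)
    and digit runs (compared numerically), so 1.0~rc1 < 1.0 < 1.0a < 1.0.1."""
    for (sa, na), (sb, nb) in zip_longest(re.findall(r"(\D*)(\d*)", a),
                                         re.findall(r"(\D*)(\d*)", b), fillvalue=("", "")):
        for k in range(max(len(sa), len(sb))):
            d = (_order(sa[k]) if k < len(sa) else 0) - (_order(sb[k]) if k < len(sb) else 0)
            if d:
                return d
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Debian ordering: epoch, then upstream, then revision. Returns <0, 0 or >0."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch or 0), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def outdated_packages(fixed, installed):
    """Packages named by the notice that are installed but below the fixed version."""
    return {p: v for p, v in installed.items()
            if p in fixed and compare_versions(v, fixed[p]) < 0}

_ABI_RE = re.compile(r"(\d+\.\d+\.\d+-\d+)-(.+)")     # "3.13.0-36-generic" -> ABI, flavour
def kernel_outdated(fixed, running):
    """True if the running kernel (`uname -r`) predates the notice's ABI for its flavour,
    None if the flavour is not listed. The ABI bump renames the package, so match flavour."""
    m = _ABI_RE.fullmatch(running)
    for pkg in (fixed if m else ()):
        pm = _ABI_RE.fullmatch(pkg.partition("linux-image-")[2])
        if pm and pm.group(2) == m.group(2):
            return compare_versions(m.group(1), pm.group(1)) < 0
    return None

if __name__ == "__main__":
    n = parse_usn(USN_2359_1)
    fixed = n["fixed"]["Ubuntu 14.04 LTS"]
    print(n["id"], n["cves"], outdated_packages(fixed, INSTALLED), kernel_outdated(fixed, RUNNING))
```

On a real host, feed `dpkg-query -W -f='${Package} ${Version}\n'` into INSTALLED and `uname -r` into RUNNING; a True from kernel_outdated means the update was installed but the reboot the notice asks for has not happened yet, or the new ABI package was never pulled in.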

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 120, Issue 15
*********************************************************

Tuesday, September 23, 2014

ubuntu-security-announce Digest, Vol 120, Issue 14



Today's Topics:

1. [USN-2353-1] APT vulnerability (Marc Deslauriers)
2. [USN-2354-1] Linux kernel vulnerabilities (John Johansen)
3. [USN-2355-1] Linux kernel (EC2) vulnerabilities (John Johansen)
4. [USN-2356-1] Linux kernel vulnerabilities (John Johansen)
5. [USN-2357-1] Linux kernel (OMAP4) vulnerabilities (John Johansen)
6. [USN-2358-1] Linux kernel (Trusty HWE) vulnerabilities (John Johansen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 23 Sep 2014 12:38:49 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2353-1] APT vulnerability
Message-ID: <5421A219.3020005@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2353-1
September 23, 2014

apt vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

APT could be made to crash or run programs if it received specially crafted
network traffic.

Software Description:
- apt: Advanced front-end for dpkg

Details:

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2014-6273)

In addition, this update fixes regressions introduced by the USN-2348-1
security update: APT incorrectly handled file:/// sources on a different
partition, incorrectly handled Dir::state::lists set to a relative path,
and incorrectly handled cdrom: sources.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
apt 1.0.1ubuntu2.4.1

Ubuntu 12.04 LTS:
apt 0.8.16~exp12ubuntu10.20.1

Ubuntu 10.04 LTS:
apt 0.7.25.3ubuntu9.17.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2353-1
CVE-2014-6273

Package Information:
https://launchpad.net/ubuntu/+source/apt/1.0.1ubuntu2.4.1
https://launchpad.net/ubuntu/+source/apt/0.8.16~exp12ubuntu10.20.1
https://launchpad.net/ubuntu/+source/apt/0.7.25.3ubuntu9.17.1



------------------------------

Message: 2
Date: Tue, 23 Sep 2014 14:52:39 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2354-1] Linux kernel vulnerabilities
Message-ID: <5421EBA7.5050504@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2354-1
September 23, 2014

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-66-386 2.6.32-66.132
linux-image-2.6.32-66-generic 2.6.32-66.132
linux-image-2.6.32-66-generic-pae 2.6.32-66.132
linux-image-2.6.32-66-ia64 2.6.32-66.132
linux-image-2.6.32-66-lpia 2.6.32-66.132
linux-image-2.6.32-66-powerpc 2.6.32-66.132
linux-image-2.6.32-66-powerpc-smp 2.6.32-66.132
linux-image-2.6.32-66-powerpc64-smp 2.6.32-66.132
linux-image-2.6.32-66-preempt 2.6.32-66.132
linux-image-2.6.32-66-server 2.6.32-66.132
linux-image-2.6.32-66-sparc64 2.6.32-66.132
linux-image-2.6.32-66-sparc64-smp 2.6.32-66.132
linux-image-2.6.32-66-versatile 2.6.32-66.132
linux-image-2.6.32-66-virtual 2.6.32-66.132

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2354-1
CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.32-66.132



------------------------------

Message: 3
Date: Tue, 23 Sep 2014 14:58:33 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2355-1] Linux kernel (EC2) vulnerabilities
Message-ID: <5421ED09.4040209@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2355-1
September 23, 2014

linux-ec2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ec2: Linux kernel for EC2

Details:

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
linux-image-2.6.32-370-ec2 2.6.32-370.86

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2355-1
CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-370.86



------------------------------

Message: 4
Date: Tue, 23 Sep 2014 14:59:31 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2356-1] Linux kernel vulnerabilities
Message-ID: <5421ED43.6060204@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2356-1
September 23, 2014

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-69-generic 3.2.0-69.103
linux-image-3.2.0-69-generic-pae 3.2.0-69.103
linux-image-3.2.0-69-highbank 3.2.0-69.103
linux-image-3.2.0-69-omap 3.2.0-69.103
linux-image-3.2.0-69-powerpc-smp 3.2.0-69.103
linux-image-3.2.0-69-powerpc64-smp 3.2.0-69.103
linux-image-3.2.0-69-virtual 3.2.0-69.103

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2356-1
CVE-2014-3601, CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-69.103



------------------------------

Message: 5
Date: Tue, 23 Sep 2014 15:00:07 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2357-1] Linux kernel (OMAP4) vulnerabilities
Message-ID: <5421ED67.8070001@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2357-1
September 23, 2014

linux-ti-omap4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1453-omap4 3.2.0-1453.73

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2357-1
CVE-2014-3601, CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1453.73



------------------------------

Message: 6
Date: Tue, 23 Sep 2014 15:01:35 -0700
From: John Johansen <john.johansen@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2358-1] Linux kernel (Trusty HWE) vulnerabilities
Message-ID: <5421EDBF.4050806@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2358-1
September 23, 2014

linux-lts-trusty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty

Details:

Jack Morgenstein reported a flaw in the page handling of the KVM (Kernel
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Jason Gunthorpe reported a flaw with SCTP authentication in the Linux
kernel. A remote attacker could exploit this flaw to cause a denial of
service (NULL pointer dereference and OOPS). (CVE-2014-5077)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel's handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.13.0-36-generic 3.13.0-36.63~precise1
linux-image-3.13.0-36-generic-lpae 3.13.0-36.63~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-2358-1
CVE-2014-3601, CVE-2014-5077, CVE-2014-5471, CVE-2014-5472

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-36.63~precise1



------------------------------



End of ubuntu-security-announce Digest, Vol 120, Issue 14
*********************************************************
