ubuntu-security-announce Digest, Vol 120, Issue 7

Send ubuntu-security-announce mailing list submissions to
ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
or, via email, send a message with subject or body 'help' to
ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at
ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ubuntu-security-announce digest..."


Today's Topics:

1. [USN-2341-1] CUPS vulnerabilities (Marc Deslauriers)
2. [USN-2342-1] QEMU vulnerabilities (Marc Deslauriers)


----------------------------------------------------------------------

Message: 1
Date: Mon, 08 Sep 2014 11:05:23 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2341-1] CUPS vulnerabilities
Message-ID: <540DC5B3.7050103@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2341-1
September 08, 2014

cups vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

CUPS could be made to expose sensitive information, leading to privilege
escalation.

Software Description:
- cups: Common UNIX Printing System(tm)

Details:

Salvatore Bonaccorso discovered that the CUPS web interface incorrectly
validated permissions and incorrectly handled symlinks. An attacker could
possibly use this issue to bypass file permissions and read arbitrary
files, possibly leading to a privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
cups 1.7.2-0ubuntu1.2

Ubuntu 12.04 LTS:
cups 1.5.3-0ubuntu8.5

Ubuntu 10.04 LTS:
cups 1.4.3-1ubuntu1.13

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2341-1
CVE-2014-5029, CVE-2014-5030, CVE-2014-5031

Package Information:
https://launchpad.net/ubuntu/+source/cups/1.7.2-0ubuntu1.2
https://launchpad.net/ubuntu/+source/cups/1.5.3-0ubuntu8.5
https://launchpad.net/ubuntu/+source/cups/1.4.3-1ubuntu1.13


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140908/0e70ffec/attachment-0001.pgp>

------------------------------

Message: 2
Date: Mon, 08 Sep 2014 13:49:42 -0400
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-2342-1] QEMU vulnerabilities
Message-ID: <540DEC36.307@canonical.com>
Content-Type: text/plain; charset="utf-8"

==========================================================================
Ubuntu Security Notice USN-2342-1
September 08, 2014

qemu, qemu-kvm vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer

Details:

Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple
issues with QEMU state loading after migration. An attacker able to modify
the state data could use these issues to cause a denial of service, or
possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149,
CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529,
CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539,
CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182,
CVE-2014-3461)

Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and
others discovered multiple issues in the QEMU block drivers. An attacker
able to modify disk images could use these issues to cause a denial of
service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222,
CVE-2014-0223)

It was discovered that QEMU incorrectly handled certain PCIe bus hotplug
operations. A malicious guest could use this issue to crash the QEMU host,
resulting in a denial of service. (CVE-2014-3471)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.3
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.3
qemu-system-arm 2.0.0+dfsg-2ubuntu1.3
qemu-system-mips 2.0.0+dfsg-2ubuntu1.3
qemu-system-misc 2.0.0+dfsg-2ubuntu1.3
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.3
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.3
qemu-system-x86 2.0.0+dfsg-2ubuntu1.3

Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.17

Ubuntu 10.04 LTS:
qemu-kvm 0.12.3+noroms-0ubuntu9.24

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2342-1
CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151,
CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530,
CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538,
CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542,
CVE-2013-6399, CVE-2014-0142, CVE-2014-0143, CVE-2014-0144,
CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0182,
CVE-2014-0222, CVE-2014-0223, CVE-2014-3461, CVE-2014-3471

Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.3
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.17
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.24


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140908/d6fc7563/attachment-0001.pgp>

------------------------------

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


End of ubuntu-security-announce Digest, Vol 120, Issue 7
********************************************************