WINDOWS CENTER

Send ubuntu-security-announce mailing list submissions to

	ubuntu-security-announce@lists.ubuntu.com

To subscribe or unsubscribe via the World Wide Web, visit

	https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

or, via email, send a message with subject or body 'help' to

	ubuntu-security-announce-request@lists.ubuntu.com

You can reach the person managing the list at

	ubuntu-security-announce-owner@lists.ubuntu.com

When replying, please edit your Subject line so it is more specific

than "Re: Contents of ubuntu-security-announce digest..."

Today's Topics:

   1. [USN-1443-1] Update Manager vulnerabilities (Marc Deslauriers)

   2. [USN-1444-1] BackupPC vulnerability (Jamie Strandboge)

   3. [USN-1445-1] Linux kernel vulnerabilities (John Johansen)

   4. [USN-1445-1] Linux kernel vulnerabilities (John Johansen)

----------------------------------------------------------------------

Message: 1

Date: Thu, 17 May 2012 14:51:39 -0400

From: Marc Deslauriers <marc.deslauriers@canonical.com>

To: ubuntu-security-announce@lists.ubuntu.com

Subject: [USN-1443-1] Update Manager vulnerabilities

Message-ID: <1337280699.20410.136.camel@mdlinux>

Content-Type: text/plain; charset="utf-8"

==========================================================================

Ubuntu Security Notice USN-1443-1

May 17, 2012

update-manager vulnerabilities

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

- Ubuntu 11.10

- Ubuntu 11.04

Summary:

Update Manager could expose sensitive information in certain circumstances.

Software Description:

- update-manager: GNOME application that manages apt updates

Details:

It was discovered that Update Manager created system state archive files

with incorrect permissions when upgrading releases. A local user could

possibly use this to read repository credentials. (CVE-2012-0948)

Felix Geyer discovered that the Update Manager Apport hook incorrectly

uploaded certain system state archive files to Launchpad when reporting

bugs. This could possibly result in repository credentials being included

in public bug reports. (CVE-2012-0949)

Update instructions:

The problem can be corrected by updating your system to the following

package versions:

Ubuntu 12.04 LTS:

  update-manager-core             1:0.156.14.4

Ubuntu 11.10:

  update-manager-core             1:0.152.25.11

Ubuntu 11.04:

  update-manager-core             1:0.150.5.3

In general, a standard system update will make all the necessary changes.

References:

  http://www.ubuntu.com/usn/usn-1443-1

  CVE-2012-0948, CVE-2012-0949

Package Information:

  https://launchpad.net/ubuntu/+source/update-manager/1:0.156.14.4

  https://launchpad.net/ubuntu/+source/update-manager/1:0.152.25.11

  https://launchpad.net/ubuntu/+source/update-manager/1:0.150.5.3

-------------- next part --------------

A non-text attachment was scrubbed...

Name: signature.asc

Type: application/pgp-signature

Size: 836 bytes

Desc: This is a digitally signed message part

URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/78d77bda/attachment-0001.pgp>

------------------------------

Message: 2

Date: Thu, 17 May 2012 17:48:11 -0500

From: Jamie Strandboge <jamie@canonical.com>

To: ubuntu-security-announce@lists.ubuntu.com

Subject: [USN-1444-1] BackupPC vulnerability

Message-ID: <1337294891.12413.38.camel@localhost>

Content-Type: text/plain; charset="utf-8"

==========================================================================

Ubuntu Security Notice USN-1444-1

May 17, 2012

backuppc vulnerability

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

- Ubuntu 11.10

- Ubuntu 11.04

- Ubuntu 10.04 LTS

- Ubuntu 8.04 LTS

Summary:

BackupPC could be made to expose sensitive information over the network.

Software Description:

- backuppc: high-performance, enterprise-grade system for backing up PCs

Details:

It was discovered that BackupPC did not properly sanitize its input when

processing RestoreFile error messages, resulting in a cross-site

scripting (XSS) vulnerability. With cross-site scripting vulnerabilities,

if a user were tricked into viewing server output during a crafted server

request, a remote attacker could exploit this to modify the contents, or

steal confidential data, within the same domain.

Update instructions:

The problem can be corrected by updating your system to the following

package versions:

Ubuntu 12.04 LTS:

  backuppc                        3.2.1-2ubuntu1.1

Ubuntu 11.10:

  backuppc                        3.2.1-1ubuntu1.2

Ubuntu 11.04:

  backuppc                        3.2.0-3ubuntu4.3

Ubuntu 10.04 LTS:

  backuppc                        3.1.0-9ubuntu1.3

Ubuntu 8.04 LTS:

  backuppc                        3.0.0-4ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:

  http://www.ubuntu.com/usn/usn-1444-1

  CVE-2011-5081

Package Information:

  https://launchpad.net/ubuntu/+source/backuppc/3.2.1-2ubuntu1.1

  https://launchpad.net/ubuntu/+source/backuppc/3.2.1-1ubuntu1.2

  https://launchpad.net/ubuntu/+source/backuppc/3.2.0-3ubuntu4.3

  https://launchpad.net/ubuntu/+source/backuppc/3.1.0-9ubuntu1.3

  https://launchpad.net/ubuntu/+source/backuppc/3.0.0-4ubuntu1.4

-------------- next part --------------

A non-text attachment was scrubbed...

Name: signature.asc

Type: application/pgp-signature

Size: 836 bytes

Desc: This is a digitally signed message part

URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/1b731576/attachment-0001.pgp>

------------------------------

Message: 3

Date: Thu, 17 May 2012 17:38:04 -0700

From: John Johansen <john.johansen@canonical.com>

To: ubuntu-security-announce@lists.ubuntu.com

Subject: [USN-1445-1] Linux kernel vulnerabilities

Message-ID: <4FB599EC.4070801@canonical.com>

Content-Type: text/plain; charset="iso-8859-1"

==========================================================================

Ubuntu Security Notice USN-1445-1

May 18, 2012

linux vulnerabilities

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:

- linux: Linux kernel

Details:

A flaw was found in the Linux's kernels ext4 file system when mounted with

a journal. A local, unprivileged user could exploit this flaw to cause a

denial of service. (CVE-2011-4086)

A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual

cpu setup. An unprivileged local user could exploit this flaw to crash the

system leading to a denial of service. (CVE-2012-1601)

Steve Grubb reported a flaw with Linux fscaps (file system base

capabilities) when used to increase the permissions of a process. For

application on which fscaps are in use a local attacker can disable address

space randomization to make attacking the process with raised privileges

easier. (CVE-2012-2123)

Update instructions:

The problem can be corrected by updating your system to the following

package versions:

Ubuntu 10.04 LTS:

  linux-image-2.6.32-41-386       2.6.32-41.89

  linux-image-2.6.32-41-generic   2.6.32-41.89

  linux-image-2.6.32-41-generic-pae  2.6.32-41.89

  linux-image-2.6.32-41-ia64      2.6.32-41.89

  linux-image-2.6.32-41-lpia      2.6.32-41.89

  linux-image-2.6.32-41-powerpc   2.6.32-41.89

  linux-image-2.6.32-41-powerpc-smp  2.6.32-41.89

  linux-image-2.6.32-41-powerpc64-smp  2.6.32-41.89

  linux-image-2.6.32-41-preempt   2.6.32-41.89

  linux-image-2.6.32-41-server    2.6.32-41.89

  linux-image-2.6.32-41-sparc64   2.6.32-41.89

  linux-image-2.6.32-41-sparc64-smp  2.6.32-41.89

  linux-image-2.6.32-41-versatile  2.6.32-41.89

  linux-image-2.6.32-41-virtual   2.6.32-41.89

After a standard system update you need to reboot your computer to make

all the necessary changes.

References:

  http://www.ubuntu.com/usn/usn-1445-1

  CVE-2011-4086, CVE-2012-1601, CVE-2012-2123

Package Information:

  https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89

-------------- next part --------------

A non-text attachment was scrubbed...

Name: signature.asc

Type: application/pgp-signature

Size: 900 bytes

Desc: OpenPGP digital signature

URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/ec73720e/attachment-0001.pgp>

------------------------------

Message: 4

Date: Thu, 17 May 2012 18:32:48 -0700

From: John Johansen <john.johansen@canonical.com>

To: ubuntu-security-announce@lists.ubuntu.com

Subject: [USN-1445-1] Linux kernel vulnerabilities

Message-ID: <4FB5A6C0.7030303@canonical.com>

Content-Type: text/plain; charset="iso-8859-1"

==========================================================================

Ubuntu Security Notice USN-1445-1

May 18, 2012

linux vulnerabilities

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:

- linux: Linux kernel

Details:

A flaw was found in the Linux's kernels ext4 file system when mounted with

a journal. A local, unprivileged user could exploit this flaw to cause a

denial of service. (CVE-2011-4086)

A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual

cpu setup. An unprivileged local user could exploit this flaw to crash the

system leading to a denial of service. (CVE-2012-1601)

Steve Grubb reported a flaw with Linux fscaps (file system base

capabilities) when used to increase the permissions of a process. For

application on which fscaps are in use a local attacker can disable address

space randomization to make attacking the process with raised privileges

easier. (CVE-2012-2123)

Update instructions:

The problem can be corrected by updating your system to the following

package versions:

Ubuntu 10.04 LTS:

  linux-image-2.6.32-41-386       2.6.32-41.89

  linux-image-2.6.32-41-generic   2.6.32-41.89

  linux-image-2.6.32-41-generic-pae  2.6.32-41.89

  linux-image-2.6.32-41-ia64      2.6.32-41.89

  linux-image-2.6.32-41-lpia      2.6.32-41.89

  linux-image-2.6.32-41-powerpc   2.6.32-41.89

  linux-image-2.6.32-41-powerpc-smp  2.6.32-41.89

  linux-image-2.6.32-41-powerpc64-smp  2.6.32-41.89

  linux-image-2.6.32-41-preempt   2.6.32-41.89

  linux-image-2.6.32-41-server    2.6.32-41.89

  linux-image-2.6.32-41-sparc64   2.6.32-41.89

  linux-image-2.6.32-41-sparc64-smp  2.6.32-41.89

  linux-image-2.6.32-41-versatile  2.6.32-41.89

  linux-image-2.6.32-41-virtual   2.6.32-41.89

After a standard system update you need to reboot your computer to make

all the necessary changes.

References:

  http://www.ubuntu.com/usn/usn-1445-1

  CVE-2011-4086, CVE-2012-1601, CVE-2012-2123

Package Information:

  https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89

-------------- next part --------------

A non-text attachment was scrubbed...

Name: signature.asc

Type: application/pgp-signature

Size: 900 bytes

Desc: OpenPGP digital signature

URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20120517/eea99c4e/attachment-0001.pgp>

------------------------------

-- 

ubuntu-security-announce mailing list

ubuntu-security-announce@lists.ubuntu.com

Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

End of ubuntu-security-announce Digest, Vol 92, Issue 9

*******************************************************

WINDOWS CENTER

Friday, May 18, 2012

ubuntu-security-announce Digest, Vol 92, Issue 9

No comments:

Post a Comment