<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.linux.ubuntu.security.announce">
    <title>gmane.linux.ubuntu.security.announce</title>
    <link>http://blog.gmane.org/gmane.linux.ubuntu.security.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1724"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1723"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1722"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1721"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1720"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1719"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1718"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1717"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1716"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1715"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1714"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1713"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1712"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1711"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1710"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1709"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1708"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1707"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1706"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1705"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1724">
    <title>[USN-1451-1] OpenSSL vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1724</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1451-1
May 24, 2012

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Applications using OpenSSL in certain situations could be made to
crash or expose sensitive information.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Ivan Nestlerode discovered that the Cryptographic Message Syntax
(CMS) and PKCS #7 implementations in OpenSSL returned early if RSA
decryption failed. This could allow an attacker to expose sensitive
information via a Million Message Attack (MMA). (CVE-2012-0884)

It was discovered that an integer underflow was possible when using
TLS 1.1, TLS 1.2, or DTLS with CBC encryption. This could allow a
remote attacker to cause a denial of service. (CVE-2012-2333)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  libssl1.0.0                     1.0.1-4ubuntu5.2
  openssl                         1.0.1-4ubuntu5.2

Ubuntu 11.10:
  libssl1.0.0                     1.0.0e-2ubuntu4.6
  openssl                         1.0.0e-2ubuntu4.6

Ubuntu 11.04:
  libssl0.9.8                     0.9.8o-5ubuntu1.7
  openssl                         0.9.8o-5ubuntu1.7

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.13
  openssl                         0.9.8k-7ubuntu8.13

Ubuntu 8.04 LTS:
  libssl0.9.8                     0.9.8g-4ubuntu3.19
  openssl                         0.9.8g-4ubuntu3.19

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1451-1
  CVE-2012-0884, CVE-2012-2333

Package Information:
  https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.2
  https://launchpad.net/ubuntu/+source/openssl/1.0.0e-2ubuntu4.6
  https://launchpad.net/ubuntu/+source/openssl/0.9.8o-5ubuntu1.7
  https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.13
  https://launchpad.net/ubuntu/+source/openssl/0.9.8g-4ubuntu3.19

&lt;/pre&gt;</description>
    <dc:creator>Steve Beattie</dc:creator>
    <dc:date>2012-05-24T22:58:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1723">
    <title>[USN-1450-1] Net-SNMP vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1723</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1450-1
May 23, 2012

net-snmp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Net-SNMP could be made to crash if it received specially crafted network
traffic.

Software Description:
- net-snmp: SNMP (Simple Network Management Protocol) server and applications

Details:

It was discovered that Net-SNMP incorrectly performed entry lookups in the
extension table. A remote attacker could send a specially crafted request
and cause the SNMP server to crash, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  libsnmp15                       5.4.3~dfsg-2.4ubuntu1.1

Ubuntu 11.10:
  libsnmp15                       5.4.3~dfsg-2.2ubuntu1.1

Ubuntu 11.04:
  libsnmp15                       5.4.3~dfsg-2ubuntu1.1

Ubuntu 10.04 LTS:
  libsnmp15                       5.4.2.1~dfsg0ubuntu1-0ubuntu2.2

Ubuntu 8.04 LTS:
  libsnmp15                       5.4.1~dfsg-4ubuntu4.4

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1450-1
  CVE-2012-2141

Package Information:
  https://launchpad.net/ubuntu/+source/net-snmp/5.4.3~dfsg-2.4ubuntu1.1
  https://launchpad.net/ubuntu/+source/net-snmp/5.4.3~dfsg-2.2ubuntu1.1
  https://launchpad.net/ubuntu/+source/net-snmp/5.4.3~dfsg-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/net-snmp/5.4.2.1~dfsg0ubuntu1-0ubuntu2.2
  https://launchpad.net/ubuntu/+source/net-snmp/5.4.1~dfsg-4ubuntu4.4


&lt;/pre&gt;</description>
    <dc:creator>Marc Deslauriers</dc:creator>
    <dc:date>2012-05-23T18:12:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1722">
    <title>[USN-1449-1] feedparser vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1722</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1449-1
May 22, 2012

feedparser vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Applications using feedparser could be made to crash if they fetched a
specially crafted feed.

Software Description:
- feedparser: Universal Feed Parser for Python

Details:

It was discovered that feedparser did not properly sanitize ENTITY
declarations in encoded fields. A remote attacker could exploit this to
cause a denial of service via memory exhaustion.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  python-feedparser               5.1-0ubuntu3.1
  python3-feedparser              5.1-0ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1449-1
  CVE-2012-2921

Package Information:
  https://launchpad.net/ubuntu/+source/feedparser/5.1-0ubuntu3.1


&lt;/pre&gt;</description>
    <dc:creator>Jamie Strandboge</dc:creator>
    <dc:date>2012-05-22T19:23:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1721">
    <title>[USN-1448-1] Linux kernel vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1721</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1448-1
May 21, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)

Steve Grubb reported a flaw with Linux fscaps (file system base
capabilities) when used to increase the permissions of a process. For
applications on which fscaps are in use a local attacker can disable address
space randomization to make attacking the process with raised privileges
easier. (CVE-2012-2123)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  linux-image-3.2.0-24-generic    3.2.0-24.38
  linux-image-3.2.0-24-generic-pae  3.2.0-24.38
  linux-image-3.2.0-24-omap       3.2.0-24.38
  linux-image-3.2.0-24-powerpc-smp  3.2.0-24.38
  linux-image-3.2.0-24-powerpc64-smp  3.2.0-24.38
  linux-image-3.2.0-24-virtual    3.2.0-24.38

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
  http://www.ubuntu.com/usn/usn-1448-1
  CVE-2012-1601, CVE-2012-2123

Package Information:
  https://launchpad.net/ubuntu/+source/linux/3.2.0-24.38

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-21T23:12:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1720">
    <title>[USN-1447-1] libxml2 vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1720</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1447-1
May 21, 2012

libxml2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Applications using libxml2 could be made to crash or run programs as your
login if they opened a specially crafted file.

Software Description:
- libxml2: GNOME XML library

Details:

Juri Aedla discovered that libxml2 contained an off-by-one error in its
XPointer functionality. If a user or application linked against libxml2
were tricked into opening a specially crafted XML file, an attacker could
cause the application to crash or possibly execute arbitrary code with the
privileges of the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  libxml2                         2.7.8.dfsg-5.1ubuntu4.1

Ubuntu 11.10:
  libxml2                         2.7.8.dfsg-4ubuntu0.3

Ubuntu 11.04:
  libxml2                         2.7.8.dfsg-2ubuntu0.4

Ubuntu 10.04 LTS:
  libxml2                         2.7.6.dfsg-1ubuntu1.5

Ubuntu 8.04 LTS:
  libxml2                         2.6.31.dfsg-2ubuntu1.9

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1447-1
  CVE-2011-3102

Package Information:
  https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-5.1ubuntu4.1
  https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-4ubuntu0.3
  https://launchpad.net/ubuntu/+source/libxml2/2.7.8.dfsg-2ubuntu0.4
  https://launchpad.net/ubuntu/+source/libxml2/2.7.6.dfsg-1ubuntu1.5
  https://launchpad.net/ubuntu/+source/libxml2/2.6.31.dfsg-2ubuntu1.9


&lt;/pre&gt;</description>
    <dc:creator>Jamie Strandboge</dc:creator>
    <dc:date>2012-05-21T22:15:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1719">
    <title>[USN-1445-1] Linux kernel vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1719</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1445-1
May 18, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A flaw was found in the Linux kernel's ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)

A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)

Steve Grubb reported a flaw with Linux fscaps (file system base
capabilities) when used to increase the permissions of a process. For
applications on which fscaps are in use a local attacker can disable address
space randomization to make attacking the process with raised privileges
easier. (CVE-2012-2123)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-2.6.32-41-386       2.6.32-41.89
  linux-image-2.6.32-41-generic   2.6.32-41.89
  linux-image-2.6.32-41-generic-pae  2.6.32-41.89
  linux-image-2.6.32-41-ia64      2.6.32-41.89
  linux-image-2.6.32-41-lpia      2.6.32-41.89
  linux-image-2.6.32-41-powerpc   2.6.32-41.89
  linux-image-2.6.32-41-powerpc-smp  2.6.32-41.89
  linux-image-2.6.32-41-powerpc64-smp  2.6.32-41.89
  linux-image-2.6.32-41-preempt   2.6.32-41.89
  linux-image-2.6.32-41-server    2.6.32-41.89
  linux-image-2.6.32-41-sparc64   2.6.32-41.89
  linux-image-2.6.32-41-sparc64-smp  2.6.32-41.89
  linux-image-2.6.32-41-versatile  2.6.32-41.89
  linux-image-2.6.32-41-virtual   2.6.32-41.89

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1445-1
  CVE-2011-4086, CVE-2012-1601, CVE-2012-2123

Package Information:
  https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-18T01:32:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1718">
    <title>[USN-1445-1] Linux kernel vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1718</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1445-1
May 18, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A flaw was found in the Linux kernel's ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)

A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)

Steve Grubb reported a flaw with Linux fscaps (file system base
capabilities) when used to increase the permissions of a process. For
applications on which fscaps are in use a local attacker can disable address
space randomization to make attacking the process with raised privileges
easier. (CVE-2012-2123)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-2.6.32-41-386       2.6.32-41.89
  linux-image-2.6.32-41-generic   2.6.32-41.89
  linux-image-2.6.32-41-generic-pae  2.6.32-41.89
  linux-image-2.6.32-41-ia64      2.6.32-41.89
  linux-image-2.6.32-41-lpia      2.6.32-41.89
  linux-image-2.6.32-41-powerpc   2.6.32-41.89
  linux-image-2.6.32-41-powerpc-smp  2.6.32-41.89
  linux-image-2.6.32-41-powerpc64-smp  2.6.32-41.89
  linux-image-2.6.32-41-preempt   2.6.32-41.89
  linux-image-2.6.32-41-server    2.6.32-41.89
  linux-image-2.6.32-41-sparc64   2.6.32-41.89
  linux-image-2.6.32-41-sparc64-smp  2.6.32-41.89
  linux-image-2.6.32-41-versatile  2.6.32-41.89
  linux-image-2.6.32-41-virtual   2.6.32-41.89

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1445-1
  CVE-2011-4086, CVE-2012-1601, CVE-2012-2123

Package Information:
  https://launchpad.net/ubuntu/+source/linux/2.6.32-41.89

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-18T00:38:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1717">
    <title>[USN-1444-1] BackupPC vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1717</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1444-1
May 17, 2012

backuppc vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

BackupPC could be made to expose sensitive information over the network.

Software Description:
- backuppc: high-performance, enterprise-grade system for backing up PCs

Details:

It was discovered that BackupPC did not properly sanitize its input when
processing RestoreFile error messages, resulting in a cross-site
scripting (XSS) vulnerability. With cross-site scripting vulnerabilities,
if a user were tricked into viewing server output during a crafted server
request, a remote attacker could exploit this to modify the contents, or
steal confidential data, within the same domain.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  backuppc                        3.2.1-2ubuntu1.1

Ubuntu 11.10:
  backuppc                        3.2.1-1ubuntu1.2

Ubuntu 11.04:
  backuppc                        3.2.0-3ubuntu4.3

Ubuntu 10.04 LTS:
  backuppc                        3.1.0-9ubuntu1.3

Ubuntu 8.04 LTS:
  backuppc                        3.0.0-4ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1444-1
  CVE-2011-5081

Package Information:
  https://launchpad.net/ubuntu/+source/backuppc/3.2.1-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/backuppc/3.2.1-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/backuppc/3.2.0-3ubuntu4.3
  https://launchpad.net/ubuntu/+source/backuppc/3.1.0-9ubuntu1.3
  https://launchpad.net/ubuntu/+source/backuppc/3.0.0-4ubuntu1.4


&lt;/pre&gt;</description>
    <dc:creator>Jamie Strandboge</dc:creator>
    <dc:date>2012-05-17T22:48:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1716">
    <title>[USN-1443-1] Update Manager vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1716</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1443-1
May 17, 2012

update-manager vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04

Summary:

Update Manager could expose sensitive information in certain circumstances.

Software Description:
- update-manager: GNOME application that manages apt updates

Details:

It was discovered that Update Manager created system state archive files
with incorrect permissions when upgrading releases. A local user could
possibly use this to read repository credentials. (CVE-2012-0948)

Felix Geyer discovered that the Update Manager Apport hook incorrectly
uploaded certain system state archive files to Launchpad when reporting
bugs. This could possibly result in repository credentials being included
in public bug reports. (CVE-2012-0949)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  update-manager-core             1:0.156.14.4

Ubuntu 11.10:
  update-manager-core             1:0.152.25.11

Ubuntu 11.04:
  update-manager-core             1:0.150.5.3

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1443-1
  CVE-2012-0948, CVE-2012-0949

Package Information:
  https://launchpad.net/ubuntu/+source/update-manager/1:0.156.14.4
  https://launchpad.net/ubuntu/+source/update-manager/1:0.152.25.11
  https://launchpad.net/ubuntu/+source/update-manager/1:0.150.5.3


&lt;/pre&gt;</description>
    <dc:creator>Marc Deslauriers</dc:creator>
    <dc:date>2012-05-17T18:51:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1715">
    <title>[USN-1442-1] Sudo vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1715</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1442-1
May 16, 2012

sudo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Sudo could allow users to run arbitrary programs as the administrator.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

It was discovered that sudo incorrectly handled network masks when using Host
and Host_List. A local user who is listed in sudoers may be allowed to run
commands on unintended hosts when IPv4 network masks are used to grant access.
A local attacker could exploit this to bypass intended access restrictions. Host
and Host_List are not used in the default installation of Ubuntu.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  sudo                            1.8.3p1-1ubuntu3.2
  sudo-ldap                       1.8.3p1-1ubuntu3.2

Ubuntu 11.10:
  sudo                            1.7.4p6-1ubuntu2.1
  sudo-ldap                       1.7.4p6-1ubuntu2.1

Ubuntu 11.04:
  sudo                            1.7.4p4-5ubuntu7.2
  sudo-ldap                       1.7.4p4-5ubuntu7.2

Ubuntu 10.04 LTS:
  sudo                            1.7.2p1-1ubuntu5.4
  sudo-ldap                       1.7.2p1-1ubuntu5.4

Ubuntu 8.04 LTS:
  sudo                            1.6.9p10-1ubuntu3.9
  sudo-ldap                       1.6.9p10-1ubuntu3.9

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1442-1
  CVE-2012-2337

Package Information:
  https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.2
  https://launchpad.net/ubuntu/+source/sudo/1.7.4p6-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/sudo/1.7.4p4-5ubuntu7.2
  https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.4
  https://launchpad.net/ubuntu/+source/sudo/1.6.9p10-1ubuntu3.9

&lt;/pre&gt;</description>
    <dc:creator>Tyler Hicks</dc:creator>
    <dc:date>2012-05-16T19:29:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1714">
    <title>[USN-1441-1] Quagga vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1714</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1441-1
May 15, 2012

quagga vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Quagga could be made to crash if it received specially crafted network
traffic.

Software Description:
- quagga: BGP/OSPF/RIP routing daemon

Details:

It was discovered that Quagga incorrectly handled Link State Update
messages with invalid lengths. A remote attacker could use this flaw to
cause Quagga to crash, resulting in a denial of service. (CVE-2012-0249,
CVE-2012-0250)

It was discovered that Quagga incorrectly handled messages with a malformed
Four-octet AS Number Capability. A remote attacker could use this flaw to
cause Quagga to crash, resulting in a denial of service. (CVE-2012-0255)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  quagga                          0.99.20.1-0ubuntu0.12.04.2

Ubuntu 11.10:
  quagga                          0.99.20.1-0ubuntu0.11.10.2

Ubuntu 11.04:
  quagga                          0.99.20.1-0ubuntu0.11.04.2

Ubuntu 10.04 LTS:
  quagga                          0.99.20.1-0ubuntu0.10.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart Quagga to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1441-1
  CVE-2012-0249, CVE-2012-0250, CVE-2012-0255

Package Information:
  https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.12.04.2
  https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.11.10.2
  https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.11.04.2
  https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.10.04.2


&lt;/pre&gt;</description>
    <dc:creator>Marc Deslauriers</dc:creator>
    <dc:date>2012-05-15T12:54:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1713">
    <title>[USN-1440-1] Linux kernel (Natty backport) vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1713</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1440-1
May 08, 2012

linux-lts-backport-natty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-backport-natty: Linux kernel backport from Natty

Details:

A flaw was found in the Linux kernel's ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)

Sasha Levin discovered a flaw in the permission checking for device
assignments requested via the kvm ioctl in the Linux kernel. A local user
could use this flaw to crash the system causing a denial of service.
(CVE-2011-4347)

Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual
machine) subsystem of the Linux kernel. A local unprivileged user can
use this flaw to crash VMs causing a denial of service. (CVE-2012-0045)

A flaw was discovered in the Linux kernel's cifs file system. An
unprivileged local user could exploit this flaw to crash the system leading
to a denial of service. (CVE-2012-1090)

H. Peter Anvin reported a flaw in the Linux kernel that could crash the
system. A local user could exploit this flaw to crash the system.
(CVE-2012-1097)

A flaw was discovered in the Linux kernel's cgroups subset. A local
attacker could use this flaw to crash the system. (CVE-2012-1146)

A flaw was found in the Linux kernel's ext4 file system when mounting a
corrupt filesystem. A user-assisted remote attacker could exploit this flaw
to cause a denial of service. (CVE-2012-2100)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-2.6.38-15-generic   2.6.38-15.59~lucid1
  linux-image-2.6.38-15-generic-pae  2.6.38-15.59~lucid1
  linux-image-2.6.38-15-server    2.6.38-15.59~lucid1
  linux-image-2.6.38-15-virtual   2.6.38-15.59~lucid1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
  http://www.ubuntu.com/usn/usn-1440-1
  CVE-2011-4086, CVE-2011-4347, CVE-2012-0045, CVE-2012-1090,
  CVE-2012-1097, CVE-2012-1146, CVE-2012-2100

Package Information:
  https://launchpad.net/ubuntu/+source/linux-lts-backport-natty/2.6.38-15.59~lucid1

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-08T07:56:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1712">
    <title>[USN-1432-1] Linux kernel vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1712</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1432-1
May 08, 2012

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

A flaw was found in the Linux kernel's ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)

A flaw was discovered in the Linux kernel's cifs file system. An
unprivileged local user could exploit this flaw to crash the system leading
to a denial of service. (CVE-2012-1090)

A flaw was found in the Linux kernel's ext4 file system when mounting a
corrupt filesystem. A user-assisted remote attacker could exploit this flaw
to cause a denial of service. (CVE-2012-2100)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  linux-image-2.6.38-15-generic   2.6.38-15.59
  linux-image-2.6.38-15-generic-pae  2.6.38-15.59
  linux-image-2.6.38-15-omap      2.6.38-15.59
  linux-image-2.6.38-15-powerpc   2.6.38-15.59
  linux-image-2.6.38-15-powerpc-smp  2.6.38-15.59
  linux-image-2.6.38-15-powerpc64-smp  2.6.38-15.59
  linux-image-2.6.38-15-server    2.6.38-15.59
  linux-image-2.6.38-15-versatile  2.6.38-15.59
  linux-image-2.6.38-15-virtual   2.6.38-15.59

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
  http://www.ubuntu.com/usn/usn-1432-1
  CVE-2011-4086, CVE-2012-1090, CVE-2012-2100

Package Information:
  https://launchpad.net/ubuntu/+source/linux/2.6.38-15.59

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-08T06:40:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1711">
    <title>[USN-1439-1] Horizon vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1711</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1439-1
May 07, 2012

horizon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Horizon could be made to expose sensitive information over the network.

Software Description:
- horizon: Web interface for OpenStack cloud infrastructure

Details:

Matthias Weckbecker discovered a cross-site scripting (XSS) vulnerability
in Horizon via the log viewer refresh mechanism. If a user were tricked
into viewing a specially crafted log message, a remote attacker could
exploit this to modify the contents or steal confidential data within the
same domain. (CVE-2012-2094)

Thomas Biege discovered a session fixation vulnerability in Horizon. An
attacker could exploit this to potentially allow access to unauthorized
information and capabilities. (CVE-2012-2144)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  python-django-horizon           2012.1-0ubuntu8.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1439-1
  CVE-2012-2094, CVE-2012-2144

Package Information:
  https://launchpad.net/ubuntu/+source/horizon/2012.1-0ubuntu8.1


&lt;/pre&gt;</description>
    <dc:creator>Jamie Strandboge</dc:creator>
    <dc:date>2012-05-07T14:14:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1710">
    <title>[USN-1437-1] PHP vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1710</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1437-1
May 04, 2012

php5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Standalone PHP CGI scripts could be made to execute arbitrary code with
the privilege of the web server.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP, when used as a stand alone CGI processor
for the Apache Web Server, did not properly parse and filter query
strings. This could allow a remote attacker to execute arbitrary code
running with the privilege of the web server. Configurations using
mod_php5 and FastCGI were not vulnerable.

This update addresses the issue when the PHP CGI interpreter
is configured using mod_cgi and mod_actions as described
in /usr/share/doc/php5-cgi/README.Debian.gz; however,
if an alternate configuration is used to enable PHP CGI
processing, it should be reviewed to ensure that command line
arguments cannot be passed to the PHP interpreter. Please see
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
for more details and potential mitigation approaches.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  php5-cgi                        5.3.10-1ubuntu3.1

Ubuntu 11.10:
  php5-cgi                        5.3.6-13ubuntu3.7

Ubuntu 11.04:
  php5-cgi                        5.3.5-1ubuntu7.8

Ubuntu 10.04 LTS:
  php5-cgi                        5.3.2-1ubuntu4.15

Ubuntu 8.04 LTS:
  php5-cgi                        5.2.4-2ubuntu5.24

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1437-1
  CVE-2012-1823, CVE-2012-2311

Package Information:
  https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/php5/5.3.6-13ubuntu3.7
  https://launchpad.net/ubuntu/+source/php5/5.3.5-1ubuntu7.8
  https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.15
  https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.24

&lt;/pre&gt;</description>
    <dc:creator>Steve Beattie</dc:creator>
    <dc:date>2012-05-04T20:24:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1709">
    <title>[USN-1430-3] Thunderbird vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1709</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1430-3
May 04, 2012

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

USN-1430-1 fixed vulnerabilities in Firefox. This update provides the
corresponding fixes for Thunderbird.

Original advisory details:

 Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong,
 Hilary Hall, Honza Bambas, Jesse Ruderman, Julian Seward, and Olli Pettay
 discovered memory safety issues affecting Firefox. If the user were tricked
 into opening a specially crafted page, an attacker could exploit these to
 cause a denial of service via application crash, or potentially execute
 code with the privileges of the user invoking Firefox. (CVE-2012-0467,
 CVE-2012-0468)
 
 Aki Helin discovered a use-after-free vulnerability in XPConnect. An
 attacker could potentially exploit this to execute arbitrary code with the
 privileges of the user invoking Firefox. (CVE-2012-0469)
 
 Atte Kettunen discovered that invalid frees cause heap corruption in
 gfxImageSurface. If a user were tricked into opening a malicious Scalable
 Vector Graphics (SVG) image file, an attacker could exploit these to cause
 a denial of service via application crash, or potentially execute code with
 the privileges of the user invoking Firefox. (CVE-2012-0470)
 
 Anne van Kesteren discovered a potential cross-site scripting (XSS)
 vulnerability via multibyte content processing errors. With cross-site
 scripting vulnerabilities, if a user were tricked into viewing a specially
 crafted page, a remote attacker could exploit this to modify the contents,
 or steal confidential data, within the same domain. (CVE-2012-0471)
 
 Matias Juntunen discovered a vulnerability in Firefox's WebGL
 implementation that potentially allows the reading of illegal video memory.
 An attacker could possibly exploit this to cause a denial of service via
 application crash. (CVE-2012-0473)
 
 Jordi Chancel, Eddy Bordi, and Chris McGowen discovered that Firefox
 allowed the address bar to display a different website than the one the
 user was visiting. This could potentially leave the user vulnerable to
 cross-site scripting (XSS) attacks. With cross-site scripting
 vulnerabilities, if a user were tricked into viewing a specially crafted
 page, a remote attacker could exploit this to modify the contents, or steal
 confidential data, within the same domain. (CVE-2012-0474)
 
 Simone Fabiano discovered that Firefox did not always send correct origin
 headers when connecting to an IPv6 website. An attacker could potentially
 use this to bypass intended access controls. (CVE-2012-0475)
 
 Masato Kinugawa discovered that cross-site scripting (XSS) injection is
 possible during the decoding of ISO-2022-KR and ISO-2022-CN character sets.
 With cross-site scripting vulnerabilities, if a user were tricked into
 viewing a specially crafted page, a remote attacker could exploit this to
 modify the contents, or steal confidential data, within the same domain.
 (CVE-2012-0477)
 
 It was discovered that certain images rendered using WebGL could cause
 Firefox to crash. If the user were tricked into opening a specially crafted
 page, an attacker could exploit this to cause a denial of service via
 application crash, or potentially execute code with the privileges of the
 user invoking Firefox. (CVE-2012-0478)
 
 Mateusz Jurczyk discovered an off-by-one error in the OpenType Sanitizer.
 If the user were tricked into opening a specially crafted page, an attacker
 could exploit this to cause a denial of service via application crash, or
 potentially execute code with the privileges of the user invoking Firefox.
 (CVE-2011-3062)
 
 Daniel Divricean discovered that a defect in the error handling of JavaScript
 errors can potentially leak the file names and location of JavaScript files
 on a server. This could potentially lead to inadvertent information
 disclosure and a vector for further attacks. (CVE-2011-1187)
 
 Jeroen van der Gun discovered a vulnerability in the way Firefox handled
 RSS and Atom feeds. Invalid RSS or ATOM content loaded over HTTPS caused
 the location bar to be updated with the address of this content, while the
 main window still displays the previously loaded content. An attacker could
 potentially exploit this vulnerability to conduct phishing attacks.
 (CVE-2012-0479)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  thunderbird                     12.0.1+build1-0ubuntu0.12.04.1

Ubuntu 11.10:
  thunderbird                     12.0.1+build1-0ubuntu0.11.10.1

Ubuntu 11.04:
  thunderbird                     12.0.1+build1-0ubuntu0.11.04.1

Ubuntu 10.04 LTS:
  thunderbird                     12.0.1+build1-0ubuntu0.10.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1430-3
  http://www.ubuntu.com/usn/usn-1430-1
  CVE-2011-1187, CVE-2011-3062, CVE-2012-0467, CVE-2012-0468,
  CVE-2012-0469, CVE-2012-0470, CVE-2012-0471, CVE-2012-0473,
  CVE-2012-0474, CVE-2012-0475, CVE-2012-0477, CVE-2012-0478,
  CVE-2012-0479, https://launchpad.net/bugs/987305

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/12.0.1+build1-0ubuntu0.12.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/12.0.1+build1-0ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/12.0.1+build1-0ubuntu0.11.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/12.0.1+build1-0ubuntu0.10.04.1



&lt;/pre&gt;</description>
    <dc:creator>Micah Gersten</dc:creator>
    <dc:date>2012-05-04T11:18:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1708">
    <title>[USN-1438-1] Nova vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1708</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1438-1
May 03, 2012

nova vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Nova could be made to crash the system under certain conditions.

Software Description:
- nova: OpenStack Compute cloud infrastructure

Details:

Dan Prince discovered that Nova did not enforce quotas for security groups
and rules added to security groups. An authenticated user could exploit
this to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  python-nova                     2012.1-0ubuntu2.1

Ubuntu 11.10:
  python-nova                     2011.3-0ubuntu6.6

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1438-1
  CVE-2012-2101

Package Information:
  https://launchpad.net/ubuntu/+source/nova/2012.1-0ubuntu2.1
  https://launchpad.net/ubuntu/+source/nova/2011.3-0ubuntu6.6


&lt;/pre&gt;</description>
    <dc:creator>Jamie Strandboge</dc:creator>
    <dc:date>2012-05-03T23:12:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1707">
    <title>[USN-1436-1] Libtasn1 vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1707</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1436-1
May 02, 2012

libtasn1-3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Libtasn1 could be made to crash or run programs as your login if it
received specially crafted input.

Software Description:
- libtasn1-3: Library to manage ASN.1 structures

Details:

Matthew Hall discovered that Libtasn1 incorrectly handled certain large
values. An attacker could exploit this with a specially crafted ASN.1
structure and cause a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  libtasn1-3                      2.10-1ubuntu1.1

Ubuntu 11.10:
  libtasn1-3                      2.9-4ubuntu0.1

Ubuntu 11.04:
  libtasn1-3                      2.7-1ubuntu1.1

Ubuntu 10.04 LTS:
  libtasn1-3                      2.4-1ubuntu0.1

Ubuntu 8.04 LTS:
  libtasn1-3                      1.1-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1436-1
  CVE-2012-1569

Package Information:
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.10-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.9-4ubuntu0.1
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.7-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.4-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libtasn1-3/1.1-1ubuntu0.1


&lt;/pre&gt;</description>
    <dc:creator>Marc Deslauriers</dc:creator>
    <dc:date>2012-05-02T12:21:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1706">
    <title>[USN-1435-1] ImageMagick vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1706</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1435-1
May 01, 2012

imagemagick vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

ImageMagick could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick
incorrectly handled certain ResolutionUnit tags. If a user or automated
system using ImageMagick were tricked into opening a specially crafted
image, an attacker could exploit this to cause a denial of service or
possibly execute code with the privileges of the user invoking the program.
(CVE-2012-0247, CVE-2012-1185)

Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick
incorrectly handled certain IFD structures. If a user or automated
system using ImageMagick were tricked into opening a specially crafted
image, an attacker could exploit this to cause a denial of service.
(CVE-2012-0248, CVE-2012-1186)

Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that
ImageMagick incorrectly handled certain JPEG EXIF tags. If a user or
automated system using ImageMagick were tricked into opening a specially
crafted image, an attacker could exploit this to cause a denial of service.
(CVE-2012-0259)

It was discovered that ImageMagick incorrectly handled certain JPEG EXIF
tags. If a user or automated system using ImageMagick were tricked into
opening a specially crafted image, an attacker could exploit this to cause
a denial of service or possibly execute code with the privileges of the
user invoking the program. (CVE-2012-1610)

Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that
ImageMagick incorrectly handled certain TIFF EXIF tags. If a user or
automated system using ImageMagick were tricked into opening a specially
crafted image, an attacker could exploit this to cause a denial of service
or possibly execute code with the privileges of the user invoking the
program. (CVE-2012-1798)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  imagemagick                     8:6.6.9.7-5ubuntu3.1
  libmagick++4                    8:6.6.9.7-5ubuntu3.1

Ubuntu 11.10:
  imagemagick                     8:6.6.0.4-3ubuntu1.1
  libmagick++3                    8:6.6.0.4-3ubuntu1.1

Ubuntu 11.04:
  imagemagick                     7:6.6.2.6-1ubuntu4.1
  libmagick++3                    7:6.6.2.6-1ubuntu4.1

Ubuntu 10.04 LTS:
  imagemagick                     7:6.5.7.8-1ubuntu1.2
  libmagick++2                    7:6.5.7.8-1ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1435-1
  CVE-2012-0247, CVE-2012-0248, CVE-2012-0259, CVE-2012-1185,
  CVE-2012-1186, CVE-2012-1610, CVE-2012-1798

Package Information:
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.1
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.0.4-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/imagemagick/7:6.6.2.6-1ubuntu4.1
  https://launchpad.net/ubuntu/+source/imagemagick/7:6.5.7.8-1ubuntu1.2


&lt;/pre&gt;</description>
    <dc:creator>Marc Deslauriers</dc:creator>
    <dc:date>2012-05-01T15:33:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1705">
    <title>[USN-1434-1] Samba vulnerability</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1705</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1434-1
May 01, 2012

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Samba could allow a user to gain administrative privileges to the Samba server.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Ivano Cristofolini discovered that Samba incorrectly handled some Local
Security Authority (LSA) remote procedure calls (RPC). A remote, authenticated
attacker could exploit this to grant administrative privileges to arbitrary
users. The administrative privileges could be used to bypass permission checks
performed by the Samba server.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  samba                           2:3.6.3-2ubuntu2.1

Ubuntu 11.10:
  samba                           2:3.5.11~dfsg-1ubuntu2.3

Ubuntu 11.04:
  samba                           2:3.5.8~dfsg-1ubuntu2.5

Ubuntu 10.04 LTS:
  samba                           2:3.4.7~dfsg-1ubuntu3.10

After a standard system update you may need to review the privileges of Samba
user accounts.

References:
  http://www.ubuntu.com/usn/usn-1434-1
  CVE-2012-2111

Package Information:
  https://launchpad.net/ubuntu/+source/samba/2:3.6.3-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/samba/2:3.5.11~dfsg-1ubuntu2.3
  https://launchpad.net/ubuntu/+source/samba/2:3.5.8~dfsg-1ubuntu2.5
  https://launchpad.net/ubuntu/+source/samba/2:3.4.7~dfsg-1ubuntu3.10

&lt;/pre&gt;</description>
    <dc:creator>Tyler Hicks</dc:creator>
    <dc:date>2012-05-01T07:33:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1704">
    <title>[USN-1433-1] Linux kernel (Oneiric backport) vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.linux.ubuntu.security.announce/1704</link>
    <description>&lt;pre&gt;==========================================================================
Ubuntu Security Notice USN-1433-1
May 01, 2012

linux-lts-backport-oneiric vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-backport-oneiric: Linux kernel backport from Oneiric

Details:

A flaw was found in the Linux kernel's ext4 file system when mounted with
a journal. A local, unprivileged user could exploit this flaw to cause a
denial of service. (CVE-2011-4086)

Sasha Levin discovered a flaw in the permission checking for device
assignments requested via the kvm ioctl in the Linux kernel. A local user
could use this flaw to crash the system causing a denial of service.
(CVE-2011-4347)

Stephan Bärwolf discovered a flaw in the KVM (kernel-based virtual
machine) subsystem of the Linux kernel. A local unprivileged user can
use this flaw to crash VMs causing a denial of service. (CVE-2012-0045)

A flaw was discovered in the Linux kernel's cifs file system. An
unprivileged local user could exploit this flaw to crash the system leading
to a denial of service. (CVE-2012-1090)

H. Peter Anvin reported a flaw in the Linux kernel that could crash the
system. A local user could exploit this flaw to crash the system.
(CVE-2012-1097)

A flaw was discovered in the Linux kernel's cgroups subset. A local
attacker could use this flaw to crash the system. (CVE-2012-1146)

A flaw was found in the Linux kernel's handling of paged memory. A local
unprivileged user, or a privileged user within a KVM guest, could exploit
this flaw to crash the system. (CVE-2012-1179)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-3.0.0-19-generic    3.0.0-19.33~lucid1
  linux-image-3.0.0-19-generic-pae  3.0.0-19.33~lucid1
  linux-image-3.0.0-19-server     3.0.0-19.33~lucid1
  linux-image-3.0.0-19-virtual    3.0.0-19.33~lucid1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
  http://www.ubuntu.com/usn/usn-1433-1
  CVE-2011-4086, CVE-2011-4347, CVE-2012-0045, CVE-2012-1090,
  CVE-2012-1097, CVE-2012-1146, CVE-2012-1179

Package Information:
  https://launchpad.net/ubuntu/+source/linux-lts-backport-oneiric/3.0.0-19.33~lucid1

&lt;/pre&gt;</description>
    <dc:creator>John Johansen</dc:creator>
    <dc:date>2012-05-01T05:29:06</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.ubuntu.security.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.ubuntu.security.announce</link>
  </textinput>
</rdf:RDF>

