========================================================================
Ubuntu Security Notice USN-1521-1
July 31, 2012
icedtea-web vulnerabilities
========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
The IcedTea-Web Java web browser plugin could be made to crash or
possibly run programs as your login if it opened a specially crafted
applet.
Software Description:
- icedtea-web: A web browser plugin to execute Java applets
Details:
Chamal De Silva discovered that the IcedTea-Web Java web browser
plugin could dereference an uninitialized pointer. A remote attacker
could use this to craft a malicious web page that could cause a
denial of service by crashing the web browser or possibly execute
arbitrary code. (CVE-2012-3422)
Steven Bergom and others discovered that the IcedTea-Web Java web
browser plugin assumed that all strings provided by browsers are NULL
terminated, which is not guaranteed by the NPAPI (Netscape Plugin
Application Programming Interface). A remote attacker could use this
to craft a malicious Java applet that could cause a denial of service
by crashing the web browser, expose sensitive information or possibly
execute arbitrary code. (CVE-2012-3423)
Tuesday, July 31, 2012
[USN-1520-1] Kerberos vulnerabilities
========================================================================
Ubuntu Security Notice USN-1520-1
July 31, 2012
krb5 vulnerabilities
========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos.
Software Description:
- krb5: MIT Kerberos Network Authentication Protocol
Details:
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could free an uninitialized pointer when handling a
malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2012-1015)
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could dereference an uninitialized pointer while handling
a malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1014)
Simo Sorce discovered that the MIT krb5 Key Distribution Center (KDC)
daemon could dereference a NULL pointer when handling a malformed
TGS-REQ message. A remote authenticated attacker could use this to
cause a denial of service. (CVE-2012-1013)
It was discovered that the kadmin protocol implementation in MIT krb5
did not properly restrict access to the SET_STRING and GET_STRINGS
operations. A remote authenticated attacker could use this to expose
or modify sensitive information. This issue only affected Ubuntu
12.04 LTS. (CVE-2012-1012)
Ubuntu Security Notice USN-1520-1
July 31, 2012
krb5 vulnerabilities
========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Kerberos.
Software Description:
- krb5: MIT Kerberos Network Authentication Protocol
Details:
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could free an uninitialized pointer when handling a
malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2012-1015)
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could dereference an uninitialized pointer while handling
a malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1014)
Simo Sorce discovered that the MIT krb5 Key Distribution Center (KDC)
daemon could dereference a NULL pointer when handling a malformed
TGS-REQ message. A remote authenticated attacker could use this to
cause a denial of service. (CVE-2012-1013)
It was discovered that the kadmin protocol implementation in MIT krb5
did not properly restrict access to the SET_STRING and GET_STRINGS
operations. A remote authenticated attacker could use this to expose
or modify sensitive information. This issue only affected Ubuntu
12.04 LTS. (CVE-2012-1012)
New Sponsor of Fedora Infrastructure
Folks who access fedoraproject.org resources may have noticed in the
last week that things have become a bit faster. The reason for this is
simple: We have a new sponsor of Fedora Infrastructure!
I'd like to welcome Colocation America to the folks that provide Fedora
Infrastructure resources. In this case they have graciously donated to
us the use of a server in their Los Angles data center.
We have put this server to use as a proxy and application server, so if
you are going to any fedoraproject.org sites and you are in North
America you will likely be accessing us from there.
If you are in the market for a server, do take a look at their
offerings for Linux Dedicated Servers:
http://www.colocationamerica.com/dedicated-servers/linux-dedicated.htm
The support and administrative contacts there have been quick to
respond and have been quite knowledgeable. They support native IPv6
connectivity (which we are using as well). The can install Fedora 17 as
a base OS choice. Console access is available to help you with
re-installing or off line work, and so far the network has been very
solid.
Support us by supporting them!
See our sponsors page at: http://fedoraproject.org/sponsors for a full
list of sponsors.
kevin
last week that things have become a bit faster. The reason for this is
simple: We have a new sponsor of Fedora Infrastructure!
I'd like to welcome Colocation America to the folks that provide Fedora
Infrastructure resources. In this case they have graciously donated to
us the use of a server in their Los Angles data center.
We have put this server to use as a proxy and application server, so if
you are going to any fedoraproject.org sites and you are in North
America you will likely be accessing us from there.
If you are in the market for a server, do take a look at their
offerings for Linux Dedicated Servers:
http://www.colocationamerica.com/dedicated-servers/linux-dedicated.htm
The support and administrative contacts there have been quick to
respond and have been quite knowledgeable. They support native IPv6
connectivity (which we are using as well). The can install Fedora 17 as
a base OS choice. Console access is available to help you with
re-installing or off line work, and so far the network has been very
solid.
Support us by supporting them!
See our sponsors page at: http://fedoraproject.org/sponsors for a full
list of sponsors.
kevin
Fedora 18 Feature Freeze in one week - Tuesday Aug 07
REMINDER: Tuesday, August 07 is the Feature Freeze for Fedora 18,
the Planning & Development phase ends.
the Planning & Development phase ends.
At this point, all accepted features should be substantially complete,
and testable. Additionally, if a feature is to be enabled by default,
it must be so enabled at Feature Freeze. Check [1] and [2].
Feature owners - please make sure to update the percentage of completion
and the last updated date. If you're not sure to make the deadline,
please let me know and update current status to reflect the issues you
hit. It's going to help me a lot to understand what's going on with
your feature. Features that do not make Feature Freeze in testeable
state will be submitted to FESCo for re-review to assure we should
promote them as Features. Currently we have 61 Features approved by
FESCo and one still waiting for approval.
In case of any questions etc., feel free to contact me - I'm still very
friendly Feature Wrangler, especially to all Feature owners with 85%+
percentage of completion ;-)
Jaroslav
[1] https://fedoraproject.org/wiki/Feature_Freeze_Policy
[2] https://fedoraproject.org/wiki/Features/Policy/Milestones#Feature_Freeze
--
Jaroslav Řezník <jreznik@redhat.com>
Your Feature Wrangler
Office: +420 532 294 275
Mobile: +420 602 797 774
Red Hat, Inc. http://www.redhat.com/
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
[announce] NYC*BUG Wednesday: NAS From Scratch
2012-08-01 @ 18:45 - Location: suspenders
NAS: From Scratch, Henry Mendez
This talk will be on how to build and configure a Network Attached
Storage device. The first half will cover hardware purchasing tips,
steps to build the computer yourself, and common problems that you might
encounter along the way. The second half will cover how to setup your
disks (using RAID, ZFS), and configure the required network services to
get you up and running quickly.
About the speaker:
Henry Mendez is a Systems Administrator for Tablet, and an avid NYC*BUG
attendee. He has been building computers since he was 15.
NAS: From Scratch, Henry Mendez
This talk will be on how to build and configure a Network Attached
Storage device. The first half will cover hardware purchasing tips,
steps to build the computer yourself, and common problems that you might
encounter along the way. The second half will cover how to setup your
disks (using RAID, ZFS), and configure the required network services to
get you up and running quickly.
About the speaker:
Henry Mendez is a Systems Administrator for Tablet, and an avid NYC*BUG
attendee. He has been building computers since he was 15.
Monday, July 30, 2012
[FreeBSD-Announce] EuroBSDcon 2012 registration is now open!
Hello.
I'm pleased to announce that the registration for the EuroBSDcon 2012
conference in Warsaw, Poland is now officially open!
You can find all information about the conference at its official website:
http://2012.eurobsdcon.org/
More frequent updates will be posted to the conference's Facebook page:
https://www.facebook.com/pages/EuroBSDcon/171013546286700
and on Twitter:
@eurobsdcon or via the twitter website https://twitter.com/eurobsdcon
You can register at:
http://2012.eurobsdcon.org/register/
You can find the conference program at:
http://2012.eurobsdcon.org/agenda/talks/
http://2012.eurobsdcon.org/agenda/tutorials/
The official hotel for the conference is Novotel Warszawa Centrum, which is
located in the exact city center and within walking distance from the venue.
You can find more information about the hotels at:
http://2012.eurobsdcon.org/venue/hotels/
To make use of the special offer, follow the instructions that page.
You can find more info about getting to and moving around Warsaw at:
http://2012.eurobsdcon.org/venue/transport/
Thanks to our generous sponsors and Poland's low costs, this year's EuroBSDcon
is a bargain! This is also why we expect the conference to be very popular.
If you want to be sure to attend, we strongly recommend that you register early.
Please do not delay hotel booking either, as our pool of available rooms will be
dropping quickly. It is very important that you book your room as soon as
possible.
Poland is part of the European Union and belongs to the Schengen Area, so in
most cases people will have no problem visiting Poland. However to avoid
surprises, we strongly recommend that you check whether you will need a visa.
In case you do, the conference can provide a letter of invitation upon a
request sent to info@eurobsdcon.org once you complete the registration process
and pay the conference fee.
This conference would not be possible without our sponsors:
Platinum sponsors:
EMC http://www.emc.com
iXsystems http://www.ixsystems.com
Wheel Systems http://www.wheelsystems.com
Gold sponsors:
The FreeBSD Foundation http://www.freebsdfoundation.org
Silver sponsors:
BSDeurope.eu http://www.bsdeurope.eu
Google http://www.google.com
Bronze sponsors:
Madison Gurkha http://www.madison-gurkha.com
pfSense http://www.pfSense.org
The NetBSD Foundation http://www.netbsd.org
USENIX http://www.usenix.org
Media partners:
BSD Magazine http://www.bsdmag.org
Thank you!
--
Pawel Jakub Dawidek
EuroBSDcon Foundation
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
I'm pleased to announce that the registration for the EuroBSDcon 2012
conference in Warsaw, Poland is now officially open!
You can find all information about the conference at its official website:
http://2012.eurobsdcon.org/
More frequent updates will be posted to the conference's Facebook page:
https://www.facebook.com/pages/EuroBSDcon/171013546286700
and on Twitter:
@eurobsdcon or via the twitter website https://twitter.com/eurobsdcon
You can register at:
http://2012.eurobsdcon.org/register/
You can find the conference program at:
http://2012.eurobsdcon.org/agenda/talks/
http://2012.eurobsdcon.org/agenda/tutorials/
The official hotel for the conference is Novotel Warszawa Centrum, which is
located in the exact city center and within walking distance from the venue.
You can find more information about the hotels at:
http://2012.eurobsdcon.org/venue/hotels/
To make use of the special offer, follow the instructions that page.
You can find more info about getting to and moving around Warsaw at:
http://2012.eurobsdcon.org/venue/transport/
Thanks to our generous sponsors and Poland's low costs, this year's EuroBSDcon
is a bargain! This is also why we expect the conference to be very popular.
If you want to be sure to attend, we strongly recommend that you register early.
Please do not delay hotel booking either, as our pool of available rooms will be
dropping quickly. It is very important that you book your room as soon as
possible.
Poland is part of the European Union and belongs to the Schengen Area, so in
most cases people will have no problem visiting Poland. However to avoid
surprises, we strongly recommend that you check whether you will need a visa.
In case you do, the conference can provide a letter of invitation upon a
request sent to info@eurobsdcon.org once you complete the registration process
and pay the conference fee.
This conference would not be possible without our sponsors:
Platinum sponsors:
EMC http://www.emc.com
iXsystems http://www.ixsystems.com
Wheel Systems http://www.wheelsystems.com
Gold sponsors:
The FreeBSD Foundation http://www.freebsdfoundation.org
Silver sponsors:
BSDeurope.eu http://www.bsdeurope.eu
Google http://www.google.com
Bronze sponsors:
Madison Gurkha http://www.madison-gurkha.com
pfSense http://www.pfSense.org
The NetBSD Foundation http://www.netbsd.org
USENIX http://www.usenix.org
Media partners:
BSD Magazine http://www.bsdmag.org
Thank you!
--
Pawel Jakub Dawidek
EuroBSDcon Foundation
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
Friday, July 27, 2012
[announce] FreeBSD Ports & Docs Bugfest tomorrow
Two soon-to-happen events:
FreeBSD Bugfest tomorrow, and the August 1 Meeting
* * *
2012-07-28 @ 14:00 - Location: suspenders
FreeBSD Bugathon, none
NYC*BSD is sponsoring a FreeBSD Bugathon along with the Bay Area FreeBSD
User Group in California. It's a great opportunity to mingle and
coordinate with FreeBSD developers locally and beyond.
http://wiki.freebsd.org/Bugathons/2012July
A basic outline includes:
o Docs updating and validation
a. What do the other BSD's say?
b. Is it it accurate?
c. Improvements
d. New docs / examples
o Porting help for creating new ports
o Ports bug busting
a. Confirming PR's
b. Fixes to open PR's
c. Testing various config options (i.e. can I set var=yes in make.conf
and get useful results?)
We'll also be on efnet #nycbug for coordinating beyond NYC.
* * *
2012-08-01 @ 18:45 - Location: suspenders
NAS: From Scratch, Henry Mendez
This talk will be on how to build and configure a Network Attached
Storage device. The first half will cover hardware purchasing tips,
steps to build the computer yourself, and common problems that you might
encounter along the way. The second half will cover how to setup your
disks (using RAID, ZFS), and configure the required network services to
get you up and running quickly.
About the speaker:
Henry Mendez is a Systems Administrator for Tablet, and an avid NYC*BUG
attendee. He has been building computers since he was 15.
_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce
FreeBSD Bugfest tomorrow, and the August 1 Meeting
* * *
2012-07-28 @ 14:00 - Location: suspenders
FreeBSD Bugathon, none
NYC*BSD is sponsoring a FreeBSD Bugathon along with the Bay Area FreeBSD
User Group in California. It's a great opportunity to mingle and
coordinate with FreeBSD developers locally and beyond.
http://wiki.freebsd.org/Bugathons/2012July
A basic outline includes:
o Docs updating and validation
a. What do the other BSD's say?
b. Is it it accurate?
c. Improvements
d. New docs / examples
o Porting help for creating new ports
o Ports bug busting
a. Confirming PR's
b. Fixes to open PR's
c. Testing various config options (i.e. can I set var=yes in make.conf
and get useful results?)
We'll also be on efnet #nycbug for coordinating beyond NYC.
* * *
2012-08-01 @ 18:45 - Location: suspenders
NAS: From Scratch, Henry Mendez
This talk will be on how to build and configure a Network Attached
Storage device. The first half will cover hardware purchasing tips,
steps to build the computer yourself, and common problems that you might
encounter along the way. The second half will cover how to setup your
disks (using RAID, ZFS), and configure the required network services to
get you up and running quickly.
About the speaker:
Henry Mendez is a Systems Administrator for Tablet, and an avid NYC*BUG
attendee. He has been building computers since he was 15.
_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce
Thursday, July 26, 2012
[USN-1519-1] DHCP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1519-1
July 26, 2012
isc-dhcp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
Summary:
DHCP could be made to crash if it received specially crafted network
traffic.
Software Description:
- isc-dhcp: DHCP server and client
Details:
Markus Hietava discovered that the DHCP server incorrectly handled certain
malformed client identifiers. A remote attacker could use this issue to
cause DHCP to crash, resulting in a denial of service. (CVE-2012-3571)
Glen Eustace discovered that the DHCP server incorrectly handled memory. A
remote attacker could use this issue to cause DHCP to crash, resulting in a
denial of service. (CVE-2012-3954)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
isc-dhcp-server 4.1.ESV-R4-0ubuntu5.2
Ubuntu 11.10:
isc-dhcp-server 4.1.1-P1-17ubuntu10.3
Ubuntu 11.04:
isc-dhcp-server 4.1.1-P1-15ubuntu9.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1519-1
CVE-2012-3571, CVE-2012-3954
Package Information:
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.2
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.1-P1-17ubuntu10.3
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.1-P1-15ubuntu9.4
Ubuntu Security Notice USN-1519-1
July 26, 2012
isc-dhcp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
Summary:
DHCP could be made to crash if it received specially crafted network
traffic.
Software Description:
- isc-dhcp: DHCP server and client
Details:
Markus Hietava discovered that the DHCP server incorrectly handled certain
malformed client identifiers. A remote attacker could use this issue to
cause DHCP to crash, resulting in a denial of service. (CVE-2012-3571)
Glen Eustace discovered that the DHCP server incorrectly handled memory. A
remote attacker could use this issue to cause DHCP to crash, resulting in a
denial of service. (CVE-2012-3954)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
isc-dhcp-server 4.1.ESV-R4-0ubuntu5.2
Ubuntu 11.10:
isc-dhcp-server 4.1.1-P1-17ubuntu10.3
Ubuntu 11.04:
isc-dhcp-server 4.1.1-P1-15ubuntu9.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1519-1
CVE-2012-3571, CVE-2012-3954
Package Information:
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.ESV-R4-0ubuntu5.2
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.1-P1-17ubuntu10.3
https://launchpad.net/ubuntu/+source/isc-dhcp/4.1.1-P1-15ubuntu9.4
Wednesday, July 25, 2012
Outage of fedorahosted mailing lists and services
There will be an outage starting at 2012-07-26 16:00 UTC, which will
last approximately 2 hours.
last approximately 2 hours.
To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:
date -d '2012-07-26 16:00 UTC'
Reason for outage:
In order to grow the fedora hosted services we are moving the services
email lists to a new server. This will require an outage of about an
hour as we turn off old services.. sync data.. turn on new services.
Affected Services:
Fedora Hosted - https://fedorahosted.org/
Unaffected Services:
Ask Fedora - http://ask.fedoraproject.org/
BFO - http://boot.fedoraproject.org/
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - http://docs.fedoraproject.org/
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - http://fedorapeople.org/
Main Website - http://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
Package Database - https://admin.fedoraproject.org/pkgdb/
QA Services
Secondary Architectures
Smolt - http://smolts.org/
Spins - http://spins.fedoraproject.org/
Start - http://start.fedoraproject.org/
Torrent - http://torrent.fedoraproject.org/
Wiki - http://fedoraproject.org/wiki/
Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/3401
Contact Information:
Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.
--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
--
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce
[USN-1517-1] Mono vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1517-1
July 25, 2012
mono vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Mono could be made to expose sensitive information over the network.
Software Description:
- mono: Mono is a platform for running and developing applications
Details:
It was discovered that the Mono System.Web library incorrectly filtered
certain error messages related to forbidden files. If a user were tricked
into opening a specially crafted URL, an attacker could possibly exploit
this to conduct cross-site scripting (XSS) attacks. (CVE-2012-3382)
It was discovered that the Mono System.Web library incorrectly handled the
EnableViewStateMac property. If a user were tricked into opening a
specially crafted URL, an attacker could possibly exploit this to conduct
cross-site scripting (XSS) attacks. This issue only affected Ubuntu
10.04 LTS. (CVE-2010-1459)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libmono-system-web2.0-cil 2.10.8.1-1ubuntu2.2
libmono-system-web4.0-cil 2.10.8.1-1ubuntu2.2
Ubuntu 11.10:
libmono-system-web2.0-cil 2.10.5-1ubuntu0.1
libmono-system-web4.0-cil 2.10.5-1ubuntu0.1
Ubuntu 11.04:
libmono-system-web1.0-cil 2.6.7-5ubuntu3.1
libmono-system-web2.0-cil 2.6.7-5ubuntu3.1
Ubuntu 10.04 LTS:
libmono-system-web1.0-cil 2.4.4~svn151842-1ubuntu4.1
libmono-system-web2.0-cil 2.4.4~svn151842-1ubuntu4.1
After a standard system update you need to restart Mono applications to
make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1517-1
CVE-2010-1459, CVE-2012-3382
Package Information:
https://launchpad.net/ubuntu/+source/mono/2.10.8.1-1ubuntu2.2
https://launchpad.net/ubuntu/+source/mono/2.10.5-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mono/2.6.7-5ubuntu3.1
https://launchpad.net/ubuntu/+source/mono/2.4.4~svn151842-1ubuntu4.1
Ubuntu Security Notice USN-1517-1
July 25, 2012
mono vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Mono could be made to expose sensitive information over the network.
Software Description:
- mono: Mono is a platform for running and developing applications
Details:
It was discovered that the Mono System.Web library incorrectly filtered
certain error messages related to forbidden files. If a user were tricked
into opening a specially crafted URL, an attacker could possibly exploit
this to conduct cross-site scripting (XSS) attacks. (CVE-2012-3382)
It was discovered that the Mono System.Web library incorrectly handled the
EnableViewStateMac property. If a user were tricked into opening a
specially crafted URL, an attacker could possibly exploit this to conduct
cross-site scripting (XSS) attacks. This issue only affected Ubuntu
10.04 LTS. (CVE-2010-1459)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libmono-system-web2.0-cil 2.10.8.1-1ubuntu2.2
libmono-system-web4.0-cil 2.10.8.1-1ubuntu2.2
Ubuntu 11.10:
libmono-system-web2.0-cil 2.10.5-1ubuntu0.1
libmono-system-web4.0-cil 2.10.5-1ubuntu0.1
Ubuntu 11.04:
libmono-system-web1.0-cil 2.6.7-5ubuntu3.1
libmono-system-web2.0-cil 2.6.7-5ubuntu3.1
Ubuntu 10.04 LTS:
libmono-system-web1.0-cil 2.4.4~svn151842-1ubuntu4.1
libmono-system-web2.0-cil 2.4.4~svn151842-1ubuntu4.1
After a standard system update you need to restart Mono applications to
make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1517-1
CVE-2010-1459, CVE-2012-3382
Package Information:
https://launchpad.net/ubuntu/+source/mono/2.10.8.1-1ubuntu2.2
https://launchpad.net/ubuntu/+source/mono/2.10.5-1ubuntu0.1
https://launchpad.net/ubuntu/+source/mono/2.6.7-5ubuntu3.1
https://launchpad.net/ubuntu/+source/mono/2.4.4~svn151842-1ubuntu4.1
Fedora Summer of Open Hardware and Fun Sweepstakes
Today (at 12:00 PM Eastern Daylight Time), we're launching a sweepstakes
for our Fedora Contributors called the Fedora Summer of Open Hardware
and Fun! We wanted to do something nice to thank our Fedora community
for all that they do for Free Software and Content, and we thought that
giving away a lot of Open Hardware would be a great way to do that.
We're giving away 220 total hardware units, including:
* [50] OLPC XO 1.75 units
* [150] Raspberry Pi (B) units
* [20] Arduino Uno R3 (assembled) units + choice of shield (8 different
shields to choose from)
Unfortunately, we don't have enough hardware to give something to every
Fedora Contributor, so this is a sweepstakes, and sweepstakes come with
all sorts of rules and restrictions.
This sweepstakes is for Fedora Contributors (defined as users in the
Fedora Account System who have signed the FPCA and are in one additional
group). There are some geographic and age restrictions, the reason for
this is that it is extremely costly and time-consuming to determine
whether or not it is possible to run a sweepstakes in a given country.
Sweepstakes laws and regulations vary considerably from country to
country, and many countries have strict registration requirements and
fees associated with running sweepstakes. Other countries simply
prohibit sweepstakes entirely. As a result, we are only offering this
sweepstakes in countries where we know that the sweepstakes is lawful.
We sincerely apologize for any inconvenience this may cause you.
Also, please note that Red Hat employees are not allowed to enter the
sweepstakes.
To learn more, read the full sweepstakes rules, and to enter, please go to:
https://fedoraproject.org/openhw2012
(You can jump straight to the complete legal sweepstakes rules here:
https://fedoraproject.org/openhw2012/details )
*****
And now, a quick FAQ:
Q. Hey, it's not summer where I am!
A. That's not a question.
Q. Why does it say Summer when it isn't Summer where I am?
A. Just close your eyes and pretend it is Summer. Think of the warm
fuzzy feeling you'll get from winning one of these sweet prizes.
Q. Where did the money come from for this?
A. I'm going to assume you mean that in a specific way, not in the
"Daddy, where does money come from way". If you are really asking the
more generic question, just watch this video
(http://video.nationalgeographic.com/video/kids/cartoons-tv-movies-kids/cha-ching-kids/cha-ching-01-earn-spend-save-donate-kids/).
For everyone else, the money for this sweepstakes came from a special
allocation from the Open Source and Standards group at Red Hat, and did
not take away from the normal Fedora community budget in any way.
Q. Why can't Red Hat employees enter? We contribute a lot to Fedora!
A. Because in the eyes of the law, it seems shady when a company runs a
sweepstakes and their employees end up winning.
Q. Why is there an age restriction on this?
A. Because it is a sweepstakes, and that's the law. It varies by region,
but our app is clever enough to adjust it accordingly.
Q. I am sad that my state/country/unincorporated region prevents me from
entering this sweepstakes. Is there anything you can do for me?
A. We feel sad that we have to exclude you. Much sadder than the time
that Tasha Yar got eaten by that sentient oil spill. Short of sending
you hardware, money, or other legal impossibilities, feel free to leave
a comment on this post with a suggestion on how we can make it up to
you. Also, feel free to mention your country. If there are hundreds of
people left out in the cold in Luxembourg, we might be able to do a
legal review and have it added for future sweepstakes eligibility (no
promises though).
Q. What about Fedora users?
A. We love you too, but we really wanted to give an extra-special thank
you to those Fedora Contributors who take that next step and help us
make Fedora better. You can become a contributor and be eligible when we
do something like this again, see: http://fedoraproject.org/join-fedora
Q. If I win, how will I get my hardware?
A. We'll ship it to you, on our dime. We'll ask the winners for that
information later.
Q. I can't decide which hardware I want, can I pick them all?
A. No. You need to pick one. Just one.
Q. Can I enter multiple times?
A. No. (Actually, I think the app will let you re-enter if you change
your mind, but only the latest entry will stick.)
Q. How do you choose the winners?
A. Completely at random from all valid entries.
Q. How did you get so many OLPC XO units?
A. The wonderful folks at laptop.org donated them for us to give away.
Q. How did you get so many Raspberry Pi units?
A. Black magic. Deep black magic.
Q. Why Arduino? It doesn't run Fedora Linux!
A. So what? It's open, its fun, and you can do all sorts of Open Source
geekery with it.
Q. Why didn't you choose to give away instead?
A. Our crack team of Fedora experts (okay, me, Robyn, and Ruth)
generated a list of hardware, then ranked them by coolness, cost, and
availability. Except for the awesome and well dressed folks at
Laptop.org, no one had any cool free hardware lying around (although, I
offered to put some old SPARC systems in the mix, which was vetoed), so
we ended up spending our money on the coolest things we could get the
most of at the least cost. We'd love to do this again, so feel free to
leave a comment here with your suggestions.
Q. Hey, I'm a hardware vendor and I want to work with you to give away
more awesome Open Hardware to Fedora people in the future, who do I
contact to help out?
A. Tom Callaway <spot@redhat.com>
Q. Anyone else you'd like to thank?
A. Why, how nice of you to ask. I'd also like to thank Ruth Suehle &
Robyn Bergeron for brainstorming, researching, and generally being
awesome to make this a reality. Luke Macken for writing the app code
(and making changes at the last possible minute). Mo Duffy for making it
simple, clean and beautiful to enter. The wonderful folks at Farnell,
Adafruit, Sparkfun, and Laptop.org for all of my export and ordering
related questions. Pam Chestek and Erin Dutton, for helping this
sweepstakes be fully blessed and legally awesome. Amy Ross, for
addressing our many export needs. Kevin Fenzi and the folks on the
Fedora Admin team for making sure we had this webapp running, and
sitting in the proper location (except for that brief minute where all
mainpage traffic was pointing at the webapp, whoopsy!). And of course,
Red Hat and OSAS for paying for it all.
~tom
==
Fedora Project
for our Fedora Contributors called the Fedora Summer of Open Hardware
and Fun! We wanted to do something nice to thank our Fedora community
for all that they do for Free Software and Content, and we thought that
giving away a lot of Open Hardware would be a great way to do that.
We're giving away 220 total hardware units, including:
* [50] OLPC XO 1.75 units
* [150] Raspberry Pi (B) units
* [20] Arduino Uno R3 (assembled) units + choice of shield (8 different
shields to choose from)
Unfortunately, we don't have enough hardware to give something to every
Fedora Contributor, so this is a sweepstakes, and sweepstakes come with
all sorts of rules and restrictions.
This sweepstakes is for Fedora Contributors (defined as users in the
Fedora Account System who have signed the FPCA and are in one additional
group). There are some geographic and age restrictions, the reason for
this is that it is extremely costly and time-consuming to determine
whether or not it is possible to run a sweepstakes in a given country.
Sweepstakes laws and regulations vary considerably from country to
country, and many countries have strict registration requirements and
fees associated with running sweepstakes. Other countries simply
prohibit sweepstakes entirely. As a result, we are only offering this
sweepstakes in countries where we know that the sweepstakes is lawful.
We sincerely apologize for any inconvenience this may cause you.
Also, please note that Red Hat employees are not allowed to enter the
sweepstakes.
To learn more, read the full sweepstakes rules, and to enter, please go to:
https://fedoraproject.org/openhw2012
(You can jump straight to the complete legal sweepstakes rules here:
https://fedoraproject.org/openhw2012/details )
*****
And now, a quick FAQ:
Q. Hey, it's not summer where I am!
A. That's not a question.
Q. Why does it say Summer when it isn't Summer where I am?
A. Just close your eyes and pretend it is Summer. Think of the warm
fuzzy feeling you'll get from winning one of these sweet prizes.
Q. Where did the money come from for this?
A. I'm going to assume you mean that in a specific way, not in the
"Daddy, where does money come from way". If you are really asking the
more generic question, just watch this video
(http://video.nationalgeographic.com/video/kids/cartoons-tv-movies-kids/cha-ching-kids/cha-ching-01-earn-spend-save-donate-kids/).
For everyone else, the money for this sweepstakes came from a special
allocation from the Open Source and Standards group at Red Hat, and did
not take away from the normal Fedora community budget in any way.
Q. Why can't Red Hat employees enter? We contribute a lot to Fedora!
A. Because in the eyes of the law, it seems shady when a company runs a
sweepstakes and their employees end up winning.
Q. Why is there an age restriction on this?
A. Because it is a sweepstakes, and that's the law. It varies by region,
but our app is clever enough to adjust it accordingly.
Q. I am sad that my state/country/unincorporated region prevents me from
entering this sweepstakes. Is there anything you can do for me?
A. We feel sad that we have to exclude you. Much sadder than the time
that Tasha Yar got eaten by that sentient oil spill. Short of sending
you hardware, money, or other legal impossibilities, feel free to leave
a comment on this post with a suggestion on how we can make it up to
you. Also, feel free to mention your country. If there are hundreds of
people left out in the cold in Luxembourg, we might be able to do a
legal review and have it added for future sweepstakes eligibility (no
promises though).
Q. What about Fedora users?
A. We love you too, but we really wanted to give an extra-special thank
you to those Fedora Contributors who take that next step and help us
make Fedora better. You can become a contributor and be eligible when we
do something like this again, see: http://fedoraproject.org/join-fedora
Q. If I win, how will I get my hardware?
A. We'll ship it to you, on our dime. We'll ask the winners for that
information later.
Q. I can't decide which hardware I want, can I pick them all?
A. No. You need to pick one. Just one.
Q. Can I enter multiple times?
A. No. (Actually, I think the app will let you re-enter if you change
your mind, but only the latest entry will stick.)
Q. How do you choose the winners?
A. Completely at random from all valid entries.
Q. How did you get so many OLPC XO units?
A. The wonderful folks at laptop.org donated them for us to give away.
Q. How did you get so many Raspberry Pi units?
A. Black magic. Deep black magic.
Q. Why Arduino? It doesn't run Fedora Linux!
A. So what? It's open, its fun, and you can do all sorts of Open Source
geekery with it.
Q. Why didn't you choose to give away instead?
A. Our crack team of Fedora experts (okay, me, Robyn, and Ruth)
generated a list of hardware, then ranked them by coolness, cost, and
availability. Except for the awesome and well dressed folks at
Laptop.org, no one had any cool free hardware lying around (although, I
offered to put some old SPARC systems in the mix, which was vetoed), so
we ended up spending our money on the coolest things we could get the
most of at the least cost. We'd love to do this again, so feel free to
leave a comment here with your suggestions.
Q. Hey, I'm a hardware vendor and I want to work with you to give away
more awesome Open Hardware to Fedora people in the future, who do I
contact to help out?
A. Tom Callaway <spot@redhat.com>
Q. Anyone else you'd like to thank?
A. Why, how nice of you to ask. I'd also like to thank Ruth Suehle &
Robyn Bergeron for brainstorming, researching, and generally being
awesome to make this a reality. Luke Macken for writing the app code
(and making changes at the last possible minute). Mo Duffy for making it
simple, clean and beautiful to enter. The wonderful folks at Farnell,
Adafruit, Sparkfun, and Laptop.org for all of my export and ordering
related questions. Pam Chestek and Erin Dutton, for helping this
sweepstakes be fully blessed and legally awesome. Amy Ross, for
addressing our many export needs. Kevin Fenzi and the folks on the
Fedora Admin team for making sure we had this webapp running, and
sitting in the proper location (except for that brief minute where all
mainpage traffic was pointing at the webapp, whoopsy!). And of course,
Red Hat and OSAS for paying for it all.
~tom
==
Fedora Project
[USN-1516-1] OpenSSL vulnerability
==========================================================================
Ubuntu Security Notice USN-1516-1
July 25, 2012
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
OpenSSL incorrectly disabled TLS 1.1 and TLS 1.2 in certain applications.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
It was discovered that OpenSSL incorrectly handled the SSL_OP_ALL setting.
This resulted in TLS 1.1 and TLS 1.2 being inadvertently disabled for
certain server and client applications.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1516-1
https://launchpad.net/bugs/1018998
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.3
Ubuntu Security Notice USN-1516-1
July 25, 2012
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
OpenSSL incorrectly disabled TLS 1.1 and TLS 1.2 in certain applications.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
It was discovered that OpenSSL incorrectly handled the SSL_OP_ALL setting.
This resulted in TLS 1.1 and TLS 1.2 being inadvertently disabled for
certain server and client applications.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1516-1
https://launchpad.net/bugs/1018998
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.3
Tuesday, July 24, 2012
Fedora 18 Schedule reminders - Feature Submission and Feature Freeze deadlines
A few important Fedora milestones reminders:
* Feature Submission deadline is *TODAY*, 2012-07-24 and you still
have a time to submit a new Feature proposal. Reminder: it has to be
in the ReadyForWrangler category, see [1].
* Feature Freeze is in two weeks from now, 2012-08-07. Please keep
in mind that it's the time when your feature has to be in *substantially
complete and in a testable state!* Check the Feature Freeze policy [2].
As we are already so far in the Fedora 18 development phase, please,
make sure to update your feature according to the current state -
completion percentage and the last update too. If you're *at risk* of not
making the Feature Freeze, please update your feature page accordingly
and let me know. The community can help a lot, communication is the
key. I've already contacted a few of you and expect more reminder emails
from me :) I'm constantly updating FeatureList according to your input
and approved features by FESCo.
You can check currently approved features [3] and see what's going
on in Fedora 18 lands.
Important note: the correct schedule is on Wiki [4], sorry for the
problems with generated TaskJuggler schedules and calendars. We
are working on fixing it with Robyn.
Jaroslav
[1] http://fedoraproject.org/wiki/Features/Policy
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FeatureFreezePolicy
[3] http://fedoraproject.org/wiki/Releases/18/FeatureList
[4] http://fedoraproject.org/wiki/Releases/18/Schedule
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Monday, July 23, 2012
[USN-1515-1] Linux kernel vulnerability
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQDa/zAAoJEAUvNnAY1cPYP/UP/A+tOCiwmsaHUQEe3UExm1I8
hwnlFPoJlKvwNUpU4LRZ7j0OOFtlHi45R79APdeG1deG2YzSOSybx3SYtnP2QH/u
KbVKKyNgUzoHYYcLL/u+n8Bncz8pp3CHa+nJY8qV9BaHn1LYSj13j333cEf3EWMU
NEqttFXB6hZ5xx7LkuNK0bsm0w4tci3y2jGtjIlcej6TFKbqEVdfVOYiuc77iQR9
1or2Fu3Flq6qQaIT7gCcbtEJypV8B7u7zuJmkTdPRQMZf7EpPuCRCiP3ZRXiaVhO
3FTpCYneT/scaWueuZOz70czABcFtpclJ+RmxvIQsQKTGVu/l9K/RRc2wsWKmt0H
P/7+W4bpiuNtfvO3IhuSaR4GIipQghMyH74W2jbamGRh1PGJ35fxACKmGHtQMHNb
yImwasG43RkFUqs0JTrNo3l3mREysbXxpoqPBv8xW+olb3zlxgbSzgDb+7vZsxs1
Qe9wJCajQm4F4cOY0voZrC5FJWNc2wFyIztCqjYhBtc5noYq1zLq2B0d7+TYlBep
azu9Jflcs5o/VMKhlAMy9/AOomK865TjVRYjENZBVV/AnthjROUdTKNR9jV1Z8ZR
ZiTYScN+Cgt0mCfJCk8YZjdfXgEMYRptFVg66ol+jJnxSW0y6TaPaXndXD9RgY/N
AKAePf8CFn9HcSIT5Lrv
=ccbs
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1515-1
July 23, 2012
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux: Linux kernel
Details:
An error was discovered in the Linux kernel's memory subsystem (hugetlb).
An unprivileged local user could exploit this flaw to cause a denial of
service (crash the system).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-27-generic 3.2.0-27.43
linux-image-3.2.0-27-generic-pae 3.2.0-27.43
linux-image-3.2.0-27-highbank 3.2.0-27.43
linux-image-3.2.0-27-omap 3.2.0-27.43
linux-image-3.2.0-27-powerpc-smp 3.2.0-27.43
linux-image-3.2.0-27-powerpc64-smp 3.2.0-27.43
linux-image-3.2.0-27-virtual 3.2.0-27.43
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1515-1
CVE-2012-2390
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-27.43
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQDa/zAAoJEAUvNnAY1cPYP/UP/A+tOCiwmsaHUQEe3UExm1I8
hwnlFPoJlKvwNUpU4LRZ7j0OOFtlHi45R79APdeG1deG2YzSOSybx3SYtnP2QH/u
KbVKKyNgUzoHYYcLL/u+n8Bncz8pp3CHa+nJY8qV9BaHn1LYSj13j333cEf3EWMU
NEqttFXB6hZ5xx7LkuNK0bsm0w4tci3y2jGtjIlcej6TFKbqEVdfVOYiuc77iQR9
1or2Fu3Flq6qQaIT7gCcbtEJypV8B7u7zuJmkTdPRQMZf7EpPuCRCiP3ZRXiaVhO
3FTpCYneT/scaWueuZOz70czABcFtpclJ+RmxvIQsQKTGVu/l9K/RRc2wsWKmt0H
P/7+W4bpiuNtfvO3IhuSaR4GIipQghMyH74W2jbamGRh1PGJ35fxACKmGHtQMHNb
yImwasG43RkFUqs0JTrNo3l3mREysbXxpoqPBv8xW+olb3zlxgbSzgDb+7vZsxs1
Qe9wJCajQm4F4cOY0voZrC5FJWNc2wFyIztCqjYhBtc5noYq1zLq2B0d7+TYlBep
azu9Jflcs5o/VMKhlAMy9/AOomK865TjVRYjENZBVV/AnthjROUdTKNR9jV1Z8ZR
ZiTYScN+Cgt0mCfJCk8YZjdfXgEMYRptFVg66ol+jJnxSW0y6TaPaXndXD9RgY/N
AKAePf8CFn9HcSIT5Lrv
=ccbs
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1515-1
July 23, 2012
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux: Linux kernel
Details:
An error was discovered in the Linux kernel's memory subsystem (hugetlb).
An unprivileged local user could exploit this flaw to cause a denial of
service (crash the system).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-27-generic 3.2.0-27.43
linux-image-3.2.0-27-generic-pae 3.2.0-27.43
linux-image-3.2.0-27-highbank 3.2.0-27.43
linux-image-3.2.0-27-omap 3.2.0-27.43
linux-image-3.2.0-27-powerpc-smp 3.2.0-27.43
linux-image-3.2.0-27-powerpc64-smp 3.2.0-27.43
linux-image-3.2.0-27-virtual 3.2.0-27.43
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1515-1
CVE-2012-2390
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-27.43
[announce] FreeBSD Ports & Docs Bugathon
This Saturday we're sponsoring a FreeBSD Bugathon along with the Bay
Area FreeBSD User Group in California.
Saturday, July 28
Suspenders Restaurant backroom
2-6 PM EST, 11-3 PM PST
It's a great opportunity to mingle and coordinate with FreeBSD
developers locally and beyond.
http://wiki.freebsd.org/Bugathons/2012July
A basic outline includes:
o Docs updating and validation
a. What does the other bsd's say
b. is it it accurate
c. Improvements
d. New docs / examples
o Porting help for creating new ports
o Ports bug busting
a. Confirming pr's
b. fixes to open pr's
c. Testing various config options ie can I set var=yes in make.conf
and get useful results
We'll also be on efnet #nycbug for coordinating beyond NYC.
_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce
Area FreeBSD User Group in California.
Saturday, July 28
Suspenders Restaurant backroom
2-6 PM EST, 11-3 PM PST
It's a great opportunity to mingle and coordinate with FreeBSD
developers locally and beyond.
http://wiki.freebsd.org/Bugathons/2012July
A basic outline includes:
o Docs updating and validation
a. What does the other bsd's say
b. is it it accurate
c. Improvements
d. New docs / examples
o Porting help for creating new ports
o Ports bug busting
a. Confirming pr's
b. fixes to open pr's
c. Testing various config options ie can I set var=yes in make.conf
and get useful results
We'll also be on efnet #nycbug for coordinating beyond NYC.
_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce
[USN-1513-1] libexif vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1513-1
July 23, 2012
libexif vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
libexif could be made to crash, run programs as your login, or expose
sensitive information if it opened a specially crafted file.
Software Description:
- libexif: library to parse EXIF files
Details:
Mateusz Jurczyk discovered that libexif incorrectly parsed certain
malformed EXIF tags. If a user or automated system were tricked into
processing a specially crafted image file, an attacker could cause libexif
to crash, leading to a denial of service, or possibly obtain sensitive
information. (CVE-2012-2812, CVE-2012-2813)
Mateusz Jurczyk discovered that libexif incorrectly parsed certain
malformed EXIF tags. If a user or automated system were tricked into
processing a specially crafted image file, an attacker could cause libexif
to crash, leading to a denial of service, or possibly execute arbitrary
code. (CVE-2012-2814)
Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF
tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service, or possibly obtain sensitive information.
(CVE-2012-2836)
Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF
tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service. (CVE-2012-2837)
Dan Fandrich discovered that libexif incorrectly parsed certain malformed
EXIF tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service, or possibly execute arbitrary code.
(CVE-2012-2840, CVE-2012-2841)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libexif12 0.6.20-2ubuntu0.1
Ubuntu 11.10:
libexif12 0.6.20-1ubuntu0.1
Ubuntu 11.04:
libexif12 0.6.20-0ubuntu1.1
Ubuntu 10.04 LTS:
libexif12 0.6.19-1ubuntu0.1
Ubuntu 8.04 LTS:
libexif12 0.6.16-2.1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1513-1
CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836,
CVE-2012-2837, CVE-2012-2840, CVE-2012-2841
Package Information:
https://launchpad.net/ubuntu/+source/libexif/0.6.20-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.20-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.20-0ubuntu1.1
https://launchpad.net/ubuntu/+source/libexif/0.6.19-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.16-2.1ubuntu0.2
Ubuntu Security Notice USN-1513-1
July 23, 2012
libexif vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
libexif could be made to crash, run programs as your login, or expose
sensitive information if it opened a specially crafted file.
Software Description:
- libexif: library to parse EXIF files
Details:
Mateusz Jurczyk discovered that libexif incorrectly parsed certain
malformed EXIF tags. If a user or automated system were tricked into
processing a specially crafted image file, an attacker could cause libexif
to crash, leading to a denial of service, or possibly obtain sensitive
information. (CVE-2012-2812, CVE-2012-2813)
Mateusz Jurczyk discovered that libexif incorrectly parsed certain
malformed EXIF tags. If a user or automated system were tricked into
processing a specially crafted image file, an attacker could cause libexif
to crash, leading to a denial of service, or possibly execute arbitrary
code. (CVE-2012-2814)
Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF
tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service, or possibly obtain sensitive information.
(CVE-2012-2836)
Yunho Kim discovered that libexif incorrectly parsed certain malformed EXIF
tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service. (CVE-2012-2837)
Dan Fandrich discovered that libexif incorrectly parsed certain malformed
EXIF tags. If a user or automated system were tricked into processing a
specially crafted image file, an attacker could cause libexif to crash,
leading to a denial of service, or possibly execute arbitrary code.
(CVE-2012-2840, CVE-2012-2841)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libexif12 0.6.20-2ubuntu0.1
Ubuntu 11.10:
libexif12 0.6.20-1ubuntu0.1
Ubuntu 11.04:
libexif12 0.6.20-0ubuntu1.1
Ubuntu 10.04 LTS:
libexif12 0.6.19-1ubuntu0.1
Ubuntu 8.04 LTS:
libexif12 0.6.16-2.1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1513-1
CVE-2012-2812, CVE-2012-2813, CVE-2012-2814, CVE-2012-2836,
CVE-2012-2837, CVE-2012-2840, CVE-2012-2841
Package Information:
https://launchpad.net/ubuntu/+source/libexif/0.6.20-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.20-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.20-0ubuntu1.1
https://launchpad.net/ubuntu/+source/libexif/0.6.19-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libexif/0.6.16-2.1ubuntu0.2
Sunday, July 22, 2012
Mass rebuild for Fedora 18 Complete
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iQIcBAEBAgAGBQJQDGC5AAoJEEs3sNgP+7teKlwP/iHNYz2fM7vp9UlbHFyTT0FR
BJ72OwEp3zToaz4U1ItcPxN0zYXdvQuNrfBM+cM0cEhLio5ZvTGgsK91ecksHsaG
ZXDfQo/joiFTuJ1RVQeE8s5g1tMwQre9F94vS37xd2f8mxj2eIXCj1FXvvhTML2G
8YreUyaWad6u9P/2eiDEyy9Win4EYB71IQLRYCjfUPDyE+OK3S2cblVdRd/0Lzmt
eCwNvY8YxYgzjJj1nGHKhOFEp1Jft4r8XlNZuyugBc3+d1btZL1evYWNdoC2U8cq
9jjEEFbF+E0/e3mrZgr5QqY0kbqhh6dd82gXbZTBCh2Zt0HZeEa7XREkUWg5kHQ2
ODnAvZosw3/oOFHfpUU91Jbl8snBiBhsnxdcJ3XAyPpTa5f7g3bijQAIrISx3P//
MkeaTIJf84mYciUhtArHOcMT1j65ctzaMwT1ZC2nW8775Hrv3ywe+1sB+GYrL9MD
tbdS3XwL+BKGTYO1RBpCn/zY9StahYfmE7wS32Ce7ddQxDHEhndZNEuN3Uf+0iE8
etdJPkDnHLb/tJIzn3bYwMmR1ufu/JS8kH93M9a3OsllhNN8BiDqukA+n7hQJj+1
z1hriiWSKeGrrGCj/w1koNZHOzU6Ip6iB2mGla2jDBVNbwmelorFV4ipdvijsAbn
dT3eM7uJtOgQUKoenY6O
=c8B4
-----END PGP SIGNATURE-----
On Tue, 17 Jul 2012 07:39:31 -0500
Dennis Gilmore <dennis@ausil.us> wrote:
> it was requested in https://fedorahosted.org/rel-eng/ticket/5222 that
> we do a mass rebuild for Fedora 18 for
> https://fedoraproject.org/wiki/Features/DwarfCompressor and
> https://fedoraproject.org/wiki/Features/MiniDebugInfo due to a mix up
> in dates it was going to start on 2012-07-30 but since that only gives
> a week to do the rebuild before branching for f18 on 2012-08-07 we
> will be starting the mass rebuild on 2012-07-18
>
> This is a heads up that it will be done in a side tag and moved over
> when completed. We will be running scripts to output failure stats.
> please be sure to let releng know if you see any bugs in the
> reporting.
The mass rebuild has completed and been tagged back into rawhide, they
should appear in tomorrow's rawhide compose.
11057 packages were successfully rebuilt.
656 packages failed to rebuild.
Please fix any packages you maintain that failed to rebuild.
kevin
Version: GnuPG v2.0.18 (GNU/Linux)
iQIcBAEBAgAGBQJQDGC5AAoJEEs3sNgP+7teKlwP/iHNYz2fM7vp9UlbHFyTT0FR
BJ72OwEp3zToaz4U1ItcPxN0zYXdvQuNrfBM+cM0cEhLio5ZvTGgsK91ecksHsaG
ZXDfQo/joiFTuJ1RVQeE8s5g1tMwQre9F94vS37xd2f8mxj2eIXCj1FXvvhTML2G
8YreUyaWad6u9P/2eiDEyy9Win4EYB71IQLRYCjfUPDyE+OK3S2cblVdRd/0Lzmt
eCwNvY8YxYgzjJj1nGHKhOFEp1Jft4r8XlNZuyugBc3+d1btZL1evYWNdoC2U8cq
9jjEEFbF+E0/e3mrZgr5QqY0kbqhh6dd82gXbZTBCh2Zt0HZeEa7XREkUWg5kHQ2
ODnAvZosw3/oOFHfpUU91Jbl8snBiBhsnxdcJ3XAyPpTa5f7g3bijQAIrISx3P//
MkeaTIJf84mYciUhtArHOcMT1j65ctzaMwT1ZC2nW8775Hrv3ywe+1sB+GYrL9MD
tbdS3XwL+BKGTYO1RBpCn/zY9StahYfmE7wS32Ce7ddQxDHEhndZNEuN3Uf+0iE8
etdJPkDnHLb/tJIzn3bYwMmR1ufu/JS8kH93M9a3OsllhNN8BiDqukA+n7hQJj+1
z1hriiWSKeGrrGCj/w1koNZHOzU6Ip6iB2mGla2jDBVNbwmelorFV4ipdvijsAbn
dT3eM7uJtOgQUKoenY6O
=c8B4
-----END PGP SIGNATURE-----
On Tue, 17 Jul 2012 07:39:31 -0500
Dennis Gilmore <dennis@ausil.us> wrote:
> it was requested in https://fedorahosted.org/rel-eng/ticket/5222 that
> we do a mass rebuild for Fedora 18 for
> https://fedoraproject.org/wiki/Features/DwarfCompressor and
> https://fedoraproject.org/wiki/Features/MiniDebugInfo due to a mix up
> in dates it was going to start on 2012-07-30 but since that only gives
> a week to do the rebuild before branching for f18 on 2012-08-07 we
> will be starting the mass rebuild on 2012-07-18
>
> This is a heads up that it will be done in a side tag and moved over
> when completed. We will be running scripts to output failure stats.
> please be sure to let releng know if you see any bugs in the
> reporting.
The mass rebuild has completed and been tagged back into rawhide, they
should appear in tomorrow's rawhide compose.
11057 packages were successfully rebuilt.
656 packages failed to rebuild.
Please fix any packages you maintain that failed to rebuild.
kevin
Thursday, July 19, 2012
Proposal request for ideas on naming Fedora releases.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hash: SHA1
The Fedora Board is soliciting ideas for how to name Fedora releases
from community members. Proposals should be sent to the Advisory
Board list[0][1] no later than 16:00 UTC on 25 July 2012. The
community is invited to discuss the proposals on the Advisory Board list.
[0] https://lists.fedoraproject.org/mailman/listinfo/advisory-board
[1] advisory-board@lists.fedoraproject.org
Thanks,
Eric "Sparks"
Fedora Board Member
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBAgAGBQJQCCarAAoJEIB2q94CS7PRXvwP/2KCNz985J35CTZoOTLyTJ6l
BopmuaumlGoUYAKaXkKYCJgbwOFMO7uNg9NooaG56EkGGcYD+05EA3fVuGYWDqjc
7le8FC64e5jaIVjVrvdclUPY7VMfC8vKWORe+EH/ISX/tCunEEwn7DkCORcbJTQv
ybxuMPJ+1MA9h6Nj75eIo9ek5Dy//WKW03Rcdq2ikgCe3uApBY+SMCkRMh2stTXB
KlO7PC+geXUzHa/GB4B5Ss51vecYJaV7u4DMU4E53L271iquhOQ33mnq8WuIRVJc
UGsrzpENAdmLvdn6zZ3AQW6haE8lHHrglKbq2+lwLlPXZ1iLVJ3Is6sFpB6ihlHz
mdozmgvZjnC19srNJat9kDPsON/fAfQ3xmkIpdsxO8iavn2J//9jOyQLPx9cV9P7
3CcI4a27r/B8zSqzNQnQAFCMuLu5MQKRfGD9Uh/C9p7p1DXX6jT+CAxPPmvt9wXw
chBfW5z1dCc1aTJ85OoZbZDfOImIkgR6cJ3aeXyQT3ypxCXB5F0yI3XugTIpwYg7
N/DV9Dkl5pMvMiQAo06aXD7MXwpPy0rLdUc0CZFgi3yhP7hBxVtbEGvnFp1/2tz3
aJ51wLBE0P7xH1r2iWYF/GIBkLf4beEyIQj7wq+WpUr6fhb+pAFob18sXBArIAHn
AWvXdIhdzTWkdG4xtjnX
=gPM2
-----END PGP SIGNATURE-----
--
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce
[USN-1512-1] KDE PIM vulnerability
==========================================================================
Ubuntu Security Notice USN-1512-1
July 19, 2012
kdepim vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
KDE PIM could be made to execute JavaScript if it opened a specially
crafted email.
Software Description:
- kdepim: Personal Information Management apps
Details:
It was discovered that KDE PIM html renderer incorrectly enabled
JavaScript, Java and Plugins. A remote attacker could use this flaw to send
an email with embedded JavaScript that possibly executes when opened.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
kdepim 4:4.8.4a-0ubuntu0.3
Ubuntu 11.10:
kdepim 4:4.7.4+git111222-0ubuntu0.3
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1512-1
CVE-2012-3413
Package Information:
https://launchpad.net/ubuntu/+source/kdepim/4:4.8.4a-0ubuntu0.3
https://launchpad.net/ubuntu/+source/kdepim/4:4.7.4+git111222-0ubuntu0.3
Ubuntu Security Notice USN-1512-1
July 19, 2012
kdepim vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
KDE PIM could be made to execute JavaScript if it opened a specially
crafted email.
Software Description:
- kdepim: Personal Information Management apps
Details:
It was discovered that KDE PIM html renderer incorrectly enabled
JavaScript, Java and Plugins. A remote attacker could use this flaw to send
an email with embedded JavaScript that possibly executes when opened.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
kdepim 4:4.8.4a-0ubuntu0.3
Ubuntu 11.10:
kdepim 4:4.7.4+git111222-0ubuntu0.3
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1512-1
CVE-2012-3413
Package Information:
https://launchpad.net/ubuntu/+source/kdepim/4:4.8.4a-0ubuntu0.3
https://launchpad.net/ubuntu/+source/kdepim/4:4.7.4+git111222-0ubuntu0.3
[USN-1511-1] tiff vulnerability
==========================================================================
Ubuntu Security Notice USN-1511-1
July 19, 2012
tiff vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
tiff2pdf could be made to crash or run programs as your login if it opened
a specially crafted file.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
Huzaifa Sidhpurwala discovered that the tiff2pdf utility incorrectly
handled certain malformed TIFF images. If a user or automated system were
tricked into opening a specially crafted TIFF image, a remote attacker
could crash the application, leading to a denial of service, or possibly
execute arbitrary code with user privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libtiff-tools 3.9.5-2ubuntu1.2
Ubuntu 11.10:
libtiff-tools 3.9.5-1ubuntu1.3
Ubuntu 11.04:
libtiff-tools 3.9.4-5ubuntu6.3
Ubuntu 10.04 LTS:
libtiff-tools 3.9.2-2ubuntu0.10
Ubuntu 8.04 LTS:
libtiff-tools 3.8.2-7ubuntu3.13
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1511-1
CVE-2012-3401
Package Information:
https://launchpad.net/ubuntu/+source/tiff/3.9.5-2ubuntu1.2
https://launchpad.net/ubuntu/+source/tiff/3.9.5-1ubuntu1.3
https://launchpad.net/ubuntu/+source/tiff/3.9.4-5ubuntu6.3
https://launchpad.net/ubuntu/+source/tiff/3.9.2-2ubuntu0.10
https://launchpad.net/ubuntu/+source/tiff/3.8.2-7ubuntu3.13
Ubuntu Security Notice USN-1511-1
July 19, 2012
tiff vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
tiff2pdf could be made to crash or run programs as your login if it opened
a specially crafted file.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
Huzaifa Sidhpurwala discovered that the tiff2pdf utility incorrectly
handled certain malformed TIFF images. If a user or automated system were
tricked into opening a specially crafted TIFF image, a remote attacker
could crash the application, leading to a denial of service, or possibly
execute arbitrary code with user privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
libtiff-tools 3.9.5-2ubuntu1.2
Ubuntu 11.10:
libtiff-tools 3.9.5-1ubuntu1.3
Ubuntu 11.04:
libtiff-tools 3.9.4-5ubuntu6.3
Ubuntu 10.04 LTS:
libtiff-tools 3.9.2-2ubuntu0.10
Ubuntu 8.04 LTS:
libtiff-tools 3.8.2-7ubuntu3.13
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1511-1
CVE-2012-3401
Package Information:
https://launchpad.net/ubuntu/+source/tiff/3.9.5-2ubuntu1.2
https://launchpad.net/ubuntu/+source/tiff/3.9.5-1ubuntu1.3
https://launchpad.net/ubuntu/+source/tiff/3.9.4-5ubuntu6.3
https://launchpad.net/ubuntu/+source/tiff/3.9.2-2ubuntu0.10
https://launchpad.net/ubuntu/+source/tiff/3.8.2-7ubuntu3.13
Tuesday, July 17, 2012
[USN-1509-2] ubufox update
==========================================================================
Ubuntu Security Notice USN-1509-2
July 18, 2012
ubufox update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
This update provides compatible ubufox packages for the latest Firefox.
Software Description:
- ubufox: Ubuntu Firefox specific configuration defaults and apt support
Details:
USN-1509-1 fixed vulnerabilities in Firefox. This update provides an updated
ubufox package for use with the lastest Firefox.
Original advisory details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Firefox. If the user were tricked into opening a
specially crafted page, an attacker could possibly exploit these to cause a
denial of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949)
Mario Gomes discovered that the address bar may be incorrectly updated.
Drag-and-drop events in the address bar may cause the address of the previous
site to be displayed while a new page is loaded. An attacker could exploit this
to conduct phishing attacks. (CVE-2012-1950)
Abhishek Arya discovered four memory safety issues affecting Firefox. If the
user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Firefox. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
Matt McCutchen discovered a clickjacking vulnerability in the certificate
warning page. A remote attacker could trick a user into accepting a malicious
certificate via a crafted certificate warning page. (CVE-2012-1964)
Mario Gomes and Soroush Dalili discovered that javascript was not filtered out
of feed URLs. If the user were tricked into opening a specially crafted URL, an
attacker could possibly exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2012-1965)
A vulnerability was discovered in the context menu of data: URLs. If the user
were tricked into opening a specially crafted URL, an attacker could possibly
exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Firefox. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
ubufox 2.1.1-0ubuntu0.12.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.12.04.1
Ubuntu 11.10:
ubufox 2.1.1-0ubuntu0.11.10.1
xul-ext-ubufox 2.1.1-0ubuntu0.11.10.1
Ubuntu 11.04:
ubufox 2.1.1-0ubuntu0.11.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
ubufox 2.1.1-0ubuntu0.10.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Firefox. This is a known
issue being tracked in https://launchpad.net/bugs/1020198 and may be fixed in a
later update.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1509-2
http://www.ubuntu.com/usn/usn-1509-1
https://launchpad.net/bugs/1024562
Package Information:
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.10.04.1
Ubuntu Security Notice USN-1509-2
July 18, 2012
ubufox update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
This update provides compatible ubufox packages for the latest Firefox.
Software Description:
- ubufox: Ubuntu Firefox specific configuration defaults and apt support
Details:
USN-1509-1 fixed vulnerabilities in Firefox. This update provides an updated
ubufox package for use with the lastest Firefox.
Original advisory details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Firefox. If the user were tricked into opening a
specially crafted page, an attacker could possibly exploit these to cause a
denial of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949)
Mario Gomes discovered that the address bar may be incorrectly updated.
Drag-and-drop events in the address bar may cause the address of the previous
site to be displayed while a new page is loaded. An attacker could exploit this
to conduct phishing attacks. (CVE-2012-1950)
Abhishek Arya discovered four memory safety issues affecting Firefox. If the
user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Firefox. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
Matt McCutchen discovered a clickjacking vulnerability in the certificate
warning page. A remote attacker could trick a user into accepting a malicious
certificate via a crafted certificate warning page. (CVE-2012-1964)
Mario Gomes and Soroush Dalili discovered that javascript was not filtered out
of feed URLs. If the user were tricked into opening a specially crafted URL, an
attacker could possibly exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2012-1965)
A vulnerability was discovered in the context menu of data: URLs. If the user
were tricked into opening a specially crafted URL, an attacker could possibly
exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Firefox. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
ubufox 2.1.1-0ubuntu0.12.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.12.04.1
Ubuntu 11.10:
ubufox 2.1.1-0ubuntu0.11.10.1
xul-ext-ubufox 2.1.1-0ubuntu0.11.10.1
Ubuntu 11.04:
ubufox 2.1.1-0ubuntu0.11.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
ubufox 2.1.1-0ubuntu0.10.04.1
xul-ext-ubufox 2.1.1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Firefox. This is a known
issue being tracked in https://launchpad.net/bugs/1020198 and may be fixed in a
later update.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1509-2
http://www.ubuntu.com/usn/usn-1509-1
https://launchpad.net/bugs/1024562
Package Information:
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/ubufox/2.1.1-0ubuntu0.10.04.1
[USN-1510-1] Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1510-1
July 17, 2012
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Thunderbird. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit these to
cause a denial of service via application crash, or potentially execute code
with the privileges of the user invoking Thunderbird. (CVE-2012-1948,
CVE-2012-1949)
Abhishek Arya discovered four memory safety issues affecting Thunderbird. If
the user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Thunderbird. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Thunderbird. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
thunderbird 14.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
thunderbird 14.0+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
thunderbird 14.0+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
thunderbird 14.0+build1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Thunderbird. This is a
known issue being tracked in https://launchpad.net/bugs/1020198 and may be
fixed in a later update.
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1510-1
CVE-2012-1948, CVE-2012-1949, CVE-2012-1951, CVE-2012-1952,
CVE-2012-1953, CVE-2012-1954, CVE-2012-1955, CVE-2012-1957,
CVE-2012-1958, CVE-2012-1959, CVE-2012-1960, CVE-2012-1961,
CVE-2012-1962, CVE-2012-1963, CVE-2012-1967, https://launchpad.net/bugs/1020198,
https://launchpad.net/bugs/1024564
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.10.04.1
Ubuntu Security Notice USN-1510-1
July 17, 2012
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Thunderbird. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit these to
cause a denial of service via application crash, or potentially execute code
with the privileges of the user invoking Thunderbird. (CVE-2012-1948,
CVE-2012-1949)
Abhishek Arya discovered four memory safety issues affecting Thunderbird. If
the user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Thunderbird. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Thunderbird. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
thunderbird 14.0+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
thunderbird 14.0+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
thunderbird 14.0+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
thunderbird 14.0+build1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Thunderbird. This is a
known issue being tracked in https://launchpad.net/bugs/1020198 and may be
fixed in a later update.
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1510-1
CVE-2012-1948, CVE-2012-1949, CVE-2012-1951, CVE-2012-1952,
CVE-2012-1953, CVE-2012-1954, CVE-2012-1955, CVE-2012-1957,
CVE-2012-1958, CVE-2012-1959, CVE-2012-1960, CVE-2012-1961,
CVE-2012-1962, CVE-2012-1963, CVE-2012-1967, https://launchpad.net/bugs/1020198,
https://launchpad.net/bugs/1024564
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/thunderbird/14.0+build1-0ubuntu0.10.04.1
[USN-1509-1] Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1509-1
July 17, 2012
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Firefox. If the user were tricked into opening a
specially crafted page, an attacker could possibly exploit these to cause a
denial of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949)
Mario Gomes discovered that the address bar may be incorrectly updated.
Drag-and-drop events in the address bar may cause the address of the previous
site to be displayed while a new page is loaded. An attacker could exploit this
to conduct phishing attacks. (CVE-2012-1950)
Abhishek Arya discovered four memory safety issues affecting Firefox. If the
user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Firefox. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
Matt McCutchen discovered a clickjacking vulnerability in the certificate
warning page. A remote attacker could trick a user into accepting a malicious
certificate via a crafted certificate warning page. (CVE-2012-1964)
Mario Gomes and Soroush Dalili discovered that javascript was not filtered out
of feed URLs. If the user were tricked into opening a specially crafted URL, an
attacker could possibly exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2012-1965)
A vulnerability was discovered in the context menu of data: URLs. If the user
were tricked into opening a specially crafted URL, an attacker could possibly
exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Firefox. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
firefox 14.0.1+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 14.0.1+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
firefox 14.0.1+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
firefox 14.0.1+build1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Firefox. This is a known
issue being tracked in https://launchpad.net/bugs/1020198 and may be fixed in a
later update.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1509-1
CVE-2012-1948, CVE-2012-1949, CVE-2012-1950, CVE-2012-1951,
CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1955,
CVE-2012-1957, CVE-2012-1958, CVE-2012-1959, CVE-2012-1960,
CVE-2012-1961, CVE-2012-1962, CVE-2012-1963, CVE-2012-1964,
CVE-2012-1965, CVE-2012-1966, CVE-2012-1967, https://launchpad.net/bugs/1020198,
https://launchpad.net/bugs/1024562
Package Information:
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.10.04.1
Ubuntu Security Notice USN-1509-1
July 17, 2012
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian Smith,
Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle Huey discovered
memory safety issues affecting Firefox. If the user were tricked into opening a
specially crafted page, an attacker could possibly exploit these to cause a
denial of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-1948, CVE-2012-1949)
Mario Gomes discovered that the address bar may be incorrectly updated.
Drag-and-drop events in the address bar may cause the address of the previous
site to be displayed while a new page is loaded. An attacker could exploit this
to conduct phishing attacks. (CVE-2012-1950)
Abhishek Arya discovered four memory safety issues affecting Firefox. If the
user were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)
Mariusz Mlynski discovered that the address bar may be incorrectly updated.
Calls to history.forward and history.back could be used to navigate to a site
while the address bar still displayed the previous site. A remote attacker
could exploit this to conduct phishing attacks. (CVE-2012-1955)
Mario Heiderich discovered that HTML <embed> tags were not filtered out of the
HTML <description> of RSS feeds. A remote attacker could exploit this to
conduct cross-site scripting (XSS) attacks via javascript execution in the HTML
feed view. (CVE-2012-1957)
Arthur Gerkis discovered a use-after-free vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1958)
Bobby Holley discovered that same-compartment security wrappers (SCSW) could be
bypassed to allow XBL access. If the user were tricked into opening a specially
crafted page, an attacker could possibly exploit this to execute code with the
privileges of the user invoking Firefox. (CVE-2012-1959)
Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a specially
crafted color profile, an attacker could possibly exploit this to cause a
denial of service via application crash. (CVE-2012-1960)
Frédéric Buclin discovered that the X-Frame-Options header was ignored when its
value was specified multiple times. An attacker could exploit this to conduct
clickjacking attacks. (CVE-2012-1961)
Bill Keese discovered a memory corruption vulnerability. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox. (CVE-2012-1962)
Karthikeyan Bhargavan discovered an information leakage vulnerability in the
Content Security Policy (CSP) 1.0 implementation. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit this to
access a user's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963)
Matt McCutchen discovered a clickjacking vulnerability in the certificate
warning page. A remote attacker could trick a user into accepting a malicious
certificate via a crafted certificate warning page. (CVE-2012-1964)
Mario Gomes and Soroush Dalili discovered that javascript was not filtered out
of feed URLs. If the user were tricked into opening a specially crafted URL, an
attacker could possibly exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2012-1965)
A vulnerability was discovered in the context menu of data: URLs. If the user
were tricked into opening a specially crafted URL, an attacker could possibly
exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-1966)
It was discovered that the execution of javascript: URLs was not properly
handled in some cases. A remote attacker could exploit this to execute code
with the privileges of the user invoking Firefox. (CVE-2012-1967)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
firefox 14.0.1+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 14.0.1+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
firefox 14.0.1+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
firefox 14.0.1+build1-0ubuntu0.10.04.1
When upgrading, users should be aware of the following:
- In Ubuntu 11.04, unity-2d users may lose the ability to view drop-down menus,
context menus, and perform drag-and-drop operations in Firefox. This is a known
issue being tracked in https://launchpad.net/bugs/1020198 and may be fixed in a
later update.
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1509-1
CVE-2012-1948, CVE-2012-1949, CVE-2012-1950, CVE-2012-1951,
CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1955,
CVE-2012-1957, CVE-2012-1958, CVE-2012-1959, CVE-2012-1960,
CVE-2012-1961, CVE-2012-1962, CVE-2012-1963, CVE-2012-1964,
CVE-2012-1965, CVE-2012-1966, CVE-2012-1967, https://launchpad.net/bugs/1020198,
https://launchpad.net/bugs/1024562
Package Information:
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/14.0.1+build1-0ubuntu0.10.04.1
Call for Test Days for Fedora 18
Hey, folks. It's that time again - time to start thinking about Test
Days for Fedora 18.
Days for Fedora 18.
For anyone who isn't aware, a Test Day is an event usually focused
around IRC for interaction and a Wiki page for instructions and results,
with the aim being to get a bunch of interested users and developers
together to test a specific feature or area of the distribution. You can
run a Test Day on just about anything for which it would be useful to do
some fairly focused testing in 'real time' with a group of testers; it
doesn't have to be code, for instance we often run Test Days for
l10n/i18n topics. For more information on Test Days, see
https://fedoraproject.org/wiki/QA/Test_Days .
Anyone who wants to can host their own Test Day, or you can request that
the QA group helps you out with organization, or any combination of the
two. To propose a Test Day, just file a ticket in QA trac - full details
are at https://fedoraproject.org/wiki/QA/Test_Days/Create . For
instructions on hosting a Test Day, see
https://fedoraproject.org/wiki/QA/SOP_Test_Day_management .
You can see the schedule at
https://fedoraproject.org/wiki/QA/Fedora_18_test_days . There are many
slots open right now, with the earliest on 2012-08-09 and the latest
2012-11-01. Consider the development schedule, though, in deciding when
you want to run your Test Day - for some topics you may want to avoid
the time before the Alpha release or the time after the feature freeze
or the Final freeze.
We normally aim to schedule Test Days on Thursdays; however, if you want
to run a series of related Test Days, it's often a good idea to do
something like Tuesday / Wednesday / Thursday of the same week (this is
how we usually run the X Test Week, for instance). If all the Thursday
slots fill up but more people want to run Test Days, we will open up
Tuesday slots as overflows. And finally, if you really want to run a
Test Day in a specific timeframe due to the development schedule, but
the Thursday slot for that week is full, we can add a slot on another
day. We're flexible! Just put in your ticket the date or timeframe you'd
like, and we'll figure it out from there.
If you have any questions about the Test Day process, please don't
hesitate to contact me or any other member of the QA team on test@ or in
#fedora-qa on IRC. Thanks!
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Fedora 18 Feature Submission Deadline in one week (2012-07-24)
Hi!
This a friendly reminder that The Fedora 18 Feature Submission
Deadline is coming soon (maybe too soon for some of you;-) - see
the Fedora 18 Schedule [1] - and it's exactly in one week,
on Tuesday, July 24, 2012. After this date newly submitted
features will be targeted for Fedora 19 unless an exception
is granted by FESCo. So, think about the stuff you're working on
if it deserves the broader visibility within the release and
submit it as a feature, see Feature process Policy [2].
This a friendly reminder that The Fedora 18 Feature Submission
Deadline is coming soon (maybe too soon for some of you;-) - see
the Fedora 18 Schedule [1] - and it's exactly in one week,
on Tuesday, July 24, 2012. After this date newly submitted
features will be targeted for Fedora 19 unless an exception
is granted by FESCo. So, think about the stuff you're working on
if it deserves the broader visibility within the release and
submit it as a feature, see Feature process Policy [2].
Feature Freeze follows in other next two weeks (2012-08-07) and
Features should be *substantially complete and in a testable state*
at this point [3].
Please take a look on accepted Fedora 18 Features so far to
check what's going to happen in Spherical Cow, if there are no
conflicts with your features or you have a cool idea how to extend/
help with the features itself.
Also - for the owners of already accepted features - please update
the current status of your feature (both completion percentage and
last updated date). I'll go through the list in a next few days to
update the main FeatureList page. After that time I can't promise
you a friendly reminder but...
Thanks for all for the amazing job!
Jaroslav
Your Feature Wrangler
[1] http://fedoraproject.org/wiki/Releases/18/Schedule
[2] http://fedoraproject.org/wiki/Features/Policy
[3] http://fedoraproject.org/wiki/ReleaseEngineering/FeatureFreezePolicy
[4] http://fedoraproject.org/wiki/Releases/18/FeatureList
Btw. in case you'll need a help with Feature, feel free to contact
me (email, ping etc.).
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Mass rebuild for Fedora 18
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
it was requested in https://fedorahosted.org/rel-eng/ticket/5222 that
we do a mass rebuild for Fedora 18 for
https://fedoraproject.org/wiki/Features/DwarfCompressor and
https://fedoraproject.org/wiki/Features/MiniDebugInfo due to a mix up
in dates it was going to start on 2012-07-30 but since that only gives
a week to do the rebuild before branching for f18 on 2012-08-07 we will
be starting the mass rebuild on 2012-07-18
This is a heads up that it will be done in a side tag and moved over
when completed. We will be running scripts to output failure stats.
please be sure to let releng know if you see any bugs in the reporting.
Dennis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEARECAAYFAlAFXQoACgkQkSxm47BaWfeSAACgu+vUKWhm2mLYHF4Xqr0TlrkS
qB4AoJocdVao2s6eUpWS82L5HO2bUSdC
=AAjf
-----END PGP SIGNATURE-----
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Hash: SHA1
it was requested in https://fedorahosted.org/rel-eng/ticket/5222 that
we do a mass rebuild for Fedora 18 for
https://fedoraproject.org/wiki/Features/DwarfCompressor and
https://fedoraproject.org/wiki/Features/MiniDebugInfo due to a mix up
in dates it was going to start on 2012-07-30 but since that only gives
a week to do the rebuild before branching for f18 on 2012-08-07 we will
be starting the mass rebuild on 2012-07-18
This is a heads up that it will be done in a side tag and moved over
when completed. We will be running scripts to output failure stats.
please be sure to let releng know if you see any bugs in the reporting.
Dennis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEARECAAYFAlAFXQoACgkQkSxm47BaWfeSAACgu+vUKWhm2mLYHF4Xqr0TlrkS
qB4AoJocdVao2s6eUpWS82L5HO2bUSdC
=AAjf
-----END PGP SIGNATURE-----
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Monday, July 16, 2012
[USN-1508-1] Linux kernel (OMAP4) vulnerability
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQBL8VAAoJEAUvNnAY1cPYUf4P/jH33wzzl/W3FFpmDOz9lZ+l
rdG+ReooMoXsE4wZbhH7V1vbfmE9Wv81q5kFkg0Qp6cQA5GwD46Xp4UI/VuEnY0b
ZnZwTuu5KUgttwEToRjBVy80ET63fcyPYx09GbPX9ddtCaPf7yi8MYd12Jao6Nib
vlK7+heRRZn1sOSqDxvwnk94ur8poI79MbCJCoDl1g0tpKkOzTXQMoTbvcRDJIkY
tS0SOrSIhKcSHajGy+czqyJXLHoKumC4jeCq3Fx4IRVoHSIEtwrm5AuTuMohX4Xq
r3tQw3V2PvXTD1acrSH9V/sO2Zb58xQ+U/yL0LbZL9vT62zO6dIEkdqFdAlxRQpU
alXK6G7qLh9LYdp9lpL7UJBNGydh+o9TCJdKj3HeLp8jf0WTqtAmDSnwI8Spaavz
HyDIc6W6aaYw5JMriEdNcy4oF0cD6XgvHPOEYHslgWhXL+XRyo234OmyglLyXBdc
6n8fCknjpoXc/qy59r+2mxkwj2OEUMbu01eW5qOFjSNoL0KgEM4QkKf4mMrD0HFU
1Ex2qrjCJ5ruN20KNEtFlsv5tWImh9NiHKj4E9XmE+rHw6YCTW3yjZu9WUYO+3A8
nZMEdNcOyTGrhHmVrgAYbJWAL4vLQtR8qheIqfICVnGnGsbmHKI7/OaedSIzRbMP
lOYWHKpTVh7hvtSjgb8J
=2HBz
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1508-1
July 17, 2012
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
An error was discovered in the Linux kernel's memory subsystem (hugetlb).
An unprivileged local user could exploit this flaw to cause a denial of
service (crash the system).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1416-omap4 3.2.0-1416.22
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1508-1
CVE-2012-2390
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1416.22
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQBL8VAAoJEAUvNnAY1cPYUf4P/jH33wzzl/W3FFpmDOz9lZ+l
rdG+ReooMoXsE4wZbhH7V1vbfmE9Wv81q5kFkg0Qp6cQA5GwD46Xp4UI/VuEnY0b
ZnZwTuu5KUgttwEToRjBVy80ET63fcyPYx09GbPX9ddtCaPf7yi8MYd12Jao6Nib
vlK7+heRRZn1sOSqDxvwnk94ur8poI79MbCJCoDl1g0tpKkOzTXQMoTbvcRDJIkY
tS0SOrSIhKcSHajGy+czqyJXLHoKumC4jeCq3Fx4IRVoHSIEtwrm5AuTuMohX4Xq
r3tQw3V2PvXTD1acrSH9V/sO2Zb58xQ+U/yL0LbZL9vT62zO6dIEkdqFdAlxRQpU
alXK6G7qLh9LYdp9lpL7UJBNGydh+o9TCJdKj3HeLp8jf0WTqtAmDSnwI8Spaavz
HyDIc6W6aaYw5JMriEdNcy4oF0cD6XgvHPOEYHslgWhXL+XRyo234OmyglLyXBdc
6n8fCknjpoXc/qy59r+2mxkwj2OEUMbu01eW5qOFjSNoL0KgEM4QkKf4mMrD0HFU
1Ex2qrjCJ5ruN20KNEtFlsv5tWImh9NiHKj4E9XmE+rHw6YCTW3yjZu9WUYO+3A8
nZMEdNcOyTGrhHmVrgAYbJWAL4vLQtR8qheIqfICVnGnGsbmHKI7/OaedSIzRbMP
lOYWHKpTVh7hvtSjgb8J
=2HBz
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1508-1
July 17, 2012
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
An error was discovered in the Linux kernel's memory subsystem (hugetlb).
An unprivileged local user could exploit this flaw to cause a denial of
service (crash the system).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1416-omap4 3.2.0-1416.22
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1508-1
CVE-2012-2390
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1416.22
[USN-1507-1] Linux kernel vulnerabilities
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQBL1HAAoJEAUvNnAY1cPYMeUP/1aX6/5THugJ3R0wg81ZO/64
2uSAMhvSRuid0kEzG49TQj0CzYRPlqUO+IH+08eT7eLgJdD/hS5Z4+mAhZr1CR3Q
QzbJzBw81PDrGaEtyNSX4U5RqWHyfpzujJEu2oxaNF4sYvtJyxIzHaJwsIjXIuW9
GL3U1ABiszvcGvw4wD3oUk3RGzodOPfhyhrlKTvod/Rup90CxhAk1Hu5BgOtxx8Z
30LmmXA/7cY8K3uAEUodawl4Wie7J25ESN/GyYXvnJhjrWpuflFb9jxsjI4RW2OH
LuFrXHKyTqDy+oXL47KP/Z4r9oB0gNRQrgsgrVyE6eOD32ZYLZ1pOpCm+c71CEsE
+gndD/g2ofjszfBZvy05w4alCFz8y12VJThLz91xV5Sn5ThBQb2Sov/Vm9ppH/ud
Q4RV43GDUAEvrIFnW8F9L7lYRWL22B2yf6btrK6Z3aFEH4fwsN4QhuAEkfqBdhfo
bJR6P10np41Uy/gn9jCBhWgIJjbvl7GSt9em+zZ0mMv8FqrkRDbD3ksAR3x2A4Sz
hgsrCS1lLAg1fnzgDAxa7Op3KDETRPqb0LEi5O4+Kphsvwkj9NMAyT8qZ1Tj9eaj
1G6/Rxkuv4tE781Ero6uzbgJ+UlJRznreTOvFPm2cek7CjBXPzx7P4h6l5gb9FWD
rbjmJRSm+uip+llayKzg
=Up/y
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1507-1
July 17, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)
An error was found in the Linux kernel's IPv6 netfilter when connection
tracking is enabled. A remote attacker could exploit this flaw to crash a
system if it is using IPv6 with the nf_contrack_ipv6 kernel module loaded.
(CVE-2012-2744)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 8.04 LTS:
linux-image-2.6.24-32-386 2.6.24-32.104
linux-image-2.6.24-32-generic 2.6.24-32.104
linux-image-2.6.24-32-hppa32 2.6.24-32.104
linux-image-2.6.24-32-hppa64 2.6.24-32.104
linux-image-2.6.24-32-itanium 2.6.24-32.104
linux-image-2.6.24-32-lpia 2.6.24-32.104
linux-image-2.6.24-32-lpiacompat 2.6.24-32.104
linux-image-2.6.24-32-mckinley 2.6.24-32.104
linux-image-2.6.24-32-openvz 2.6.24-32.104
linux-image-2.6.24-32-powerpc 2.6.24-32.104
linux-image-2.6.24-32-powerpc-smp 2.6.24-32.104
linux-image-2.6.24-32-powerpc64-smp 2.6.24-32.104
linux-image-2.6.24-32-rt 2.6.24-32.104
linux-image-2.6.24-32-server 2.6.24-32.104
linux-image-2.6.24-32-sparc64 2.6.24-32.104
linux-image-2.6.24-32-sparc64-smp 2.6.24-32.104
linux-image-2.6.24-32-virtual 2.6.24-32.104
linux-image-2.6.24-32-xen 2.6.24-32.104
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1507-1
CVE-2012-1601, CVE-2012-2744
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.24-32.104
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQIcBAEBCgAGBQJQBL1HAAoJEAUvNnAY1cPYMeUP/1aX6/5THugJ3R0wg81ZO/64
2uSAMhvSRuid0kEzG49TQj0CzYRPlqUO+IH+08eT7eLgJdD/hS5Z4+mAhZr1CR3Q
QzbJzBw81PDrGaEtyNSX4U5RqWHyfpzujJEu2oxaNF4sYvtJyxIzHaJwsIjXIuW9
GL3U1ABiszvcGvw4wD3oUk3RGzodOPfhyhrlKTvod/Rup90CxhAk1Hu5BgOtxx8Z
30LmmXA/7cY8K3uAEUodawl4Wie7J25ESN/GyYXvnJhjrWpuflFb9jxsjI4RW2OH
LuFrXHKyTqDy+oXL47KP/Z4r9oB0gNRQrgsgrVyE6eOD32ZYLZ1pOpCm+c71CEsE
+gndD/g2ofjszfBZvy05w4alCFz8y12VJThLz91xV5Sn5ThBQb2Sov/Vm9ppH/ud
Q4RV43GDUAEvrIFnW8F9L7lYRWL22B2yf6btrK6Z3aFEH4fwsN4QhuAEkfqBdhfo
bJR6P10np41Uy/gn9jCBhWgIJjbvl7GSt9em+zZ0mMv8FqrkRDbD3ksAR3x2A4Sz
hgsrCS1lLAg1fnzgDAxa7Op3KDETRPqb0LEi5O4+Kphsvwkj9NMAyT8qZ1Tj9eaj
1G6/Rxkuv4tE781Ero6uzbgJ+UlJRznreTOvFPm2cek7CjBXPzx7P4h6l5gb9FWD
rbjmJRSm+uip+llayKzg
=Up/y
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1507-1
July 17, 2012
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
A flaw was found in the Linux kernel's KVM (Kernel Virtual Machine) virtual
cpu setup. An unprivileged local user could exploit this flaw to crash the
system leading to a denial of service. (CVE-2012-1601)
An error was found in the Linux kernel's IPv6 netfilter when connection
tracking is enabled. A remote attacker could exploit this flaw to crash a
system if it is using IPv6 with the nf_contrack_ipv6 kernel module loaded.
(CVE-2012-2744)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 8.04 LTS:
linux-image-2.6.24-32-386 2.6.24-32.104
linux-image-2.6.24-32-generic 2.6.24-32.104
linux-image-2.6.24-32-hppa32 2.6.24-32.104
linux-image-2.6.24-32-hppa64 2.6.24-32.104
linux-image-2.6.24-32-itanium 2.6.24-32.104
linux-image-2.6.24-32-lpia 2.6.24-32.104
linux-image-2.6.24-32-lpiacompat 2.6.24-32.104
linux-image-2.6.24-32-mckinley 2.6.24-32.104
linux-image-2.6.24-32-openvz 2.6.24-32.104
linux-image-2.6.24-32-powerpc 2.6.24-32.104
linux-image-2.6.24-32-powerpc-smp 2.6.24-32.104
linux-image-2.6.24-32-powerpc64-smp 2.6.24-32.104
linux-image-2.6.24-32-rt 2.6.24-32.104
linux-image-2.6.24-32-server 2.6.24-32.104
linux-image-2.6.24-32-sparc64 2.6.24-32.104
linux-image-2.6.24-32-sparc64-smp 2.6.24-32.104
linux-image-2.6.24-32-virtual 2.6.24-32.104
linux-image-2.6.24-32-xen 2.6.24-32.104
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1507-1
CVE-2012-1601, CVE-2012-2744
Package Information:
https://launchpad.net/ubuntu/+source/linux/2.6.24-32.104
Friday, July 13, 2012
Outage: Mass reboots/Updates outage - 2012-07-17 21:00 UTC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iQIcBAEBAgAGBQJQAGCAAAoJEEs3sNgP+7teqHQP/ArTgrJzV540Fd+rPvXXBPyu
I3wdrY/KctYYN2OCx/awJoQcmoAwUGpMExQB/1S9nb0qZNDUef/SRmX9jx2gFEr8
luI4Qc96NMpRQK3/CkkeqWIrvE2o3+hqAZSYvLB2iiISScL+0cKKYOmuSudpIcFK
C8plwUyvYufxokJUKtLfPpuN39jAazI5CvyJ398iOpxtQaPA8VCSkTsUvk6VA03n
5raF8WKZfsbWjYAeTrtx5DIKnZzhyX+K8iZjKwcdodYoFYtqZ4W+Q8q1ddDByhGM
ENqOoEoIztc1t+CvPmRPByqez2pmlXZ8Aj+Kl5KSCEcFry5rargo0Qfk4vRFJtVb
0GcdQDl8QVp6zFO8cJ7Jj570FW/p5ugesNI/Gbjk0sEWcV2J0mGQZAUusWEEvdET
VE637daQnYO42TAIAAAFKrnXKbrzY7vRDQZxHaNI9js494Q/LacnidmKHPhFy+xj
IjA76kgOrTyjVdc/+aS2k6adEm8mQ1LaQRkFQQ332he8gj/u94X9dpts6s2c14tp
fURqQjs0etgE4iFJdhgwciEfxfa8NvfwAsLS9cgcsCCltOLBC8jpECg55YPNppRE
fJBUd5mkAfvHXf/xFmbD4ncRtO5r87QP0Ke+rcZEAt4VGIntoJvhhqgkE2MIBT2Q
SPNBcp9LP9qIRDOOUxoG
=fRCI
-----END PGP SIGNATURE-----
Outage: Mass reboots/Updates outage - 2012-07-17 21:00 UTC
There will be an outage starting at 2012-07-17 21:00 UTC, which will
last approximately 2 hours.
To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:
date -d '2012-07-17 21:00 UTC'
Reason for outage:
Servers are going to be upgraded and rebooted into new kernels.
During the outage window some services may be down for brief periods.
No single service should be affected for more than a few minutes.
Affected Services:
Ask Fedora - http://ask.fedoraproject.org/
BFO - http://boot.fedoraproject.org/
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
GIT / Source Control
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - http://fedorapeople.org/
Package Database - https://admin.fedoraproject.org/pkgdb/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
QA Services
Smolt - http://smolts.org/
Spins - http://spins.fedoraproject.org/
Start - http://start.fedoraproject.org/
Torrent - http://torrent.fedoraproject.org/
Wiki - http://fedoraproject.org/wiki/
Unaffected Services:
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - http://docs.fedoraproject.org/
Main Website - http://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Secondary Architectures
Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/3384
Contact Information:
Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.
Version: GnuPG v2.0.18 (GNU/Linux)
iQIcBAEBAgAGBQJQAGCAAAoJEEs3sNgP+7teqHQP/ArTgrJzV540Fd+rPvXXBPyu
I3wdrY/KctYYN2OCx/awJoQcmoAwUGpMExQB/1S9nb0qZNDUef/SRmX9jx2gFEr8
luI4Qc96NMpRQK3/CkkeqWIrvE2o3+hqAZSYvLB2iiISScL+0cKKYOmuSudpIcFK
C8plwUyvYufxokJUKtLfPpuN39jAazI5CvyJ398iOpxtQaPA8VCSkTsUvk6VA03n
5raF8WKZfsbWjYAeTrtx5DIKnZzhyX+K8iZjKwcdodYoFYtqZ4W+Q8q1ddDByhGM
ENqOoEoIztc1t+CvPmRPByqez2pmlXZ8Aj+Kl5KSCEcFry5rargo0Qfk4vRFJtVb
0GcdQDl8QVp6zFO8cJ7Jj570FW/p5ugesNI/Gbjk0sEWcV2J0mGQZAUusWEEvdET
VE637daQnYO42TAIAAAFKrnXKbrzY7vRDQZxHaNI9js494Q/LacnidmKHPhFy+xj
IjA76kgOrTyjVdc/+aS2k6adEm8mQ1LaQRkFQQ332he8gj/u94X9dpts6s2c14tp
fURqQjs0etgE4iFJdhgwciEfxfa8NvfwAsLS9cgcsCCltOLBC8jpECg55YPNppRE
fJBUd5mkAfvHXf/xFmbD4ncRtO5r87QP0Ke+rcZEAt4VGIntoJvhhqgkE2MIBT2Q
SPNBcp9LP9qIRDOOUxoG
=fRCI
-----END PGP SIGNATURE-----
Outage: Mass reboots/Updates outage - 2012-07-17 21:00 UTC
There will be an outage starting at 2012-07-17 21:00 UTC, which will
last approximately 2 hours.
To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:
date -d '2012-07-17 21:00 UTC'
Reason for outage:
Servers are going to be upgraded and rebooted into new kernels.
During the outage window some services may be down for brief periods.
No single service should be affected for more than a few minutes.
Affected Services:
Ask Fedora - http://ask.fedoraproject.org/
BFO - http://boot.fedoraproject.org/
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
GIT / Source Control
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - http://fedorapeople.org/
Package Database - https://admin.fedoraproject.org/pkgdb/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
QA Services
Smolt - http://smolts.org/
Spins - http://spins.fedoraproject.org/
Start - http://start.fedoraproject.org/
Torrent - http://torrent.fedoraproject.org/
Wiki - http://fedoraproject.org/wiki/
Unaffected Services:
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - http://docs.fedoraproject.org/
Main Website - http://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Secondary Architectures
Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/3384
Contact Information:
Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.
Thursday, July 12, 2012
[USN-1505-1] OpenJDK 6 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1505-1
July 13, 2012
icedtea-web, openjdk-6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK 6.
Software Description:
- openjdk-6: Open Source Java implementation
- icedtea-web: A web browser plugin to execute Java applets
Details:
It was discovered that multiple flaws existed in the CORBA (Common
Object Request Broker Architecture) implementation in OpenJDK. An
attacker could create a Java application or applet that used these
flaws to bypass Java sandbox restrictions or modify immutable object
data. (CVE-2012-1711, CVE-2012-1719)
It was discovered that multiple flaws existed in the OpenJDK font
manager's layout lookup implementation. A attacker could specially
craft a font file that could cause a denial of service through
crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
code. (CVE-2012-1713)
It was discovered that the SynthLookAndFeel class from Swing in
OpenJDK did not properly prevent access to certain UI elements
from outside the current application context. An attacker could
create a Java application or applet that used this flaw to cause a
denial of service through crashing the JVM or bypass Java sandbox
restrictions. (CVE-2012-1716)
It was discovered that OpenJDK runtime library classes could create
temporary files with insecure permissions. A local attacker could
use this to gain access to sensitive information. (CVE-2012-1717)
It was discovered that OpenJDK did not handle CRLs (Certificate
Revocation Lists) properly. A remote attacker could use this to gain
access to sensitive information. (CVE-2012-1718)
It was discovered that the OpenJDK HotSpot Virtual Machine did not
properly verify the bytecode of the class to be executed. A remote
attacker could create a Java application or applet that used this
to cause a denial of service through crashing the JVM or bypass Java
sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)
It was discovered that the OpenJDK XML (Extensible Markup Language)
parser did not properly handle some XML documents. An attacker could
create an XML document that caused a denial of service in a Java
application or applet parsing the document. (CVE-2012-1724)
As part of this update, the IcedTea web browser applet plugin was
updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
openjdk-6-jre 6b24-1.11.3-1ubuntu0.12.04.1
Ubuntu 11.10:
icedtea-6-plugin 1.2-2ubuntu0.11.10.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.11.10.1
Ubuntu 11.04:
icedtea-6-plugin 1.2-2ubuntu0.11.04.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.11.04.1
Ubuntu 10.04 LTS:
icedtea-6-plugin 1.2-2ubuntu0.10.04.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.10.04.1
This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1505-1
CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724,
CVE-2012-1725
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.10.04.1
Ubuntu Security Notice USN-1505-1
July 13, 2012
icedtea-web, openjdk-6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK 6.
Software Description:
- openjdk-6: Open Source Java implementation
- icedtea-web: A web browser plugin to execute Java applets
Details:
It was discovered that multiple flaws existed in the CORBA (Common
Object Request Broker Architecture) implementation in OpenJDK. An
attacker could create a Java application or applet that used these
flaws to bypass Java sandbox restrictions or modify immutable object
data. (CVE-2012-1711, CVE-2012-1719)
It was discovered that multiple flaws existed in the OpenJDK font
manager's layout lookup implementation. A attacker could specially
craft a font file that could cause a denial of service through
crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
code. (CVE-2012-1713)
It was discovered that the SynthLookAndFeel class from Swing in
OpenJDK did not properly prevent access to certain UI elements
from outside the current application context. An attacker could
create a Java application or applet that used this flaw to cause a
denial of service through crashing the JVM or bypass Java sandbox
restrictions. (CVE-2012-1716)
It was discovered that OpenJDK runtime library classes could create
temporary files with insecure permissions. A local attacker could
use this to gain access to sensitive information. (CVE-2012-1717)
It was discovered that OpenJDK did not handle CRLs (Certificate
Revocation Lists) properly. A remote attacker could use this to gain
access to sensitive information. (CVE-2012-1718)
It was discovered that the OpenJDK HotSpot Virtual Machine did not
properly verify the bytecode of the class to be executed. A remote
attacker could create a Java application or applet that used this
to cause a denial of service through crashing the JVM or bypass Java
sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)
It was discovered that the OpenJDK XML (Extensible Markup Language)
parser did not properly handle some XML documents. An attacker could
create an XML document that caused a denial of service in a Java
application or applet parsing the document. (CVE-2012-1724)
As part of this update, the IcedTea web browser applet plugin was
updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
openjdk-6-jre 6b24-1.11.3-1ubuntu0.12.04.1
Ubuntu 11.10:
icedtea-6-plugin 1.2-2ubuntu0.11.10.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.11.10.1
Ubuntu 11.04:
icedtea-6-plugin 1.2-2ubuntu0.11.04.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.11.04.1
Ubuntu 10.04 LTS:
icedtea-6-plugin 1.2-2ubuntu0.10.04.1
openjdk-6-jre 6b24-1.11.3-1ubuntu0.10.04.1
This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1505-1
CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724,
CVE-2012-1725
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.10.04.1
[USN-1506-1] Puppet vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1506-1
July 12, 2012
puppet vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Puppet.
Software Description:
- puppet: Centralized configuration management
Details:
It was discovered that Puppet incorrectly handled certain HTTP GET
requests. An attacker could use this flaw with a valid client certificate
to retrieve arbitrary files from the Puppet master. (CVE-2012-3864)
It was discovered that Puppet incorrectly handled Delete requests. If a
Puppet master were reconfigured to allow the "Delete" method, an attacker
on an authenticated host could use this flaw to delete arbitrary files from
the Puppet server, leading to a denial of service. (CVE-2012-3865)
It was discovered that Puppet incorrectly set file permissions on the
last_run_report.yaml file. An attacker could use this flaw to access
sensitive information. This issue only affected Ubuntu 11.10 and Ubuntu
12.04 LTS. (CVE-2012-3866)
It was discovered that Puppet incorrectly handled agent certificate names.
An attacker could use this flaw to create a specially crafted certificate
and trick an administrator into signing a certificate that can then be used
to man-in-the-middle agent nodes. (CVE-2012-3867)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
puppet-common 2.7.11-1ubuntu2.1
Ubuntu 11.10:
puppet-common 2.7.1-1ubuntu3.7
Ubuntu 11.04:
puppet-common 2.6.4-2ubuntu2.10
Ubuntu 10.04 LTS:
puppet-common 0.25.4-2ubuntu6.8
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1506-1
CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867
Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.7.11-1ubuntu2.1
https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.7
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.10
https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.8
Ubuntu Security Notice USN-1506-1
July 12, 2012
puppet vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Puppet.
Software Description:
- puppet: Centralized configuration management
Details:
It was discovered that Puppet incorrectly handled certain HTTP GET
requests. An attacker could use this flaw with a valid client certificate
to retrieve arbitrary files from the Puppet master. (CVE-2012-3864)
It was discovered that Puppet incorrectly handled Delete requests. If a
Puppet master were reconfigured to allow the "Delete" method, an attacker
on an authenticated host could use this flaw to delete arbitrary files from
the Puppet server, leading to a denial of service. (CVE-2012-3865)
It was discovered that Puppet incorrectly set file permissions on the
last_run_report.yaml file. An attacker could use this flaw to access
sensitive information. This issue only affected Ubuntu 11.10 and Ubuntu
12.04 LTS. (CVE-2012-3866)
It was discovered that Puppet incorrectly handled agent certificate names.
An attacker could use this flaw to create a specially crafted certificate
and trick an administrator into signing a certificate that can then be used
to man-in-the-middle agent nodes. (CVE-2012-3867)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
puppet-common 2.7.11-1ubuntu2.1
Ubuntu 11.10:
puppet-common 2.7.1-1ubuntu3.7
Ubuntu 11.04:
puppet-common 2.6.4-2ubuntu2.10
Ubuntu 10.04 LTS:
puppet-common 0.25.4-2ubuntu6.8
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1506-1
CVE-2012-3864, CVE-2012-3865, CVE-2012-3866, CVE-2012-3867
Package Information:
https://launchpad.net/ubuntu/+source/puppet/2.7.11-1ubuntu2.1
https://launchpad.net/ubuntu/+source/puppet/2.7.1-1ubuntu3.7
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.10
https://launchpad.net/ubuntu/+source/puppet/0.25.4-2ubuntu6.8
Wednesday, July 11, 2012
[USN-1504-1] Qt vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1504-1
July 11, 2012
qt4-x11 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Qt Applications could be made to crash or run programs as your login if
they opened specially crafted files.
Software Description:
- qt4-x11: transitional package for Qt 4 assistant module
Details:
It was discovered that Qt did not properly handle wildcard domain names or
IP addresses in the Common Name field of X.509 certificates. An attacker
could exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-5076)
A heap-based buffer overflow was discovered in the HarfBuzz module. If a
user were tricked into opening a crafted font file in a Qt application,
an attacker could cause a denial of service or possibly execute arbitrary
code with the privileges of the user invoking the program. (CVE-2011-3193)
It was discovered that Qt did not properly handle greyscale TIFF images.
If a Qt application could be made to process a crafted TIFF file, an
attacker could cause a denial of service. (CVE-2011-3194)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libqt4-network 4:4.7.2-0ubuntu6.4
libqtgui4 4:4.7.2-0ubuntu6.4
Ubuntu 10.04 LTS:
libqt4-network 4:4.6.2-0ubuntu5.4
libqtgui4 4:4.6.2-0ubuntu5.4
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1504-1
CVE-2010-5076, CVE-2011-3193, CVE-2011-3194
Package Information:
https://launchpad.net/ubuntu/+source/qt4-x11/4:4.7.2-0ubuntu6.4
https://launchpad.net/ubuntu/+source/qt4-x11/4:4.6.2-0ubuntu5.4
Ubuntu Security Notice USN-1504-1
July 11, 2012
qt4-x11 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Qt Applications could be made to crash or run programs as your login if
they opened specially crafted files.
Software Description:
- qt4-x11: transitional package for Qt 4 assistant module
Details:
It was discovered that Qt did not properly handle wildcard domain names or
IP addresses in the Common Name field of X.509 certificates. An attacker
could exploit this to perform a man in the middle attack to view sensitive
information or alter encrypted communications. This issue only affected
Ubuntu 10.04 LTS. (CVE-2010-5076)
A heap-based buffer overflow was discovered in the HarfBuzz module. If a
user were tricked into opening a crafted font file in a Qt application,
an attacker could cause a denial of service or possibly execute arbitrary
code with the privileges of the user invoking the program. (CVE-2011-3193)
It was discovered that Qt did not properly handle greyscale TIFF images.
If a Qt application could be made to process a crafted TIFF file, an
attacker could cause a denial of service. (CVE-2011-3194)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libqt4-network 4:4.7.2-0ubuntu6.4
libqtgui4 4:4.7.2-0ubuntu6.4
Ubuntu 10.04 LTS:
libqt4-network 4:4.6.2-0ubuntu5.4
libqtgui4 4:4.6.2-0ubuntu5.4
After a standard system update you need to restart your session to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1504-1
CVE-2010-5076, CVE-2011-3193, CVE-2011-3194
Package Information:
https://launchpad.net/ubuntu/+source/qt4-x11/4:4.7.2-0ubuntu6.4
https://launchpad.net/ubuntu/+source/qt4-x11/4:4.6.2-0ubuntu5.4
Subscribe to:
Posts (Atom)