Thursday, February 28, 2013
[USN-1729-2] Firefox regression
==========================================================================
Ubuntu Security Notice USN-1729-2
March 01, 2013
firefox regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Due to a regression, Firefox might crash or freeze under normal use.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
USN-1729-1 fixed vulnerabilities in Firefox. This update introduced a
regression which sometimes resulted in freezes and crashes when using
multiple tabs with images displayed. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Firefox. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash.
(CVE-2013-0783, CVE-2013-0784)
Atte Kettunen discovered that Firefox could perform an out-of-bounds read
while rendering GIF format images. An attacker could exploit this to crash
Firefox. (CVE-2013-0772)
Boris Zbarsky discovered that Firefox did not properly handle some wrapped
WebIDL objects. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2013-0765)
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page, a remote attacker could exploit this to bypass security
protections to obtain sensitive information or potentially execute code
with the privileges of the user invoking Firefox. (CVE-2013-0773)
Frederik Braun discovered that Firefox made the location of the active
browser profile available to JavaScript workers. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Firefox. An attacker could
potentially exploit this to execute code with the privileges of the user
invoking Firefox. (CVE-2013-0775)
Michal Zalewski discovered that Firefox would not always show the correct
address when cancelling a proxy authentication prompt. A remote attacker
could exploit this to conduct URL spoofing and phishing attacks.
(CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Firefox. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
firefox 19.0+build1-0ubuntu0.12.10.2
Ubuntu 12.04 LTS:
firefox 19.0+build1-0ubuntu0.12.04.2
Ubuntu 11.10:
firefox 19.0+build1-0ubuntu0.11.10.2
After a standard system update you need to restart Firefox to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1729-2
http://www.ubuntu.com/usn/usn-1729-1
https://launchpad.net/bugs/1134409
Package Information:
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.11.10.2
[CentOS-announce] CESA-2013:0581 Moderate CentOS 5 libxml2 Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2013-0581.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
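As an added example (not part of the announcement and not CentOS project code), a checker that parses the "( sha256sum Filename )" list format used in the announcement above and verifies downloaded RPMs against it, reporting missing and mismatched files before they are installed. The announcement text and package contents in the demo are constructed.

```python
"""Verify downloaded RPMs against the "( sha256sum Filename )" list of a
CentOS-announce message. Added example, not CentOS project code; the
announcement text and files used in demo() are constructed."""
import hashlib
import os
import re
import tempfile

# One "hash filename" line per package; headings such as "i386:" are skipped.
_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+\.rpm)$")


def parse_announcement(text):
    """Return {filename: sha256} from the announcement's hash list.

    A mirror listing may repeat the same i386 package under both the i386:
    and x86_64: headings; identical duplicates collapse, while two different
    hashes for one filename are treated as an error.
    """
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        digest, name = m.groups()
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting hashes listed for {name}")
        expected[name] = digest
    return expected


def sha256_file(path):
    """Stream the file through SHA-256 so large RPMs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(announcement, directory):
    """Return {filename: "ok" | "mismatch" | "missing"} for every listed file."""
    results = {}
    for name, digest in parse_announcement(announcement).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Build a constructed download directory and announcement, then verify.

    One listed file is tampered with after the hashes were recorded and one
    is never downloaded, so the result shows all three outcomes.
    """
    d = tempfile.mkdtemp()
    good = os.path.join(d, "libxml2-2.6.26-2.1.21.el5_9.1.i386.rpm")
    bad = os.path.join(d, "libxml2-devel-2.6.26-2.1.21.el5_9.1.i386.rpm")
    with open(good, "wb") as f:
        f.write(b"constructed rpm payload A")
    with open(bad, "wb") as f:
        f.write(b"constructed rpm payload B")
    good_digest = sha256_file(good)
    bad_digest = sha256_file(bad)
    announcement = (
        "The following updated files have been uploaded and are currently\n"
        "syncing to the mirrors: ( sha256sum Filename )\n"
        "i386:\n"
        f"{good_digest} libxml2-2.6.26-2.1.21.el5_9.1.i386.rpm\n"
        f"{bad_digest} libxml2-devel-2.6.26-2.1.21.el5_9.1.i386.rpm\n"
        "x86_64:\n"
        f"{good_digest} libxml2-2.6.26-2.1.21.el5_9.1.i386.rpm\n"
        f"{'0' * 64} libxml2-2.6.26-2.1.21.el5_9.1.x86_64.rpm\n"
    )
    # Simulate a modified file arriving after the announcement was published.
    with open(bad, "ab") as f:
        f.write(b" tampered")
    return verify_downloads(announcement, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```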
[CentOS-announce] CEBA-2013:0575 CentOS 5 libvirt Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0575.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
[CentOS-announce] CESA-2013:0568 Important CentOS 5 dbus-glib Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2013-0568.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
[USN-1732-2] OpenSSL regression
==========================================================================
Ubuntu Security Notice USN-1732-2
February 28, 2013
openssl regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
Summary:
USN-1732-1 introduced a regression in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0166 and
CVE-2012-2686 introduced a regression causing decryption failures on
hardware supporting AES-NI. This update temporarily reverts the security
fix pending further investigation. We apologize for the inconvenience.
Original advisory details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.2
openssl 1.0.1c-3ubuntu2.2
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.7
openssl 1.0.1-4ubuntu5.7
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1732-2
http://www.ubuntu.com/usn/usn-1732-1
https://launchpad.net/bugs/1133333
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.7
[USN-1754-1] Sudo vulnerability
==========================================================================
Ubuntu Security Notice USN-1754-1
February 28, 2013
sudo vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Sudo could be made to run programs as the administrator without a password
prompt.
Software Description:
- sudo: Provide limited super user privileges to specific users
Details:
Marco Schoepl discovered that Sudo incorrectly handled time stamp files
when the system clock is set to epoch. A local attacker could use this
issue to run Sudo commands without a password prompt.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
sudo 1.8.5p2-1ubuntu1.1
sudo-ldap 1.8.5p2-1ubuntu1.1
Ubuntu 12.04 LTS:
sudo 1.8.3p1-1ubuntu3.4
sudo-ldap 1.8.3p1-1ubuntu3.4
Ubuntu 11.10:
sudo 1.7.4p6-1ubuntu2.2
sudo-ldap 1.7.4p6-1ubuntu2.2
Ubuntu 10.04 LTS:
sudo 1.7.2p1-1ubuntu5.6
sudo-ldap 1.7.2p1-1ubuntu5.6
Ubuntu 8.04 LTS:
sudo 1.6.9p10-1ubuntu3.10
sudo-ldap 1.6.9p10-1ubuntu3.10
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1754-1
CVE-2013-1775
Package Information:
https://launchpad.net/ubuntu/+source/sudo/1.8.5p2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.4
https://launchpad.net/ubuntu/+source/sudo/1.7.4p6-1ubuntu2.2
https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.6
https://launchpad.net/ubuntu/+source/sudo/1.6.9p10-1ubuntu3.10
Wednesday, February 27, 2013
Maintainers wanted for packages from 2013-02-27 FESCo Meeting
At today's FESCo meeting there were two tickets which had the end result
of needing to have new maintainers and comaintainers for some packages:
== https://fedorahosted.org/fesco/ticket/1028 ==
tor package was reassigned to a new maintainer. Former maintainer dropped
ownership of his other packages. Those are now orphaned and in need of a
new owner. Note to potential new maintainers: although not mandatory, you
may want to open an optional re-review request, as the spec files for some
of these may be very out of sync with the current Fedora Packaging Guidelines.
* clamav
* dhcp-forwarder
* fedora-usermgmt (epel branches still owned by ensc)
* gif2png
* hunt
* ip-sentinel
* kismet
* libextractor
* libtasn1
* milter-greylist
* mimetic
* util-vserver
* x11-ssh-askpass
* xmlrpc-c
* dietlibc (devel is still owned by ensc but maybe that was an oversight)
== https://fedorahosted.org/fesco/ticket/1091 ==
Non-Responsive Maintainer ticket for mediawiki. The mediawiki package was
assigned a new maintainer due to nonresponse. The former owner owns other
packages as well. FESCo asks that comaintainers be solicited for these
packages. If the package maintainer is nonresponsive for more packages,
consider performing the Mass Orphaning clause of the Nonresponsive
Maintainers Policy:
http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers#Notes_for_Mass_Orphaning
* apt -- Debian's Advanced Packaging Tool with RPM support
* arpack -- Fortran77 subroutines for solving large scale eigenvalue problems
* chrpath -- Modify rpath of compiled programs
* fail2ban -- Ban IPs that make too many password failures
* fakechroot -- Gives a fake chroot environment
* fakeroot -- Gives a fake root environment
* fedora-package-config-apt -- Fedora configuration files for the apt-rpm package manager
* fedora-package-config-smart -- Fedora configuration files for the Smart package manager
* freenx-client -- Free client libraries and binaries for the NX protocol
* freenx-server -- Free Software (GPL) Implementation of the NX Server
* greylistd -- Greylisting daemon
* ivtv-firmware -- Firmware for the Hauppauge PVR 250/350/150/500/USB2 model series
* ivtv-utils -- Tools for the iTVC15/16 and CX23415/16 driver
* libcdaudio -- Control operation of a CD-ROM when playing audio CDs
* maildrop -- Mail delivery agent with filtering abilities
* mediawiki-openid -- The OpenID extension for MediaWiki
* nx -- Proxy system for X11
* perl-Text-CharWidth -- Get number of occupied columns of a string on terminal
* perl-Text-WrapI18N -- Line wrapping with support for several locale setups
* php-pear-Auth-OpenID -- PHP OpenID
* po4a -- A tool maintaining translations anywhere
* smart -- Next generation package handling tool
* synaptic -- Graphical frontend for APT package manager.
* vtk -- The Visualization Toolkit - A high level 3D visualization library
* vtkdata -- Example data file for VTK
Please let FESCo know via a ticket if you need any help becoming a comaintainer
because the owner is nonresponsive.
Thanks,
Toshio
[USN-1753-1] DBus-GLib vulnerability
==========================================================================
Ubuntu Security Notice USN-1753-1
February 27, 2013
dbus-glib vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send crafted input to applications using DBus-GLib and
possibly escalate privileges.
Software Description:
- dbus-glib: simple interprocess messaging system
Details:
Sebastian Krahmer and Bastien Nocera discovered that DBus-GLib did not
properly validate the message sender when the "NameOwnerChanged" signal was
received. A local attacker could possibly use this issue to escalate their
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libdbus-glib-1-2 0.100-1ubuntu0.1
Ubuntu 12.04 LTS:
libdbus-glib-1-2 0.98-1ubuntu1.1
Ubuntu 11.10:
libdbus-glib-1-2 0.94-4ubuntu0.1
Ubuntu 10.04 LTS:
libdbus-glib-1-2 0.84-1ubuntu0.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1753-1
CVE-2013-0292
Package Information:
https://launchpad.net/ubuntu/+source/dbus-glib/0.100-1ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.98-1ubuntu1.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.94-4ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.84-1ubuntu0.3
[USN-1752-1] GnuTLS vulnerability
==========================================================================
Ubuntu Security Notice USN-1752-1
February 27, 2013
gnutls13, gnutls26 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
GnuTLS could be made to expose sensitive information over the network.
Software Description:
- gnutls26: GNU TLS library
- gnutls13: GNU TLS library
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in GnuTLS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libgnutls26 2.12.14-5ubuntu4.2
Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.2
Ubuntu 11.10:
libgnutls26 2.10.5-1ubuntu3.3
Ubuntu 10.04 LTS:
libgnutls26 2.8.5-2ubuntu0.3
Ubuntu 8.04 LTS:
libgnutls13 2.0.4-1ubuntu2.9
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1752-1
CVE-2013-1619
Package Information:
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.2
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.2
https://launchpad.net/ubuntu/+source/gnutls26/2.10.5-1ubuntu3.3
https://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.3
https://launchpad.net/ubuntu/+source/gnutls13/2.0.4-1ubuntu2.9
[USN-1751-1] Linux kernel (OMAP4) vulnerability
==========================================================================
Ubuntu Security Notice USN-1751-1
February 27, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Mathias Krause discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.29
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1751-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.29
Tuesday, February 26, 2013
[opensuse-announce] Notification of removal of GNOME:Apps SLE_11_SP1
about a week.
Please switch to GNOME:Apps SLE_11_SP2 for continued use of GNOME:Apps
on SUSE SLED/S.
We are doing this to save build power and HD space on our beloved OBS
service.
On behalf of your friendly Gnome maintainers,
Zaitor / Bjørn Lie
--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org
[FreeBSD-Announce] FreeBSD Foundation Announces Newly Funded Project!
The FreeBSD Foundation is pleased to announce that Semihalf, an
embedded solutions company, has been awarded a grant to develop
transparent superpages support for the FreeBSD/arm architecture.
Semihalf is co-sponsoring the project with the foundation.
The ARM architecture is already common in the mobile and embedded
markets, and is becoming more prevalent in the server market. Among
the more interesting industry trends emerging recently is the 64-bit
ARMv8 architecture, which is emerging as an "ARM server" concept. Many
top tier companies have started developing systems or are announcing
products with this architecture.
One of the features needed for FreeBSD to be successful in this area
is transparent super pages. This provides improved performance and
scalability by allowing TLB translations to dynamically cover large
physical memory regions.
The project is expected to complete in mid July 2013.
The FreeBSD Foundation
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
[USN-1750-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1750-1
February 26, 2013
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.39
linux-image-3.5.0-25-highbank 3.5.0-25.39
linux-image-3.5.0-25-omap 3.5.0-25.39
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.39
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.39
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1750-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.39
[CentOS-announce] CEBA-2013:0559 CentOS 5 rgmanager Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0559.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
10d6ad046b53a8e55920ddb5ea4c34f09e9405250143d716021da5004b22a856 rgmanager-2.0.52-37.el5.centos.1.i386.rpm
x86_64:
cf91e9ffdc1ab8ae24a7dfba2216ccce1be18f478f472a413999aade839cec47 rgmanager-2.0.52-37.el5.centos.1.x86_64.rpm
Source:
09f520aaea478ed93c8845aceb98b3b8f3432c5a96e5fc80cbb27faecb6f7e80 rgmanager-2.0.52-37.el5.centos.1.src.rpm
[CentOS-announce] CEBA-2013:0558 CentOS 5 rpm Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0558.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
[USN-1749-1] Linux kernel (Quantal HWE) vulnerability
==========================================================================
Ubuntu Security Notice USN-1749-1
February 26, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.39~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1749-1
CVE-2013-1763
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.39~precise1
Monday, February 25, 2013
[USN-1748-1] Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1748-1
February 25, 2013
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page and had scripting enabled, a remote attacker could exploit
this to bypass security protections to obtain sensitive information or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0773)
Frederik Braun discovered that Thunderbird made the location of the active
browser profile available to JavaScript workers. Scripting for Thunderbird
is disabled by default in Ubuntu. (CVE-2013-0774)
A use-after-free vulnerability was discovered in Thunderbird. An attacker
could potentially exploit this to execute code with the privileges of the
user invoking Thunderbird if scripting were enabled. (CVE-2013-0775)
Michal Zalewski discovered that Thunderbird would not always show the
correct address when cancelling a proxy authentication prompt. A remote
attacker could exploit this to conduct URL spoofing and phishing attacks
if scripting were enabled. (CVE-2013-0776)
Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)
Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Thunderbird. If a user
had scripting enabled and was tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of service
via application crash. (CVE-2013-0783, CVE-2013-0784)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
thunderbird 17.0.3+build1-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
thunderbird 17.0.3+build1-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Thunderbird to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1748-1
CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776,
CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784,
https://launchpad.net/bugs/1131110
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.10.04.1
Planned Outage: Host reboots - 2013-02-27 22:00 UTC
Outage: Host reboots - 2013-02-27 22:00 UTC
There will be an outage starting at 2013-02-27 22:00 UTC, which will
last approximately 3 hours.
To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:
date -d '2013-02-27 22:00 UTC'
Reason for outage:
We will be rebooting servers to pick up the latest updates. During the
outage window only particular services will be down at any given time,
while their hosts are rebooted, so each individual service outage should
be short.
Affected Services:
Ask Fedora - http://ask.fedoraproject.org/
BFO - http://boot.fedoraproject.org/
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora People - http://fedorapeople.org/
Main Website - http://fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
Package Database - https://admin.fedoraproject.org/pkgdb/
Secondary Architectures
Torrent - http://torrent.fedoraproject.org/
Wiki - http://fedoraproject.org/wiki/
Unaffected Services:
Docs - http://docs.fedoraproject.org/
Spins - http://spins.fedoraproject.org/
Start - http://start.fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
QA Services
Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/3681
Contact Information:
Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.
[USN-1747-1] Transmission vulnerability
==========================================================================
Ubuntu Security Notice USN-1747-1
February 25, 2013
transmission vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
Summary:
Transmission could be made to crash or run programs if it received
specially crafted network traffic.
Software Description:
- transmission: lightweight BitTorrent client
Details:
It was discovered that Transmission incorrectly handled certain Micro
Transport Protocol (µTP) packets. A remote attacker could use this issue
to cause a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
transmission-common 2.61-0ubuntu2.2
Ubuntu 12.04 LTS:
transmission-common 2.51-0ubuntu1.3
Ubuntu 11.10:
transmission-common 2.33-0ubuntu2.1
After a standard system update you need to restart Transmission to make all
the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1747-1
CVE-2012-6129
Package Information:
https://launchpad.net/ubuntu/+source/transmission/2.61-0ubuntu2.2
https://launchpad.net/ubuntu/+source/transmission/2.51-0ubuntu1.3
https://launchpad.net/ubuntu/+source/transmission/2.33-0ubuntu2.1
[USN-1746-1] Pidgin vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1746-1
February 25, 2013
pidgin vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Pidgin.
Software Description:
- pidgin: graphical multi-protocol instant messaging client for X
Details:
Chris Wysopal discovered that Pidgin incorrectly handled file transfers in
the MXit protocol handler. A remote attacker could use this issue to create
or overwrite arbitrary files. This issue only affected Ubuntu 11.10,
Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2013-0271)
It was discovered that Pidgin incorrectly handled long HTTP headers in the
MXit protocol handler. A malicious remote server could use this issue to
execute arbitrary code. (CVE-2013-0272)
It was discovered that Pidgin incorrectly handled long user IDs in the
Sametime protocol handler. A malicious remote server could use this issue
to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-0273)
It was discovered that Pidgin incorrectly handled long strings when
processing UPnP responses. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2013-0274)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.2
pidgin 1:2.10.6-0ubuntu2.2
Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.3
pidgin 1:2.10.3-0ubuntu1.3
Ubuntu 11.10:
libpurple0 1:2.10.0-0ubuntu2.2
pidgin 1:2.10.0-0ubuntu2.2
Ubuntu 10.04 LTS:
libpurple0 1:2.6.6-1ubuntu4.6
pidgin 1:2.6.6-1ubuntu4.6
After a standard system update you need to restart Pidgin to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1746-1
CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.6
Sunday, February 24, 2013
[Guidelines Change] Changes to the Packaging Guidelines
---
The Packaging Guidelines covering Desktop files have been amended to say
that for Fedora 19 and beyond, the vendor tag must not be used. If it
was being used in a previous release, it may continue to be used for
that previous release, but must be removed in Fedora 19. New packages
must not add the vendor tag for any release. Packagers are reminded that
they must not change the name of the desktop file in a stable Fedora
release.
https://fedoraproject.org/wiki/Packaging:Guidelines#desktop-file-install_usage
---
The Ruby Guidelines have been updated to prepare for JRuby integration
in Fedora (and new macros to assist in this).
https://fedoraproject.org/wiki/Packaging:Ruby
---
The Java Guidelines have been changed to reflect BuildRequires:
maven-local (instead of maven).
https://fedoraproject.org/wiki/Packaging:Java#maven_3
---
These guideline changes were approved by the Fedora Packaging
Committee (FPC).
Many thanks to Bohuslav Kabrda, Parag Nemade, Stanislav Ochotnicky, and
all of the members of the FPC, for assisting in drafting, refining, and
passing these guidelines.
As a reminder: The Fedora Packaging Guidelines are living documents! If
you find something missing, incorrect, or in need of revision, you can
suggest a draft change. The procedure for this is documented here:
https://fedoraproject.org/wiki/Packaging/Committee#GuidelineChangeProcedure
Thanks,
~tom
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Saturday, February 23, 2013
Updated Debian 6.0: 6.0.7 released
The Debian Project http://www.debian.org/
Updated Debian 6.0: 6.0.7 released press@debian.org
February 23rd, 2013 http://www.debian.org/News/2013/20130223
------------------------------------------------------------------------
The Debian project is pleased to announce the seventh update of its
stable distribution Debian 6.0 (codename "squeeze"). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems. Security advisories were already
published separately and are referenced where available.
Please note that this update does not constitute a new version of Debian
6.0 but only updates some of the packages included. There is no need to
throw away 6.0 CDs or DVDs but only to update via an up-to-date Debian
mirror after an installation, to cause any out of date packages to be
updated.
Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.
New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.
Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:
http://www.debian.org/mirror/list
Miscellaneous Bugfixes
----------------------
This stable update adds a few important corrections to the following
packages:
Package                                Reason
apt-show-versions                      Fix detection of squeeze-updates and squeeze; update official distribution list
base-files                             Update for the point release
bcron                                  Don't allow jobs access to other jobs' temporary files
bind9                                  Update IP for "D" root server
bugzilla                               Add dependency on liburi-perl, used during package configuration
choose-mirror                          Update URL for master mirror list
clamav                                 New upstream version
claws-mail                             Fix NULL pointer dereference
clive                                  Adapt for youtube.com changes
cups                                   Ship cups-files.conf's manpage
dbus                                   Avoid code execution in setuid/setgid binaries
dbus-glib                              Fix authentication bypass through insufficient checks (CVE-2013-0292)
debian-installer                       Rebuild for 6.0.7
debian-installer-netboot-images        Rebuild against debian-installer 20110106+squeeze4+b3
dtach                                  Properly handle close request (CVE-2012-3368)
ettercap                               Fix hosts list parsing (CVE-2013-0722)
fglrx-driver                           Fix diversion-related issues with upgrades from lenny
flashplugin-nonfree                    Use gpg --verify
fusionforge                            Lenny to squeeze upgrade fix
gmime2.2                               Add Conflicts: libgmime2.2-cil to fix upgrades from lenny
gzip                                   Avoid using memcpy on overlapping regions
ia32-libs                              Update included packages from stable / security.d.o
ia32-libs-core                         Update included packages from stable / security.d.o
kfreebsd-8                             Fix CVE-2012-4576: memory access without proper validation in linux compat system
libbusiness-onlinepayment-ippay-perl   Backport changes to IPPay gateway's server name and path
libproc-processtable-perl              Fix unsafe temporary file usage (CVE-2011-4363)
libzorpll                              Add missing Breaks/Replaces: libzorp2-dev to libzorpll-dev
linux-2.6                              Update to stable release 2.6.32.60. Backport hpsa, isci and megaraid_sas driver updates. Fix r8169 hangs
linux-kernel-di-amd64-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-armel-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-i386-2.6               Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-ia64-2.6               Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mips-2.6               Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mipsel-2.6             Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-powerpc-2.6            Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-s390-2.6               Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-sparc-2.6              Rebuild against linux-2.6 2.6.32-48
magpierss                              Fix upgrade issue
maradns                                Fix CVE-2012-1570 (deleted domain record cache persistence flaw)
mediawiki                              Prevent session fixation in Special:UserLogin (CVE-2012-5391); prevent linker regex from exceeding backtrack limit
moodle                                 Multiple security fixes
nautilus                               Add Breaks: samba-common (<< 2:3.5) to fix a lenny to squeeze upgrade issue
openldap                               Dump the database in prerm on upgrades to help upgrades to releases with newer libdb versions
openssh                                Improve DoS resistance (CVE-2010-5107)
pam-pgsql                              Fix issue with NULL passwords
pam-shield                             Correctly block IPs when allow_missing_dns is "no"
perl                                   Fix misparsing of maketext strings (CVE-2012-6329)
poppler                                Security fixes; CVE-2010-0206, CVE-2010-0207, CVE-2012-4653; fix GooString::insert, correctly initialise variables
portmidi                               Fix crash
postgresql-8.4                         New upstream micro-release
sdic                                   Move bzip2 from Suggests to Depends as it is used during installation
snack                                  Fix buffer overflow (CVE-2012-6303)
sphinx                                 Fix incompatibility with jQuery>=1.4
swath                                  Fix potential buffer overflow in Mule mode
swi-prolog                             Fix buffer overruns
ttf-ipafont                            Fix removal of alternatives
tzdata                                 New upstream version; fix DST for America/Bahia (Brazil)
unbound                                Update IP address hints for D.ROOT-SERVERS.NET
xen                                    Fix clock breakage
xnecview                               Fix FTBFS on armel
Security Updates
----------------
This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:
Advisory ID Package                 Correction(s)
DSA-2550    asterisk                Multiple issues
DSA-2551    isc-dhcp                Denial of service
DSA-2552    tiff                    Multiple issues
DSA-2553    iceweasel               Multiple issues
DSA-2554    iceape                  Multiple issues
DSA-2555    libxslt                 Multiple issues
DSA-2556    icedove                 Multiple issues
DSA-2557    hostapd                 Denial of service
DSA-2558    bacula                  Information disclosure
DSA-2559    libexif                 Multiple issues
DSA-2560    bind9                   Denial of service
DSA-2561    tiff                    Buffer overflow
DSA-2562    cups-pk-helper          Privilege escalation
DSA-2563    viewvc                  Multiple issues
DSA-2564    tinyproxy               Denial of service
DSA-2565    iceweasel               Multiple issues
DSA-2566    exim4                   Heap overflow
DSA-2567    request-tracker3.8      Multiple issues
DSA-2568    rtfm                    Privilege escalation
DSA-2569    icedove                 Multiple issues
DSA-2570    openoffice.org          Multiple issues
DSA-2571    libproxy                Buffer overflow
DSA-2572    iceape                  Multiple issues
DSA-2573    radsecproxy             SSL certificate verification weakness
DSA-2574    typo3-src               Multiple issues
DSA-2575    tiff                    Heap overflow
DSA-2576    trousers                Denial of service
DSA-2577    libssh                  Multiple issues
DSA-2578    rssh                    Multiple issues
DSA-2579    apache2                 Multiple issues
DSA-2580    libxml2                 Buffer overflow
DSA-2582    xen                     Denial of service
DSA-2583    iceweasel               Multiple issues
DSA-2584    iceape                  Multiple issues
DSA-2585    bogofilter              Heap-based buffer overflow
DSA-2586    perl                    Multiple issues
DSA-2587    libcgi-pm-perl          HTTP header injection
DSA-2588    icedove                 Multiple issues
DSA-2589    tiff                    Buffer overflow
DSA-2590    wireshark               Multiple issues
DSA-2591    mahara                  Multiple issues
DSA-2592    elinks                  Programming error
DSA-2593    moin                    Multiple issues
DSA-2594    virtualbox-ose          Programming error
DSA-2595    ghostscript             Buffer overflow
DSA-2596    mediawiki-extensions    Cross-site scripting in RSSReader extension
DSA-2597    rails                   Input validation error
DSA-2598    weechat                 Multiple issues
DSA-2599    nss                     Mis-issued intermediates
DSA-2600    cups                    Privilege escalation
DSA-2601    gnupg2                  Missing input sanitation
DSA-2601    gnupg                   Missing input sanitation
DSA-2602    zendframework           XML external entity inclusion
DSA-2603    emacs23                 Programming error
DSA-2604    rails                   Insufficient input validation
DSA-2605    asterisk                Multiple issues
DSA-2606    proftpd-dfsg            Symlink race
DSA-2607    qemu-kvm                Buffer overflow
DSA-2608    qemu                    Buffer overflow
DSA-2609    rails                   SQL query manipulation
DSA-2610    ganglia                 Remote code execution
DSA-2611    movabletype-opensource  Multiple issues
DSA-2612    ircd-ratbox             Remote crash
DSA-2613    rails                   Insufficient input validation
DSA-2614    libupnp                 Multiple issues
DSA-2615    libupnp4                Multiple issues
DSA-2616    nagios3                 Buffer overflow vulnerability
DSA-2617    samba                   Multiple issues
DSA-2618    ircd-hybrid             Denial of service
DSA-2619    xen-qemu-dm-4.0         Buffer overflow
DSA-2620    rails                   Multiple issues
DSA-2621    openssl                 Multiple issues
DSA-2622    polarssl                Multiple issues
DSA-2623    openconnect             Buffer overflow
DSA-2624    ffmpeg                  Multiple issues
DSA-2625    wireshark               Multiple issues
DSA-2626    lighttpd                Multiple issues
DSA-2627    nginx                   Information leak
Debian Installer
----------------
The installer has been rebuilt to include the fixes incorporated into
stable by the point release.
Removed packages
----------------
The following packages were removed due to circumstances beyond our
control:
Package Reason
elmerfem License problems (GPL + non-GPL)
URLs
----
The complete lists of packages that have changed with this revision:
http://ftp.debian.org/debian/dists/squeeze/ChangeLog
The current stable distribution:
http://ftp.debian.org/debian/dists/stable/
Proposed updates to the stable distribution:
http://ftp.debian.org/debian/dists/proposed-updates/
stable distribution information (release notes, errata etc.):
http://www.debian.org/releases/stable/
Security announcements and information:
http://security.debian.org/
About Debian
------------
The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.
Contact Information
-------------------
For further information, please visit the Debian web pages at
http://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Thursday, February 21, 2013
[USN-1745-1] Linux kernel (OMAP4) vulnerability
==========================================================================
Ubuntu Security Notice USN-1745-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.28
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1745-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.28
[USN-1744-1] Linux kernel vulnerability
==========================================================================
Ubuntu Security Notice USN-1744-1
February 22, 2013
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.38
linux-image-3.5.0-25-highbank 3.5.0-25.38
linux-image-3.5.0-25-omap 3.5.0-25.38
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.38
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1744-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.38
[USN-1743-1] Linux kernel (Quantal HWE) vulnerability
==========================================================================
Ubuntu Security Notice USN-1743-1
February 22, 2013
linux-lts-quantal vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.38~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1743-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.38~precise1
[USN-1742-1] Linux kernel (OMAP4) vulnerability
==========================================================================
Ubuntu Security Notice USN-1742-1
February 22, 2013
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to run programs as an administrator.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1426-omap4 3.2.0-1426.35
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1742-1
CVE-2013-0871
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1426.35
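Every USN above ends with the same instruction: the problem is corrected once the installed package reaches the listed version. Deciding whether a host actually meets that bar means comparing Debian-style version strings correctly, which a plain string or float comparison gets wrong (note the "~precise1" suffix in USN-1743-1, which dpkg sorts *before* the bare "3.5.0-25.38"). The script below is an added example, not code from Ubuntu, Debian or any of the notices; it reimplements dpkg's version ordering (epoch, then upstream, then revision; alternating non-digit and numeric runs; "~" sorts before anything, including the end of the string) so it runs without dpkg, and checks a package inventory against the fixed versions. FIXED_VERSIONS is copied from the Ubuntu 12.04 LTS rows of USN-1748-1, USN-1747-1, USN-1746-1 and USN-1743-1; SAMPLE_INVENTORY is a constructed listing in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` output, not captured from a real machine.

```python
"""Check installed Debian/Ubuntu package versions against an advisory's
fixed versions, using dpkg's version ordering. Added example; the
inventory below is constructed, not from a real host."""

DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's weight for one character of a non-numeric run: end of
    string and digits weigh 0, '~' less than that, letters their code
    point, any other punctuation after all letters."""
    if c == "" or c in DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character via _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, compare digit by digit, and let
        # the run with more remaining digits win.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Fixed versions for Ubuntu 12.04 LTS, taken from the USN notices above.
FIXED_VERSIONS = {
    "thunderbird": "17.0.3+build1-0ubuntu0.12.04.1",
    "transmission-common": "2.51-0ubuntu1.3",
    "libpurple0": "1:2.10.3-0ubuntu1.3",
    "pidgin": "1:2.10.3-0ubuntu1.3",
    "linux-image-3.5.0-25-generic": "3.5.0-25.38~precise1",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE_INVENTORY = """\
thunderbird 17.0.2+build1-0ubuntu0.12.04.1
transmission-common 2.51-0ubuntu1.3
libpurple0 1:2.10.3-0ubuntu1.2
pidgin 1:2.10.3-0ubuntu1.2
linux-image-3.5.0-25-generic 3.5.0-25.38~precise1
"""


def parse_inventory(text: str) -> dict:
    """Turn 'package version' lines into a {package: version} dict."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            inventory[name] = version.strip()
    return inventory


def find_unpatched(fixed: dict, installed: dict) -> dict:
    """Map each installed package still below its fixed version to
    (installed, fixed). Packages that are not installed are skipped."""
    unpatched = {}
    for pkg, fixed_version in fixed.items():
        current = installed.get(pkg)
        if current is not None and compare_versions(current, fixed_version) < 0:
            unpatched[pkg] = (current, fixed_version)
    return unpatched


if __name__ == "__main__":
    found = find_unpatched(FIXED_VERSIONS, parse_inventory(SAMPLE_INVENTORY))
    for pkg, (have, need) in sorted(found.items()):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Two caveats when using this against a real host. The fixed version differs per release (compare the 12.04 and 12.10 rows in any notice above), so the table must be the one for the host's release. And for the kernel notices an installed package at the fixed version is not sufficient: as each notice says, the machine must be rebooted, so the running kernel (`uname -r`) has to be compared as well.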