Friday, September 25, 2015

[USN-2746-2] Simple Streams regression

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWBZWpAAoJEGVp2FWnRL6T8UYP/jqBgr2F0YNUyOi2LcFaRxQS
P96viX4Mxf/zoEamm/woQpseNFk3q9NJ6XzbJqcvBiznWalcOufe1FE57UB711RH
j8G6pMwEHgDDBUY7F8acLSEIMrdRlsuElB1kMdAccLp6r3BpOvXG/1Wg7cIjjBjC
uXqQ33d9DxB/9fYlJUDjBQGtdhRodY59tjok1zDZzLzhF4fK2pVK1TghAz0i26oN
M87IMZLIdqpDb6MpSN6kvBWS/f+a3mOwEF50RMs5woYKluUD7PGTmQP9eljk6MJR
BRGXaEg5p+SQzpIsatWgnTdGq6zHWM6a812GlaOzzLdvGYeA3T7aIaph1NQsyXUu
glN8OFbfVdcjls9UST7s7cRqX0WYnWme5B2ySRxeR7jTMJ9wn9qu7Q8ZDY3+g2yQ
k5y3rGu+FputdYL8pOODmrWWTUPcm+iaUI75uXkAq/xEyM7xA6non79O1dbT2Nh4
U1QdkAday7UAeVzMaaiMWRsnusoL5vyHfMideFi+B6DPxkHgeGbbhbCCgncGjbNx
z97hHSuuVxkeOiAJxfBscahrNX13tkAMmKDimbjkziVLkHHpXGYE5V4WGrvZEoBo
qqZLD3nizvEkdGJC7CJH4mN7vjJhY/GFcAipUss6ObfvWsxO3nYdyaaH4as5Zwz/
WYhT/zilBYDgawdUpQDb
=aJxb
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-2746-2
September 25, 2015

simplestreams regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS

Summary:

USN-2746-1 introduced a regression in Simple Streams.

Software Description:
- simplestreams: Library and tools for using Simple Streams data

Details:

USN-2746-1 fixed a vulnerability in Simple Streams. The update caused a
regression preventing MAAS from downloading PXE images. This update fixes
the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that Simple Streams did not properly perform gpg
verification in some situations. A remote attacker could use this to
perform a man-in-the-middle attack and inject malicious content into
the stream.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
python-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
python-simplestreams-openstack 0.1.0~bzr354-0ubuntu1.15.04.2
python3-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2

Ubuntu 14.04 LTS:
python-simplestreams 0.1.0~bzr341-0ubuntu2.3
python-simplestreams-openstack 0.1.0~bzr341-0ubuntu2.3
python3-simplestreams 0.1.0~bzr341-0ubuntu2.3
simplestreams 0.1.0~bzr341-0ubuntu2.3

After a standard system update you need to restart any services that
make use of python-simplestreams or python3-simplestreams to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2746-2
http://www.ubuntu.com/usn/usn-2746-1
https://launchpad.net/bugs/1499749

Package Information:
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr354-0ubuntu1.15.04.2
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr341-0ubuntu2.3

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)