Planet


USN-1352-1: Software Properties vulnerability

2012/1/31 22:37:38 | Ubuntu security notices

Ubuntu Security Notice USN-1352-1
31st January, 2012

software-properties vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.10
  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

Software Properties could be tricked into installing arbitrary PPA GPG keys.

Software description

  • software-properties
    - manage the repositories that you install software from

Details

David Black discovered that Software Properties incorrectly validated
server certificates when performing secure connections to download PPA GPG
key fingerprints. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to install altered
package repository GPG keys.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  python-software-properties 0.81.13.3

Ubuntu 11.04:
  python-software-properties 0.80.9.1

Ubuntu 10.10:
  python-software-properties 0.76.7.1

Ubuntu 10.04 LTS:
  python-software-properties 0.75.10.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4407


USN-1351-1: AccountsService vulnerability

2012/1/31 22:37:38 | Ubuntu security notices

Ubuntu Security Notice USN-1351-1
31st January, 2012

accountsservice vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.10

Summary

AccountsService could be made to overwrite files as the administrator.

Software description

  • accountsservice
    - query and manipulate user account information

Details

Hayawardh Vijayakumar discovered that AccountsService incorrectly handled
privileges when modifying the language settings on Ubuntu. A local attacker
could exploit this issue to modify arbitrary files, and possibly create a
denial of service or obtain increased privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:
  accountsservice 0.6.14-1git1ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-4406


Please switch to the NCHC mirror

2012/1/29 5:08:00 | 凍仁's Ubuntu notes
About a year ago Taiwan's mirror sites started to become unstable, and 凍仁 switched to the shadow.ind.ntou.edu.tw mirror. On 2011/10/12 凍仁 saw a big headline on its front page saying "the administrators of ftp.tw.debian.org and tw.archive.ubuntu.com are looking for resources", and finally understood why these mirrors had been unstable. Unable to help, 凍仁 could only ask the veterans on Plurk; on their advice 凍仁 switched to the NCHC [1] mirror, and it has been stable since.

As you can see below, several domain names point to the same IP. 凍仁 cannot be sure they point to the same server, but it is certain that the machine does not have enough capacity!

OS      Mirror                  IP
Debian  opensource.nchc.org.tw  211.73.64.9
Ubuntu  free.nchc.org.tw        211.73.64.9
Ubuntu  ftp.twaren.net          140.110.123.9 / 2001:e10:5c00:5::9
The NCHC mirrors.

OS      Mirror                  IP
Debian  ftp.tw.debian.org       140.138.145.242
Ubuntu  tw.archive.ubuntu.com   140.138.145.242
Ubuntu  shadow.ind.ntou.edu.tw  140.121.80.201
The mirrors 凍仁 used before.

1. Change the mirror with Update Manager

1.1. Open "Update Manager".

1.2. Click the "Settings" button.

1.3. Click the "Download from:" field and choose "Other...".

1.4. Find the NCHC mirror and click "Choose Server".

2. Replace the mirror with sed

2.1. Before replacing anything, find out which mirror is currently in use.
jonny@oneiric:~$ cat /etc/apt/sources.list | grep main | awk '{ print $2}' | cut -d'/' -f3 | sed -n '3P' [Enter]
tw.archive.ubuntu.com

2.2. Replace tw.archive.ubuntu.com with free.nchc.org.tw.
jonny@oneiric:~$ sudo sed -i 's/tw.archive.ubuntu.com/free.nchc.org.tw/g' /etc/apt/sources.list [Enter]

Whichever method you use, you must refresh the package sources afterwards. Be sure to remember this, and never skip it [2].
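The sed command in step 2.2 treats the old host name as a regular expression (each unescaped dot matches any character) and is not limited to the host part of a URL. The following is an added example, not code from the original post, that performs the same switch on a constructed sample sources.list while matching the old host literally and only in the URL host position; it assumes GNU sed (as shipped on Ubuntu) for sed -i and mktemp for the scratch file.

```shell
#!/bin/sh
# Added example (not part of the original post): switch the apt mirror host
# in a sources.list as step 2 does, but match the old host literally and only
# in the "://host/" position of deb/deb-src lines. Assumes GNU sed for -i.

# current_mirror FILE -> most frequent mirror host among active deb/deb-src
# lines. Only the host part of the URL is taken; comment lines are ignored.
current_mirror() {
    awk '$1 == "deb" || $1 == "deb-src" { print $2 }' "$1" |
        cut -d'/' -f3 | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# switch_mirror FILE OLD_HOST NEW_HOST
# Dots in OLD_HOST are escaped so they are not regex wildcards, and the match
# is anchored to "://OLD_HOST/", so replacing tw.archive.ubuntu.com cannot
# touch security.ubuntu.com or a host that merely contains similar letters.
switch_mirror() {
    old=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -i "/^deb/ s#://${old}/#://$3/#g" "$1"
}

# Constructed sample sources.list (not taken from a real machine).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
deb http://tw.archive.ubuntu.com/ubuntu/ oneiric main restricted
deb-src http://tw.archive.ubuntu.com/ubuntu/ oneiric main restricted
deb http://tw.archive.ubuntu.com/ubuntu/ oneiric-updates main restricted
deb http://security.ubuntu.com/ubuntu oneiric-security main restricted
# deb http://tw.archive.ubuntu.com/ubuntu/ oneiric-backports main
EOF

printf 'before: %s\n' "$(current_mirror "$SAMPLE")"
switch_mirror "$SAMPLE" tw.archive.ubuntu.com free.nchc.org.tw
printf 'after:  %s\n' "$(current_mirror "$SAMPLE")"
```

On a real system the same call would be run with sudo against /etc/apt/sources.list, followed by refreshing the package lists as the post reminds you to do.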

# Note 1: NCHC's full name is the National Center for High-performance Computing of the National Applied Research Laboratories (NCHC).
# Note 2: 「切忌」 means "must never", while 「切記」 means "be sure to remember".


Further reading:
NCHC | Main / HomePage

Related links:
大澤木小鐵 asks: ftp://os.nchc.org.tw is saturated, where does everyone update Ubuntu from? [Solved] NARLabs NCHC free software

USN-1349-1: X.Org vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1349-1
26th January, 2012

xorg vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.10
  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

X could be made to start by a user who lacked appropriate permissions.

Software description

  • xorg
    - X.Org X Window System

Details

It was discovered that the X wrapper incorrectly checked certain console
permissions when launched by unprivileged users. An attacker connected
remotely could use this flaw to start X, bypassing the console permissions
check.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  xserver-xorg 1:7.6+7ubuntu7.1

Ubuntu 11.04:
  xserver-xorg 1:7.6+4ubuntu3.2

Ubuntu 10.10:
  xserver-xorg 1:7.5+6ubuntu3.1

Ubuntu 10.04 LTS:
  xserver-xorg 1:7.5+5ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4613


USN-1348-1: ICU vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1348-1
26th January, 2012

icu vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.10
  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

ICU could be made to crash or run programs as your login if it
opened specially crafted data.

Software description

  • icu
    - International Components for Unicode library

Details

It was discovered that ICU did not properly handle invalid locale data
during Unicode conversion. If an application using ICU processed crafted
data, an attacker could cause it to crash or potentially execute arbitrary
code with the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  libicu44 4.4.2-2ubuntu0.11.10.1

Ubuntu 11.04:
  libicu44 4.4.2-2ubuntu0.11.04.1

Ubuntu 10.10:
  libicu42 4.2.1-3ubuntu0.10.10.1

Ubuntu 10.04 LTS:
  libicu42 4.2.1-3ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4599


USN-1342-1: Linux kernel (Oneiric backport) vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1342-1
25th January, 2012

linux-lts-backport-oneiric vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

  • linux-lts-backport-oneiric
    - Linux kernel backport from Oneiric

Details

Jüri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem
permissions. A local attacker could exploit this and gain root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-3.0.0-15-server       3.0.0-15.26~lucid1
  linux-image-3.0.0-15-generic      3.0.0-15.26~lucid1
  linux-image-3.0.0-15-virtual      3.0.0-15.26~lucid1
  linux-image-3.0.0-15-generic-pae  3.0.0-15.26~lucid1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2012-0056


USN-1347-1: Evince vulnerability

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1347-1
25th January, 2012

evince vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

Evince could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • evince
    - Document viewer

Details

It was discovered that Evince did not properly parse AFM font files when
processing DVI files. If a user were tricked into opening a specially
crafted DVI file, an attacker could cause Evince to crash or potentially
execute arbitrary code with the privileges of the user invoking the
program.

In the default installation, attackers would be isolated by the Evince
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  libevdocument3 2.32.0-0ubuntu12.4

Ubuntu 10.10:
  libevdocument3 2.32.0-0ubuntu1.2

Ubuntu 10.04 LTS:
  libevdocument2 2.30.3-0ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-0433


USN-1346-1: curl vulnerability

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1346-1
24th January, 2012

curl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.10
  • Ubuntu 11.04
  • Ubuntu 10.10

Summary

curl could be tricked into injecting arbitrary data if it handled a
malicious URL.

Software description

  • curl
    - HTTP, HTTPS, and FTP client and client libraries

Details

Dan Fandrich discovered that curl incorrectly handled URLs containing
embedded or percent-encoded control characters. If a user or automated
system were tricked into processing a specially crafted URL, arbitrary
data could be injected.
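As an added illustration, not code from the advisory or from the curl project, the shell function below screens a URL for the two shapes the advisory names, raw and percent-encoded control characters, so that a script can refuse such input before handing it to a URL-handling tool. The function names and the sample URLs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the advisory or the curl project: reject URLs that
# carry raw (0x00-0x1F, 0x7F) or percent-encoded (%00-%1F, %7F) control
# characters before a script passes them to a URL-handling tool.

# url_has_control_chars URL -> returns 0 (true) if a control character is
# present in either form, 1 otherwise.
url_has_control_chars() {
    # Raw control bytes: grep cannot see an embedded newline (it splits on
    # it), so compare against a copy with every control byte stripped.
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    if [ "$stripped" != "$1" ]; then
        return 0
    fi
    # Percent-encoded control bytes, in either hex case.
    if printf '%s' "$1" | grep -Eq '%([01][0-9A-Fa-f]|7[Ff])'; then
        return 0
    fi
    return 1
}

# check_url URL -> prints a verdict; returns 1 for a rejected URL.
check_url() {
    if url_has_control_chars "$1"; then
        printf 'reject: %s\n' "$1"
        return 1
    fi
    printf 'accept: %s\n' "$1"
}

# Constructed sample URLs: a clean one with a harmless %20, one with a
# percent-encoded CR LF, and one with a raw CR LF embedded in the path.
CLEAN='ftp://mirror.example.test/pub/file%20name.txt'
ENCODED='ftp://mirror.example.test/pub/%0d%0Afile.txt'
RAW="ftp://mirror.example.test/pub/$(printf '\r\nX')file.txt"

for u in "$CLEAN" "$ENCODED" "$RAW"; do
    check_url "$u" || :
done
```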



Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
  libcurl3-nss     7.21.6-3ubuntu3.2
  libcurl3-gnutls  7.21.6-3ubuntu3.2
  libcurl3         7.21.6-3ubuntu3.2

Ubuntu 11.04:
  libcurl3-nss     7.21.3-1ubuntu1.5
  libcurl3-gnutls  7.21.3-1ubuntu1.5
  libcurl3         7.21.3-1ubuntu1.5

Ubuntu 10.10:
  libcurl3-gnutls  7.21.0-1ubuntu1.3
  libcurl3         7.21.0-1ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2012-0036


USN-1345-1: Linux kernel vulnerabilities

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1345-1
24th January, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.04

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    - Linux kernel

Details

Peter Huewe discovered an information leak in the handling of reading
security-related TPM data. A local, unprivileged user could read the
results of a previous TPM command. (CVE-2011-1162)

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker
could exploit this to cause a kernel oops. (CVE-2011-2203)

A flaw was found in how the Linux kernel handles user-defined key types. An
unprivileged local user could exploit this to crash the system.
(CVE-2011-4110)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
  linux-image-2.6.38-13-powerpc        2.6.38-13.54
  linux-image-2.6.38-13-powerpc64-smp  2.6.38-13.54
  linux-image-2.6.38-13-generic-pae    2.6.38-13.54
  linux-image-2.6.38-13-versatile      2.6.38-13.54
  linux-image-2.6.38-13-generic        2.6.38-13.54
  linux-image-2.6.38-13-virtual        2.6.38-13.54
  linux-image-2.6.38-13-server         2.6.38-13.54
  linux-image-2.6.38-13-omap           2.6.38-13.54
  linux-image-2.6.38-13-powerpc-smp    2.6.38-13.54

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-1162, CVE-2011-2203, CVE-2011-4110


USN-1344-1: Linux kernel vulnerabilities

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1344-1
24th January, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    - Linux kernel

Details

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker
could exploit this to cause a kernel oops. (CVE-2011-2203)

A flaw was found in how the Linux kernel handles user-defined key types. An
unprivileged local user could exploit this to crash the system.
(CVE-2011-4110)

Update instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.04 LTS:
  linux-image-2.6.32-38-powerpc        2.6.32-38.83
  linux-image-2.6.32-38-386            2.6.32-38.83
  linux-image-2.6.32-38-sparc64        2.6.32-38.83
  linux-image-2.6.32-38-generic-pae    2.6.32-38.83
  linux-image-2.6.32-38-preempt        2.6.32-38.83
  linux-image-2.6.32-38-lpia           2.6.32-38.83
  linux-image-2.6.32-38-sparc64-smp    2.6.32-38.83
  linux-image-2.6.32-38-powerpc64-smp  2.6.32-38.83
  linux-image-2.6.32-38-versatile      2.6.32-38.83
  linux-image-2.6.32-38-generic        2.6.32-38.83
  linux-image-2.6.32-38-virtual        2.6.32-38.83
  linux-image-2.6.32-38-server         2.6.32-38.83
  linux-image-2.6.32-38-powerpc-smp    2.6.32-38.83
  linux-image-2.6.32-38-ia64           2.6.32-38.83

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2011-2203, CVE-2011-4110