March 06, 2013 10:28 Ubuntu: Security update for Keystone

Nathanael Burton discovered that Keystone did not properly verify disabled users. An authenticated but disabled user would continue to have access rights that were removed. Jonathan Murray discovered that Keystone would allow XML entity processing. A remote unauthenticated attacker could exploit this to cause a denial of service via resource exhaustion. Authenticated users could also use this to view arbitrary files on the Keystone server.

Updated packages are available from security.debian.org.

March 05, 2013 09:04 Ubuntu: Security update for Firefox

Security researchers discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash. Atte Kettunen discovered that Firefox could perform an out-of-bounds read while rendering GIF format images. An attacker could exploit this to crash Firefox. Boris Zbarsky discovered that Firefox did not properly handle some wrapped WebIDL objects. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and System Only Wrappers (SOW). If a user were tricked into opening a specially crafted page, a remote attacker could exploit this to bypass security protections to obtain sensitive information or potentially execute code with the privileges of the user invoking Firefox. Frederik Braun discovered that Firefox made the location of the active browser profile available to JavaScript workers. A use-after-free vulnerability was discovered in Firefox. An attacker could potentially exploit this to execute code with the privileges of the user invoking Firefox.

Michal Zalewski discovered that Firefox would not always show the correct address when cancelling a proxy authentication prompt. A remote attacker could exploit this to conduct URL spoofing and phishing attacks. Abhishek Arya discovered several problems related to memory handling. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox.

Updated packages are available from security.ubuntu.com.

March 05, 2013 08:57 Ubuntu: Security update for Boost

It was discovered that the Boost.Locale library incorrectly validated some invalid UTF-8 sequences. An attacker could possibly use this issue to bypass input validation in certain applications.

Updated packages are available from security.ubuntu.com.

March 01, 2013 09:23 Ubuntu: Security update for the Linux kernel

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously.

Updated packages are available from security.ubuntu.com.

February 27, 2013 10:03 Ubuntu: Security update for OpenJDK

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit these to cause a denial of service. Vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. Several data integrity vulnerabilities were discovered in the OpenJDK JRE.

Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure and data integrity. A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could exploit this to cause a denial of service. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to cause a denial of service.

A data integrity vulnerability was discovered in the OpenJDK JRE. An information disclosure vulnerability was discovered in the OpenJDK JRE. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to cause a denial of service.

Updated packages are available from security.ubuntu.com.

February 27, 2013 10:01 Ubuntu: Security update for Qt

Richard J. Moore and Peter Hartmann discovered that Qt allowed redirecting requests from http to file schemes. If an attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. Stephen Cheng discovered that Qt may report incorrect errors when SSL certificate verification fails. Tim Brown and Mark Lowe discovered that Qt incorrectly used weak permissions on shared memory segments. A local attacker could use this issue to view sensitive information, or modify program data belonging to other users.

Updated packages are available from security.ubuntu.com.

February 25, 2013 11:10 Ubuntu: Security update for jQuery

It was discovered that jQuery incorrectly handled selecting elements using location.hash, resulting in a possible cross-site scripting (XSS) issue. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain.

Updated packages are available from security.ubuntu.com.

February 25, 2013 11:08 Ubuntu: Security update for curl

It was discovered that curl incorrectly handled SASL authentication when communicating over POP3, SMTP or IMAP. If a user or automated system were tricked into processing a specially crafted URL, an attacker could cause a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.

Updated packages are available from security.ubuntu.com.

February 25, 2013 11:06 Ubuntu: Security update for the Linux kernel

It was discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating the origin of Netlink messages. An untrusted local user can cause a denial of service of Linux guests in Hyper-V virtualization environments. Dmitry Monakhov reported a race condition flaw in the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. Florian Weimer discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating source addresses of netlink packets. An untrusted local user can cause a denial of service by causing hypervkvpd to exit.

Andrew Cooper of Citrix reported a Xen stack corruption in the Linux kernel. An unprivileged user in a 32bit PVOPS guest can cause the guest kernel to crash, or operate erroneously.

Updated packages are available from security.ubuntu.com.

February 25, 2013 11:05 Ubuntu: Security update for PostgreSQL

Sumit Soni discovered that PostgreSQL incorrectly handled calling a certain internal function with invalid arguments. An authenticated attacker could use this issue to cause PostgreSQL to crash, resulting in a denial of service.

Updated packages are available from security.ubuntu.com.

February 22, 2013 13:18 Ubuntu: Security update for gnome-screensaver

It was discovered that gnome-screensaver did not start automatically after logging in. This may result in the screen not being automatically locked after the inactivity timeout is reached, permitting an attacker with physical access to gain access to an unlocked session.

Updated packages are available from security.ubuntu.com.

February 20, 2013 09:03 Ubuntu: Security update for Keystone

Dan Prince discovered that Keystone did not properly perform input validation when handling certain error conditions. An unauthenticated user could exploit this to cause a denial of service in Keystone API servers via disk space exhaustion.

Updated packages are available from security.ubuntu.com.

February 18, 2013 18:14 Ubuntu: Security update for QXL

It was discovered that the QXL graphics driver incorrectly handled terminated connections. An attacker that could connect to a guest using SPICE and the QXL graphics driver could cause the guest to hang or crash, resulting in a denial of service.

Updated packages are available from security.ubuntu.com.

February 11, 2013 10:45 Ubuntu: Security update for Inkscape

It was discovered that Inkscape incorrectly handled XML external entities in SVG files. If a user were tricked into opening a specially crafted SVG file, Inkscape could possibly include external files in drawings, resulting in information disclosure. It was discovered that Inkscape attempted to open certain files from the /tmp directory instead of the current directory. A local attacker could trick a user into opening a different file than the one that was intended.

Updated packages are available from security.ubuntu.com.

February 11, 2013 10:41 Ubuntu: Security update for Glance

Dan Prince discovered an issue in Glance error reporting. An authenticated attacker could exploit this to expose the Glance operator’s Swift credentials for a misconfigured or otherwise unusable Swift endpoint.

Updated packages are available from security.ubuntu.com.

February 11, 2013 10:40 Ubuntu: Security update for nova

Phil Day discovered that nova-volume did not validate access to volumes. An authenticated attacker could exploit this to bypass intended access controls and boot from arbitrary volumes.

Updated packages are available from security.ubuntu.com.

February 11, 2013 10:39 Ubuntu: Security update for libvirt

Wenlong Huang discovered that libvirt incorrectly handled certain RPC calls. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. Tingting Zheng discovered that libvirt incorrectly handled cleanup under certain error conditions. A remote attacker could exploit this and cause libvirt to crash, resulting in a denial of service, or possibly execute arbitrary code.

Updated packages are available from security.ubuntu.com.

February 08, 2013 10:17 Ubuntu: Security update for libssh

Yong Chuan Koh discovered that libssh incorrectly handled certain negotiation requests. A remote attacker could use this to cause libssh to crash, resulting in a denial of service.

Updated packages are available from security.ubuntu.com.

February 08, 2013 10:15 Ubuntu: Security update for Libav

It was discovered that Libav incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

Updated packages are available from security.ubuntu.com.

February 08, 2013 10:13 Ubuntu: Security update for FFmpeg

It was discovered that FFmpeg incorrectly handled certain malformed media files. If a user were tricked into opening a crafted media file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program.

Updated packages are available from security.ubuntu.com.

February 06, 2013 08:45 Ubuntu: Security update for PHP

It was discovered that PHP incorrectly handled the openssl_encrypt function when used with an empty string. An attacker could use this flaw to cause PHP to disclose arbitrary memory contents and possibly expose sensitive information.

Updated packages are available from security.ubuntu.com.

February 06, 2013 08:42 Ubuntu: Security update for MySQL

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Updated packages are available from security.ubuntu.com.

February 04, 2013 07:59 Ubuntu: Security update for Vino

It was discovered that Vino incorrectly transmitted clipboard activity before authenticating the remote connection. A remote attacker could connect to Vino and monitor clipboard activity.

Updated packages are available from security.ubuntu.com.

February 04, 2013 07:53 Ubuntu: Security update for the Linux kernel

Jon Howell reported a flaw in KVM (Kernel-based virtual machine) subsystem’s handling of the XSAVE CPU feature. On hosts without the XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could exploit this flaw to crash the system. A flaw was discovered in handling of script execution when module loading is enabled. A local attacker could exploit this flaw to cause a leak of kernel stack contents. Florian Weimer discovered that hypervkvpd was not correctly validating source addresses of netlink packets. An untrusted local user can cause a denial of service by causing hypervkvpd to exit.

Updated packages are available from security.ubuntu.com.

February 01, 2013 09:24 Ubuntu: Security update for Linux kernel

Jon Howell reported a flaw in the Linux kernel’s KVM (Kernel-based virtual machine) subsystem’s handling of the XSAVE CPU feature. On hosts without the XSAVE CPU feature, using qemu userspace, an unprivileged local attacker could exploit this flaw to crash the system. A flaw was discovered in the Linux kernel’s handling of script execution when module loading is enabled. A local attacker could exploit this flaw to cause a leak of kernel stack contents. Florian Weimer discovered that hypervkvpd, which is distributed in the Linux kernel, was not correctly validating source addresses of netlink packets. An untrusted local user can cause a denial of service by causing hypervkvpd to exit.

Updated packages are available from security.ubuntu.com.

February 01, 2013 09:23 Ubuntu: Security update for RPM

It was discovered that RPM incorrectly handled certain package headers. If a user or automated system were tricked into installing a specially crafted RPM package, an attacker could cause RPM to crash, resulting in a denial of service, or possibly execute arbitrary code.

Updated packages are available from security.ubuntu.com.

February 01, 2013 09:22 Ubuntu: Security update for RPM

It was discovered that RPM incorrectly handled signature checking. An attacker could create a specially crafted RPM package with an invalid signature that would nonetheless pass the signature validation check.

Updated packages are available from security.ubuntu.com.

February 01, 2013 09:19 Ubuntu: Security update for OpenJDK

It was discovered that OpenJDK 7’s security mechanism could be bypassed via Java applets. If a user were tricked into opening a malicious website, a remote attacker could exploit this to perform arbitrary code execution as the user invoking the program.

Updated packages are available from security.ubuntu.com.

February 01, 2013 09:18 Ubuntu: Security update for QEMU

It was discovered that QEMU incorrectly handled certain e1000 packet sizes. In certain environments, an attacker may use this flaw in combination with large packets to cause a denial of service or execute arbitrary code in the guest.

Updated packages are available from security.ubuntu.com.

January 30, 2013 13:59 Ubuntu: Security update for Linux kernel

Jon Howell reported a flaw in the Linux kernel’s KVM (Kernel-based virtual machine) subsystem’s handling of the XSAVE feature. On hosts without the XSAVE feature, using qemu userspace, an unprivileged local attacker could exploit this flaw to crash the system. A flaw was discovered in the Linux kernel’s handling of script execution when module loading is enabled. A local attacker could exploit this flaw to cause a leak of kernel stack contents.

Updated packages are available from security.ubuntu.com.