==========================================================================
Ubuntu Security Notice USN-1562-1
September 10, 2012
linux-lts-backport-natty vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-lts-backport-natty: Linux kernel backport from Natty
Details:
Some errors were discovered in the Linux kernel's UDF file system, which
is used to mount some CD-ROMs and DVDs. An unprivileged local user could
use these flaws to crash the system.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-2.6.38-15-generic 2.6.38-15.66~lucid1
linux-image-2.6.38-15-generic-pae 2.6.38-15.66~lucid1
linux-image-2.6.38-15-server 2.6.38-15.66~lucid1
linux-image-2.6.38-15-virtual 2.6.38-15.66~lucid1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1562-1
CVE-2012-3400
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-backport-natty/2.6.38-15.66~lucid1
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
Date: Mon, 10 Sep 2012 15:06:54 -0700
From: John Johansen <john.johansen@canonical.com>
Subject: [USN-1563-1] Linux kernel (Oneiric backport) vulnerability
==========================================================================
Ubuntu Security Notice USN-1563-1
September 10, 2012
linux-lts-backport-oneiric vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 10.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-lts-backport-oneiric: Linux kernel backport from Oneiric
Details:
A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw to
cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 10.04 LTS:
linux-image-3.0.0-25-generic 3.0.0-25.41~lucid1
linux-image-3.0.0-25-generic-pae 3.0.0-25.41~lucid1
linux-image-3.0.0-25-server 3.0.0-25.41~lucid1
linux-image-3.0.0-25-virtual 3.0.0-25.41~lucid1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-1563-1
CVE-2012-2372
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-backport-oneiric/3.0.0-25.41~lucid1
Date: Tue, 11 Sep 2012 08:45:23 -0500
From: Micah Gersten <micah@canonical.com>
Subject: [USN-1548-2] Firefox regression
==========================================================================
Ubuntu Security Notice USN-1548-2
September 11, 2012
firefox regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
USN-1548-1 introduced a regression in Firefox.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
USN-1548-1 fixed vulnerabilities in Firefox. The new package caused a
regression in Private Browsing which could leak sites visited to the
browser cache. This update fixes the problem.
Original advisory details:
Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew
Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel
Holbert discovered memory safety issues affecting Firefox. If the user were
tricked into opening a specially crafted page, an attacker could exploit
these to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox.
(CVE-2012-1970, CVE-2012-1971)
Abhishek Arya discovered multiple use-after-free vulnerabilities. If the
user were tricked into opening a specially crafted page, an attacker could
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975, CVE-2012-1976,
CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959, CVE-2012-3960,
CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)
Mariusz Mlynski discovered that it is possible to shadow the location object
using Object.defineProperty. This could potentially result in a cross-site
scripting (XSS) attack against plugins. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
page, a remote attacker could exploit this to modify the contents or steal
confidential data within the same domain. (CVE-2012-1956)
Mariusz Mlynski discovered an escalation of privilege vulnerability through
about:newtab. This could potentially lead to code execution with the
privileges of the user invoking Firefox. (CVE-2012-3965)
Frédéric Hoguin discovered that bitmap format images with a negative height
could potentially result in memory corruption. If the user were tricked
into opening a specially crafted image, an attacker could exploit
this to cause a denial of service via application crash, or potentially
execute code with the privileges of the user invoking Firefox.
(CVE-2012-3966)
It was discovered that Firefox's WebGL implementation was vulnerable to
multiple memory safety issues. If the user were tricked into opening a
specially crafted page, an attacker could exploit these to cause a denial
of service via application crash, or potentially execute code with the
privileges of the user invoking Firefox. (CVE-2012-3967, CVE-2012-3968)
Arthur Gerkis discovered multiple memory safety issues in Firefox's
Scalable Vector Graphics (SVG) implementation. If the user were tricked
into opening a specially crafted image, an attacker could exploit these to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Firefox. (CVE-2012-3969,
CVE-2012-3970)
Christoph Diehl discovered multiple memory safety issues in the bundled
Graphite 2 library. If the user were tricked into opening a specially
crafted page, an attacker could exploit these to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2012-3971)
Nicolas Grégoire discovered an out-of-bounds read in the format-number
feature of XSLT. This could potentially cause inaccurate formatting of
numbers and information leakage. (CVE-2012-3972)
Mark Goodwin discovered that under certain circumstances, Firefox's
developer tools could allow remote debugging even when disabled.
(CVE-2012-3973)
It was discovered that when the DOMParser is used to parse text/html data
in a Firefox extension, linked resources within this HTML data will be
loaded. If the data being parsed in the extension is untrusted, it could
lead to information leakage and potentially be combined with other attacks
to become exploitable. (CVE-2012-3975)
Mark Poticha discovered that under certain circumstances incorrect SSL
certificate information can be displayed in the address bar, showing the SSL
data for a previous site while another has been loaded. This could
potentially be used for phishing attacks. (CVE-2012-3976)
It was discovered that, in some instances, certain security checks in the
location object could be bypassed. This could allow for the loading of
restricted content and can potentially be combined with other issues to
become exploitable. (CVE-2012-3978)
Colby Russell discovered that eval in the web console can execute injected
code with chrome privileges, leading to the running of malicious code in a
privileged context. If the user were tricked into opening a specially
crafted page, an attacker could exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2012-3980)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
firefox 15.0.1+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
firefox 15.0.1+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
firefox 15.0.1+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
firefox 15.0.1+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1548-2
http://www.ubuntu.com/usn/usn-1548-1
https://launchpad.net/bugs/1047667
Package Information:
https://launchpad.net/ubuntu/+source/firefox/15.0.1+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/firefox/15.0.1+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/firefox/15.0.1+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/firefox/15.0.1+build1-0ubuntu0.10.04.1
Date: Wed, 12 Sep 2012 23:14:36 -0700
From: Steve Beattie <sbeattie@ubuntu.com>
Subject: [USN-1564-1] OpenStack Keystone vulnerability
==========================================================================
Ubuntu Security Notice USN-1564-1
September 13, 2012
keystone vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
OpenStack Keystone did not properly handle user role changes
Software Description:
- keystone: OpenStack identity service
Details:
Dolph Mathews discovered that when roles are granted to or revoked from
users in Keystone, pre-existing tokens were not updated or invalidated
to take the new roles into account. An attacker could use this to
continue accessing resources after that access had been revoked.
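The following toy model illustrates the failure mode above: a token that snapshots the user's roles at issue time keeps honouring a role after it has been revoked, whereas a service that re-resolves roles from the authoritative store on every validation (and drops the user's outstanding tokens on a revoke) does not. This is an added example, not Keystone's own code; `RoleStore`, the two token services and the user/role names are constructed for the illustration.

```python
"""Added example, not Keystone's code. SnapshotTokenService freezes roles
into the token at issue time and trusts them later, so a revoke never
reaches existing tokens. LiveTokenService re-reads roles from the store
on every validation and also invalidates the user's outstanding tokens."""
import secrets
import time


class RoleStore:
    """Authoritative current user -> roles mapping (constructed)."""
    def __init__(self):
        self._roles = {}

    def grant(self, user, role):
        self._roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self._roles.get(user, set()).discard(role)

    def roles_for(self, user):
        return frozenset(self._roles.get(user, ()))


class SnapshotTokenService:
    """Flawed: token record = (user, roles at issue time, expiry)."""
    def __init__(self, store, ttl=3600):
        self.store, self.ttl, self._tokens = store, ttl, {}

    def issue(self, user):
        tok = secrets.token_hex(16)
        self._tokens[tok] = (user, self.store.roles_for(user), time.time() + self.ttl)
        return tok

    def revoke_role(self, user, role):
        self.store.revoke(user, role)  # outstanding tokens are left untouched

    def validate(self, tok):
        """Return (user, roles) or None for an unknown or expired token."""
        rec = self._tokens.get(tok)
        if rec is None or time.time() > rec[2]:
            return None
        return rec[0], rec[1]  # the stale snapshot is honoured


class LiveTokenService(SnapshotTokenService):
    """Corrected: roles come from the store at validation time and a revoke
    drops every token the user holds; the inherited snapshot is ignored."""
    def validate(self, tok):
        rec = self._tokens.get(tok)
        if rec is None or time.time() > rec[2]:
            return None
        return rec[0], self.store.roles_for(rec[0])

    def revoke_role(self, user, role):
        self.store.revoke(user, role)
        for tok in [t for t, rec in self._tokens.items() if rec[0] == user]:
            del self._tokens[tok]


def stale_role_honoured(service_cls):
    """Grant admin, issue a token, revoke admin, then check whether the old
    token still confers admin. True means the flaw is present."""
    store = RoleStore()
    svc = service_cls(store)
    store.grant("alice", "admin")
    tok = svc.issue("alice")
    svc.revoke_role("alice", "admin")
    result = svc.validate(tok)
    return result is not None and "admin" in result[1]
```

Calling `stale_role_honoured(SnapshotTokenService)` returns True and `stale_role_honoured(LiveTokenService)` returns False, which is the behavioural difference the advisory's fix introduces.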
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
keystone 2012.1+stable~20120824-a16a0ab9-0ubuntu2.2
python-keystone 2012.1+stable~20120824-a16a0ab9-0ubuntu2.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1564-1
CVE-2012-4413
Package Information:
https://launchpad.net/ubuntu/+source/keystone/2012.1+stable~20120824-a16a0ab9-0ubuntu2.2