IT Security


[USN-2371-1] Exuberant Ctags vulnerability

IT security reports, Linux. Created by J. Halex, Wed, October 08, 2014 22:20:34

==========================================================================

Ubuntu Security Notice USN-2371-1

October 08, 2014

exuberant-ctags vulnerability

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

- Ubuntu 12.04 LTS

Summary:

Exuberant Ctags could be made to consume resources.

Software Description:

- exuberant-ctags: build tag file indexes of source code definitions

Details:

It was discovered that Exuberant Ctags incorrectly handled certain minified JavaScript files. An attacker could use this issue to cause Exuberant Ctags to consume excessive resources, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:

exuberant-ctags 1:5.9~svn20110310-7ubuntu0.1

Ubuntu 12.04 LTS:

exuberant-ctags 1:5.9~svn20110310-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:

http://www.ubuntu.com/usn/usn-2371-1

CVE-2014-7204

Package Information:

https://launchpad.net/ubuntu/+source/exuberant-ctags/1:5.9~svn20110310-7ubuntu0.1

https://launchpad.net/ubuntu/+source/exuberant-ctags/1:5.9~svn20110310-3ubuntu0.1




[SECURITY] [DSA 3047-1] rsyslog security update

IT security reports, Linux. Created by J. Halex, Wed, October 08, 2014 16:58:35

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

- -------------------------------------------------------------------------

Debian Security Advisory DSA-3047-1 security@debian.org

http://www.debian.org/security/ Luciano Bello

October 08, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

Package : rsyslog

CVE ID : CVE-2014-3683

Mancha discovered a vulnerability in rsyslog, a system for log processing. The vulnerability is an integer overflow that can be triggered by malformed messages sent to a server that accepts data from untrusted sources, causing message loss.

This vulnerability can be seen as an incomplete fix of CVE-2014-3634 (DSA 3040-1).
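The advisory does not name the malformed field. The example below, added here and not part of the advisory or of rsyslog's own code, uses the PRI header ("<N>" at the start of a syslog message), the field named in rsyslog's upstream description of the earlier CVE-2014-3634. It contrasts the faulty shape of the bug class (accumulate digits with no length or range check, then use the value in a C `int`) with a bounds-checked parser; the sample messages are constructed for the example, and `wrap_int32` only models 32-bit overflow so the negative index can be seen.

```python
"""Bounds-checked parsing of the syslog PRI header.

RFC 5424 defines PRI = facility * 8 + severity with facility 0..23 and
severity 0..7, so only 0..191 is valid and the field is at most three
digits. Anything else must be rejected before it reaches a table lookup.
"""
import re

PRI_MAX = 191  # facility 23 * 8 + severity 7

# Constructed sample messages (not taken from any real capture).
SAMPLES = [
    "<34>Oct  8 22:20:34 host app: normal message",          # auth.crit
    "<191>Oct  8 22:20:35 host app: highest valid PRI",     # local7.debug
    "<3000000000>Oct  8 22:20:36 host app: oversized PRI",  # malformed
    "<-1>Oct  8 22:20:37 host app: negative PRI",           # malformed
    "Oct  8 22:20:38 host app: no PRI at all",              # missing header
]


def wrap_int32(n: int) -> int:
    """Reduce an unbounded integer to what a 32-bit two's-complement C
    'int' would hold after overflow. Illustration only."""
    return ((n + 2**31) % 2**32) - 2**31


def parse_pri_unchecked(msg: str) -> int:
    """The faulty shape: accumulate every digit between '<' and '>' with
    no length or range check, then treat the result as a C int. A value
    such as 3000000000 wraps negative; a later lookup indexed by
    facility or severity then reads outside its table."""
    end = msg.index(">")
    value = 0
    for ch in msg[1:end]:
        value = value * 10 + (ord(ch) - ord("0"))
    return wrap_int32(value)


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(msg: str) -> tuple:
    """Hardened parser: at most three digits, value within 0..PRI_MAX.
    Returns (facility, severity) or raises ValueError so the caller can
    drop or quarantine the message instead of indexing with the value."""
    m = _PRI_RE.match(msg)
    if m is None:
        raise ValueError("missing or malformed PRI header")
    pri = int(m.group(1))
    if pri > PRI_MAX:
        raise ValueError(f"PRI {pri} out of range 0..{PRI_MAX}")
    return pri >> 3, pri & 7


def triage(messages) -> tuple:
    """Split a batch into accepted (facility, severity) tuples and the raw
    messages that were rejected, so rejects can be counted and alerted on."""
    accepted, rejected = [], []
    for msg in messages:
        try:
            accepted.append(parse_pri(msg))
        except ValueError:
            rejected.append(msg)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    print("accepted:", ok)
    print("rejected:", bad)
    print("unchecked parse of the oversized PRI as a C int:",
          parse_pri_unchecked(SAMPLES[2]))
```

The rejected list is the signal a receiver exposed to untrusted senders should monitor: a burst of out-of-range PRI values from one source is either a broken client or someone probing the parser.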

For the stable distribution (wheezy), this problem has been fixed in version 5.8.11-3+deb7u2.

For the testing distribution (jessie), this problem has been fixed in version 8.4.2-1.

For the unstable distribution (sid), this problem has been fixed in version 8.4.2-1.

We recommend that you upgrade your rsyslog packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

=rKeg

-----END PGP SIGNATURE-----

--

To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org

with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: https://lists.debian.org/1856350.xlUVpWEtu8@box




[USN-2308-1] OpenSSL vulnerabilities

IT security reports, Linux. Created by J. Halex, Fri, August 08, 2014 06:24:21

==========================================================================

Ubuntu Security Notice USN-2308-1

August 07, 2014

openssl vulnerabilities

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

- Ubuntu 12.04 LTS

- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:

- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Adam Langley and Wan-Teh Chang discovered that OpenSSL incorrectly handled certain DTLS packets. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2014-3505)

Adam Langley discovered that OpenSSL incorrectly handled memory when processing DTLS handshake messages. A remote attacker could use this issue to cause OpenSSL to consume memory, resulting in a denial of service. (CVE-2014-3506)

Adam Langley discovered that OpenSSL incorrectly handled memory when processing DTLS fragments. A remote attacker could use this issue to cause OpenSSL to leak memory, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3507)

Ivan Fratric discovered that OpenSSL incorrectly leaked information in the pretty printing functions. When OpenSSL is used with certain applications, an attacker may use this issue to possibly gain access to sensitive information. (CVE-2014-3508)

Gabor Tyukasz discovered that OpenSSL contained a race condition when processing ServerHello messages. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3509)

Felix Gröbert discovered that OpenSSL incorrectly handled certain DTLS handshake messages. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. (CVE-2014-3510)

David Benjamin and Adam Langley discovered that OpenSSL incorrectly handled fragmented ClientHello messages. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to force a protocol downgrade to TLS 1.0. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3511)

Sean Devlin and Watson Ladd discovered that OpenSSL incorrectly handled certain SRP parameters. A remote attacker could use this with applications that use SRP to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3512)

Joonas Kuorilehto and Riku Hietamäki discovered that OpenSSL incorrectly handled certain ServerHello messages that specify an SRP ciphersuite. A malicious server could use this issue to cause clients to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5139)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:

libssl1.0.0 1.0.1f-1ubuntu2.5

Ubuntu 12.04 LTS:

libssl1.0.0 1.0.1-4ubuntu5.17

Ubuntu 10.04 LTS:

libssl0.9.8 0.9.8k-7ubuntu8.20

After a standard system update you need to reboot your computer to make all the necessary changes.

References:

http://www.ubuntu.com/usn/usn-2308-1

CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139

Package Information:

https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.5

https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.17

https://launchpad.net/ubuntu/+source/openssl/0.9.8k-7ubuntu8.20




[SECURITY] [DSA 2998-1] openssl security update

IT security reports, Linux. Created by J. Halex, Fri, August 08, 2014 06:21:02

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2998-1 security@debian.org

http://www.debian.org/security/ Raphael Geissert

August 07, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

Package : openssl

CVE ID : CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508 CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512 CVE-2014-5139

Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), an information leak, or a protocol downgrade. Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed (CVE-2014-3512).

Detailed descriptions of the vulnerabilities can be found at:

https://www.openssl.org/news/secadv_20140806.txt

It's important that you upgrade the libssl1.0.0 package and not just the openssl package.

All applications linked to openssl need to be restarted. You can use the "checkrestart" tool from the debian-goodies package to detect affected programs. Alternatively, you may reboot your system.
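The reason a restart is needed is that upgrading the package unlinks the old library file on disk while every process that already loaded it keeps the old copy mapped; the kernel marks such mappings "(deleted)" in /proc/<pid>/maps, which is the signal checkrestart relies on. The example below is added here as an illustration, not code from Debian, debian-goodies or OpenSSL: it parses maps text for deleted shared-object mappings and reports which processes still carry the old libssl. The maps excerpts are constructed and shortened; the live scan at the bottom only sees processes whose maps the current user may read.

```python
"""Find processes still mapping a shared library that was replaced on disk."""
import os
import re
from typing import Dict, List

# Constructed /proc/<pid>/maps excerpts (shortened; not real captures).
SAMPLE_MAPS: Dict[int, str] = {
    1234: (  # long-running daemon started before the upgrade
        "7f3a1c000000-7f3a1c1b0000 r-xp 00000000 fd:01 131073 "
        "/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c1b0000-7f3a1c3af000 ---p 001b0000 fd:01 131073 "
        "/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1d000000-7f3a1d1c0000 r-xp 00000000 fd:01 131080 "
        "/lib/x86_64-linux-gnu/libc-2.13.so\n"
    ),
    5678: (  # process restarted after the upgrade: new inode, not deleted
        "7f9b20000000-7f9b201b0000 r-xp 00000000 fd:01 131099 "
        "/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    ),
    9012: (  # a deleted mapping that is not a library; must be ignored
        "7fcd30000000-7fcd30001000 rw-s 00000000 fd:01 777 "
        "/tmp/scratch.dat (deleted)\n"
    ),
}

# One maps line: range, perms, offset, dev, inode, then an optional path.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)
_DELETED = " (deleted)"


def stale_libraries(maps_text: str, name_pattern: str = r"\.so(\.|$)") -> List[str]:
    """Distinct library paths in one process's maps text that are marked
    deleted and whose basename looks like a shared object."""
    lib_re = re.compile(name_pattern)
    found: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.endswith(_DELETED):
            continue
        path = path[: -len(_DELETED)]
        if lib_re.search(os.path.basename(path)) and path not in found:
            found.append(path)
    return found


def processes_needing_restart(maps_by_pid: Dict[int, str],
                              library: str = "libssl") -> Dict[int, List[str]]:
    """pid -> stale library paths whose basename contains `library`."""
    result: Dict[int, List[str]] = {}
    for pid, text in maps_by_pid.items():
        stale = [p for p in stale_libraries(text)
                 if library in os.path.basename(p)]
        if stale:
            result[pid] = stale
    return result


def read_proc_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every process readable by this user."""
    out: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                out[int(entry)] = fh.read()
        except OSError:
            continue  # process exited, or not ours to read
    return out


if __name__ == "__main__":
    print("constructed sample:", processes_needing_restart(SAMPLE_MAPS))
    if os.path.isdir("/proc"):
        for pid, libs in sorted(processes_needing_restart(read_proc_maps()).items()):
            print(pid, "still maps deleted:", ", ".join(libs))
```

Run it as root to cover daemons owned by other users; an empty result after the upgrade means either everything was restarted or the process is not readable, so pair it with the package check (`dpkg -l libssl1.0.0` showing the fixed version) rather than treating it as proof on its own.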

For the stable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u12.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 1.0.1i-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlPivdIACgkQYy49rUbZzloF4wCfbT57xtlsGcXFYm5yQaIAsiFD

+SIAn1k+yj9EoqiTlKSrCSVLTR9oBiwz

=/GX1

-----END PGP SIGNATURE-----


Archive: https://lists.debian.org/3248882.K4VXMTKrDC@eee




[USN-2307-1] GPGME vulnerability

IT security reports, Linux. Created by J. Halex, Wed, August 06, 2014 16:15:26

==========================================================================

Ubuntu Security Notice USN-2307-1

August 06, 2014

gpgme1.0 vulnerability

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

- Ubuntu 12.04 LTS

- Ubuntu 10.04 LTS

Summary:

GPGME could be made to crash or run programs as your login if it processed a specially crafted certificate.

Software Description:

- gpgme1.0: GPGME - GnuPG Made Easy (library)

Details:

Tomáš Trnka discovered that GPGME incorrectly handled certain certificate line lengths. An attacker could use this issue to cause applications using GPGME to crash, resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:

libgpgme11 1.4.3-0.1ubuntu5.1

Ubuntu 12.04 LTS:

libgpgme11 1.2.0-1.4ubuntu2.1

Ubuntu 10.04 LTS:

libgpgme11 1.2.0-1.2ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:

http://www.ubuntu.com/usn/usn-2307-1

CVE-2014-3564

Package Information:

https://launchpad.net/ubuntu/+source/gpgme1.0/1.4.3-0.1ubuntu5.1

https://launchpad.net/ubuntu/+source/gpgme1.0/1.2.0-1.4ubuntu2.1

https://launchpad.net/ubuntu/+source/gpgme1.0/1.2.0-1.2ubuntu1.1




[SECURITY] [DSA 2997-1] reportbug security update

IT security reports, Linux. Created by J. Halex, Tue, August 05, 2014 21:52:23

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2997-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

August 05, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

Package : reportbug

CVE ID : CVE-2014-0479

Jakub Wilk discovered a remote command execution flaw in reportbug, a tool to report bugs in the Debian distribution. A man-in-the-middle attacker could put shell metacharacters in the version number allowing arbitrary code execution with the privileges of the user running reportbug.
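The advisory describes the general shape of the flaw (a version string obtained over the network reaches a shell) without quoting code. The example below is added here and is not reportbug's code: it places the vulnerable shape (interpolating the string into a command line that a shell would parse) beside two safe shapes, an allow-list check on the version string and an argv-style invocation that never involves a shell. The `dpkg --compare-versions` command line, the threshold version and the allow-list regex are assumptions for the illustration; dpkg's own parser, not this regex, is the authority on what a Debian version may contain.

```python
"""Version strings from the network must never reach a shell."""
import re
import shlex
import shutil
import subprocess
from typing import List

# Conservative approximation of the characters Debian policy permits in a
# version: optional numeric epoch, then a digit, then alnum . + ~ : -
# (assumption for this example; dpkg remains the authority).
_DEB_VERSION = re.compile(r"^(?:[0-9]+:)?[0-9][A-Za-z0-9.+~:-]*$")
FIXED_VERSION = "6.4.4+deb7u1"  # taken from the advisory above


def is_plausible_debian_version(version: str) -> bool:
    """Allow-list check: anything outside the permitted alphabet, including
    whitespace and every shell metacharacter, fails."""
    return bool(_DEB_VERSION.match(version))


def unsafe_command_line(version: str) -> str:
    """The vulnerable shape: the attacker-controlled value is interpolated
    into a string that will later be handed to /bin/sh. Returned rather
    than executed so the injected text can be inspected."""
    return f"dpkg --compare-versions {version} lt {FIXED_VERSION}"


def quoted_for_shell(version: str) -> str:
    """If a shell string is truly unavoidable, quote the value: shlex.quote
    neutralises metacharacters. Still weaker than the argv form below."""
    return f"dpkg --compare-versions {shlex.quote(version)} lt {FIXED_VERSION}"


def safe_argv(version: str) -> List[str]:
    """Hardened shape: reject anything outside the allow-list, then build an
    argv list so no shell ever parses the value (subprocess with shell=False)."""
    if not is_plausible_debian_version(version):
        raise ValueError(f"refusing suspicious version string: {version!r}")
    return ["dpkg", "--compare-versions", version, "lt", FIXED_VERSION]


def is_older_than_fix(version: str) -> bool:
    """Run the argv form (only where dpkg exists) and report whether the
    given version is older than FIXED_VERSION."""
    if shutil.which("dpkg") is None:
        raise RuntimeError("dpkg not available on this host")
    return subprocess.run(safe_argv(version)).returncode == 0


if __name__ == "__main__":
    hostile = "6.4.4; touch /tmp/pwned"   # constructed MITM-supplied version
    print("unsafe:", unsafe_command_line(hostile))
    print("quoted:", quoted_for_shell(hostile))
    try:
        safe_argv(hostile)
    except ValueError as exc:
        print("argv form:", exc)
    print("argv form, legitimate value:", safe_argv("6.4.3"))
```

The allow-list is the part worth copying: a rejected value is logged and dropped, so even a future code path that does build a shell string never sees metacharacters. Quoting alone (the `shlex.quote` form) only protects the one call site where it is applied.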

For the stable distribution (wheezy), this problem has been fixed in version 6.4.4+deb7u1.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 6.5.0+nmu1.

We recommend that you upgrade your reportbug packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQIcBAEBCgAGBQJT4R2DAAoJEAVMuPMTQ89EQ3IP/jpMDvRgkU3Qf9zVnbsqBudl

ChgkyXxAFvsCOUSB9IwXdaBX4pd6B4g/3hxXlrp6CO2iA+dYIqx8Ih57kQSFU5aJ

dSyR7VmEu2VuiEHi9cRIc/857Eye5iZHiuRQPfwYIfQgKAaNwFSdEAfcKuUS3zJu

yE5TCVRXuS4W32iqgjVbpGgBzlbX+8IssqFvh/9Rx/FJvfHHTx3QS4TUyxC93bgf

aIWdggniW3NmKhvE0IlrnAU+vUQMivWaOw2zocXUjKwoXPSm3dpXC9HWGwbwUYwf

ebggLC/RMdS353+GsS3wXfyueD4dSLoDnCcOAzzl1Q8iFnrtPmDre3XWzvMeGEPy

IuvK64Ulmpy83ZmpL7yBJMjCH/oivFeax9SeQwpP/UY0vg1s7awQT69DiO2tr7t4

v8HVPTUhfakKlagIqda+CHIX8i/6cu8d0QInwdk0EaFJinO4MBeYq/7/SD1AkW8e

8jsGAFZjcpMHYLpbeoVVWTZjLz/qIlIAiIUZ89RGqiDn2Ws84OzgwCku9ABZyKJd

QAK2VkEWISk7h1olnDfOkYPCtTlmH1KaAmlhVYPXdKGHx+bmEwuLzutjnRSrIJYv

MQYESsZlrqMePs1NwOuWj2C7io8uLapgr+Ity57xYaZ2mGx+CO0Is9sUyQ7Blsqw

HsWQa6M8WJz3bcLpjrpw

=+VYD

-----END PGP SIGNATURE-----


Archive: https://lists.debian.org/E1XEjA6-0006qk-4I@master.debian.org




[USN-2306-2] GNU C Library regression

IT security reports, Linux. Created by J. Halex, Tue, August 05, 2014 21:51:22

==========================================================================

Ubuntu Security Notice USN-2306-2

August 05, 2014

eglibc regression

==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.04 LTS

Summary:

USN-2306-1 introduced a regression in the GNU C Library.

Software Description:

- eglibc: GNU C Library

Details:

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS, the security update caused a regression in certain environments that use the Name Service Caching Daemon (nscd), such as those configured for LDAP or MySQL authentication. In these environments, including those configured for unattended updates, the nscd daemon may need to be stopped manually for name resolution to resume working so that the updates can be downloaded.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS. (CVE-2013-4357)

It was discovered that the GNU C Library incorrectly handled the getaddrinfo() function. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-4458)

Stephane Chazelas discovered that the GNU C Library incorrectly handled locale environment variables. An attacker could use this issue to possibly bypass certain restrictions such as the ForceCommand restrictions in OpenSSH. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C Library incorrectly handled posix_spawn_file_actions_addopen() path arguments. An attacker could use this issue to cause a denial of service. (CVE-2014-4043)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.04 LTS:

libc6 2.11.1-0ubuntu7.15

After a standard system update you need to reboot your computer to make all the necessary changes.

References:

http://www.ubuntu.com/usn/usn-2306-2

http://www.ubuntu.com/usn/usn-2306-1

https://launchpad.net/bugs/1352504

Package Information:

https://launchpad.net/ubuntu/+source/eglibc/2.11.1-0ubuntu7.15




[SECURITY] [DSA 2992-1] linux security update

IT security reports, Linux. Created by J. Halex, Wed, July 30, 2014 10:19:41

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

- -------------------------------------------------------------------------

Debian Security Advisory DSA-2992-1 security@debian.org

http://www.debian.org/security/ Salvatore Bonaccorso

July 29, 2014 http://www.debian.org/security/faq

- -------------------------------------------------------------------------

Package : linux

CVE ID : CVE-2014-3534 CVE-2014-4667 CVE-2014-4943

Debian Bug : 728705

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation:

CVE-2014-3534

Martin Schwidefsky of IBM discovered that the ptrace subsystem does not properly sanitize the psw mask value. On s390 systems, an unprivileged local user could use this flaw to set the address space control bits to a kernel-space combination and thus gain read/write access to kernel memory.

CVE-2014-4667

Gopal Reddy Kodudula of Nokia Siemens Networks discovered that the sctp_association_free function does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet.

CVE-2014-4943

Sasha Levin discovered a flaw in the Linux kernel's point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). An unprivileged local user could use this flaw for privilege escalation.

For the stable distribution (wheezy), these problems have been fixed in version 3.2.60-1+deb7u3.

For the unstable distribution (sid), these problems have been fixed in version 3.14.13-2.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQIcBAEBCgAGBQJT1zuqAAoJEAVMuPMTQ89EFZEP+gMpesreXSVTK6H/WKOxAQty

2Job+gY43NY21tSzKZUbatJIhhq+9a4BPzspZuV66h35ITmI+DzhyKNQnUUdrrUu

h8pt81OixydxGKifFCldbfjDucy5Tm6Akn8iPlOWgMTNGHWDLhNCy2yZw3cG4CMd

vv9NRu++kPQBxJ2rpt8DcWuU133xNJwS/VSOlUk4z6A535TEAngOggnfGj2Y+4Xp

MmBuGW+PohmXhhbE64WM3KX2vmC38p/hpXQt/PfbGypJkeiTkJLjYCpCLhwEpKch

fzfcjC34EcZt//Jnbg4Nqu0/SVwEf1fsbL+ETGBE1HoKciXJg8eUnZMA2+UKlrIl

ud2EHEObGyly1FSdKvD7CXIH1I+krCtPO8oSQHeiH0kbMyWOm3s7HcV6YMsOc3K7

Vl2oH3mXWjY+zLOZfjaTGeG/5M07sjM12TGZ6UpuhazcRn7YHys+SgxCM3ic4aW+

nANCT/e2CZS53Gg5UvrmHnFjwela3pk8fVyVgaS/27lxbYql4IrydW0Gsc1x+TEb

ArisHmbWhG0HJnrEOY3fay7bZ8XjmKnALr/f7HxtSkYDG1VcwKi3oR8B6SGcefdO

jSCS+KXU4I11cYg5qfHiTC5VuWfGJOEKlGkFO4G8GcKR0FNnsluJ/G//6fgUeqQ/

jaUiUlTQMFdNhomFFIy4

=hzfh

-----END PGP SIGNATURE-----


Archive: https://lists.debian.org/E1XC16m-0003Ua-So@master.debian.org


