Michal Zalewski discovered that unzip incorrectly handled certain
malformed zip archives. If a user or automated system were tricked into
processing a specially crafted zip archive, an attacker could possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: unzip

6.0-12ubuntu1.2
Ubuntu 14.04 LTS:: unzip

6.0-9ubuntu1.2
Ubuntu 12.04 LTS:: unzip

6.0-4ubuntu2.2
Ubuntu 10.04 LTS:: unzip

6.0-1ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9636

Ubuntu

USN-2490-1: Linux kernel vulnerabilities

February 4, 2015 007admin

Ubuntu Security Notice USN-2490-1

3rd February, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Andy Lutomirski discovered an information leak in the Linux kernel’s Thread
Local Storage (TLS) implementation allowing users to bypass the espfix to
obtain information that could be used to bypass the Address Space Layout
Randomization (ASLR) protection mechanism. A local user could exploit this
flaw to obtain potentially sensitive information from kernel memory.
(CVE-2014-8133)

Prasad J Pandit reported a flaw in the rock_continue function of the Linux
kernel’s ISO 9660 CDROM file system. A local user could exploit this flaw
to cause a denial of service (system crash or hang). (CVE-2014-9420)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:: linux-image-2.6.32-72-386

2.6.32-72.139; linux-image-2.6.32-72-preempt

2.6.32-72.139; linux-image-2.6.32-72-powerpc-smp

2.6.32-72.139; linux-image-2.6.32-72-ia64

2.6.32-72.139; linux-image-2.6.32-72-generic-pae

2.6.32-72.139; linux-image-2.6.32-72-virtual

2.6.32-72.139; linux-image-2.6.32-72-sparc64

2.6.32-72.139; linux-image-2.6.32-72-lpia

2.6.32-72.139; linux-image-2.6.32-72-versatile

2.6.32-72.139; linux-image-2.6.32-72-sparc64-smp

2.6.32-72.139; linux-image-2.6.32-72-generic

2.6.32-72.139; linux-image-2.6.32-72-powerpc

2.6.32-72.139; linux-image-2.6.32-72-server

2.6.32-72.139; linux-image-2.6.32-72-powerpc64-smp

2.6.32-72.139

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-8133,

CVE-2014-9420

Ubuntu

USN-2491-1: Linux kernel (EC2) vulnerabilities

February 4, 2015 007admin

Ubuntu Security Notice USN-2491-1

3rd February, 2015

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ec2
– Linux kernel for EC2

Details

Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)

Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT i/o ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can exploit this flaw to cause a denial of service (kernel
panic) on the host. (CVE-2014-3610)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:: linux-image-2.6.32-375-ec2

2.6.32-375.92

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2492-1: Linux kernel vulnerabilities

February 4, 2015 007admin

Ubuntu Security Notice USN-2492-1

3rd February, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

A flaw was discovered with file renaming in the linux kernel. A local user
could exploit this flaw to cause a denial of service (deadlock and system
hang). (CVE-2014-8559)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-76-highbank

3.2.0-76.111; linux-image-3.2.0-76-virtual

3.2.0-76.111; linux-image-3.2.0-76-powerpc64-smp

3.2.0-76.111; linux-image-3.2.0-76-generic-pae

3.2.0-76.111; linux-image-3.2.0-76-omap

3.2.0-76.111; linux-image-3.2.0-76-generic

3.2.0-76.111; linux-image-3.2.0-76-powerpc-smp

3.2.0-76.111

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-8133,

CVE-2014-8559,

CVE-2014-9420

Ubuntu

USN-2493-1: Linux kernel (OMAP4) vulnerabilities

February 4, 2015 007admin

Ubuntu Security Notice USN-2493-1

3rd February, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

A flaw was discovered with file renaming in the linux kernel. A local user
could exploit this flaw to cause a denial of service (deadlock and system
hang). (CVE-2014-8559)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-1459-omap4

3.2.0-1459.79

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-8133,

CVE-2014-8559,

CVE-2014-9420

Avira

Is the Maker Movement a security threat?

February 4, 2015 007admin

For a lot of budding technology creators, software programming has been one of the best places to start, but thanks to the Maker Movement (which is powered by people who want to build things and tinker with hardware), hardware projects are also becoming a great way to learn about technology and build interesting and interactive things. In fact, if you’ve heard about Arduino or Raspberry Pi, then you’re already familiar with some of the devices that are being used as part of the Maker Movement.

The educational possibilities with this DIY hardware are endless, but just like with anything solidly based in technology, there are security concerns to think about. When we think about hacking attacks, we usually think of software that’s been designed by hackers to cause problems or steal data, but with the rise of DIY hardware, hackers now have another outlet in which they can orchestrate sophisticated attacks.

You see, if a regular computer user can use open hardware to build and program a physical device, then a skilled hacker can easily build a device that has security threats embedded within. One individual even showed how you can build a USB device that can hack a computer in about sixty seconds.

Some of these threats can sound pretty dramatic, but if you avoid plugging in or interacting with unknown homemade hardware devices, then you’re taking the right step to keep yourself protected. For years, we’ve had to train ourselves to be careful about where we click, but thanks to the Maker Movement, we also need to start training ourselves to be more cautious about hardware, too.

The post Is the Maker Movement a security threat? appeared first on Avira Blog.

Fedora

Fedora 20 Security Update: lcms-1.19-13.fc20

February 3, 2015 007admin

Resolved Bugs
992975 – CVE-2013-4276 lcms: Stack-based buffer overflows in ColorSpace conversion calculator and TIFF compare utility
992979 – lcms: Stack-based buffer overflows in ColorSpace conversion calculator and TIFF compare utility [fedora-all]
1003950 – Use of uninitialized values on 64 bit machines.<br
* apply patch for CVE-2013-4276
* apply patch for “Use of uninitialized values on 64 bit machines.”

Fedora

Fedora 21 Security Update: kernel-3.18.5-201.fc21

February 3, 2015 007admin

Resolved Bugs
1188074 – adjtimex fails with kernel-3.18.5 when ca
1183744 – kernel: net: DoS due to routing packets to too many different dsts/too fast
1188347 – kernel: net: DoS due to routing packets to too many different dsts/too fast [fedora-all]
1186448 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
1186453 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code [fedora-all]<br
This update should fix the adjtimex issues seen on 32bit systems with 3.18.5-200
The 3.18.5 stable update contains a number of important fixes across the tree.
The 3.18.4 stable update contains a number of important fixes across the tree.

Fedora

Fedora 20 Security Update: kernel-3.18.5-101.fc20

February 3, 2015 007admin

Resolved Bugs
1188074 – adjtimex fails with kernel-3.18.5 when ca
1183744 – kernel: net: DoS due to routing packets to too many different dsts/too fast
1188347 – kernel: net: DoS due to routing packets to too many different dsts/too fast [fedora-all]
1186448 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
1186453 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code [fedora-all]<br
This update should fix the adjtimex issues seen on 32bit systems with 3.18.5-100
The 3.18.5 stable update contains a number of important fixes across the tree.
The 3.18.4 stable update contains a number new features and drivers as well as several important fixes across the tree.

Ubuntu Security Notice USN-2489-1

unzip vulnerability

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2490-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2491-1

linux-ec2 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2492-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2493-1

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information