Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2368-1: OpenVPN vulnerability

October 11, 2014 007admin Leave a comment

Ubuntu Security Notice USN-2368-1

2nd October, 2014

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

OpenVPN could be made to expose sensitive information over the network.

Software description

openvpn
– virtual private network software

Details

It was discovered that OpenVPN incorrectly handled HMAC comparisons when
running in UDP mode. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could possibly be used to perform a
plaintext recovery attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: openvpn

2.2.1-8ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-2061

Ubuntu

USN-2380-1: Bash vulnerabilities

October 11, 2014 007admin Leave a comment

Ubuntu Security Notice USN-2380-1

9th October, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

bash
– The GNU Bourne Again SHell

Details

Michal Zalewski discovered that Bash incorrectly handled parsing certain
function definitions. If an attacker were able to create an environment
variable containing a function definition with a very specific name, these
issues could possibly be used to bypass certain environment restrictions
and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278)

Please note that the previous Bash security update, USN-2364-1, includes
a hardening measure that prevents these issues from being used in a
Shellshock attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: bash

4.3-7ubuntu1.5
Ubuntu 12.04 LTS:: bash

4.2-2ubuntu2.6
Ubuntu 10.04 LTS:: bash

4.1-2ubuntu3.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6277,

CVE-2014-6278

Ubuntu

USN-2367-1: OpenSSL update

October 11, 2014 007admin Leave a comment

Ubuntu Security Notice USN-2367-1

2nd October, 2014

openssl update

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

OpenSSL TLSv1.2 support has been improved.

Software description

openssl
– Secure Socket Layer (SSL) cryptographic library and tools

Details

For compatibility reasons, OpenSSL in Ubuntu 12.04 LTS disables TLSv1.2
by default when being used as a client. When forcing the use of TLSv1.2,
another compatibility feature (OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) was used
that would truncate the cipher list. This would prevent certain ciphers
from being selected, and would prevent secure renegotiations. This update
removes the cipher list truncation workaround when forcing the use of
TLSv1.2.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: libssl1.0.0

1.0.1-4ubuntu5.18

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1376447

Ubuntu

USN-2381-1: Rsyslog vulnerabilities

October 11, 2014 007admin Leave a comment

Ubuntu Security Notice USN-2381-1

9th October, 2014

rsyslog vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Rsyslog could be made to crash if it received specially crafted input.

Software description

rsyslog
– Enhanced syslogd

Details

It was discovered that Rsyslog incorrectly handled invalid PRI values. An
attacker could use this issue to send malformed messages to the Rsyslog
server and cause it to stop responding, resulting in a denial of service
and possibly message loss. (CVE-2014-3634, CVE-2014-3683)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: rsyslog

7.4.4-1ubuntu2.3
Ubuntu 12.04 LTS:: rsyslog

5.8.6-1ubuntu8.9
Ubuntu 10.04 LTS:: rsyslog

4.2.0-2ubuntu8.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3634,

CVE-2014-3683

007 Software

Category Archives: Ubuntu

USN-2368-1: OpenVPN vulnerability

Ubuntu Security Notice USN-2368-1

openvpn vulnerability

Summary

Software description

Details

Update instructions

References

USN-2380-1: Bash vulnerabilities

Ubuntu Security Notice USN-2380-1

bash vulnerabilities

Summary

Software description

Details

Update instructions

References

USN-2367-1: OpenSSL update

Ubuntu Security Notice USN-2367-1

openssl update

Summary

Software description

Details

Update instructions

References

USN-2381-1: Rsyslog vulnerabilities

Ubuntu Security Notice USN-2381-1

rsyslog vulnerabilities

Summary

Software description

Details

Update instructions

References

Software and Security Information