Boletín de Seguridad de Ubuntu: las últimas vulnerabilidades

En detalle las vulnerabilidades publicadas en el Boletín Oficial de Ubuntu, relativas a la primera quincena del mes, en el período del 1 al 16/07/2009.

Se refieren obviamente a todas las versiones por las cuales todavìa Canonical brinda soporte técnico: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04.

Aplicables para: Ubuntu, Kubuntu, Edubuntu y Xubuntu

Ubuntu Security Notice USN-804-1 July 16, 2009 pulseaudio vulnerability CVE-2009-1894

A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: pulseaudio 0.9.10-1ubuntu1.1 Ubuntu 8.10: pulseaudio 0.9.10-2ubuntu9.4 Ubuntu 9.04: pulseaudio 1:0.9.14-0ubuntu20.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that PulseAudio did not safely re-execute itself. A local attacker could exploit this to gain root privileges.

Ubuntu Security Notice USN-803-1 July 14, 2009 dhcp3 vulnerability CVE-2009-0692

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: dhcp3-client 3.0.3-6ubuntu7.1 dhcp3-client-udeb 3.0.3-6ubuntu7.1 Ubuntu 8.04 LTS: dhcp3-client 3.0.6.dfsg-1ubuntu9.1 dhcp3-client-udeb 3.0.6.dfsg-1ubuntu9.1 Ubuntu 8.10: dhcp3-client 3.1.1-1ubuntu2.1 dhcp3-client-udeb 3.1.1-1ubuntu2.1 Ubuntu 9.04: dhcp3-client 3.1.1-5ubuntu8.1 dhcp3-client-udeb 3.1.1-5ubuntu8.1 After a standard system upgrade you need to restart any DHCP network connections utilizing dhclient3 to effect the necessary changes. Details follow: It was discovered that the DHCP client as included in dhcp3 did not verify the length of certain option fields when processing a response from an IPv4 dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a malicious dhcp server, a remote attacker could cause a denial of service or execute arbitrary code as the user invoking the program, typically the 'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker should only be able to cause a denial of service in the DHCP client. In Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3 profile.

Ubuntu Security Notice USN-802-1 July 13, 2009 apache2 vulnerabilities CVE-2009-1890, CVE-2009-1891

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: apache2-common 2.0.55-4ubuntu2.6 apache2-mpm-perchild 2.0.55-4ubuntu2.6 apache2-mpm-prefork 2.0.55-4ubuntu2.6 apache2-mpm-worker 2.0.55-4ubuntu2.6 libapr0 2.0.55-4ubuntu2.6 Ubuntu 8.04 LTS: apache2-mpm-event 2.2.8-1ubuntu0.10 apache2-mpm-perchild 2.2.8-1ubuntu0.10 apache2-mpm-prefork 2.2.8-1ubuntu0.10 apache2-mpm-worker 2.2.8-1ubuntu0.10 apache2.2-common 2.2.8-1ubuntu0.10 Ubuntu 8.10: apache2-mpm-event 2.2.9-7ubuntu3.2 apache2-mpm-prefork 2.2.9-7ubuntu3.2 apache2-mpm-worker 2.2.9-7ubuntu3.2 apache2.2-common 2.2.9-7ubuntu3.2 Ubuntu 9.04: apache2-mpm-event 2.2.11-2ubuntu2.2 apache2-mpm-prefork 2.2.11-2ubuntu2.2 apache2-mpm-worker 2.2.11-2ubuntu2.2 apache2.2-common 2.2.11-2ubuntu2.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that mod_proxy_http did not properly handle a large amount of streamed data when used as a reverse proxy. A remote attacker could exploit this and cause a denial of service via memory resource consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04. (CVE-2009-1890) It was discovered that mod_deflate did not abort compressing large files when the connection was closed. A remote attacker could exploit this and cause a denial of service via CPU resource consumption. (CVE-2009-1891)

Ubuntu Security Notice USN-801-1 July 13, 2009 tiff vulnerability CVE-2009-2347

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libtiff4 3.7.4-1ubuntu3.6 Ubuntu 8.04 LTS: libtiff4 3.8.2-7ubuntu3.4 Ubuntu 8.10: libtiff4 3.8.2-11ubuntu0.8.10.3 Ubuntu 9.04: libtiff4 3.8.2-11ubuntu0.9.04.3 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tielei Wang and Tom Lane discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, an attacker could execute arbitrary code with the privileges of the user invoking the program.

Ubuntu Security Notice USN-799-1 July 13, 2009 dbus vulnerability CVE-2009-1189

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libdbus-1-2 0.60-6ubuntu8.4 Ubuntu 8.04 LTS: libdbus-1-3 1.1.20-1ubuntu3.3 Ubuntu 8.10: libdbus-1-3 1.2.4-0ubuntu1.1 Ubuntu 9.04: libdbus-1-3 1.2.12-0ubuntu2.1 After a standard system upgrade you need to reboot your computer to effect the necessary changes. Details follow: It was discovered that the D-Bus library did not correctly validate signatures. If a local user sent a specially crafted D-Bus key, they could spoof a valid signature and bypass security policies.

Ubuntu Security Notice USN-800-1 July 13, 2009 irssi vulnerability CVE-2009-1959

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: irssi 0.8.10-1ubuntu1.1 Ubuntu 8.04 LTS: irssi 0.8.12-3ubuntu3.1 Ubuntu 8.10: irssi 0.8.12-4ubuntu2.1 Ubuntu 9.04: irssi 0.8.12-6ubuntu1.1 After a standard system upgrade you need to restart irssi to effect the necessary changes. Details follow: It was discovered that irssi did not properly check the length of strings when processing WALLOPS messages. If a user connected to an IRC network where an attacker had IRC operator privileges, a remote attacker could cause a denial of service.

Ubuntu Security Notice USN-797-1 July 06, 2009 tiff vulnerability CVE-2009-2285

A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libtiff4 3.7.4-1ubuntu3.4 Ubuntu 8.04 LTS: libtiff4 3.8.2-7ubuntu3.2 Ubuntu 8.10: libtiff4 3.8.2-11ubuntu0.8.10.1 Ubuntu 9.04: libtiff4 3.8.2-11ubuntu0.9.04.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, a remote attacker could cause an application linked against libtiff to crash, leading to a denial of service.

Ubuntu Security Notice USN-796-1 July 06, 2009 pidgin vulnerability CVE-2009-1889

A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: pidgin 1:2.4.1-1ubuntu2.5 Ubuntu 8.10: pidgin 1:2.5.2-0ubuntu1.3 Ubuntu 9.04: pidgin 1:2.5.5-1ubuntu8.3 After a standard system upgrade you need to restart Pidgin to effect the necessary changes. Details follow: Yuriy Kaminskiy discovered that Pidgin did not properly handle certain messages in the ICQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash.

Ubuntu Security Notice USN-795-1 July 02, 2009 nagios2, nagios3 vulnerability CVE-2009-2288

A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: nagios2 2.11-1ubuntu1.5 Ubuntu 8.10: nagios3 3.0.2-1ubuntu1.2 Ubuntu 9.04: nagios3 3.0.6-2ubuntu1.1 After a standard system upgrade you need to restart Nagios to effect the necessary changes. Details follow: It was discovered that Nagios did not properly parse certain commands submitted using the WAP web interface. An authenticated user could exploit this flaw and execute arbitrary programs on the server.

Ubuntu Security Notice USN-794-1 July 02, 2009 libcompress-raw-zlib-perl, perl vulnerability CVE-2009-1391

A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: libcompress-raw-zlib-perl 2.008-1ubuntu0.1 Ubuntu 8.10: libcompress-raw-zlib-perl 2.011-2ubuntu0.1 perl 5.10.0-11.1ubuntu2.3 Ubuntu 9.04: libcompress-raw-zlib-perl 2.015-1ubuntu0.1 perl 5.10.0-19ubuntu1.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that the Compress::Raw::Zlib Perl module incorrectly handled certain zlib compressed streams. If a user or automated system were tricked into processing a specially crafted compressed stream or file, a remote attacker could crash the application, leading to a denial of service.