[Bug 986892] Re: mysql-server postrm breaks apparmor profile for later versions on purge
** Changed in: mysql-5.5 (Ubuntu) Assignee: e75ice...@aol.com (e75iceman) = (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-5.1 in Ubuntu. https://bugs.launchpad.net/bugs/986892 Title: mysql-server postrm breaks apparmor profile for later versions on purge To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/986892/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 996162] Re: Please update Asterisk from Debian Sid
asterisk (1:1.8.11.1~dfsg-1) unstable; urgency=high . * New upstream release, Closes: #670180: - AST-2012-004 - further Manager permission fixes (CVE-2012-2414). - AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415). - AST-2012-006 - Remote crash on SIP UPDATE method (CVE-2012-2416). * Fix daemon status check in init.d script (Closes: #669378). * Patch menuselect_cflags: allow passing our flags to menuselect's build. - Use it t opass our CFLAGS to menuselect (Closes: #664086). ** Tags added: upgrade-software-version ** Bug watch added: Debian Bug tracker #670180 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180 ** Also affects: asterisk (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/996162 Title: Please update Asterisk from Debian Sid To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/996162/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] Re: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite t
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3863 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1023931] [NEW] (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408, 3864, 3865, 3866, 3867})
*** This bug is a security vulnerability *** Public security bug reported: http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18 This is a security release in the 2.7.x branch. CVE-2012-3864 Arbitrary file read on the puppet master from authenticated clients (high) It is possible to construct an HTTP get request from an authenticated client with a valid certificate that will return the contents of an arbitrary file on the Puppet master that the master has read-access to. CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from authenticated clients (high) Given a Puppet master with the Delete directive allowed in auth.conf for an authenticated host, an attacker on that host can send a specially crafted Delete request that can cause an arbitrary file deletion on the Puppet master, potentially causing a denial of service attack. Note that this vulnerability does *not* exist in Puppet as configured by default. CVE-2012-3866 last_run_report.yaml is world readable (medium) The most recent Puppet run report is stored on the Puppet master with world-readable permissions. The report file contains the context diffs of any changes to configuration on an agent, which may contain sensitive information that an attacker can then access. The last run report is overwritten with every Puppet run. Arbitrary file read on the Puppet master by an agent (medium) This vulnerability is dependent upon CVE-2012-3866 last_run_report.yml is world readable above. By creating a hard link of a Puppet-managed file to an arbitrary file that the Puppet master can read, an attacker forces the contents to be written to the puppet run summary. The context diff is stored in last_run_report.yaml, which can then be accessed by the attacker. CVE-2012-3867 Insufficient input validation for agent hostnames (low) An attacker could trick the administrator into signing an attacker's certificate rather than the intended one by constructing specially crafted certificate requests containing specific ANSI control sequences. It is possible to use the sequences to rewrite the order of text displayed to an administrator such that display of an invalid certificate and valid certificate are transposed. If the administrator signs the attacker's certificate, the attacker can then man-in-the-middle the agent. CVE-2012-3408 Agents with certnames of IP addresses can be impersonated (low) If an authenticated host with a certname of an IP address changes IP addresses, and a second host assumes the first host's former IP address, the second host will be treated by the puppet master as the first one, giving the second host access to the first host's catalog. Note: This will not be fixed in Puppet versions prior to the forthcoming 3.x. Instead, with this Puppet 2.7.18, IP-based authentication in Puppet 3.x is deprecated, and a warning will be issued when used. Hotfixes http://puppetlabs.com/security/cve/cve-2012-3408/hotfixes/ ** Affects: puppet (Ubuntu) Importance: Undecided Status: New ** Affects: gentoo Importance: Unknown Status: Unknown ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3408 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3864 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3865 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3866 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3867 ** Bug watch added: Gentoo Bugzilla #425112 https://bugs.gentoo.org/show_bug.cgi?id=425112 ** Also affects: gentoo via https://bugs.gentoo.org/show_bug.cgi?id=425112 Importance: Unknown Status: Unknown ** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to puppet in Ubuntu. https://bugs.launchpad.net/bugs/1023931 Title: (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408,3864,3865,3866,3867}) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1023931/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1023931] Re: (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408, 3864, 3865, 3866, 3867})
http://puppetlabs.com/security/cve/cve-2012-3864/hotfixes/ http://puppetlabs.com/security/cve/cve-2012-3865/hotfixes/ http://puppetlabs.com/security/cve/cve-2012-3866/hotfixes/ http://puppetlabs.com/security/cve/cve-2012-3867/hotfixes/ -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to puppet in Ubuntu. https://bugs.launchpad.net/bugs/1023931 Title: (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408,3864,3865,3866,3867}) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1023931/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] [NEW] (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite
*** This bug is a security vulnerability *** Public security bug reported: AST-2012-011 If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash. http://downloads.asterisk.org/pub/security/AST-2012-011.txt http://downloads.asterisk.org/pub/security/AST-2012-011.pdf http://downloads.asterisk.org/pub/security/AST-2012-011-1.8.diff http://downloads.asterisk.org/pub/security/AST-2012-011-10.diff ** Affects: asterisk (Ubuntu) Importance: Undecided Status: New ** Affects: asterisk (Debian) Importance: Unknown Status: Unknown ** Affects: asterisk (Fedora) Importance: Unknown Status: Unknown ** Affects: gentoo Importance: Unknown Status: Unknown ** Bug watch added: Red Hat Bugzilla #838179 https://bugzilla.redhat.com/show_bug.cgi?id=838179 ** Also affects: asterisk (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=838179 Importance: Unknown Status: Unknown ** Bug watch added: Gentoo Bugzilla #425050 https://bugs.gentoo.org/show_bug.cgi?id=425050 ** Also affects: gentoo via https://bugs.gentoo.org/show_bug.cgi?id=425050 Importance: Unknown Status: Unknown ** Summary changed: - (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application + (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] Re: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite t
AST-2012-010 If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports. References: http://downloads.asterisk.org/pub/security/AST-2012-010.pdf http://downloads.asterisk.org/pub/security/AST-2012-010.txt http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1009422] Re: (CVE-2012-1013) krb5 : kadmind denial of service
** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1009422 Title: (CVE-2012-1013) krb5 : kadmind denial of service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs