[Bug 986892] Re: mysql-server postrm breaks apparmor profile for later versions on purge
** Changed in: mysql-5.5 (Ubuntu) Assignee: e75ice...@aol.com (e75iceman) = (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to mysql-5.1 in Ubuntu. https://bugs.launchpad.net/bugs/986892 Title: mysql-server postrm breaks apparmor profile for later versions on purge To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/986892/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 996162] Re: Please update Asterisk from Debian Sid
asterisk (1:1.8.11.1~dfsg-1) unstable; urgency=high . * New upstream release, Closes: #670180: - AST-2012-004 - further Manager permission fixes (CVE-2012-2414). - AST-2012-005 - Heap overflow in chan_skinny (CVE-2012-2415). - AST-2012-006 - Remote crash on SIP UPDATE method (CVE-2012-2416). * Fix daemon status check in init.d script (Closes: #669378). * Patch menuselect_cflags: allow passing our flags to menuselect's build. - Use it t opass our CFLAGS to menuselect (Closes: #664086). ** Tags added: upgrade-software-version ** Bug watch added: Debian Bug tracker #670180 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180 ** Also affects: asterisk (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/996162 Title: Please update Asterisk from Debian Sid To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/996162/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] Re: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite t
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2012-3863 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1023931] [NEW] (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408, 3864, 3865, 3866, 3867})
*** This bug is a security vulnerability ***
Public security bug reported:
http://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes#2.7.18
This is a security release in the 2.7.x branch.
CVE-2012-3864 Arbitrary file read on the puppet master from
authenticated clients (high)
It is possible to construct an HTTP get request from an authenticated
client with a valid certificate that will return the contents of an arbitrary
file on the Puppet master that the master has read-access to.
CVE-2012-3865 Arbitrary file delete/D.O.S on Puppet Master from
authenticated clients (high)
Given a Puppet master with the Delete directive allowed in auth.conf
for an authenticated host, an attacker on that host can send a specially
crafted Delete request that can cause an arbitrary file deletion on the
Puppet master, potentially causing a denial of service attack. Note that
this vulnerability does *not* exist in Puppet as configured by default.
CVE-2012-3866 last_run_report.yaml is world readable (medium)
The most recent Puppet run report is stored on the Puppet master
with world-readable permissions. The report file contains the context
diffs of any changes to configuration on an agent, which may contain
sensitive information that an attacker can then access. The last run
report is overwritten with every Puppet run.
Arbitrary file read on the Puppet master by an agent (medium)
This vulnerability is dependent upon CVE-2012-3866 last_run_report.yml
is world readable above. By creating a hard link of a Puppet-managed
file to an arbitrary file that the Puppet master can read, an attacker forces
the contents to be written to the puppet run summary. The context diff is
stored in last_run_report.yaml, which can then be accessed by the
attacker.
CVE-2012-3867 Insufficient input validation for agent hostnames (low)
An attacker could trick the administrator into signing an attacker's
certificate rather than the intended one by constructing specially
crafted certificate requests containing specific ANSI control sequences.
It is possible to use the sequences to rewrite the order of text displayed
to an administrator such that display of an invalid certificate and valid
certificate are transposed. If the administrator signs the attacker's
certificate, the attacker can then man-in-the-middle the agent.
CVE-2012-3408 Agents with certnames of IP addresses can be impersonated
(low)
If an authenticated host with a certname of an IP address changes IP
addresses, and a second host assumes the first host's former IP
address, the second host will be treated by the puppet master as the
first one, giving the second host access to the first host's catalog.
Note: This will not be fixed in Puppet versions prior to the forthcoming
3.x. Instead, with this Puppet 2.7.18, IP-based authentication in
Puppet 3.x is deprecated, and a warning will be issued when used.
Hotfixes
http://puppetlabs.com/security/cve/cve-2012-3408/hotfixes/
** Affects: puppet (Ubuntu)
Importance: Undecided
Status: New
** Affects: gentoo
Importance: Unknown
Status: Unknown
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3408
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3864
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3865
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3866
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3867
** Bug watch added: Gentoo Bugzilla #425112
https://bugs.gentoo.org/show_bug.cgi?id=425112
** Also affects: gentoo via
https://bugs.gentoo.org/show_bug.cgi?id=425112
Importance: Unknown
Status: Unknown
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1023931
Title:
(CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and
earlier releases (CVE-(2012-{3408,3864,3865,3866,3867})
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1023931/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1023931] Re: (CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and earlier releases (CVE-(2012-{3408, 3864, 3865, 3866, 3867})
http://puppetlabs.com/security/cve/cve-2012-3864/hotfixes/
http://puppetlabs.com/security/cve/cve-2012-3865/hotfixes/
http://puppetlabs.com/security/cve/cve-2012-3866/hotfixes/
http://puppetlabs.com/security/cve/cve-2012-3867/hotfixes/
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to puppet in Ubuntu.
https://bugs.launchpad.net/bugs/1023931
Title:
(CVE-2012-3864) puppet: multiple vulnerabilities for 2.7.17 and
earlier releases (CVE-(2012-{3408,3864,3865,3866,3867})
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/puppet/+bug/1023931/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] [NEW] (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite
*** This bug is a security vulnerability *** Public security bug reported: AST-2012-011 If a single voicemail account is manipulated by two parties simultaneously, a condition can occur where memory is freed twice causing a crash. http://downloads.asterisk.org/pub/security/AST-2012-011.txt http://downloads.asterisk.org/pub/security/AST-2012-011.pdf http://downloads.asterisk.org/pub/security/AST-2012-011-1.8.diff http://downloads.asterisk.org/pub/security/AST-2012-011-10.diff ** Affects: asterisk (Ubuntu) Importance: Undecided Status: New ** Affects: asterisk (Debian) Importance: Unknown Status: Unknown ** Affects: asterisk (Fedora) Importance: Unknown Status: Unknown ** Affects: gentoo Importance: Unknown Status: Unknown ** Bug watch added: Red Hat Bugzilla #838179 https://bugzilla.redhat.com/show_bug.cgi?id=838179 ** Also affects: asterisk (Fedora) via https://bugzilla.redhat.com/show_bug.cgi?id=838179 Importance: Unknown Status: Unknown ** Bug watch added: Gentoo Bugzilla #425050 https://bugs.gentoo.org/show_bug.cgi?id=425050 ** Also affects: gentoo via https://bugs.gentoo.org/show_bug.cgi?id=425050 Importance: Unknown Status: Unknown ** Summary changed: - (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application + (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1022360] Re: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite t
AST-2012-010 If Asterisk sends a re-invite and an endpoint responds to the re-invite with a provisional response but never sends a final response, then the SIP dialog structure is never freed and the RTP ports for the call are never released. If an attacker has the ability to place a call, they could create a denial of service by using all available RTP ports. References: http://downloads.asterisk.org/pub/security/AST-2012-010.pdf http://downloads.asterisk.org/pub/security/AST-2012-010.txt http://downloads.asterisk.org/pub/security/AST-2012-010-10.diff http://downloads.asterisk.org/pub/security/AST-2012-010-1.8.diff -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to asterisk in Ubuntu. https://bugs.launchpad.net/bugs/1022360 Title: (CVE-2012-3812) CVE-2012-3812 asterisk: Remote crash vulnerability in voice mail application (CVE-2012-3863) CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1022360/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1009422] Re: (CVE-2012-1013) krb5 : kadmind denial of service
** Visibility changed to: Public -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1009422 Title: (CVE-2012-1013) krb5 : kadmind denial of service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
