
Security: Two issues in Update Manager (update)
Name: Two issues in Update Manager (update)
ID: USN-1284-2
Distribution: Ubuntu
Platforms: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Date: Thu, 16 February 2012, 22:32
References: Not specified
Applications: Update Manager
Update of: Two issues in Update Manager

Original message


==========================================================================
Ubuntu Security Notice USN-1284-2
February 16, 2012

update-manager regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

USN-1284-1 introduced a regression in Update Manager.

Software Description:
- update-manager: GNOME application that manages apt updates

Details:

USN-1284-1 fixed vulnerabilities in Update Manager. One of the fixes
introduced a regression for Kubuntu users attempting to upgrade to a newer
Ubuntu release. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

David Black discovered that Update Manager incorrectly extracted the
downloaded upgrade tarball before verifying its GPG signature. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
potentially be used to replace arbitrary files. (CVE-2011-3152)

David Black discovered that Update Manager created a temporary directory
in an insecure fashion. A local attacker could possibly use this flaw to
read the XAUTHORITY file of the user performing the upgrade.
(CVE-2011-3154)

This update also adds a hotfix to Update Notifier to handle cases where the
upgrade is being performed from CD media.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
update-manager-core 1:0.152.25.8

Ubuntu 11.04:
update-manager-core 1:0.150.5.2

Ubuntu 10.10:
update-manager-core 1:0.142.23.2

Ubuntu 10.04 LTS:
update-manager-core 1:0.134.11.2

Ubuntu 8.04 LTS:
update-manager-core 1:0.87.33

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1284-2
http://www.ubuntu.com/usn/usn-1284-1
https://launchpad.net/bugs/933225

Package Information:
https://launchpad.net/ubuntu/+source/update-manager/1:0.152.25.8
https://launchpad.net/ubuntu/+source/update-manager/1:0.150.5.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.142.23.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.134.11.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.87.33
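
The ordering that both original findings call for (check the signature before extracting, and unpack into a privately created temporary directory), shown as an added example that is not Update Manager's code or its actual fix. `unpack_verified`, its `verify` callback and the keyring path are hypothetical names, and the per-member path check goes beyond what the advisory describes.

```python
import os
import shutil
import subprocess
import tarfile
import tempfile


def gpgv_verify(tarball, signature, keyring):
    """True only if gpgv accepts the detached signature (keyring path is an assumption)."""
    cmd = ["gpgv", "--keyring", keyring, signature, tarball]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def unpack_verified(tarball, signature, verify, parent=None):
    """Verify the archive, then extract it into a private directory.

    verify is a callable(tarball, signature) -> bool, for example
    lambda t, s: gpgv_verify(t, s, "/path/to/trusted.gpg") (placeholder path).
    Returns the extraction directory; raises ValueError without keeping
    any archive content if a check fails.
    """
    # 1. Signature first: the download stays one opaque file until it is trusted.
    if not verify(tarball, signature):
        raise ValueError("signature verification failed; nothing extracted")

    # 2. mkdtemp picks an unpredictable name and creates the directory with
    #    mode 0700, so another local user cannot pre-create it or read from it.
    workdir = os.path.realpath(tempfile.mkdtemp(prefix="upgrade-", dir=parent))
    try:
        with tarfile.open(tarball) as tar:
            for member in tar.getmembers():
                # 3. Defence in depth: only plain files and directories, and
                #    every path must resolve inside workdir.
                target = os.path.realpath(os.path.join(workdir, member.name))
                inside = target == workdir or target.startswith(workdir + os.sep)
                if not inside or not (member.isfile() or member.isdir()):
                    raise ValueError("unsafe archive member: %r" % member.name)
            tar.extractall(workdir)
    except Exception:
        shutil.rmtree(workdir, ignore_errors=True)
        raise
    return workdir
```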


