Login
Newsletter
Werbung

Sicherheit: Zwei Probleme in MAAS
Aktuelle Meldungen Distributionen
Name: Zwei Probleme in MAAS
ID: USN-2105-1
Distribution: Ubuntu
Plattformen: Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10
Datum: Fr, 14. Februar 2014, 07:35
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1070
Applikationen: MAAS

Originalnachricht


--===============3061427382035331204==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="y0ulUmNC+osPPQO6"
Content-Disposition: inline


--y0ulUmNC+osPPQO6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-2105-1
February 13, 2014

maas vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

The cluster could be made to run programs as an administrator.

Software Description:
- maas: Ubuntu MAAS Server

Details:

James Troup discovered that MAAS stored RabbitMQ authentication
credentials in a world-readable file. A local authenticated user
could read this password and potentially gain privileges of other
user accounts. This update restricts the file permissions to prevent
unintended access. (CVE-2013-1070)

Chris Glass discovered that the MAAS API was vulnerable to cross-site
scripting vulnerabilities. With cross-site scripting vulnerabilities,
if a user were tricked into viewing a specially crafted page, a remote
attacker could exploit this to modify the contents, or steal confidential
data, within the same domain. (CVE-2013-1069)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
maas-region-controller 1.4+bzr1693+dfsg-0ubuntu2.3
python-django-maas 1.4+bzr1693+dfsg-0ubuntu2.3

Ubuntu 12.10:
maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1.2
python-django-maas 1.2+bzr1373+dfsg-0ubuntu1.2

Ubuntu 12.04 LTS:
maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1~12.04.5
python-django-maas 1.2+bzr1373+dfsg-0ubuntu1~12.04.5

After a standard system update you need to restart apache2 to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2105-1
CVE-2013-1069, CVE-2013-1070

Package Information:
https://launchpad.net/ubuntu/+source/maas/1.4+bzr1693+dfsg-0ubuntu2.3
https://launchpad.net/ubuntu/+source/maas/1.2+bzr1373+dfsg-0ubuntu1.2
https://launchpad.net/ubuntu/+source/maas/1.2+bzr1373+dfsg-0ubuntu1~12.04.5


--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJS/TA0AAoJEPMhclmdjS6XBOIH/j+HYgh1UX5Ympy45LzgSi1O
IhgGQ0p/WGxX8+6Ahd9RGS7ytGJcK9cY0pRN+bO6f6HRbrMGVzBM22R39qKEJLOI
MHF3kk72f5kPu2sxVobQbq82aZ3qSckTxnZMwq9dA9qyiGSUZYygcJhVBNIWH7Fd
xOUEeoFL7cQuOtYQhdTQ7SJkK9UCmg/clzLGMljZv8ni18O9I5fRqrvIWQb3AXdm
spAsgP3IWl7WmBfpNxWbtV+OUYGieoVbUYG+L3vDU1TAvJjUtm4yz38jKTxO/QX4
pjGhumgYiRdV5o8PAnPUW8YxRUOszjIvee3328VK36BndOKfwrKxU6d7Ax6mwoc=
=3Q1Y
-----END PGP SIGNATURE-----

--y0ulUmNC+osPPQO6--


--===============3061427382035331204==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============3061427382035331204==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung