Zwei Probleme in MAAS
ID: | USN-2105-1 |
Distribution: | Ubuntu |
Plattformen: | Ubuntu 12.04 LTS, Ubuntu 12.10, Ubuntu 13.10 |
Datum: | Fr, 14. Februar 2014, 07:35 |
Referenzen: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1070 |
Applikationen: | MAAS |
Originalnachricht |
|
--===============3061427382035331204== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="y0ulUmNC+osPPQO6" Content-Disposition: inline --y0ulUmNC+osPPQO6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ========================================================================== Ubuntu Security Notice USN-2105-1 February 13, 2014 maas vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: The cluster could be made to run programs as an administrator. Software Description: - maas: Ubuntu MAAS Server Details: James Troup discovered that MAAS stored RabbitMQ authentication credentials in a world-readable file. A local authenticated user could read this password and potentially gain privileges of other user accounts. This update restricts the file permissions to prevent unintended access. (CVE-2013-1070) Chris Glass discovered that the MAAS API was vulnerable to cross-site scripting vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing a specially crafted page, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2013-1069) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: maas-region-controller 1.4+bzr1693+dfsg-0ubuntu2.3 python-django-maas 1.4+bzr1693+dfsg-0ubuntu2.3 Ubuntu 12.10: maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1.2 python-django-maas 1.2+bzr1373+dfsg-0ubuntu1.2 Ubuntu 12.04 LTS: maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1~12.04.5 python-django-maas 1.2+bzr1373+dfsg-0ubuntu1~12.04.5 After a standard system update you need to restart apache2 to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2105-1 CVE-2013-1069, CVE-2013-1070 Package Information: https://launchpad.net/ubuntu/+source/maas/1.4+bzr1693+dfsg-0ubuntu2.3 https://launchpad.net/ubuntu/+source/maas/1.2+bzr1373+dfsg-0ubuntu1.2 https://launchpad.net/ubuntu/+source/maas/1.2+bzr1373+dfsg-0ubuntu1~12.04.5 --y0ulUmNC+osPPQO6 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQEcBAEBAgAGBQJS/TA0AAoJEPMhclmdjS6XBOIH/j+HYgh1UX5Ympy45LzgSi1O IhgGQ0p/WGxX8+6Ahd9RGS7ytGJcK9cY0pRN+bO6f6HRbrMGVzBM22R39qKEJLOI MHF3kk72f5kPu2sxVobQbq82aZ3qSckTxnZMwq9dA9qyiGSUZYygcJhVBNIWH7Fd xOUEeoFL7cQuOtYQhdTQ7SJkK9UCmg/clzLGMljZv8ni18O9I5fRqrvIWQb3AXdm spAsgP3IWl7WmBfpNxWbtV+OUYGieoVbUYG+L3vDU1TAvJjUtm4yz38jKTxO/QX4 pjGhumgYiRdV5o8PAnPUW8YxRUOszjIvee3328VK36BndOKfwrKxU6d7Ax6mwoc= =3Q1Y -----END PGP SIGNATURE----- --y0ulUmNC+osPPQO6-- --===============3061427382035331204== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce --===============3061427382035331204==-- |