"Ubuntu Security Notice USN-783-1 June 08, 2009
ecryptfs-utils vulnerability
CVE-2009-1296
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
ecryptfs-utils 73-0ubuntu6.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Chris Jones discovered that the eCryptfs support utilities would
report the mount passphrase into installation logs when an eCryptfs
home directory was selected during Ubuntu installation. The logs are
only readable by the root user, but this still left the mount passphrase
unencrypted on disk, potentially leading to a loss of privacy.
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1.diff.gz
Size/MD5: 12184 7f965e34c9eb44ceae0bafc65a3cc434
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1.dsc
Size/MD5: 1707 d12ca96dd31ab19e559d8e4a86052b4c
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73.orig.tar.gz
Size/MD5: 504056 cd1c344b4cabf16971a405db353cb5cd
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_amd64.deb
Size/MD5: 102032 cb22885adb2b4cab782ef18167fc94c6
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_amd64.deb
Size/MD5: 62688 be22d84e388e0dbecf4286ccdd829fb1
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_amd64.deb
Size/MD5: 68838 fe8104a4a5e469c6bd57378c5c0c40b2
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_i386.deb
Size/MD5: 96908 e737d11e4132c59d2ab3b97257010ebe
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_i386.deb
Size/MD5: 56284 d02501ddb287e2e32422570228ebc6a6
http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_i386.deb
Size/MD5: 65424 e8e6e045f06a6a43493f1b50c4f55138
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_lpia.deb
Size/MD5: 96272 23e8f81d0b3b678abf548d316ad13a8a
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_lpia.deb
Size/MD5: 55578 780f0e6fc6accf33b5a0419ddf3930c5
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_lpia.deb
Size/MD5: 63784 18a5b3f566928e63518fc5e2a87fd66e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_powerpc.deb
Size/MD5: 117060 479282ff1ba602eedaf6246770c276fc
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_powerpc.deb
Size/MD5: 63200 689a7a750b08350be0252dc6ad571b08
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_powerpc.deb
Size/MD5: 73604 2d03fa7da4649c06aa3b1d29a6512923
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_sparc.deb
Size/MD5: 97944 37ecc02c57e7ae4efd708cbb9bfc2d74
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_sparc.deb
Size/MD5: 58200 db71c5e6ad82ffdd119d739904e427d1
http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_sparc.deb
Size/MD5: 63088 6513b0bbbc6ec32c2360e05467470b8d
--H+4ONPRPur6+Ovig
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook
iEYEARECAAYFAkotfWYACgkQH/9LqRcGPm2AkQCgnwQbl7dHYj+M2hX5eGwQ4vCK
mnsAnRR2jkRZtbHo08JkATN/33G8Z1mB
=btJN
-----END PGP SIGNATURE-----
"
This entry was posted
on 8:55 PM
.
Archives
-
▼
2009
(488)
-
▼
June
(53)
- RHSA-2009:1127-01 Critical: kdelibs security update
- RHSA-2009:1128-01 Important: kdelibs security update
- USN-782-1: Thunderbird vulnerabilities
- RHSA-2009:1125-01 Moderate: thunderbird security u...
- RHSA-2009:1123-01 Moderate: gstreamer-plugins-good...
- USN-791-2: Moodle vulnerability
- RHSA-2009:1130-01 Critical: kdegraphics security u...
- RHSA-2009:1126-01 Moderate: thunderbird security u...
- DSA 1821-1: New amule packages fix insufficient in...
- RHSA-2009:1109-01 Critical: acroread security update
- DSA 1822-1: New mahara packages fix cross-site scr...
- DSA 1817-1: New ctorrent packages fix arbitrary co...
- RHSA-2009:1101-01 Moderate: cscope security update
- USN-788-1: Tomcat vulnerabilities
- DSA 1816-1: New apache2 packages fix privilege esc...
- RHSA-2009:1106-01 Important: kernel security and b...
- RHSA-2009:1102-01 Moderate: cscope security update
- DSA 1818-1: New gforge packages fix insufficient i...
- RHSA-2009:1100-01 Moderate: wireshark security update
- RHSA-2009:1107-01 Moderate: apr-util security update
- USN-775-2: Quagga regression
- DSA 1815-1: New libtorrent-rasterbar packages fix ...
- RHSA-2009:1096-01 Critical: seamonkey security update
- DSA 1814-1: New libsndfile packages fix arbitrary ...
- USN-784-1: ImageMagick vulnerability
- USN-785-1: ipsec-tools vulnerabilities
- RHSA-2009:1087-01 Important: mod_jk security update
- USN-783-1: eCryptfs vulnerability
- USN-781-1: Pidgin vulnerabilities
- RHSA-2009:1081-01 Important: kernel-rt security an...
- DSA 1809-1: New Linux 2.6.26 packages fix several ...
- RHSA-2009:1082-01 Important: cups security update
- USN-780-1: CUPS vulnerability
- USN-780-1: CUPS vulnerability
- DSA 1810-1: New cups/cupsys packages fix denial of...
- DSA 1812-1: New apr-util packages fix several vuln...
- RHSA-2009:1083-01 Important: cups security update
- USN-781-2: Gaim vulnerabilities
- RHSA-2009:1077-01 Important: kernel security and b...
- DSA 1810-1: New libapache-mod-jk packages fix info...
- USN-778-1: cron vulnerability
- RHSA-2009:1076-01 Low: Red Hat Enterprise Linux 2....
- DSA 1807-1: New cyrus-sasl2/cyrus-sasl2-heimdal pa...
- GLSA 200905-06 acpid: Denial of Service
- DSA 1805-1: New pidgin packages fix several vulner...
- GLSA 200905-08 NTP: Remote execution of arbitrary...
- GLSA 200905-07 Pidgin: Multiple vulnerabilities
- RHSA-2009:1067-01 Moderate: Red Hat Application St...
- RHSA-2009:1075-01 Moderate: httpd security update
- GLSA 200905-09 libsndfile: User-assisted executio...
- RHSA-2009:1066-01 Important: squirrelmail security...
- GLSA 200905-03 IPSec Tools: Denial of Service
- GLSA 200905-05 FreeType: Multiple vulnerabilities
-
▼
June
(53)