USN-612-6: OpenVPN regression
Description:
===========================================================
Ubuntu Security Notice USN-612-6 May 14, 2008
openvpn regression
https://launchpad.net/bugs/230193
https://launchpad.net/bugs/230208
http://www.ubuntu.com/usn/usn-612-3
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
openssl-blacklist 0.1-0ubuntu0.7.04.2
openvpn 2.0.9-5ubuntu0.2
Ubuntu 7.10:
openssl-blacklist 0.1-0ubuntu0.7.10.2
openvpn 2.0.9-8ubuntu0.2
Ubuntu 8.04 LTS:
openssl-blacklist 0.1-0ubuntu0.8.04.2
openvpn 2.1~rc7-1ubuntu3.2
After a standard system upgrade you need to restart openvpn to effect
the necessary changes.
Details follow:
USN-612-3 addressed a weakness in OpenSSL certificate and keys
generation in OpenVPN by adding checks for vulnerable certificates
and keys to OpenVPN. A regression was introduced in OpenVPN when
using TLS, multi-client/server mode, and specifying a user or group
which caused OpenVPN to not start when using valid SSL certificates.
It was also found that openssl-vulnkey from openssl-blacklist
would fail when stderr was not available. This caused OpenVPN to
fail to start when used with applications such as NetworkManager.
This update fixes these problems. We apologize for the
inconvenience.
Original advisory details:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.
USN-612-5: OpenSSH update
Description:
===========================================================
Ubuntu Security Notice USN-612-5 May 14, 2008
openssh update
https://launchpad.net/bugs/230029
http://www.ubuntu.com/usn/usn-612-2
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
openssh-client 1:4.3p2-8ubuntu1.4
openssh-client-udeb 1:4.3p2-8ubuntu1.4
Ubuntu 7.10:
openssh-client 1:4.6p1-5ubuntu0.5
openssh-client-udeb 1:4.6p1-5ubuntu0.5
Ubuntu 8.04 LTS:
openssh-client 1:4.7p1-8ubuntu1.2
openssh-client-udeb 1:4.7p1-8ubuntu1.2
After performing a standard system upgrade, users are encouraged to
re-run ssh-vulnkey on their systems.
Details follow:
Matt Zimmerman discovered that entries in ~/.ssh/authorized_keys
with options (such as "no-port-forwarding" or forced commands) were
ignored by the new ssh-vulnkey tool introduced in OpenSSH (see
USN-612-2). This could cause some compromised keys not to be
listed in ssh-vulnkey's output.
This update also adds more information to ssh-vulnkey's manual page.
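The gap described above follows from the authorized_keys line format, in which an optional options field (which may contain quoted spaces and commas) precedes the key type. As an added example, not code from ssh-vulnkey or from this advisory, the sketch below puts an option-aware parse beside one that drops such lines; the key blobs, the blacklist set and all function names are constructed for illustration, and the real blacklist file format is not modelled.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # public key types of that OpenSSH era


def split_options(line):
    """Split a line into (options, rest) at the first blank outside quotes."""
    in_quotes = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes and i + 1 < len(line):
            i += 2  # a backslash inside quotes escapes the next character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()


def fingerprint(b64_blob):
    """MD5 fingerprint of the decoded key blob, as colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_entries(text, handle_options=True):
    """Yield (options, keytype, fingerprint) for each key line.

    handle_options=False drops every line whose first field is not a key
    type, so option-prefixed entries are never checked.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, fields = "", line.split(None, 2)
        if fields[0] not in KEY_TYPES:
            if not handle_options:
                continue
            options, rest = split_options(line)
            fields = rest.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue
        try:
            yield options, fields[0], fingerprint(fields[1])
        except ValueError:  # malformed base64 in the key field
            continue


def _blob(label):
    return base64.b64encode(label).decode()


# Constructed sample: placeholder blobs, not real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-rsa %s alice@laptop" % _blob(b"constructed-key-A"),
    "no-port-forwarding ssh-rsa %s bob@build" % _blob(b"constructed-key-B"),
    'command="rsync --server, backup",no-pty ssh-dss %s backup@nas'
    % _blob(b"constructed-key-C"),
])
# Constructed blacklist: full fingerprints of the two option-prefixed keys.
BLACKLIST = {fingerprint(_blob(b"constructed-key-B")),
             fingerprint(_blob(b"constructed-key-C"))}


def flagged(text, handle_options=True):
    """Return (options, fingerprint) for entries found in BLACKLIST."""
    return [(o, fp) for o, _, fp in parse_entries(text, handle_options)
            if fp in BLACKLIST]


if __name__ == "__main__":
    print("option-aware:", flagged(SAMPLE))
    print("options ignored:", flagged(SAMPLE, handle_options=False))
```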
Original advisory details:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.
USN-612-4: ssl-cert vulnerability
Referenced CVEs:
CVE-2008-0166
Description:
===========================================================
Ubuntu Security Notice USN-612-4 May 14, 2008
ssl-cert vulnerability
CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
ssl-cert 1.0.13-0ubuntu0.7.04.1
Ubuntu 7.10:
ssl-cert 1.0.14-0ubuntu0.7.10.1
Ubuntu 8.04 LTS:
ssl-cert 1.0.14-0ubuntu2.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-612-1 fixed vulnerabilities in openssl. This update provides the
corresponding updates for ssl-cert -- potentially compromised snake-oil
SSL certificates will be regenerated.
Original advisory details:
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.
This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems. (CVE-2008-0166)
== Who is affected ==
Systems which are running any of the following releases:
* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)
and have openssh-server installed or have been used to create an
OpenSSH key or X.509 (SSL) certificate.
All OpenSSH and X.509 keys generated on such systems must be
considered untrustworthy, regardless of the system on which they
are used, even after the update has been applied.
This includes the automatically generated host keys used by OpenSSH,
which are the basis for its server spoofing and man-in-the-middle
protection.
USN-612-3: OpenVPN vulnerability
Referenced CVEs:
CVE-2008-0166
Description:
===========================================================
Ubuntu Security Notice USN-612-3 May 13, 2008
openvpn vulnerability
CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
===========================================================
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of shared encryption keys and SSL/TLS
certificates in OpenVPN.
This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems.
The following Ubuntu releases are affected:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
openvpn 2.0.9-5ubuntu0.1
Ubuntu 7.10:
openvpn 2.0.9-8ubuntu0.1
Ubuntu 8.04 LTS:
openvpn 2.1~rc7-1ubuntu3.1
Details follow:
Once the update is applied, weak shared encryption keys and
SSL/TLS certificates will be rejected where possible (though
they cannot be detected in all cases). If you are using such
keys or certificates, OpenVPN will not start and the keys or
certificates will need to be regenerated.
The safest course of action is to regenerate all OpenVPN
certificates and key files, except where it can be established
to a high degree of certainty that the certificate or shared key
was generated on an unaffected system.
Once the update is applied, you can check for weak OpenVPN shared
secret keys with the openvpn-vulnkey command.
$ openvpn-vulnkey /path/to/key
OpenVPN shared keys can be regenerated using the openvpn command.
$ openvpn --genkey --secret /path/to/key
Additionally, you can check for weak SSL/TLS certificates by
installing openssl-blacklist via your package manager, and using
the openssl-vulnkey command.
$ openssl-vulnkey /path/to/key
Please note that openssl-vulnkey only checks RSA private keys
with 1024 and 2048 bit lengths. If in doubt, destroy the
certificate and/or key and generate a new one. Please consult the
OpenVPN documentation when recreating SSL/TLS certificates.
Also, if certificates have been generated for use on other systems,
they must be found and replaced as well.
USN-612-2: OpenSSH vulnerability
Referenced CVEs:
CVE-2008-0166
Description:
===========================================================
Ubuntu Security Notice USN-612-2 May 13, 2008
openssh vulnerability
CVE-2008-0166, http://www.ubuntu.com/usn/usn-612-1
===========================================================
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH.
This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems.
The following Ubuntu releases are affected:
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
Updating your system:
1. Install the security updates
Ubuntu 7.04:
openssh-client 1:4.3p2-8ubuntu1.3
openssh-server 1:4.3p2-8ubuntu1.3
Ubuntu 7.10:
openssh-client 1:4.6p1-5ubuntu0.3
openssh-server 1:4.6p1-5ubuntu0.3
Ubuntu 8.04 LTS:
openssh-client 1:4.7p1-8ubuntu1.1
openssh-server 1:4.7p1-8ubuntu1.1
Once the update is applied, weak user keys will be automatically
rejected where possible (though they cannot be detected in all
cases). If you are using such keys for user authentication,
they will immediately stop working and will need to be replaced
(see step 3).
OpenSSH host keys can be automatically regenerated when the
OpenSSH security update is applied. The update will prompt for
confirmation before taking this step.
2. Update OpenSSH known_hosts files
The regeneration of host keys will cause a warning to be displayed
when connecting to the system using SSH until the host key is
updated in the known_hosts file. The warning will look like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that the RSA host key has just been
changed.
In this case, the host key has simply been changed, and you
should update the relevant known_hosts file as indicated in the
error message.
3. Check all OpenSSH user keys
The safest course of action is to regenerate all OpenSSH user
keys, except where it can be established to a high degree of
certainty that the key was generated on an unaffected system.
Check whether your key is affected by running the ssh-vulnkey
tool, included in the security update. By default, ssh-vulnkey
will check the standard location for user keys (~/.ssh/id_rsa,
~/.ssh/id_dsa and ~/.ssh/identity), your authorized_keys file
(~/.ssh/authorized_keys and ~/.ssh/authorized_keys2), and the
system's host keys (/etc/ssh/ssh_host_dsa_key and
/etc/ssh/ssh_host_rsa_key).
To check all your own keys, assuming they are in the standard
locations (~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity):
$ ssh-vulnkey
To check all keys on your system:
$ sudo ssh-vulnkey -a
To check a key in a non-standard location:
$ ssh-vulnkey /path/to/key
If ssh-vulnkey says "COMPROMISED", the key is vulnerable and
should be replaced.
If ssh-vulnkey says "Unknown (no blacklist information)",
then it has no information about whether that key is affected
because the key is of a type for which no blacklist is
available.
If in doubt, destroy the key and generate a new one.
4. Regenerate any affected user keys
OpenSSH keys used for user authentication must be manually
regenerated, including those which may have since been
transferred to a different system after being generated.
New keys can be generated using ssh-keygen, e.g.:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 user@host
5. Update authorized_keys files (if necessary)
Once the user keys have been regenerated, the relevant public
keys must be propagated to any authorized_keys files on
remote systems. Be sure to delete the affected key.
USN-612-1: OpenSSL vulnerability
Referenced CVEs:
CVE-2008-0166
Description:
===========================================================
Ubuntu Security Notice USN-612-1 May 13, 2008
openssl vulnerability
CVE-2008-0166
===========================================================
A weakness has been discovered in the random number generator used
by OpenSSL on Debian and Ubuntu systems. As a result of this
weakness, certain encryption keys are much more common than they
should be, such that an attacker could guess the key through a
brute-force attack given minimal knowledge of the system. This
particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates.
This vulnerability only affects operating systems which (like
Ubuntu) are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.
We consider this an extremely serious vulnerability, and urge all
users to act immediately to secure their systems. (CVE-2008-0166)
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
== Who is affected ==
Systems which are running any of the following releases:
* Ubuntu 7.04 (Feisty)
* Ubuntu 7.10 (Gutsy)
* Ubuntu 8.04 LTS (Hardy)
* Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
* Debian 4.0 (etch) (see corresponding Debian security advisory)
and have openssh-server installed or have been used to create an
OpenSSH key or X.509 (SSL) certificate.
All OpenSSH and X.509 keys generated on such systems must be
considered untrustworthy, regardless of the system on which they
are used, even after the update has been applied.
This includes the automatically generated host keys used by OpenSSH,
which are the basis for its server spoofing and man-in-the-middle
protection.
Blacklists have been created for certain known-vulnerable keys and
certificates. Please see the following advisories for more
information:
http://www.ubuntu.com/usn/usn-612-2 (OpenSSH)
http://www.ubuntu.com/usn/usn-612-3 (OpenVPN)
http://www.ubuntu.com/usn/usn-612-4 (ssl-cert)
http://www.ubuntu.com/usn/usn-612-5 (OpenSSH update)
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.04:
libssl0.9.8 0.9.8c-4ubuntu0.3
Ubuntu 7.10:
libssl0.9.8 0.9.8e-5ubuntu3.2
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.1
USN-611-3: GStreamer Good Plugins vulnerability
Referenced CVEs:
CVE-2008-1686
Description:
===========================================================
Ubuntu Security Notice USN-611-3 May 08, 2008
gst-plugins-good0.10 vulnerability
CVE-2008-1686
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
gstreamer0.10-plugins-good 0.10.3-0ubuntu4.1
Ubuntu 7.04:
gstreamer0.10-plugins-good 0.10.5-1ubuntu2.1
Ubuntu 7.10:
gstreamer0.10-plugins-good 0.10.6-0ubuntu4.1
Ubuntu 8.04 LTS:
gstreamer0.10-plugins-good 0.10.7-3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-611-1 fixed a vulnerability in Speex. This update provides the
corresponding update for GStreamer Good Plugins.
Original advisory details:
It was discovered that Speex did not properly validate its input when
processing Speex file headers. If a user or automated system were
tricked into opening a specially crafted Speex file, an attacker could
create a denial of service in applications linked against Speex or
possibly execute arbitrary code as the user invoking the program.
USN-611-2: vorbis-tools vulnerability
Referenced CVEs:
CVE-2008-1686
Description:
===========================================================
Ubuntu Security Notice USN-611-2 May 08, 2008
vorbis-tools vulnerability
CVE-2008-1686
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
vorbis-tools 1.1.1-3ubuntu0.1
Ubuntu 7.04:
vorbis-tools 1.1.1-6ubuntu0.1
Ubuntu 7.10:
vorbis-tools 1.1.1-13ubuntu0.1
Ubuntu 8.04 LTS:
vorbis-tools 1.1.1-15ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
USN-611-1 fixed a vulnerability in Speex. This update provides the
corresponding update for ogg123, part of vorbis-tools.
Original advisory details:
It was discovered that Speex did not properly validate its input when
processing Speex file headers. If a user or automated system were
tricked into opening a specially crafted Speex file, an attacker could
create a denial of service in applications linked against Speex or
possibly execute arbitrary code as the user invoking the program.
USN-611-1: Speex vulnerability
Referenced CVEs:
CVE-2008-1686
Description:
===========================================================
Ubuntu Security Notice USN-611-1 May 08, 2008
speex vulnerability
CVE-2008-1686
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libspeex1 1.1.11.1-1ubuntu0.3
Ubuntu 7.04:
libspeex1 1.1.12-3ubuntu0.7.04.1
Ubuntu 7.10:
libspeex1 1.1.12-3ubuntu0.7.10.1
Ubuntu 8.04 LTS:
libspeex1 1.1.12-3ubuntu0.8.04.1
After a standard system upgrade you need to restart applications
linked against Speex to effect the necessary changes.
Details follow:
It was discovered that Speex did not properly validate its input when
processing Speex file headers. If a user or automated system were
tricked into opening a specially crafted Speex file, an attacker could
create a denial of service in applications linked against Speex or
possibly execute arbitrary code as the user invoking the program.
USN-610-1: LTSP vulnerability
Referenced CVEs:
CVE-2008-1293
Description:
===========================================================
Ubuntu Security Notice USN-610-1 May 06, 2008
ltsp vulnerability
CVE-2008-1293
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
ldm 0.87.1
Ubuntu 7.04:
ldm 5.0.7.1
Ubuntu 7.10:
ldm 5.0.39.1
After a standard system upgrade you need to update your LTSP client chroots
to effect the necessary changes. For more details, please see:
http://doc.ubuntu.com/edubuntu/edubuntu/handbook/C/ltsp-updates.html#id531224
Details follow:
Christian Herzog discovered that it was possible to connect to any
LTSP client's X session over the network. A remote attacker could
eavesdrop on X events, read window contents, and record keystrokes,
possibly gaining access to private information.



