News

=========================================================== Ubuntu Security Notice USN-695-1 December 18, 2008 shadow vulnerability CVE-2008-5394 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: login 1:4.0.13-7ubuntu3.4 Ubuntu 7.10: login 1:4.0.18.1-9ubuntu0.2 Ubuntu 8.04 LTS: login 1:4.0.18.2-1ubuntu2.2 Ubuntu 8.10: login 1:4.1.1-1ubuntu1.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Paul Szabo discovered a race condition in login. While setting up tty permissions, login did not correctly handle symlinks. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.