A revision of the security advisory originally published on 28 November 2011 has been released. The original advisory described security flaws that allowed an attacker to disclose sensitive information and modify data.
Package:
update-manager 0.x
Operating systems:
Ubuntu Linux 8.04, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04, Ubuntu Linux 11.10
Consequence:
data modification, disclosure of sensitive information
Solution:
vendor software patch
CVE:
CVE-2011-3152, CVE-2011-3154
Original advisory ID:
USN-1284-2
Source:
Ubuntu
Problem:
The security flaws arise because certain upgrades are accepted without verifying their GPG (GNU Privacy Guard) signature, and because a temporary directory is created in an insecure manner. The revised advisory was issued because of a new update that corrects defects caused by installing the previously released patch.
Consequence:
A malicious user can exploit these vulnerabilities to modify arbitrary files and read the XAUTHORITY file.
Solution:
The security problem is resolved by applying the available software updates and patches.
==========================================================================
Ubuntu Security Notice USN-1284-2
February 16, 2012
update-manager regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
USN-1284-1 introduced a regression in Update Manager.
Software Description:
- update-manager: GNOME application that manages apt updates
Details:
USN-1284-1 fixed vulnerabilities in Update Manager. One of the fixes
introduced a regression for Kubuntu users attempting to upgrade to a newer
Ubuntu release. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
David Black discovered that Update Manager incorrectly extracted the
downloaded upgrade tarball before verifying its GPG signature. If a remote
attacker were able to perform a man-in-the-middle attack, this flaw could
potentially be used to replace arbitrary files. (CVE-2011-3152)
David Black discovered that Update Manager created a temporary directory
in an insecure fashion. A local attacker could possibly use this flaw to
read the XAUTHORITY file of the user performing the upgrade.
(CVE-2011-3154)
This update also adds a hotfix to Update Notifier to handle cases where the
upgrade is being performed from CD media.
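The two flaws above come down to ordering and directory hygiene: the tarball was unpacked before its signature was checked, and the working directory was created predictably. The following Python example is added here to illustrate the defensive pattern; it is not Update Manager's own code. GPG verification is replaced by a stand-in digest check (an assumption, labelled in the code), the member name upgrader/DistUpgrade.cfg is a constructed sample, and the archives are built in memory so the script runs offline.

```python
import hashlib
import io
import os
import shutil
import stat
import tarfile
import tempfile


class VerificationError(Exception):
    """Raised when the archive fails verification or contains unsafe members."""


def build_tarball(files):
    """Constructed sample upgrade tarball: {member_name: bytes} -> .tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_verifier(trusted_sha256):
    """Stand-in for GPG signature verification (assumption: the real tool
    would run gpg against the detached signature instead of a digest)."""
    def verify(data):
        return hashlib.sha256(data).hexdigest() == trusted_sha256
    return verify


def safe_members(tar, dest):
    """Yield archive members only if they stay inside dest and are not links,
    so a crafted archive cannot write outside the working directory."""
    dest_real = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            raise VerificationError(f"member escapes destination: {member.name}")
        if member.issym() or member.islnk():
            raise VerificationError(f"link member rejected: {member.name}")
        yield member


def verify_then_extract(tarball_bytes, verify, dest_parent=None):
    """Verify first, then extract into a private, unpredictable directory."""
    # 1. Signature check happens before any archive content touches disk.
    if not verify(tarball_bytes):
        raise VerificationError("signature check failed; nothing extracted")
    # 2. mkdtemp gives a random name with mode 0700, unlike a fixed /tmp path
    #    that another local user could pre-create or read.
    workdir = tempfile.mkdtemp(prefix="upgrade-", dir=dest_parent)
    mode = stat.S_IMODE(os.stat(workdir).st_mode)
    if os.name == "posix" and mode != 0o700:
        shutil.rmtree(workdir)
        raise VerificationError(f"working directory not private: {oct(mode)}")
    # 3. Extract with path checks; 'data' filter is used where tarfile offers it.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
            tar.extractall(workdir, members=safe_members(tar, workdir), **extra)
    except Exception:
        shutil.rmtree(workdir, ignore_errors=True)
        raise
    return workdir


def demo():
    """Run the three cases: genuine archive, tampered archive, traversal member."""
    good = build_tarball({"upgrader/DistUpgrade.cfg": b"[DEFAULT]\n"})
    verify = digest_verifier(hashlib.sha256(good).hexdigest())
    results = {}

    workdir = verify_then_extract(good, verify)
    results["good_extracted"] = os.path.isfile(
        os.path.join(workdir, "upgrader", "DistUpgrade.cfg"))
    shutil.rmtree(workdir)

    tampered = build_tarball({"upgrader/DistUpgrade.cfg": b"[DEFAULT]\nevil=1\n"})
    try:
        verify_then_extract(tampered, verify)
        results["tampered_rejected"] = False
    except VerificationError:
        results["tampered_rejected"] = True

    traversal = build_tarball({"../escape.txt": b"x"})
    try:
        verify_then_extract(traversal, digest_verifier(hashlib.sha256(traversal).hexdigest()))
        results["traversal_rejected"] = False
    except VerificationError:
        results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The key design choice is that verification is a precondition of extraction rather than a step after it, so a tampered archive never reaches the filesystem; the member check is an extra guard against an archive that passes verification but still carries escaping paths.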
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.10:
update-manager-core 1:0.152.25.8
Ubuntu 11.04:
update-manager-core 1:0.150.5.2
Ubuntu 10.10:
update-manager-core 1:0.142.23.2
Ubuntu 10.04 LTS:
update-manager-core 1:0.134.11.2
Ubuntu 8.04 LTS:
update-manager-core 1:0.87.33
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1284-2
http://www.ubuntu.com/usn/usn-1284-1
https://launchpad.net/bugs/933225
Package Information:
https://launchpad.net/ubuntu/+source/update-manager/1:0.152.25.8
https://launchpad.net/ubuntu/+source/update-manager/1:0.150.5.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.142.23.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.134.11.2
https://launchpad.net/ubuntu/+source/update-manager/1:0.87.33