lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060712155622.GE5570@piware.de>
Date: Wed, 12 Jul 2006 17:56:22 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-316-1] installer vulnerability

=========================================================== 
Ubuntu Security Notice USN-316-1              July 12, 2006
Installer vulnerability
https://launchpad.net/bugs/48350
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  passwd                                   1:4.0.13-7ubuntu3.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Iwan Pieterse discovered that, if you select "Go Back" at the final
message displayed by the alternate or server CD installer ("Installation
complete") and then continue with the installation from the installer's
main menu, the root password is left blank rather than locked. This was
due to an error while clearing out the root password from the
installer's memory to avoid possible information leaks.

Installations from the alternate or server CDs when the user selected
"Continue" when the "Installation complete" message was first displayed
are not affected by this bug. Installations from the desktop CD are not
affected by this bug at all.

When you upgrade your passwd package to the newest version, it will
detect this condition and lock the root password if it was previously
blank. The next point release of Ubuntu 6.06 LTS will include a
corrected installer.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13-7ubuntu3.2.diff.gz
      Size/MD5:   204800 1b29e1615364944d98ea95498d6058b8
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13-7ubuntu3.2.dsc
      Size/MD5:      885 8ccf50d026fa2c4cffe85330f0d0985a
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.13.orig.tar.gz
      Size/MD5:  1622557 034fab52e187e63cb52f153bb7f304c8
    http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4.dsc
      Size/MD5:      678 544762def71fb062b6d6f5484a4d7c45
    http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4.tar.gz
      Size/MD5:    98334 f8d648ce6a9a007740b0e175b92385eb

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup-udeb_1.1ubuntu4_all.udeb
      Size/MD5:    79418 4ec2af1d5e09f129d486c142575f4081
    http://security.ubuntu.com/ubuntu/pool/main/u/user-setup/user-setup_1.1ubuntu4_all.deb
      Size/MD5:   161864 bc876d6099a323cebd2ffc94df41db06

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_amd64.deb
      Size/MD5:   249450 bfdba1450cbe14f6c71f5d9dee5df9b3
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_amd64.deb
      Size/MD5:   683510 547ad48ac45f6f11cacbd268f42b152a

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_i386.deb
      Size/MD5:   240938 8500a4c2ab53f11b3fb8cb7fb4e00c78
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_i386.deb
      Size/MD5:   616346 a29d90e0ae7c7c70cbeffcbfba6bf04e

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_powerpc.deb
      Size/MD5:   251380 bd408187e20f19222e2b4fefe8706552
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_powerpc.deb
      Size/MD5:   665158 4975fe8598b4a8adc98fabcee1b4cb8e

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.13-7ubuntu3.2_sparc.deb
      Size/MD5:   239930 85dde4bfa6d09491338f70efe9d6d336
    http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.13-7ubuntu3.2_sparc.deb
      Size/MD5:   620124 b0fcdadde2568b1a8324e2500718a18b

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ