-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2009.0551 -- [Linux][Ubuntu]
                    eCryptfs: Access Confidential Data
                               11 June 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ecryptfs-utils
Publisher:            Ubuntu
Operating System:     Ubuntu
                      Linux variants
Impact:               Access Confidential Data
Access:               Existing Account
CVE Names:            CVE-2009-1296

Original Bulletin:    http://www.ubuntu.com/usn/usn-783-1

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Ubuntu. It is recommended that
         administrators running ecryptfs-utils check for an updated
         version of the software for their operating system.

Revision History:     June 11 2009: Document number changed from 
                                    ESB-2009.0697 to ESB-2009.0551
                      June  9 2009: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
Ubuntu Security Notice USN-783-1              June 08, 2009
ecryptfs-utils vulnerability
CVE-2009-1296
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
  ecryptfs-utils                  73-0ubuntu6.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Chris Jones discovered that the eCryptfs support utilities would
record the mount passphrase in the installation logs when an eCryptfs
home directory was selected during Ubuntu installation.  The logs are
only readable by the root user, but this still left the mount passphrase
unencrypted on disk, potentially leading to a loss of privacy.


Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1.diff.gz
      Size/MD5:    12184 7f965e34c9eb44ceae0bafc65a3cc434
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1.dsc
      Size/MD5:     1707 d12ca96dd31ab19e559d8e4a86052b4c
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73.orig.tar.gz
      Size/MD5:   504056 cd1c344b4cabf16971a405db353cb5cd

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_amd64.deb
      Size/MD5:   102032 cb22885adb2b4cab782ef18167fc94c6
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_amd64.deb
      Size/MD5:    62688 be22d84e388e0dbecf4286ccdd829fb1
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_amd64.deb
      Size/MD5:    68838 fe8104a4a5e469c6bd57378c5c0c40b2

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_i386.deb
      Size/MD5:    96908 e737d11e4132c59d2ab3b97257010ebe
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_i386.deb
      Size/MD5:    56284 d02501ddb287e2e32422570228ebc6a6
    http://security.ubuntu.com/ubuntu/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_i386.deb
      Size/MD5:    65424 e8e6e045f06a6a43493f1b50c4f55138

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_lpia.deb
      Size/MD5:    96272 23e8f81d0b3b678abf548d316ad13a8a
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_lpia.deb
      Size/MD5:    55578 780f0e6fc6accf33b5a0419ddf3930c5
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_lpia.deb
      Size/MD5:    63784 18a5b3f566928e63518fc5e2a87fd66e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_powerpc.deb
      Size/MD5:   117060 479282ff1ba602eedaf6246770c276fc
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_powerpc.deb
      Size/MD5:    63200 689a7a750b08350be0252dc6ad571b08
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_powerpc.deb
      Size/MD5:    73604 2d03fa7da4649c06aa3b1d29a6512923

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/ecryptfs-utils_73-0ubuntu6.1_sparc.deb
      Size/MD5:    97944 37ecc02c57e7ae4efd708cbb9bfc2d74
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs-dev_73-0ubuntu6.1_sparc.deb
      Size/MD5:    58200 db71c5e6ad82ffdd119d739904e427d1
    http://ports.ubuntu.com/pool/main/e/ecryptfs-utils/libecryptfs0_73-0ubuntu6.1_sparc.deb
      Size/MD5:    63088 6513b0bbbc6ec32c2360e05467470b8d
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKMGybNVH5XJJInbgRAq91AJ0fbwXRqFd2lb2PRvRYBfZp37OE6gCeLs/M
nzy110MJvt0QNImlDWEfn7U=
=TMrc
-----END PGP SIGNATURE-----