Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2010.0042 network-manager-applet vulnerabilities 14 January 2010 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: network-manager-gnome Publisher: Ubuntu Operating System: Ubuntu Linux variants Impact/Access: Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2009-4145 CVE-2009-4144 Original Bulletin: http://www.ubuntu.com/usn/usn-883-1 Comment: This advisory references vulnerabilities in products which run on platforms other than Ubuntu. It is recommended that administrators running network-manager-gnome check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- =========================================================== Ubuntu Security Notice USN-883-1 January 13, 2010 network-manager-applet vulnerabilities CVE-2009-4144, CVE-2009-4145 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: network-manager-gnome 0.7~~svn20081020t000444-0ubuntu1.8.10.3 Ubuntu 9.04: network-manager-gnome 0.7.1~rc4.1-0ubuntu2.1 After a standard system upgrade you need to restart your session to effect the necessary changes. Details follow: It was discovered that NetworkManager did not ensure that the Certification Authority (CA) certificate file remained present when using WPA Enterprise or 802.1x networks. A remote attacker could use this flaw to spoof the identity of a wireless network and view sensitive information. (CVE-2009-4144) It was discovered that the connection editor GUI would incorrectly export objects over D-Bus. A local user could read D-Bus signals to view other users' network connection passwords and pre-shared keys. (CVE-2009-4145) Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7~~svn20081020t000444-0ubuntu1.8.10.3.diff.gz Size/MD5: 52472 b82ebcb1945e432b7141c51500cf54d0 http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7~~svn20081020t000444-0ubuntu1.8.10.3.dsc Size/MD5: 1745 682f49446d481b1c47a9191a7e8863d0 http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7~~svn20081020t000444.orig.tar.gz Size/MD5: 668729 af829714605058afb3cf77c5d419ae83 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-gnome_0.7~~svn20081020t000444-0ubuntu1.8.10.3_amd64.deb Size/MD5: 314590 93926fe52218799bb9582a9937625ebc i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-gnome_0.7~~svn20081020t000444-0ubuntu1.8.10.3_i386.deb Size/MD5: 300692 e8130472fa267cd98d5696a660f7121b lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7~~svn20081020t000444-0ubuntu1.8.10.3_lpia.deb Size/MD5: 299180 9b9c2a8e5577ede2474873c864dfb620 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7~~svn20081020t000444-0ubuntu1.8.10.3_powerpc.deb Size/MD5: 310850 051260d8bf82146f1533e10ec842db46 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7~~svn20081020t000444-0ubuntu1.8.10.3_sparc.deb Size/MD5: 303226 0fcfffc3b7948a93d8c20a22a867b34e Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7.1~rc4.1-0ubuntu2.1.diff.gz Size/MD5: 39587 f761e8d9cbe68d5ff1a1ef1f373d0855 http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7.1~rc4.1-0ubuntu2.1.dsc Size/MD5: 1621 83c06ab153587c3d3ece6ec8d27e8fa6 http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-applet_0.7.1~rc4.1.orig.tar.gz Size/MD5: 812190 85177fb4f930e731187ad1f811f07888 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-gnome_0.7.1~rc4.1-0ubuntu2.1_amd64.deb Size/MD5: 381524 c8a4ece54773441228662a1d8f0b78c0 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/n/network-manager-applet/network-manager-gnome_0.7.1~rc4.1-0ubuntu2.1_i386.deb Size/MD5: 365622 13d6469d61d2323a6813e2ef763eccb2 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7.1~rc4.1-0ubuntu2.1_lpia.deb Size/MD5: 362318 17f179f208b66b13320543e806f7aaed powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7.1~rc4.1-0ubuntu2.1_powerpc.deb Size/MD5: 375036 32034d9e9af5d92a8a8174a2684f1ce2 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/n/network-manager-applet/network-manager-gnome_0.7.1~rc4.1-0ubuntu2.1_sparc.deb Size/MD5: 368592 95d9b33243243701ecf97145d473043e - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFLTrOxNVH5XJJInbgRAs7OAJ9arpewQXSf4HKJvT7iGt72993XOwCfRoWp FY3wv1KTihI+f3elzGG+O7w= =VbWu -----END PGP SIGNATURE-----