Ubuntu Update For Update-manager USN-1284-1 Network Vulnerability

Summary

Ubuntu Update for Linux kernel vulnerabilities USN-1284-1

Solution

Please Install the Updated Packages.

Insight

David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) This update also adds a hotfix to Update Notifier to handle cases where the upgrade is being performed from CD media.

Affected

update-manager on Ubuntu 11.04 , Ubuntu 10.10 , Ubuntu 10.04 LTS , Ubuntu 8.04 LTS

References

https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-November/001502.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-3152, CVE-2011-3154
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

Related Vulnerabilities

Ubuntu Update for update-manager USN-1284-1

Take action and discover your vulnerabilities