USN-670-1: VMBuilder vulnerability

Old 11-13-2008

Description:
===========================================================
Ubuntu Security Notice USN-670-1          November 13, 2008
vm-builder vulnerability
https://bugs.launchpad.net/+bug/296841
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  passwd 1:4.0.13-7ubuntu3.3

Ubuntu 7.10:
  passwd 1:4.0.18.1-9ubuntu0.1

Ubuntu 8.04 LTS:
  passwd 1:4.0.18.2-1ubuntu2.1

Ubuntu 8.10:
  passwd 1:4.1.1-1ubuntu1.1
  python-vm-builder 0.9-0ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Mathias Gug discovered that vm-builder improperly set the root
password when creating virtual machines. An attacker could exploit
this to gain root privileges to the virtual machine by using a
predictable password.

This vulnerability only affects virtual machines created with
vm-builder under Ubuntu 8.10, and does not affect native Ubuntu
installations. An update was made to the shadow package to detect
vulnerable systems and disable password authentication for the
root account. Vulnerable virtual machines which an attacker has
access to should be considered compromised, and appropriate actions
taken to secure the machine.
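An added example, not part of the advisory and not the shadow package's own detection logic: a small audit of the root entry in a guest's shadow file that reports whether password authentication is disabled, which is the state the update is described as enforcing. The sample entries are constructed, and the check assumes the conventional shadow(5) markers `!` and `*` for a locked password.

```python
"""Audit the root entry of a shadow(5) file for its password-login state."""
import sys

# Constructed sample shadow contents (not taken from any real system).
SAMPLE_LOCKED = (
    "root:!$1$constrct$notARealHashValue000000:14196:0:99999:7:::\n"
    "daemon:*:14196:0:99999:7:::\n"
)
SAMPLE_ENABLED = "root:$1$constrct$notARealHashValue000000:14196:0:99999:7:::\n"
SAMPLE_EMPTY = "root::14196:0:99999:7:::\n"


def root_password_state(shadow_text, user="root"):
    """Return 'locked', 'empty', 'password-set' or 'missing' for `user`."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != user:
            continue
        pw = fields[1]
        if pw == "":
            return "empty"         # no password is required to log in
        if pw[0] in "!*":
            return "locked"        # assumption: '!' or '*' prefix means no hash can match
        return "password-set"      # a usable hash is present
    return "missing"


def audit(shadow_text):
    """Flag any guest whose root account is not locked for password login."""
    state = root_password_state(shadow_text)
    return {"state": state, "needs_review": state != "locked"}


if __name__ == "__main__":
    # Optional argument: path to a guest's shadow file, e.g. from a mounted image.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCKED
    print(audit(text))
```

A result of `needs_review: True` on a guest built with vm-builder under Ubuntu 8.10 means the root entry was not locked; the advisory's guidance for exposed guests still applies regardless of the current state.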




