Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

USN-670-1: VMBuilder vulnerability

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) USN-670-1: VMBuilder vulnerability
# 1  
Old 11-13-2008
USN-670-1: VMBuilder vulnerability
Description:
===========================================================Ubuntu Security Notice USN-670-1 November 13, 2008vm-builder vulnerabilityhttps://bugs.launchpad.net/+bug/296841===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: passwd 1:4.0.13-7ubuntu3.3Ubuntu 7.10: passwd 1:4.0.18.1-9ubuntu0.1Ubuntu 8.04 LTS: passwd 1:4.0.18.2-1ubuntu2.1Ubuntu 8.10: passwd 1:4.1.1-1ubuntu1.1 python-vm-builder 0.9-0ubuntu3.1In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:Mathias Gug discovered that vm-builder improperly set the rootpassword when creating virtual machines. An attacker could exploitthis to gain root privileges to the virtual machine by using apredictable password.This vulnerability only affects virtual machines created withvm-builder under Ubuntu 8.10, and does not affect native Ubuntuinstallations. An update was made to the shadow package to detectvulnerable systems and disable password authentication for theroot account. Vulnerable virtual machines which an attacker hasaccess to should be considered compromised, and appropriate actionstaken to secure the machine.





More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question

LEARN ABOUT LINUX

aa-enforce

AA-ENFORCE(8)                                                        AppArmor                                                        AA-ENFORCE(8)

NAME

       aa-enforce - set an AppArmor security profile to enforce mode from being disabled or complain mode.

SYNOPSIS

       aa-enforce <executable> [<executable> ...]

DESCRIPTION

       aa-enforce is used to set the enforcement mode for one or more profiles to enforce.  This command is only relevant in conjunction with the
       aa-complain utility which sets a profile to complain mode and the aa-disable utility which unloads and disables a profile. The default mode
       for a security policy is enforce and the aa-complain utility must be run to change this behavior.

BUGS

       If you find any bugs, please report them at <http://https://bugs.launchpad.net/apparmor/+filebug>.

SEE ALSO

       apparmor(7), apparmor.d(5), aa-complain(1), aa-disable(1), aa_change_hat(2), and <http://wiki.apparmor.net>.

AppArmor 2.7.103                                                    2012-06-28                                                       AA-ENFORCE(8)