USN-2105-1: MAAS vulnerabilities

Ubuntu Security Notice USN-2105-1

13th February, 2014

maas vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 13.10


• Ubuntu 12.10


• Ubuntu 12.04 LTS

Summary

The cluster could be made to run programs as an administrator.

Software description

• maas - Ubuntu MAAS Server

Details

James Troup discovered that MAAS stored RabbitMQ authentication

credentials in a world-readable file. A local authenticated user

could read this password and potentially gain privileges of other

user accounts. This update restricts the file permissions to prevent

unintended access. (CVE-2013-1070)

Chris Glass discovered that the MAAS API was vulnerable to cross-site

scripting vulnerabilities. With cross-site scripting vulnerabilities,

if a user were tricked into viewing a specially crafted page, a remote

attacker could exploit this to modify the contents, or steal confidential

data, within the same domain. (CVE-2013-1069)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 13.10:

maas-region-controller 1.4+bzr1693+dfsg-0ubuntu2.3

python-django-maas 1.4+bzr1693+dfsg-0ubuntu2.3

Ubuntu 12.10:

maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1.2

python-django-maas 1.2+bzr1373+dfsg-0ubuntu1.2

Ubuntu 12.04 LTS:

maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1~12.04.5

python-django-maas 1.2+bzr1373+dfsg-0ubuntu1~12.04.5

To update your system, please follow these instructions: http://bit.ly/1aJDvTw.

After a standard system update you need to restart apache2 to make all

the necessary changes.

References

CVE-2013-1069, CVE-2013-1070

via Ubuntu Security Notices http://bit.ly/1nwAmMe