[Full-disclosure] [USN-1126-2] PHP Regressions
==========================================================================
Ubuntu Security Notice USN-1126-2
May 05, 2011

php5 regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS

Summary:

USN-1126-1 introduced two regressions in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

USN-1126-1 fixed several vulnerabilities in PHP. The fix for CVE-2010-4697
introduced an incorrect reference counting regression in the Zend engine
that caused the PHP interpreter to segfault. This regression affects
Ubuntu 6.06 LTS and Ubuntu 8.04 LTS. The fixes for CVE-2011-1072 and
CVE-2011-1144 introduced a regression in the PEAR installer that prevented
it from creating its cache directory and reporting errors correctly.

We apologize for the inconvenience.

Original advisory details:

 Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for PHP
 5.3.5 allows local users to delete arbitrary files via a symlink attack on
 a directory under /var/lib/php5/. (CVE-2011-0441)

 Raphael Geisert and Dan Rosenberg discovered that the PEAR installer
 allows local users to overwrite arbitrary files via a symlink attack on
 the package.xml file, related to the (1) download_dir, (2) cache_dir,
 (3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
 CVE-2011-1144)

 Ben Schmidt discovered that a use-after-free vulnerability in the PHP Zend
 engine could allow an attacker to cause a denial of service (heap memory
 corruption) or possibly execute arbitrary code. (CVE-2010-4697)

 Martin Barbella discovered a buffer overflow in the PHP GD extension that
 allows an attacker to cause a denial of service (application crash) via a
 large number of anti-aliasing steps in an argument to the imagepstext
 function. (CVE-2010-4698)

 It was discovered that PHP accepts the \0 character in a pathname, which
 might allow an attacker to bypass intended access restrictions by placing
 a safe file extension after this character. This issue is addressed in
 Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2006-7243)

 Maksymilian Arciemowicz discovered that the grapheme_extract function in
 the PHP Internationalization extension (Intl) for ICU allows an attacker
 to cause a denial of service (crash) via an invalid size argument, which
 triggers a NULL pointer dereference. This issue affected Ubuntu 10.04 LTS,
 Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0420)

 Maksymilian Arciemowicz discovered that the _zip_name_locate function in
 the PHP Zip extension does not properly handle a ZIPARCHIVE::FL_UNCHANGED
 argument, which might allow an attacker to cause a denial of service (NULL
 pointer dereference) via an empty ZIP archive. This issue affected Ubuntu
 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.
 (CVE-2011-0421)

 Luca Carettoni discovered that the PHP Exif extension performs an
 incorrect cast on 64-bit platforms, which allows a remote attacker to
 cause a denial of service (application crash) via an image with a crafted
 Image File Directory (IFD). (CVE-2011-0708)

 Jose Carlos Norte discovered that an integer overflow in the PHP shmop
 extension could allow an attacker to cause a denial of service (crash)
 and possibly read sensitive memory. (CVE-2011-1092)

 Felipe Pena discovered that a use-after-free vulnerability in the
 substr_replace function allows an attacker to cause a denial of service
 (memory corruption) or possibly execute arbitrary code. (CVE-2011-1148)

 Felipe Pena discovered multiple format string vulnerabilities in the PHP
 phar extension. These could allow an attacker to obtain sensitive
 information from process memory, cause a denial of service (memory
 corruption), or possibly execute arbitrary code. This issue affected
 Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-1153)

 It was discovered that a buffer overflow occurs in the strval function
 when the precision configuration option has a large value. The default
 compiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS,
 Ubuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a denial
 of service. (CVE-2011-1464)

 It was discovered that an integer overflow in the SdnToJulian function in
 the PHP Calendar extension could allow an attacker to cause a denial of
 service (application crash). (CVE-2011-1466)

 Tomas Hoger discovered that an integer overflow in the
 NumberFormatter::setSymbol function in the PHP Intl extension could allow
 an attacker to cause a denial of service (application crash). This issue
 affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-1467)

 It was discovered that multiple memory leaks in the PHP OpenSSL extension
 might allow a remote attacker to cause a denial of service (memory
 consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and
 Ubuntu 11.04. (CVE-2011-1468)
[Full-disclosure] [USN-1126-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-1126-1
April 29, 2011

php5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10
- Ubuntu 8.04 LTS
- Ubuntu 6.06 LTS

Summary:

Multiple vulnerabilities in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for PHP
5.3.5 allows local users to delete arbitrary files via a symlink attack on
a directory under /var/lib/php5/. (CVE-2011-0441)

Raphael Geisert and Dan Rosenberg discovered that the PEAR installer
allows local users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2) cache_dir,
(3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072,
CVE-2011-1144)

Ben Schmidt discovered that a use-after-free vulnerability in the PHP Zend
engine could allow an attacker to cause a denial of service (heap memory
corruption) or possibly execute arbitrary code. (CVE-2010-4697)

Martin Barbella discovered a buffer overflow in the PHP GD extension that
allows an attacker to cause a denial of service (application crash) via a
large number of anti-aliasing steps in an argument to the imagepstext
function. (CVE-2010-4698)

It was discovered that PHP accepts the \0 character in a pathname, which
might allow an attacker to bypass intended access restrictions by placing
a safe file extension after this character. This issue is addressed in
Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2006-7243)

Maksymilian Arciemowicz discovered that the grapheme_extract function in
the PHP Internationalization extension (Intl) for ICU allows an attacker
to cause a denial of service (crash) via an invalid size argument, which
triggers a NULL pointer dereference. This issue affected Ubuntu 10.04 LTS,
Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-0420)

Maksymilian Arciemowicz discovered that the _zip_name_locate function in
the PHP Zip extension does not properly handle a ZIPARCHIVE::FL_UNCHANGED
argument, which might allow an attacker to cause a denial of service (NULL
pointer dereference) via an empty ZIP archive. This issue affected Ubuntu
8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04.
(CVE-2011-0421)

Luca Carettoni discovered that the PHP Exif extension performs an
incorrect cast on 64-bit platforms, which allows a remote attacker to
cause a denial of service (application crash) via an image with a crafted
Image File Directory (IFD). (CVE-2011-0708)

Jose Carlos Norte discovered that an integer overflow in the PHP shmop
extension could allow an attacker to cause a denial of service (crash)
and possibly read sensitive memory. (CVE-2011-1092)

Felipe Pena discovered that a use-after-free vulnerability in the
substr_replace function allows an attacker to cause a denial of service
(memory corruption) or possibly execute arbitrary code. (CVE-2011-1148)

Felipe Pena discovered multiple format string vulnerabilities in the PHP
phar extension. These could allow an attacker to obtain sensitive
information from process memory, cause a denial of service (memory
corruption), or possibly execute arbitrary code. This issue affected
Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-1153)

It was discovered that a buffer overflow occurs in the strval function
when the precision configuration option has a large value. The default
compiler options for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS,
Ubuntu 10.10, and Ubuntu 11.04 should reduce the vulnerability to a denial
of service. (CVE-2011-1464)

It was discovered that an integer overflow in the SdnToJulian function in
the PHP Calendar extension could allow an attacker to cause a denial of
service (application crash). (CVE-2011-1466)

Tomas Hoger discovered that an integer overflow in the
NumberFormatter::setSymbol function in the PHP Intl extension could allow
an attacker to cause a denial of service (application crash). This issue
affected Ubuntu 10.04 LTS, Ubuntu 10.10, and Ubuntu 11.04. (CVE-2011-1467)

It was discovered that multiple memory leaks in the PHP OpenSSL extension
might allow a remote attacker to cause a denial of service (memory
consumption). This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, and
Ubuntu 11.04. (CVE-2011-1468)

Daniel Buschke discovered that the PHP Streams component in PHP handled
types improperly, possibly allowing an attacker to cause a denial of
service (application crash). (CVE-2011-1469)

It was discovered that the PHP Zip extension could allow an attacker to
cause a denial of service (application crash) via a ziparchive stream that
is not properly handled by the stream_get_contents function. This issue
affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, Ubuntu
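Three of the issues in USN-1126-1 (CVE-2011-0441, CVE-2011-1072 and CVE-2011-1144) share one root cause: a privileged routine worked by path name inside a directory a local user could populate, so a planted symlink redirected the delete or write to a file the attacker chose. The cleanup routine below is an added example, not code from Ubuntu, PHP or PEAR; it shows the property those routines lacked. It walks by file descriptor, looks at each entry with lstat(), removes links as links and opens subdirectories with O_NOFOLLOW, so nothing outside the managed tree is ever touched. The demo tree at the bottom is constructed for the test; the function itself is generic (Linux/Unix, Python 3.7 or later for fd-based os.scandir).

```python
"""Symlink-safe cleanup of a cache/session directory (added example, not
from the advisory).  Walks by descriptor, never dereferences a link."""
import os
import stat
import tempfile
import time


def purge_stale(root, max_age, now=None):
    """Delete regular files older than max_age seconds below root.

    Returns the root-relative paths that were removed.  Symlinks are removed
    as links (never followed); directories are entered via an O_NOFOLLOW
    descriptor, so a link swapped in between lstat() and open() fails with
    ELOOP instead of being traversed.
    """
    if now is None:
        now = time.time()
    removed = []
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

    def walk(dir_fd, rel):
        with os.scandir(dir_fd) as entries:           # listing by fd, not by path
            for entry in entries:
                st = entry.stat(follow_symlinks=False)  # lstat: see the link itself
                path = os.path.join(rel, entry.name)
                if stat.S_ISLNK(st.st_mode):
                    os.unlink(entry.name, dir_fd=dir_fd)  # drops the link; target untouched
                    removed.append(path)
                elif stat.S_ISDIR(st.st_mode):
                    try:
                        sub = os.open(entry.name, dir_flags, dir_fd=dir_fd)
                    except OSError:        # ELOOP/ENOTDIR: raced by a symlink swap, skip
                        continue
                    try:
                        walk(sub, path)
                    finally:
                        os.close(sub)
                elif stat.S_ISREG(st.st_mode) and now - st.st_mtime > max_age:
                    os.unlink(entry.name, dir_fd=dir_fd)
                    removed.append(path)

    fd = os.open(root, dir_flags)  # a symlinked root is refused as well
    try:
        walk(fd, "")
    finally:
        os.close(fd)
    return removed


def demo():
    """Constructed tree: one stale session file, one fresh one, and two
    attacker-planted symlinks pointing at a 'victim' tree outside root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "sessions")
    victim = os.path.join(base, "victim")
    os.makedirs(root)
    os.makedirs(victim)
    secret = os.path.join(victim, "secret")
    now = time.time()
    for name, age in (("old.sess", 7200), ("new.sess", 0)):
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write("session data\n")
        os.utime(p, (now - age, now - age))
    with open(secret, "w") as f:
        f.write("keep me\n")
    os.utime(secret, (now - 7200, now - 7200))           # stale by age, but outside root
    os.symlink(victim, os.path.join(root, "sub"))        # link to a directory
    os.symlink(secret, os.path.join(root, "link.sess"))  # link to a file
    removed = purge_stale(root, max_age=3600, now=now)
    return {
        "removed": sorted(removed),
        "victim_intact": os.path.exists(secret),
        "fresh_kept": os.path.exists(os.path.join(root, "new.sess")),
    }


if __name__ == "__main__":
    print(demo())
```

The same idea applies to an installer writing into a cache or temp directory: create the target with O_CREAT|O_EXCL|O_NOFOLLOW on a descriptor of the directory you own, rather than open()ing a path that a local user may have replaced with a link.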
[Full-disclosure] [USN-1099-1] GDM vulnerability
===========================================================
Ubuntu Security Notice USN-1099-1             March 30, 2011
gdm vulnerability
CVE-2011-0727
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  gdm                             2.28.1-0ubuntu2.3

Ubuntu 10.04 LTS:
  gdm                             2.30.2.is.2.30.0-0ubuntu5.1

Ubuntu 10.10:
  gdm                             2.30.5-0ubuntu4.1

After a standard system update you need to log out all desktop sessions
and restart GDM to make all the necessary changes.

Details follow:

Sebastian Krahmer discovered that GDM (GNOME Display Manager) did not
properly drop privileges when handling the cache directories used to
store users' dmrc and face icon files. This could allow a local attacker
to change the ownership of arbitrary files, thereby gaining root
privileges.

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3.diff.gz
      Size/MD5:   769588 17bc09f417591f1913940d47cec9cc35
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3.dsc
      Size/MD5:     2168 09c46d7f6f577daa95f47643025ea67c
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.28.1.orig.tar.gz
      Size/MD5:  3661916 b8f101394aa73e4505bad4ed4f0a695c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_amd64.deb
      Size/MD5:   731002 0e00de9426edb0a1dd9cd74d86251548

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_i386.deb
      Size/MD5:   672338 2e903d2e97356a7a7138f1da9c37c27a

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_armel.deb
      Size/MD5:   662246 d6a5a00bc8e37ab1e8ab6faaec9efb42

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_lpia.deb
      Size/MD5:   669764 79d09e696d5ff527e86a263944cdf7db

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_powerpc.deb
      Size/MD5:   697456 eff967e0f0206a299f68e93b76f48d13

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.28.1-0ubuntu2.3_sparc.deb
      Size/MD5:   681890 23eec0f66ceb24635f86e3e4f3d06ade

Updated packages for Ubuntu 10.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1.diff.gz
      Size/MD5:   795064 e314a75da58ead79bd79cac83730c057
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1.dsc
      Size/MD5:     2223 ea497892c7cc53f86ea3769c78e75962
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.2.is.2.30.0.orig.tar.gz
      Size/MD5:  3725698 583f6e50936f085be268e8543905fb74

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1_amd64.deb
      Size/MD5:   798524 1e7b5dee40db568fcafa7d5f8c085c65

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1_i386.deb
      Size/MD5:   734446 1de50ebe2d1a869a3cc2a4ffb7136de9

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1_armel.deb
      Size/MD5:   725942 f443a1c4098e116c293ebd9bc153f661

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1_powerpc.deb
      Size/MD5:   760048 30592a26d7d20bc8b70d24543baf6182

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/g/gdm/gdm_2.30.2.is.2.30.0-0ubuntu5.1_sparc.deb
      Size/MD5:   753996 be562ec975b051a5e6909b394fc5cbc7

Updated packages for Ubuntu 10.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.5-0ubuntu4.1.debian.tar.gz
      Size/MD5:   112891 a3aee3567a60f658b826668807c4dc6e
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.5-0ubuntu4.1.dsc
      Size/MD5:     2187 07a449c1f9b1b1b393b92608f019cfd8
    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.5.orig.tar.gz
      Size/MD5:  3784180 9d200a16d6bbab0ac41b93b9dbe6d508

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/g/gdm/gdm_2.30.5-0ubuntu4.1_amd64.deb
      Size/MD5:   808788 c88e512ff6c1d9b0afe2553bca3aaa0c

  i386 architecture (x86 compatible Intel/AMD):
[Full-disclosure] [USN-1079-3] OpenJDK 6 vulnerabilities
===========================================================
Ubuntu Security Notice USN-1079-3             March 17, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.10:
  icedtea6-plugin                 6b18-1.8.7-0ubuntu2.1
  openjdk-6-jre                   6b18-1.8.7-0ubuntu2.1
  openjdk-6-jre-headless          6b18-1.8.7-0ubuntu2.1

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM)
architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes
vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu
10.10.

Original advisory details:

 It was discovered that untrusted Java applets could create domain name
 resolution cache entries, allowing an attacker to manipulate name
 resolution within the JVM. (CVE-2010-4448)

 It was discovered that the Java launcher did not properly set up the
 LD_LIBRARY_PATH environment variable. A local attacker could exploit this
 to execute arbitrary code as the user invoking the program. (CVE-2010-4450)

 It was discovered that within the Swing library, forged timer events could
 allow bypass of SecurityManager checks. This could allow an attacker to
 access restricted resources. (CVE-2010-4465)

 It was discovered that certain bytecode combinations confused memory
 management within the HotSpot JVM. This could allow an attacker to cause a
 denial of service through an application crash or possibly inject code.
 (CVE-2010-4469)

 It was discovered that the way JAXP components were handled allowed them
 to be manipulated by untrusted applets. An attacker could use this to
 bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)

 It was discovered that the Java2D subcomponent, when processing broken CFF
 fonts, could leak system properties. (CVE-2010-4471)

 It was discovered that a flaw in the XML Digital Signature component could
 allow an attacker to cause untrusted code to replace the XML Digital
 Signature Transform or C14N algorithm implementations. (CVE-2010-4472)

 Konstantin Preißer and others discovered that specific double literals
 were improperly handled, allowing a remote attacker to cause a denial of
 service. (CVE-2010-4476)

 It was discovered that the JNLPClassLoader class, when handling multiple
 signatures, allowed remote attackers to gain privileges due to the
 assignment of an inappropriate security descriptor. (CVE-2011-0706)

Updated packages for Ubuntu 10.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.diff.gz
      Size/MD5:   149561 b35ae7a82db49282379d36e7ece58484
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.dsc
      Size/MD5:     3015 04cb459aeaab6c228e722caf07a44de9
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
      Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:   377802 d4439da20492eafbccb33e2fe979e8c9
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:    78338 7bdf93e00fd81dc82fd0d9a8b4e905c7
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5: 85497146 1512e0d6563dd5120729cf5b993c618c
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:  1545620 544c54891d44bdac534c81318a7f2bcb
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:  9140042 0a2d6ed937081800baeb6fc55326a754
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5: 30092886 4cc5ad7c54638278e55ee7d2acaab413
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:   266102 4278c2c06387cf883325356efda3c4d4
    http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu2.1_armel.deb
      Size/MD5:  1959296 6becfb4d5a2ecbe7aee622b84df57f12

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
[Full-disclosure] [USN-1088-1] Kerberos vulnerability
===========================================================
Ubuntu Security Notice USN-1088-1             March 15, 2011
krb5 vulnerability
CVE-2011-0284
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  krb5-kdc                        1.7dfsg~beta3-1ubuntu0.12

Ubuntu 10.04 LTS:
  krb5-kdc                        1.8.1+dfsg-2ubuntu0.8

Ubuntu 10.10:
  krb5-kdc                        1.8.1+dfsg-5ubuntu0.6

In general, a standard system update will make all the necessary changes.

Details follow:

Cameron Meadors discovered that the MIT Kerberos 5 Key Distribution Center
(KDC) daemon is vulnerable to a double-free condition if the Public Key
Cryptography for Initial Authentication (PKINIT) capability is enabled.
This could allow a remote attacker to cause a denial of service.

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.7dfsg~beta3-1ubuntu0.12.diff.gz
      Size/MD5:   118084 1fefaa6377231431facb204859a43ccf
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.7dfsg~beta3-1ubuntu0.12.dsc
      Size/MD5:     2381 6c91e7d011baa054e524da73ede3ff6d
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.7dfsg~beta3.orig.tar.gz
      Size/MD5: 12235083 5219bf9a5c23d6a1d9d9687b918f632d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-doc_1.7dfsg~beta3-1ubuntu0.12_all.deb
      Size/MD5:  2172970 4320b48d207d1c6fbbce16f98b5433af

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-user_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   142882 1225eb3d734b7fe9cff08394765427ae
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libgssapi-krb5-2_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   115336 a0f7e3a7f8dcf39ee451533efb0dca2d
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libgssrpc4_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    79464 794b7652428908ef7343c8e49c52a117
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libk5crypto3_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:       74 880bb70cd2f36f4fbedf963ca9f46ac9
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm5clnt6_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    61624 07ea814cb4e345fbeb49d56c92071fe8
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm5srv6_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    75176 9fe20119202d453623c0e8c66c1dddcd
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkdb5-4_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    59376 7d6549210984ad185173f0be96c37669
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-3_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   354926 95398e58fad232e2ba6aae5281a6d5c8
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dbg_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:  1498188 3f6dd7e6af67b1ca90a2e0c0a92c6562
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   101860 e92dfe5a26767dc54cad409c4b986843
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5support0_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    42476 f8f454910c68b0844ccf0b4aa2d5ab3a
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   110316 677810bc842e85473cbb954c53cc999d
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   218554 b35ed5a2e4153e62ff332ea049766a02
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    71454 99523b818c187a87fd4ff5328a9eaf3e
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc-ldap_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   112594 fcccea0570f68150660d3c43cdf09262
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:   209032 fbf1ba4ec32a32ddfcafd7af84232c12
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-pkinit_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    73264 78ea653b8e075dde1006b90a07436fd8
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    86842 a3570379bbd101dd2b5942c311eaed9f
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.7dfsg~beta3-1ubuntu0.12_amd64.deb
      Size/MD5:    78052 e60ba6cd2483edbd2842df3957780cea

  i386 architecture
[Full-disclosure] [USN-1079-2] OpenJDK 6 vulnerabilities
===========================================================
Ubuntu Security Notice USN-1079-2             March 15, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  icedtea6-plugin                 6b18-1.8.7-0ubuntu1~9.10.1
  openjdk-6-jre                   6b18-1.8.7-0ubuntu1~9.10.1
  openjdk-6-jre-headless          6b18-1.8.7-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin                 6b18-1.8.7-0ubuntu1~10.04.2
  openjdk-6-jre                   6b18-1.8.7-0ubuntu1~10.04.2
  openjdk-6-jre-headless          6b18-1.8.7-0ubuntu1~10.04.2

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM)
architectures. This update provides the corresponding updates for OpenJDK
6 for use with the armel (ARM) architectures. In order to build the armel
(ARM) OpenJDK 6 update for Ubuntu 10.04 LTS, it was necessary to rebuild
binutils and gcj-4.4 from Ubuntu 10.04 LTS updates.

Original advisory details:

 It was discovered that untrusted Java applets could create domain name
 resolution cache entries, allowing an attacker to manipulate name
 resolution within the JVM. (CVE-2010-4448)

 It was discovered that the Java launcher did not properly set up the
 LD_LIBRARY_PATH environment variable. A local attacker could exploit this
 to execute arbitrary code as the user invoking the program. (CVE-2010-4450)

 It was discovered that within the Swing library, forged timer events could
 allow bypass of SecurityManager checks. This could allow an attacker to
 access restricted resources. (CVE-2010-4465)

 It was discovered that certain bytecode combinations confused memory
 management within the HotSpot JVM. This could allow an attacker to cause a
 denial of service through an application crash or possibly inject code.
 (CVE-2010-4469)

 It was discovered that the way JAXP components were handled allowed them
 to be manipulated by untrusted applets. An attacker could use this to
 bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)

 It was discovered that the Java2D subcomponent, when processing broken CFF
 fonts, could leak system properties. (CVE-2010-4471)

 It was discovered that a flaw in the XML Digital Signature component could
 allow an attacker to cause untrusted code to replace the XML Digital
 Signature Transform or C14N algorithm implementations. (CVE-2010-4472)

 Konstantin Preißer and others discovered that specific double literals
 were improperly handled, allowing a remote attacker to cause a denial of
 service. (CVE-2010-4476)

 It was discovered that the JNLPClassLoader class, when handling multiple
 signatures, allowed remote attackers to gain privileges due to the
 assignment of an inappropriate security descriptor. (CVE-2011-0706)

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   146232 31c9fd1c87f901507dec909a87d40589
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.dsc
      Size/MD5:     3009 13ad66a10ac1cb3698ec20d1d214a626
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
      Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5:   369758 6c4489efb438728ec430f7fe9c560a24
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5:    75714 7d6bcfe18707892e7aebe836cff565db
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5: 84965722 3bd57de4c9b80d33e545cd1e9c9492e9
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5:  1544602 d3689556c3354209f1ac402f2ebde500
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5:  9107834 c31913d1c41bc826021784ea9c99cfb5
    http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
      Size/MD5: 29720800 eff015c81953c6d7384706d14d97a896
[Full-disclosure] [USN-1079-1] OpenJDK 6 vulnerabilities
===========================================================
Ubuntu Security Notice USN-1079-1             March 01, 2011
openjdk-6 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  icedtea6-plugin                 6b20-1.9.7-0ubuntu1~9.10.1
  openjdk-6-jre                   6b20-1.9.7-0ubuntu1~9.10.1
  openjdk-6-jre-headless          6b20-1.9.7-0ubuntu1~9.10.1
  openjdk-6-jre-lib               6b20-1.9.7-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin                 6b20-1.9.7-0ubuntu1~10.04.1
  openjdk-6-jre                   6b20-1.9.7-0ubuntu1~10.04.1
  openjdk-6-jre-headless          6b20-1.9.7-0ubuntu1~10.04.1
  openjdk-6-jre-lib               6b20-1.9.7-0ubuntu1~10.04.1

Ubuntu 10.10:
  icedtea6-plugin                 6b20-1.9.7-0ubuntu1
  openjdk-6-jre                   6b20-1.9.7-0ubuntu1
  openjdk-6-jre-headless          6b20-1.9.7-0ubuntu1
  openjdk-6-jre-lib               6b20-1.9.7-0ubuntu1

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

It was discovered that untrusted Java applets could create domain name
resolution cache entries, allowing an attacker to manipulate name
resolution within the JVM. (CVE-2010-4448)

It was discovered that the Java launcher did not properly set up the
LD_LIBRARY_PATH environment variable. A local attacker could exploit this
to execute arbitrary code as the user invoking the program. (CVE-2010-4450)

It was discovered that within the Swing library, forged timer events could
allow bypass of SecurityManager checks. This could allow an attacker to
access restricted resources. (CVE-2010-4465)

It was discovered that certain bytecode combinations confused memory
management within the HotSpot JVM. This could allow an attacker to cause a
denial of service through an application crash or possibly inject code.
(CVE-2010-4469)

It was discovered that the way JAXP components were handled allowed them
to be manipulated by untrusted applets. An attacker could use this to
bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)

It was discovered that the Java2D subcomponent, when processing broken CFF
fonts, could leak system properties. (CVE-2010-4471)

It was discovered that a flaw in the XML Digital Signature component could
allow an attacker to cause untrusted code to replace the XML Digital
Signature Transform or C14N algorithm implementations. (CVE-2010-4472)

Konstantin Preißer and others discovered that specific double literals
were improperly handled, allowing a remote attacker to cause a denial of
service. (CVE-2010-4476)

It was discovered that the JNLPClassLoader class, when handling multiple
signatures, allowed remote attackers to gain privileges due to the
assignment of an inappropriate security descriptor. (CVE-2011-0706)

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   132023 8f8f9a8e3c033dbb852547dcfaa9213b
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.dsc
      Size/MD5:     3018 9a6f0f82ce6e6963199fa5f1e0da963a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz
      Size/MD5: 73265927 c7367808152f71091603546acca43633

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1~9.10.1_all.deb
      Size/MD5: 19980542 c56f9b378efdad1e9f0e6612eedb14f7
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1~9.10.1_all.deb
      Size/MD5:  6168608 3193825377cfc1b486c2ab8ad1995d5a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1~9.10.1_all.deb
      Size/MD5: 26867734 4764b5997e7f34e22a0cde19ea31e230

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:   433362 194f199c99819e8230676d9f5d370520
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:    83644 1850fd6280ba241df9afde6ebe99912f
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 119625978 0d16cfb58e678ba32291d17c6d549d9c
[Full-disclosure] [USN-1078-1] Logwatch vulnerability
===========================================================
Ubuntu Security Notice USN-1078-1                 March 01, 2011
logwatch vulnerability
CVE-2011-1018
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  logwatch                        7.3.6-1ubuntu1.1

Ubuntu 9.10:
  logwatch                        7.3.6.cvs20090906-1ubuntu1.1

Ubuntu 10.04 LTS:
  logwatch                        7.3.6.cvs20090906-1ubuntu2.1

Ubuntu 10.10:
  logwatch                        7.3.6.cvs20090906-1ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

Dominik George discovered that logwatch did not properly sanitize log file names that were passed to the shell as part of a command. If a remote attacker were able to generate specially crafted filenames (for example, via Samba logging), they could execute arbitrary code with root privileges.

Updated packages for Ubuntu 8.04 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6-1ubuntu1.1.diff.gz
      Size/MD5:    15656 31f40f13457aeb20f21c2cfd2ad460b8
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6-1ubuntu1.1.dsc
      Size/MD5:     1413 037612770004ad6b553b8c5b02840350
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.orig.tar.gz
      Size/MD5:   297296 937d982006b2a76a83edfcfd2e5a9d7d

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6-1ubuntu1.1_all.deb
      Size/MD5:   307458 da69f492898cee9560bb752b87e8af1c

Updated packages for Ubuntu 9.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu1.1.diff.gz
      Size/MD5:    87133 eb1efb5614967c87dcee5a0627db91a2
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu1.1.dsc
      Size/MD5:     1932 b32ef1d8ada8a539c73a6e8da732a7c8
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906.orig.tar.gz
      Size/MD5:   338115 b12229916e0a5891a8c1da59afb61e40

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu1.1_all.deb
      Size/MD5:   400012 6a943f596ed79064930b328a7058357e

Updated packages for Ubuntu 10.04 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu2.1.diff.gz
      Size/MD5:    87803 0bba6a4701307c1abb9fea16c15c11fd
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu2.1.dsc
      Size/MD5:     1932 d87291a904f97e6c13dc15f0c996eeb4
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906.orig.tar.gz
      Size/MD5:   338115 b12229916e0a5891a8c1da59afb61e40

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu2.1_all.deb
      Size/MD5:   401512 d68a24ddbbfde6880fdbff79290bf344

Updated packages for Ubuntu 10.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu3.1.diff.gz
      Size/MD5:    90181 971dda35e4fa086a1bab9b9d7814a0df
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu3.1.dsc
      Size/MD5:     1932 388d1296df12dc1f46d0ddebfe6bf6ae
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906.orig.tar.gz
      Size/MD5:   338115 b12229916e0a5891a8c1da59afb61e40

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/logwatch_7.3.6.cvs20090906-1ubuntu3.1_all.deb
      Size/MD5:   398960 d7967323e366778cc5c79701aa1dc156

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
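The logwatch bug above (CVE-2011-1018) is the classic shape of a command injection: a file name that an attacker can influence is spliced into a command string that is then handed to the shell. The example below is added here to show that shape next to its fix; it is illustrative code, not logwatch's Perl, and the log file name `smbd.log; echo INJECTED` is constructed in a temporary directory for the demonstration. The "unsafe" function builds a shell command line the way the advisory describes, the "safe" function passes the path as a single argv element with no shell in between, and an allowlist check is included as a second layer for the case where a shell really is unavoidable. Everything runs with ordinary user privileges; the point is only that the shell sees the `;` in the unsafe case and not in the safe one.

```python
import os
import re
import subprocess
import tempfile

# Conservative allowlist for a log path. Anything else (spaces, ';', '|', '$',
# backticks, newlines) is refused before it can reach any command line.
SAFE_LOG_NAME = re.compile(r"^[A-Za-z0-9._/+-]+$")


def is_safe_log_name(path: str) -> bool:
    """Defence in depth: refuse names containing shell metacharacters outright."""
    return bool(SAFE_LOG_NAME.match(path)) and ".." not in path.split("/")


def build_command_unsafe(logfile: str) -> str:
    # Vulnerable pattern: the path is interpolated into a string that /bin/sh will
    # parse, so '; echo INJECTED' inside the file name becomes a second command.
    return f"wc -l {logfile}"


def count_lines_unsafe(logfile: str) -> str:
    """Runs the interpolated command through the shell and returns its stdout."""
    return subprocess.run(build_command_unsafe(logfile), shell=True,
                          capture_output=True, text=True).stdout


def count_lines_safe(logfile: str) -> int:
    # Hardened: argv list and no shell. However odd the name looks, it is passed to
    # wc as exactly one argument; '--' stops a name starting with '-' being read as an option.
    if not os.path.isfile(logfile):
        raise FileNotFoundError(logfile)
    out = subprocess.run(["wc", "-l", "--", logfile],
                         capture_output=True, text=True, check=True).stdout
    return int(out.split()[0])


def demo() -> dict:
    """Constructed sample: a three-line log whose name carries a shell metacharacter."""
    with tempfile.TemporaryDirectory() as d:
        name = os.path.join(d, "smbd.log; echo INJECTED")
        with open(name, "w") as f:
            f.write("line 1\nline 2\nline 3\n")
        return {
            "unsafe_output": count_lines_unsafe(name),   # shell ran the injected 'echo'
            "safe_count": count_lines_safe(name),        # wc counted the real file
            "name_allowed": is_safe_log_name(name),      # allowlist would have refused it
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

In the unsafe variant `wc` never sees the real file at all: the shell splits the line at `;`, runs `wc -l` on a path that does not exist, then runs `echo INJECTED`. The same string given to the safe variant is just a file name.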
[Full-disclosure] [USN-1064-1] OpenSSL vulnerability
===========================================================
Ubuntu Security Notice USN-1064-1              February 15, 2011
openssl vulnerability
CVE-2011-0014
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.6

Ubuntu 10.10:
  libssl0.9.8                     0.9.8o-1ubuntu4.4

After a standard system update you need to reboot your computer to make all the necessary changes.

Details follow:

Neel Mehta discovered that incorrectly formatted ClientHello handshake messages could cause OpenSSL to parse past the end of the message. This could allow a remote attacker to cause a crash and denial of service by triggering invalid memory accesses.

Updated packages for Ubuntu 10.04 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.6.diff.gz
      Size/MD5:   113947 666d4d39c8d15495574b3e8cde84d14b
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.6.dsc
      Size/MD5:     2097 a9aee866b987128cbb53018bb4c3e076
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k.orig.tar.gz
      Size/MD5:  3852259 e555c6d58d276aec7fdc53363e338ab3

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8k-7ubuntu8.6_all.deb
      Size/MD5:   640766 4410bba4b493067940d740ba0bfd9e36

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.6_amd64.udeb
      Size/MD5:   630236 4e57f2683a2fd11379ef834de483e92a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.6_amd64.deb
      Size/MD5:  2143716 b73b8e9eca5d99faf5bba7b3ad885d0d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.6_amd64.deb
      Size/MD5:  1650734 15024c4129edb6729aadd42a3c6625d9
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.6_amd64.udeb Size/MD5: 136136 c691630136d1888d9818afcbef5b3376 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.6_amd64.deb Size/MD5: 979838 e410fcc0f092be5bdf0dd48866030de6 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.6_amd64.deb Size/MD5: 406380 45ae705310a650701711237bc24834fa i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.6_i386.udeb Size/MD5: 582632 605d20a6d46358bb020263b589628bc7 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.6_i386.deb Size/MD5: 2006542 2651ca8bad5a1274f8ac9eb3c9928f10 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.6_i386.deb Size/MD5: 5806564 99755b3eed448fd0bedaf6c90c760222 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.6_i386.udeb Size/MD5: 129782 08548187135f8ef21f91c1206231c46c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.6_i386.deb Size/MD5: 3015290 d32c63182c7b0eb4ef8eb8427d89ec65 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.6_i386.deb Size/MD5: 400386 0a10c201d957f574524d98d9e4b87df3 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.6_armel.udeb Size/MD5: 532308 0532b6933c19ecb8ddf0cf502acdbef7 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.6_armel.deb Size/MD5: 1935434 3b86a27ba4064993fa641b7a57700947 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8k-7ubuntu8.6_armel.deb Size/MD5: 1624860 cc66be850879a7506c83199a8307c0a8 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-udeb_0.9.8k-7ubuntu8.6_armel.udeb Size/MD5: 115646 5f09e1585b7d8213a34c326e878d2855 
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8k-7ubuntu8.6_armel.deb Size/MD5: 849808 fe1a2c9bb7fa58309897e2c74428565c http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8k-7ubuntu8.6_armel.deb Size/MD5: 394134 6dae0590575a5d6cca5ec37bee48c3d0 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8k-7ubuntu8.6_powerpc.udeb Size/MD5: 627048 9cc7f8c9c8e834804f6b8ad9d4f038e1 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8k-7ubuntu8.6_powerpc.deb Size/MD5: 2147450
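USN-1064-1 describes a ClientHello whose length fields lead the parser past the end of the received message. The ClientHello is a nest of length-prefixed vectors (session ID, cipher suites, compression methods, then an optional extensions block that itself holds type/length/value entries), and the defensive rule is that every length is checked against the bytes actually remaining before a single byte is read. The parser below is an added example written for this page, not OpenSSL's code and not a fix for the bug: it shows that discipline on the real wire format from RFC 5246, using a cursor that refuses any read beyond the buffer and a nested cursor for the extensions block so that no extension can consume bytes outside it. It also builds a well-formed ClientHello with an SNI extension (constructed test input) and checks that a truncated copy and a copy with a lying extensions length are rejected with a clean error rather than being read past the end.

```python
import os
import struct


class Truncated(ValueError):
    """A length field points past the end of the buffer."""


class Reader:
    """Cursor over bytes; every read is checked against what is left before touching the buffer."""

    def __init__(self, buf: bytes):
        self.buf = buf
        self.off = 0

    def remaining(self) -> int:
        return len(self.buf) - self.off

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise Truncated(f"need {n} bytes at offset {self.off}, only {self.remaining()} left")
        chunk = self.buf[self.off:self.off + n]
        self.off += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def vector(self, len_bytes: int) -> bytes:
        """Opaque vector with a 1- or 2-byte length prefix (RFC 5246 section 4.3)."""
        length = self.u8() if len_bytes == 1 else self.u16()
        return self.take(length)


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (the bytes after the 4-byte Handshake header)."""
    r = Reader(body)
    version = r.u16()
    client_random = r.take(32)
    session_id = r.vector(1)
    suites = r.vector(2)
    if not suites or len(suites) % 2:
        raise ValueError("cipher_suites must be a non-empty list of 2-byte values")
    cipher_suites = list(struct.unpack(f"!{len(suites) // 2}H", suites))
    compression = r.vector(1)
    if not compression:
        raise ValueError("compression_methods must not be empty")
    extensions = {}
    if r.remaining():                      # extensions block is optional (RFC 5246 section 7.4.1.2)
        ext = Reader(r.vector(2))          # nested cursor: an extension cannot read outside its block
        while ext.remaining():
            ext_type = ext.u16()
            if ext_type in extensions:
                raise ValueError(f"duplicate extension type {ext_type}")
            extensions[ext_type] = ext.vector(2)
    if r.remaining():
        raise ValueError(f"{r.remaining()} trailing bytes after ClientHello")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression, "extensions": extensions}


def build_client_hello(cipher_suites, server_name=None) -> bytes:
    """Build a well-formed TLS 1.2 ClientHello body (constructed test input for the parser)."""
    suites = struct.pack(f"!{len(cipher_suites)}H", *cipher_suites)
    body = (struct.pack("!H", 0x0303) + os.urandom(32)
            + bytes([0])                                    # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + bytes([1, 0]))                                # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        name = bytes([0]) + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(name)) + name                  # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni                # extension_type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    return body


def rejects(body: bytes) -> bool:
    """True if the parser refuses the message instead of reading past its end."""
    try:
        parse_client_hello(body)
        return False
    except ValueError:                     # Truncated is a ValueError
        return True


def demo() -> dict:
    hello = build_client_hello([0xC02F, 0x009C], "example.com")
    # Fixed-size prefix is 2+32+1+2+4+2 = 43 bytes, so the extensions length sits at offset 43.
    lying = hello[:43] + struct.pack("!H", 0xFFFF) + hello[45:]
    return {"parsed": parse_client_hello(hello),
            "valid_rejected": rejects(hello),
            "cut_rejected": rejects(hello[:-4]),            # cut inside the SNI extension
            "lying_length_rejected": rejects(lying)}
```

The two failure cases are the ones that matter for the advisory: a message shorter than its own length fields claim, and a length field that simply lies. Both are caught at the `take()` boundary, before any byte beyond the buffer is touched.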
[Full-disclosure] [USN-1062-1] Kerberos vulnerabilities
===========================================================
Ubuntu Security Notice USN-1062-1              February 15, 2011
krb5 vulnerabilities
CVE-2010-4022, CVE-2011-0281, CVE-2011-0282
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  krb5-kdc                        1.6.dfsg.3~beta1-2ubuntu1.8

Ubuntu 9.10:
  krb5-kdc                        1.7dfsg~beta3-1ubuntu0.9
  krb5-kdc-ldap                   1.7dfsg~beta3-1ubuntu0.9

Ubuntu 10.04 LTS:
  krb5-kdc                        1.8.1+dfsg-2ubuntu0.6
  krb5-kdc-ldap                   1.8.1+dfsg-2ubuntu0.6

Ubuntu 10.10:
  krb5-kdc                        1.8.1+dfsg-5ubuntu0.4
  krb5-kdc-ldap                   1.8.1+dfsg-5ubuntu0.4

In general, a standard system update will make all the necessary changes.

Details follow:

Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input. This could only occur when kpropd is running in standalone mode; kpropd was not affected when running in incremental propagation mode (iprop) or as an inetd server. This issue only affects Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-4022)

Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.
(CVE-2011-0281, CVE-2011-0282)

Updated packages for Ubuntu 8.04 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.6.dfsg.3~beta1-2ubuntu1.8.diff.gz
      Size/MD5:  1755478 b0098fe4390fbcc19746fc9f8dc8e0ed
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.6.dfsg.3~beta1-2ubuntu1.8.dsc
      Size/MD5:     1732 0dd68e09c2aca8d26464d8ff6a786d5a
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5_1.6.dfsg.3~beta1.orig.tar.gz
      Size/MD5: 14672599 7a36c3471aa31ffd01d5a020f9d82dff

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-doc_1.6.dfsg.3~beta1-2ubuntu1.8_all.deb
      Size/MD5:  2121914 209bd6abfa0fe80abcbf27ba56b1fdb1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-user_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:   141226 8f96ebfd892196ef126165a886212710
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:   162470 186501596523d662ff683dc145529b06
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dbg_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:  1338050 7d3b6575ea7e203b091ca8dbe34f7990
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    89698 8d2a3e602c8970f7602f9d13602bd4f4
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:   497822 73792c24bfe26aceb1de172223fadcde
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    88478 8ef0e44ff563e6d66a91c4c28d76aff7
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:   230330 673e7f3f938e3cc24bd35f98ce198348
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    65966 107e7bc03b2c629fbf8ea4f0cdd44f90
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:   186458 75a4a7932b3c27c745c51542ac4c882c
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-pkinit_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    65274 36c3bad487210db88f79a5b009b20176
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    92146 ea6d0b272f2314eab8fb4817feb58928
    http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.6.dfsg.3~beta1-2ubuntu1.8_amd64.deb
      Size/MD5:    73496 9a755218f290b73a6f7e98f6598fd517

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/krb5-user_1.6.dfsg.3~beta1-2ubuntu1.8_i386.deb
      Size/MD5:   131600 162a384c3efa4df98540f3a23995bc3c
    http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.6.dfsg.3~beta1-2ubuntu1.8_i386.deb
      Size/MD5:   146286 11d4c76535a21496a7fc2fc63bfc1c46
[Full-disclosure] [USN-1055-1] OpenJDK vulnerabilities
===========================================================
Ubuntu Security Notice USN-1055-1              February 01, 2011
openjdk-6, openjdk-6b18 vulnerabilities
CVE-2010-4351, CVE-2011-0025
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  icedtea6-plugin                 6b20-1.9.5-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin                 6b20-1.9.5-0ubuntu1~10.04.1

Ubuntu 10.10:
  icedtea6-plugin                 6b20-1.9.5-0ubuntu1

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source. (CVE-2011-0025)

USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu 10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures except for the armel (ARM) architecture. This update provides the corresponding update for Ubuntu 10.10 on the armel (ARM) architecture.

Original advisory details:

It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended security policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented.
(CVE-2010-4351)

Updated packages for Ubuntu 9.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.5-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   130663 07167b8caf223fe920ac0c361e42344c
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.5-0ubuntu1~9.10.1.dsc
      Size/MD5:     3018 d3cc6e1842be3094f39ef33e7de3f353
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.5.orig.tar.gz
      Size/MD5: 73242981 a46692c197b9d63625a0593f0f5261a1
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.5-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   131802 6e88eb789ee0d06c18b07194af10bb93
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.5-0ubuntu1~9.10.1.dsc
      Size/MD5:     2997 595fc33270e578ea4b81d23e557c53ec
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.5.orig.tar.gz
      Size/MD5: 71411043 bd54d036357114075c6d4cfb162cb3ad

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.5-0ubuntu1~9.10.1_all.deb
      Size/MD5: 20569646 0263c3295e00ffd691559e93a926b89c
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.5-0ubuntu1~9.10.1_all.deb
      Size/MD5:  6211712 8cf32f132d7249d3b8c293502eb64bac
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.5-0ubuntu1~9.10.1_all.deb
      Size/MD5: 26919048 66c7073fd00bdace7d5f515d875fbcbb

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:   436014 2034a505f2c4e922b445256bd5f80f49
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:    83640 3683906aaf32d462fa577675c441acac
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 119563714 4660ba7c5fb8aac316377c576459a638
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:  2385194 0ea219022e6aea6c1159897d9e34088f
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 11087968 357e95538a652ff16a499bdef84ffba5
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 25600282 746ff952e9c2f2bc4f0f64b07014f409
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:   270666 68ac2c4181b549c79eedca8794650509
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.5-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:  5569254 c0077d670243fea709d4f199dda088ca

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.5-0ubuntu1~9.10.1_i386.deb
      Size/MD5:   418096 c0141822eb47c8c6e06f9af23feef5c5
[Full-disclosure] [USN-1052-1] OpenJDK vulnerability
===========================================================
Ubuntu Security Notice USN-1052-1               January 26, 2011
openjdk-6, openjdk-6b18 vulnerability
CVE-2010-4351
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  icedtea6-plugin                 6b20-1.9.4-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin                 6b20-1.9.4-0ubuntu1~10.04.1

Ubuntu 10.10:
  icedtea6-plugin                 6b20-1.9.4-0ubuntu1

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended security policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented. (CVE-2010-4351)

Updated packages for Ubuntu 9.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.4-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   130597 b695702ffabdff2b295120905ba07780
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.4-0ubuntu1~9.10.1.dsc
      Size/MD5:     3018 3a15ba89ac3d8ec43057f1b4ee263084
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.4.orig.tar.gz
      Size/MD5: 73205024 b8a99377ee01bc543e73c21caba0e16d
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.4-0ubuntu1~9.10.1.diff.gz
      Size/MD5:   145537 250716e800eb500cc236ef9e3d6ddfe8
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.4-0ubuntu1~9.10.1.dsc
      Size/MD5:     2997 dfa9f1ba1c76ff9792ce88f8176aadd4
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.4.orig.tar.gz
      Size/MD5: 71375187 36e126c797818b9385d8ac48136782de

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.4-0ubuntu1~9.10.1_all.deb
      Size/MD5: 19978228 422aad6ce9714e8d521f054f005a5c2e
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.4-0ubuntu1~9.10.1_all.deb
      Size/MD5:  6168100 92e1760d6f8727947750fad6a05a8d38
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.4-0ubuntu1~9.10.1_all.deb
      Size/MD5: 26856742 2ab559527abf492ca1db334e09e0052a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:   432714 06150a87d0deb18514098c4fd4d914c5
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:    83638 697efc67d953f29ecdfe2d02452edb70
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 119549160 f846ad33ad1efcad3a08d8f64f334b3a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:  2364520 194534ae02377afe4b7667743ba6dbac
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 10860680 04143fe33c016f8178f9303bc188e286
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5: 25605026 ef8eb5491f617666154924cd115367ee
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:   270650 c228dc2ad44c587c1b3f10e9064bbd98
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.4-0ubuntu1~9.10.1_amd64.deb
      Size/MD5:  5569110 a277a5d2676e1d2c045b03c087bbedf0

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.4-0ubuntu1~9.10.1_i386.deb
      Size/MD5:   417736 0e878b1628c73c7c99f28f1eb151ca3c
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.4-0ubuntu1~9.10.1_i386.deb
      Size/MD5:    79226 4383c7addee3d356603e0837bd8edd34
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.4-0ubuntu1~9.10.1_i386.deb
      Size/MD5: 172916362 568b5697863394351ccecdec006c23cf
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.4-0ubuntu1~9.10.1_i386.deb
      Size/MD5:  2351096 6e3bfaaf5c310cfb46b4a1c7d1d10fdf
[Full-disclosure] [USN-1031-1] ClamAV vulnerabilities
===========================================================
Ubuntu Security Notice USN-1031-1              December 10, 2010
clamav vulnerabilities
CVE-2010-4260, CVE-2010-4261, CVE-2010-4479
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.04 LTS:
  libclamav6                      0.96.3+dfsg-2ubuntu1.0.10.04.2

Ubuntu 10.10:
  libclamav6                      0.96.3+dfsg-2ubuntu1.2

In general, a standard system update will make all the necessary changes.

Details follow:

Arkadiusz Miskiewicz and others discovered that the PDF processing code in libclamav improperly validated input. This could allow a remote attacker to craft a PDF document that could crash clamav or possibly execute arbitrary code. (CVE-2010-4260, CVE-2010-4479)

It was discovered that an off-by-one error in the icon_cb function in pe_icons.c in libclamav could allow an attacker to corrupt memory, causing clamav to crash or possibly execute arbitrary code. (CVE-2010-4261)

In the default installation, attackers would be isolated by the clamav AppArmor profile.
Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.diff.gz Size/MD5: 284066 72a7c4ff80f395c5dc8e4e7acd6fcd39 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2.dsc Size/MD5: 2323 d1d47147356bfaf610c993b8a9ed0530 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg.orig.tar.gz Size/MD5: 40572329 730c1af9badcee2bce4bbaf1cf8ea20a Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-base_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb Size/MD5: 297088 745b7132479daa4dbdc5ca6cc023e0b2 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-docs_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb Size/MD5: 1295426 b03dae836f5cdf461c3a5f6a98a7363f http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-testfiles_0.96.3+dfsg-2ubuntu1.0.10.04.2_all.deb Size/MD5: 5257088 aa5604ebd0f1e4646ce5d9e056513d11 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 424096 28c2f45042aafbf487e59ce679327bb3 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 22343058 abe9dff9f24f9f9b6b9f9faf5be2936b http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 313300 e88ecbee6c0f900b5854b2c1ca9b0771 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 335490 6d0081c84e0f46ee73bbf452309c03a3 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 217914 11b54c1f926069a93149ce28b7cf5325 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 3898290 0bd7e669232378b4b83a8bfdd0c8d716 
http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.96.3+dfsg-2ubuntu1.0.10.04.2_amd64.deb Size/MD5: 345108 843a766d2909777cc88ccbf03468a6fa i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 410854 416f5d73612e5d37fbb904bb80dffb49 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 22043342 aa53f5f25b3a28b22315e17544bd7a6d http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 308344 d090653db3483820420e465513b7d858 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 327348 4cdcc06e3cfb9c241c7d6f560963116b http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 218084 752cc79037d5f08df096c528bc7eb8b6 http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 3751526 c6dc2280d050c37f1f82ce62ba612cac http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.96.3+dfsg-2ubuntu1.0.10.04.2_i386.deb Size/MD5: 338432 7156843fc6e5b7087d1fba58177ee81f armel architecture (ARM Architecture):
[Full-disclosure] [USN-1029-1] OpenSSL vulnerabilities
===========================================================
Ubuntu Security Notice USN-1029-1              December 08, 2010
openssl vulnerabilities
CVE-2008-7270, CVE-2010-4180
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libssl0.9.8                     0.9.8a-7ubuntu0.14

Ubuntu 8.04 LTS:
  libssl0.9.8                     0.9.8g-4ubuntu3.13

Ubuntu 9.10:
  libssl0.9.8                     0.9.8g-16ubuntu3.5

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.5

Ubuntu 10.10:
  libssl0.9.8                     0.9.8o-1ubuntu4.3

After a standard system update you need to reboot your computer to make all the necessary changes.

Details follow:

It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. This could possibly allow an attacker to downgrade the ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180)

It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. An attacker could possibly take advantage of this to force the use of a disabled cipher. This vulnerability only affects the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10.
(CVE-2008-7270)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14.diff.gz
      Size/MD5:    67296 3de8e480bcec0653b94001366e2f1f27
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14.dsc
      Size/MD5:     1465 a5f93020840f693044eb64af528fd01e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz
      Size/MD5:  3271435 1d16c727c10185e4d694f87f5e424ee1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_amd64.udeb
      Size/MD5:   572012 b3792d19d5f7783929e473b6eb1e239c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:  2181644 746b74e9b6c42731ff2021c396789708
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:  1696628 abe942986698bf86938312c5e344e0ba
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:   880292 9d6d854dcef14c90ce24c1aa232a418a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_amd64.deb
      Size/MD5:   998466 9c51c334fd6c0b7c7b73340a01af61c8

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_i386.udeb
      Size/MD5:   509644 e1617d062d546f7dad2298bf6463bc3c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  2031000 6755c67294ab2ff03255a3bf7079ab26
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  5195206 37fcd0cdefd012f0ea7d79d0e6a1b48f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:  2660326 9083ddc71b89e4f4e95c4ca999bcedba
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_i386.deb
      Size/MD5:   979408 518eaad303d089ab7dcc1b89fd019f19

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_powerpc.udeb
      Size/MD5:   558018 0e94d5f570a83f4b41bef642e032c256
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:  2189034 6588292725cfa33c8d56a61c3d8120b1
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:  1740524 0b98e950e59c538333716ee939710150
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:   865778 d1e44ecc73dea8a8a11cd4d6b7c38abf
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.14_powerpc.deb
      Size/MD5:   984342 a3ff875c30b6721a1d6dd59d9a6393e0

  sparc architecture (Sun SPARC/UltraSPARC):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.14_sparc.udeb
      Size/MD5:   531126 7f598ce48b981eece01e0a1044bbdcc5
[Full-disclosure] [USN-1018-1] OpenSSL vulnerability
===========================================================
Ubuntu Security Notice USN-1018-1              November 18, 2010
openssl vulnerability
CVE-2010-3864
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  libssl0.9.8                     0.9.8g-4ubuntu3.12

Ubuntu 9.10:
  libssl0.9.8                     0.9.8g-16ubuntu3.4

Ubuntu 10.04 LTS:
  libssl0.9.8                     0.9.8k-7ubuntu8.4

Ubuntu 10.10:
  libssl0.9.8                     0.9.8o-1ubuntu4.2

After a standard system update you need to reboot your computer to make all the necessary changes.

Details follow:

Rob Hulswit discovered a race condition in the OpenSSL TLS server extension parsing code when used within a threaded server. A remote attacker could trigger this flaw to cause a denial of service or possibly execute arbitrary code with application privileges. (CVE-2010-3864)

Updated packages for Ubuntu 8.04 LTS:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.12.diff.gz
      Size/MD5:    73629 8e83dfc0b87bcbae8b314538a3468030
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.12.dsc
      Size/MD5:     1563 e2ad4535833ad250f3a80547f74ff939
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz
      Size/MD5:  3354792 acf70a16359bf3658bdfb74bda1c4419

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.12_all.deb
      Size/MD5:   641642 1b8774cb48f140e2a65b44425e6a84a9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.12_amd64.udeb
      Size/MD5:   604226 701b868dae6ff3b4acaecba7e4805c73
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.12_amd64.deb
      Size/MD5:  2084370 9dc23d12935cc2deaf0764464fb5c165
[Full-disclosure] [USN-1010-1] OpenJDK vulnerabilities
===
Ubuntu Security Notice USN-1010-1
October 28, 2010
openjdk-6, openjdk-6b18 vulnerabilities
CVE-2009-3555, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3573, CVE-2010-3574
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  icedtea6-plugin         6b18-1.8.2-4ubuntu1~8.04.1
  openjdk-6-jdk           6b18-1.8.2-4ubuntu1~8.04.1
  openjdk-6-jre           6b18-1.8.2-4ubuntu1~8.04.1
  openjdk-6-jre-headless  6b18-1.8.2-4ubuntu1~8.04.1

Ubuntu 9.10:
  icedtea6-plugin         6b18-1.8.2-4ubuntu1~9.10.1
  openjdk-6-jdk           6b18-1.8.2-4ubuntu1~9.10.1
  openjdk-6-jre           6b18-1.8.2-4ubuntu1~9.10.1
  openjdk-6-jre-headless  6b18-1.8.2-4ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin         6b18-1.8.2-4ubuntu2
  openjdk-6-jdk           6b18-1.8.2-4ubuntu2
  openjdk-6-jre           6b18-1.8.2-4ubuntu2
  openjdk-6-jre-headless  6b18-1.8.2-4ubuntu2

Ubuntu 10.10:
  icedtea6-plugin         6b18-1.8.2-4ubuntu1
  openjdk-6-jdk           6b18-1.8.2-4ubuntu1
  openjdk-6-jre           6b18-1.8.2-4ubuntu1
  openjdk-6-jre-headless  6b18-1.8.2-4ubuntu1

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

Details follow:

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. USN-923-1 disabled SSL/TLS renegotiation by default; this update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, and thus supports secure renegotiation between updated clients and servers. (CVE-2009-3555)

It was discovered that the HttpURLConnection class did not validate request headers set by Java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3541)

It was discovered that JNDI could leak information that would allow an attacker to access information about otherwise-protected internal network names. (CVE-2010-3548)

It was discovered that HttpURLConnection improperly handled the chunked transfer encoding method, which could allow attackers to conduct HTTP response splitting attacks. (CVE-2010-3549)

It was discovered that the NetworkInterface class improperly checked the network connect permissions for local network addresses. This could allow an attacker to read local network addresses. (CVE-2010-3551)

It was discovered that UIDefault.ProxyLazyValue had unsafe reflection usage, allowing an attacker to create objects. (CVE-2010-3553)

It was discovered that multiple flaws in the CORBA reflection implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554)

It was discovered that unspecified flaws in the Swing library could allow untrusted applications to modify the behavior and state of certain JDK classes. (CVE-2010-3557)

It was discovered that the privileged accept method of the ServerSocket class in the CORBA implementation allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561)

It was discovered that there exists a double free in Java's IndexColorModel that could allow an attacker to cause an applet or application to crash, or possibly execute arbitrary code with the privilege of the user running the Java applet or application. (CVE-2010-3562)

It was discovered that the Kerberos implementation improperly checked AP-REQ requests, which could allow an attacker to cause a denial of service against the receiving JVM. (CVE-2010-3564)

It was discovered that improper checks of unspecified image metadata in JPEGImageWriter.writeImage of the imageio API could allow an attacker to execute arbitrary code with the privileges of the user running a Java applet or application. (CVE-2010-3565)

It was discovered that an unspecified vulnerability in the ICC profile handling code could allow an attacker to execute arbitrary code with the privileges of the user running a Java applet or application. (CVE-2010-3566)

It was discovered that a miscalculation in the
[Full-disclosure] [USN-991-1] quassel vulnerability
===
Ubuntu Security Notice USN-991-1
September 23, 2010
quassel vulnerability
https://launchpad.net/bugs/629774
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.04:
  quassel       0.4.1-0ubuntu3.1
  quassel-core  0.4.1-0ubuntu3.1

Ubuntu 9.10:
  quassel       0.5.0-0ubuntu1.2
  quassel-core  0.5.0-0ubuntu1.2

Ubuntu 10.04 LTS:
  quassel       0.6.1-0ubuntu1.1
  quassel-core  0.6.1-0ubuntu1.1

After a standard system update you need to restart quassel or quasselcore to make all the necessary changes.

Details follow:

Jima discovered that quassel would respond to a single privmsg containing multiple CTCP requests with multiple NOTICEs, possibly resulting in a denial of service against the IRC connection.

Updated packages for Ubuntu 9.04:
[Full-disclosure] [USN-979-1] okular vulnerability
===
Ubuntu Security Notice USN-979-1
August 27, 2010
kdegraphics vulnerability
CVE-2010-2575
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.04:
  okular  4:4.2.2-0ubuntu2.1

Ubuntu 9.10:
  okular  4:4.3.2-0ubuntu1.1

Ubuntu 10.04 LTS:
  okular  4:4.4.2-0ubuntu1.1

After a standard system update you need to restart any running instances of okular to make all the necessary changes.

Details follow:

Stefan Cornelius of Secunia Research discovered a boundary error during RLE decompression in the TranscribePalmImageToJPEG() function in generators/plucker/inplug/image.cpp of okular when processing images embedded in PDB files, which can be exploited to cause a heap-based buffer overflow. (CVE-2010-2575)

Updated packages for Ubuntu 9.04:
[Full-disclosure] [USN-967-1] w3m vulnerability
===
Ubuntu Security Notice USN-967-1
August 09, 2010
w3m vulnerability
CVE-2010-2074
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  w3m  0.5.1-4ubuntu2.6.06.1

Ubuntu 8.04 LTS:
  w3m  0.5.1-5.1ubuntu1.1

Ubuntu 9.04:
  w3m  0.5.2-2ubuntu0.1

Ubuntu 9.10:
  w3m  0.5.2-2ubuntu1.1

Ubuntu 10.04 LTS:
  w3m  0.5.2-2.1ubuntu1.1

After a standard system update you need to restart any running instances of w3m to effect the necessary changes.

Details follow:

Ludwig Nussel discovered w3m does not properly handle SSL/TLS certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2010-2074)

Updated packages for Ubuntu 6.06 LTS:
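The w3m advisory above concerns a certificate name with an embedded NULL character slipping past the hostname check. The following is an added example, not w3m's or OpenSSL's code: it puts the C-string comparison that makes this possible next to a length-aware check that rejects it. The function names, the (pointer, length) representation of the decoded name and all host names are constructed for illustration.

```c
/* Added example, not w3m's code: why a NUL byte inside an X.509 subject name
 * defeats a C-string hostname comparison, and a length-aware check that does
 * not. The name arrives from the ASN.1 decoder as (pointer, length); the host
 * is what the user typed. All names below are constructed placeholders. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed forged name: the bytes after the NUL are what a CA would
 * validate, the bytes before it are all a C string function ever "sees". */
const unsigned char FORGED_CN[] = "bank.example.com\0attacker.example.net";
const size_t FORGED_CN_LEN = sizeof(FORGED_CN) - 1;   /* 37 bytes, NUL included */

const unsigned char HONEST_CN[] = "bank.example.com";
const size_t HONEST_CN_LEN = sizeof(HONEST_CN) - 1;   /* 16 bytes */

/* Vulnerable pattern: ignores the decoder's length and lets strcmp stop at
 * the first NUL, so the forged name compares equal to the bank's hostname. */
bool hostname_matches_cstr(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                       /* the bug: the real length is never consulted */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern: reject embedded NULs outright, then require the full
 * decoder-reported length to match the hostname byte for byte. */
bool hostname_matches_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;                   /* a DNS name never contains NUL */
    if (cn_len != strlen(host))
        return false;                   /* trailing bytes cannot hide behind a NUL */
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "bank.example.com";
    printf("forged CN, C-string compare: %s\n",
           hostname_matches_cstr(FORGED_CN, FORGED_CN_LEN, host) ? "MATCH (wrong)" : "no match");
    printf("forged CN, length-aware:     %s\n",
           hostname_matches_safe(FORGED_CN, FORGED_CN_LEN, host) ? "match" : "no match (correct)");
    printf("honest CN, length-aware:     %s\n",
           hostname_matches_safe(HONEST_CN, HONEST_CN_LEN, host) ? "match (correct)" : "no match");
    return 0;
}
```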
[Full-disclosure] [USN-965-1] OpenLDAP vulnerabilities
===
Ubuntu Security Notice USN-965-1
August 09, 2010
openldap, openldap2.2, openldap2.3 vulnerabilities
CVE-2010-0211, CVE-2010-0212
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  slapd  2.2.26-5ubuntu2.10

Ubuntu 8.04 LTS:
  slapd  2.4.9-0ubuntu0.8.04.4

Ubuntu 9.04:
  slapd  2.4.15-1ubuntu3.1

Ubuntu 9.10:
  slapd  2.4.18-0ubuntu1.1

Ubuntu 10.04 LTS:
  slapd  2.4.21-0ubuntu5.2

In general, a standard system update will make all the necessary changes.

Details follow:

Using the Codenomicon LDAPv3 test suite, Ilkka Mattila and Tuomas Salomäki discovered that the slap_modrdn2mods function in modrdn.c in OpenLDAP does not check the return value from a call to the smr_normalize function. A remote attacker could use specially crafted modrdn requests to crash the slapd daemon or possibly execute arbitrary code. (CVE-2010-0211)

Using the Codenomicon LDAPv3 test suite, Ilkka Mattila and Tuomas Salomäki discovered that OpenLDAP does not properly handle empty RDN strings. A remote attacker could use specially crafted modrdn requests to crash the slapd daemon. (CVE-2010-0212)

In the default installation under Ubuntu 8.04 LTS and later, attackers would be isolated by the OpenLDAP AppArmor profile for the slapd daemon.
Updated packages for Ubuntu 6.06 LTS: