USN-837-1: Newt vulnerability
Submitted by MarcDeslauriers on Thu, 2009-09-24 13:41
Referenced CVEs:
CVE-2009-2905
Description:
===========================================================
Ubuntu Security Notice USN-837-1 September 24, 2009
newt vulnerability
CVE-2009-2905
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libnewt0.51 0.51.6-31ubuntu1.1
Ubuntu 8.04 LTS:
libnewt0.52 0.52.2-11.2ubuntu1.1
Ubuntu 8.10:
libnewt0.52 0.52.2-11.3ubuntu1.1
Ubuntu 9.04:
libnewt0.52 0.52.2-11.3ubuntu3.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Miroslav Lichvar discovered that Newt incorrectly handled rendering in a
text box. An attacker could exploit this and cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program.
USN-836-1: WebKit vulnerabilities
Submitted by MarcDeslauriers on Wed, 2009-09-23 13:32
Referenced CVEs:
CVE-2009-0945, CVE-2009-1687, CVE-2009-1690, CVE-2009-1698, CVE-2009-1711, CVE-2009-1712, CVE-2009-1725
Description:
===========================================================
Ubuntu Security Notice USN-836-1 September 23, 2009
webkit vulnerabilities
CVE-2009-0945, CVE-2009-1687, CVE-2009-1690, CVE-2009-1698,
CVE-2009-1711, CVE-2009-1712, CVE-2009-1725
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
libwebkit-1.0-1 1.0.1-2ubuntu0.2
libwebkit-1.0-1-dbg 1.0.1-2ubuntu0.2
libwebkit-dev 1.0.1-2ubuntu0.2
Ubuntu 9.04:
libwebkit-1.0-1 1.0.1-4ubuntu0.1
libwebkit-1.0-1-dbg 1.0.1-4ubuntu0.1
libwebkit-dev 1.0.1-4ubuntu0.1
After a standard system upgrade you need to restart any applications that
use WebKit, such as Epiphany-webkit and Midori, to effect the necessary
changes.
Details follow:
It was discovered that WebKit did not properly handle certain SVGPathList
data structures. If a user were tricked into viewing a malicious website,
an attacker could exploit this to execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-0945)
Several flaws were discovered in the WebKit browser and JavaScript engines.
If a user were tricked into viewing a malicious website, a remote attacker
could cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-1687, CVE-2009-1690,
CVE-2009-1698, CVE-2009-1711, CVE-2009-1725)
It was discovered that WebKit did not prevent the loading of local Java
applets. If a user were tricked into viewing a malicious website,
an attacker could exploit this to execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-1712)
USN-835-1: neon vulnerabilities
Submitted by KeesCook on Mon, 2009-09-21 19:46
Referenced CVEs:
CVE-2008-3746, CVE-2009-2474
Description:
===========================================================
Ubuntu Security Notice USN-835-1 September 21, 2009
neon, neon27 vulnerabilities
CVE-2008-3746, CVE-2009-2474
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libneon25 0.25.5.dfsg-5ubuntu0.1
Ubuntu 8.04 LTS:
libneon27 0.27.2-1ubuntu0.1
libneon27-gnutls 0.27.2-1ubuntu0.1
Ubuntu 8.10:
libneon27 0.28.2-2ubuntu0.1
libneon27-gnutls 0.28.2-2ubuntu0.1
Ubuntu 9.04:
libneon27 0.28.2-6.1ubuntu0.1
libneon27-gnutls 0.28.2-6.1ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Joe Orton discovered that neon did not correctly handle SSL certificates
with zero bytes in the Common Name. A remote attacker could exploit this
to perform a man in the middle attack to view sensitive information or
alter encrypted communications.
USN-834-1: PostgreSQL vulnerabilities
Submitted by JamesStrandboge on Mon, 2009-09-21 15:24
Referenced CVEs:
CVE-2009-3229, CVE-2009-3230, CVE-2009-3231
Description:
===========================================================
Ubuntu Security Notice USN-834-1 September 21, 2009
postgresql-8.1, postgresql-8.3 vulnerabilities
CVE-2009-3229, CVE-2009-3230, CVE-2009-3231
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
postgresql-8.1 8.1.18-0ubuntu0.6.06
Ubuntu 8.04 LTS:
postgresql-8.3 8.3.8-0ubuntu8.04
Ubuntu 8.10:
postgresql-8.3 8.3.8-0ubuntu8.10
Ubuntu 9.04:
postgresql-8.3 8.3.8-0ubuntu9.04
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that PostgreSQL could be made to unload and reload an
already loaded module by using the LOAD command. A remote authenticated
attacker could exploit this to cause a denial of service. This issue did
not affect Ubuntu 6.06 LTS. (CVE-2009-3229)
Due to an incomplete fix for CVE-2007-6600, RESET ROLE and RESET SESSION
AUTHORIZATION operations were allowed inside security-definer functions. A
remote authenticated attacker could exploit this to escalate privileges
within PostgreSQL. (CVE-2009-3230)
It was discovered that PostgreSQL did not properly perform LDAP
authentication under certain circumstances. When configured to use LDAP
with anonymous binds, a remote attacker could bypass authentication by
supplying an empty password. This issue did not affect Ubuntu 6.06 LTS.
(CVE-2009-3231)
USN-833-1: KDE-Libs vulnerability
Submitted by JamesStrandboge on Fri, 2009-09-18 00:52
Referenced CVEs:
CVE-2009-2702
Description:
===========================================================
Ubuntu Security Notice USN-833-1 September 18, 2009
kde4libs, kdelibs vulnerability
CVE-2009-2702
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
kdelibs4c2a 4:3.5.10-0ubuntu1~hardy1.3
Ubuntu 8.10:
kdelibs4c2a 4:3.5.10-0ubuntu6.2
kdelibs5 4:4.1.4-0ubuntu1~intrepid1.3
Ubuntu 9.04:
kdelibs4c2a 4:3.5.10.dfsg.1-1ubuntu8.2
kdelibs5 4:4.2.2-0ubuntu5.2
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
It was discovered that KDE did not properly handle certificates with NULL
characters in the Subject Alternative Name field of X.509 certificates. An
attacker could exploit this to perform a man in the middle attack to view
sensitive information or alter encrypted communications.
USN-832-1: FreeRADIUS vulnerability
Submitted by MarcDeslauriers on Wed, 2009-09-16 19:25
Referenced CVEs:
CVE-2009-3111
Description:
===========================================================
Ubuntu Security Notice USN-832-1 September 16, 2009
freeradius vulnerability
CVE-2009-3111
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
freeradius 1.1.7-1ubuntu0.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that FreeRADIUS did not correctly handle certain
malformed attributes. A remote attacker could exploit this flaw and cause
the FreeRADIUS server to crash, resulting in a denial of service.
USN-831-1: OpenEXR vulnerabilities
Submitted by MarcDeslauriers on Mon, 2009-09-14 18:11
Referenced CVEs:
CVE-2009-1720, CVE-2009-1721, CVE-2009-1722
Description:
===========================================================
Ubuntu Security Notice USN-831-1 September 14, 2009
openexr vulnerabilities
CVE-2009-1720, CVE-2009-1721, CVE-2009-1722
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libopenexr2ldbl 1.2.2-4.4ubuntu1.1
Ubuntu 8.10:
libopenexr6 1.6.1-3ubuntu1.8.10.1
Ubuntu 9.04:
libopenexr6 1.6.1-3ubuntu1.9.04.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Drew Yao discovered several flaws in the way OpenEXR handled certain
malformed EXR image files. If a user were tricked into opening a crafted
EXR image file, an attacker could cause a denial of service via application
crash, or possibly execute arbitrary code with the privileges of the user
invoking the program. (CVE-2009-1720, CVE-2009-1721)
It was discovered that OpenEXR did not properly handle certain malformed
EXR image files. If a user were tricked into opening a crafted EXR image
file, an attacker could cause a denial of service via application crash, or
possibly execute arbitrary code with the privileges of the user invoking
the program. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-1722)
USN-830-1: OpenSSL vulnerability
Submitted by MarcDeslauriers on Mon, 2009-09-14 18:10
Referenced CVEs:
CVE-2009-2409
Description:
===========================================================
Ubuntu Security Notice USN-830-1 September 14, 2009
openssl vulnerability
CVE-2009-2409
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libssl0.9.8 0.9.8a-7ubuntu0.10
Ubuntu 8.04 LTS:
libssl0.9.8 0.9.8g-4ubuntu3.8
Ubuntu 8.10:
libssl0.9.8 0.9.8g-10.1ubuntu2.5
Ubuntu 9.04:
libssl0.9.8 0.9.8g-15ubuntu3.3
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Dan Kaminsky discovered OpenSSL would still accept certificates with MD2
hash signatures. As a result, an attacker could potentially create a
malicious trusted certificate to impersonate another site. This update
handles this issue by completely disabling MD2 for certificate validation.
USN-829-1: Qt vulnerability
Submitted by JamesStrandboge on Thu, 2009-09-10 22:40
Referenced CVEs:
CVE-2009-2700
Description:
===========================================================
Ubuntu Security Notice USN-829-1 September 10, 2009
qt4-x11 vulnerability
CVE-2009-2700
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libqt4-core 4.3.4-0ubuntu3.1
Ubuntu 8.10:
libqt4-network 4.4.3-0ubuntu1.3
Ubuntu 9.04:
libqt4-network 4.5.0-0ubuntu4.2
After a standard system upgrade you need to restart your session to effect
the necessary changes.
Details follow:
It was discovered that Qt did not properly handle certificates with NULL
characters in the Subject Alternative Name field of X.509 certificates. An
attacker could exploit this to perform a man in the middle attack to view
sensitive information or alter encrypted communications. (CVE-2009-2700)
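Three of the notices above (USN-835-1 for neon, USN-833-1 for KDE, USN-829-1 for Qt) describe the same class of bug: a hostname check that stops at an embedded NUL byte in a certificate name, and USN-830-1 describes trusting MD2-signed certificates. The following Python is an added illustration written for this page, not code from Ubuntu or any of those projects; it assumes certificates arrive in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, uses constructed sample certificates, and shows the truncating comparison beside a check that rejects NUL bytes and an MD2 deny list.

```python
# Constructed sample certificates in the dict layout Python's
# ssl.SSLSocket.getpeercert() returns (assumed input format; no network needed).
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# A name with an embedded NUL: a C strcmp()-style check sees only
# "www.bank.example", although the CA signed the whole string.
NUL_CERT = {
    "subject": ((("commonName", "www.bank.example\x00.attacker.example"),),),
    "subjectAltName": (("DNS", "www.bank.example\x00.attacker.example"),),
}


def cert_names(cert):
    """Collect DNS subjectAltNames first, then any subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names


def naive_match(cert, hostname):
    """Vulnerable behaviour: emulate a C string compare that stops at NUL."""
    return any(n.split("\x00", 1)[0].lower() == hostname.lower() for n in cert_names(cert))


def check_hostname(cert, hostname):
    """Hardened check. Returns (True, matched_name) or (False, reason).

    Names are compared over their full length and any NUL byte is rejected
    outright, so truncation can never produce a match. Wildcards are
    deliberately not supported here to keep the check minimal.
    """
    names = cert_names(cert)
    for name in names:
        if "\x00" in name:
            return False, "embedded NUL byte in certificate name"
    for name in names:
        if name.lower() == hostname.lower():
            return True, name
    return False, "no name matched %r" % hostname


# Signature algorithms that must not be accepted for certificate validation,
# as USN-830-1 does for MD2 (OpenSSL's long name for that algorithm).
REJECTED_SIGNATURE_ALGORITHMS = {"md2WithRSAEncryption"}


def signature_is_acceptable(signature_algorithm):
    """Reject certificates whose signature algorithm is on the deny list."""
    return signature_algorithm not in REJECTED_SIGNATURE_ALGORITHMS
```

In a real client the same two checks sit behind the TLS library (for example Python's ssl module already performs NUL-safe name matching), so the value of the snippet is in showing why the truncating comparison must be replaced rather than patched around.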