USN-806-1: Python vulnerabilities
Submitted by MarcDeslauriers on Thu, 2009-07-23 19:32
Referenced CVEs:
CVE-2008-4864, CVE-2008-5031
Description:
===========================================================
Ubuntu Security Notice USN-806-1 July 23, 2009
python2.4, python2.5 vulnerabilities
CVE-2008-4864, CVE-2008-5031
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
python2.4 2.4.3-0ubuntu6.3
python2.4-minimal 2.4.3-0ubuntu6.3
Ubuntu 8.04 LTS:
python2.4 2.4.5-1ubuntu4.2
python2.4-minimal 2.4.5-1ubuntu4.2
python2.5 2.5.2-2ubuntu6
python2.5-minimal 2.5.2-2ubuntu6
Ubuntu 8.10:
python2.4 2.4.5-5ubuntu1.1
python2.4-minimal 2.4.5-5ubuntu1.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
It was discovered that Python incorrectly handled certain arguments in the
imageop module. If an attacker were able to pass specially crafted
arguments through the crop function, they could execute arbitrary code with
user privileges. For Python 2.5, this issue only affected Ubuntu 8.04 LTS.
(CVE-2008-4864)
Multiple integer overflows were discovered in Python's stringobject and
unicodeobject expandtabs method. If an attacker were able to exploit these
flaws they could execute arbitrary code with user privileges or cause
Python applications to crash, leading to a denial of service.
(CVE-2008-5031)
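Every notice on this page ends with a "package version" list and the instruction to upgrade to at least those versions. As an added example (not part of any advisory, and not Ubuntu tooling), the checker below parses such a list and compares a host's installed versions against the fixed ones using dpkg's version-ordering rules, so a too-old revision like 2.4.5-1ubuntu4.1 is flagged while an equal one is not; the regexes assume the USN layout shown above, and INSTALLED is constructed sample data.

```python
import re
from itertools import zip_longest
# Added example (not from the advisory): check installed package versions against a USN's fixed
# versions with dpkg's ordering: [epoch:]upstream[-revision]; '~' sorts before anything, even the
# end of a string; digit runs compare numerically; letters sort before other characters.
def _order(c):  # weight of one non-digit character; '' marks the end of a run
    return 0 if c == "" else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):  # compare an upstream or revision string like dpkg's verrevcmp()
    # re.split yields alternating non-digit/digit runs, always starting with a non-digit run
    runs = zip_longest(re.split(r"(\d+)", a), re.split(r"(\d+)", b), fillvalue="")
    for k, (ra, rb) in enumerate(runs):
        if k % 2:  # digit run: numeric compare; a missing run loses to any number
            d = int(ra or -1) - int(rb or -1)
        else:  # non-digit run: char by char, the shorter run padded with ''
            d = next((_order(x) - _order(y) for x, y in zip_longest(ra, rb, fillvalue="") if x != y), 0)
        if d:
            return d
    return 0

def dpkg_compare(v1, v2):  # negative, zero or positive, like `dpkg --compare-versions v1 lt|eq|gt v2`
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, dash, revision = rest.rpartition("-")
        return int(epoch), (upstream if dash else rest), (revision if dash else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_usn(text):  # {release: {package: fixed_version}} from a USN's package list
    fixed, release = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^(Ubuntu [\d.]+(?: LTS)?):$", line)
        if m:
            release, fixed[m.group(1)] = m.group(1), {}
        elif release and re.match(r"^\S+ \d\S*$", line):
            fixed[release].update([line.split()])
        elif release and line:
            break  # the first prose line after the list ends it
    return fixed

def unpatched(text, release, installed):  # installed packages still below the USN's fixed version
    fixed = parse_usn(text).get(release, {})
    return sorted(p for p, v in installed.items() if p in fixed and dpkg_compare(v, fixed[p]) < 0)

# Ubuntu 8.04 LTS section of USN-806-1 as printed above; INSTALLED is a constructed sample of
# `dpkg-query -W -f '${Package} ${Version}\n'` output from a host that missed part of the update.
USN_806_1 = """Ubuntu 8.04 LTS:
python2.4 2.4.5-1ubuntu4.2
python2.4-minimal 2.4.5-1ubuntu4.2
python2.5 2.5.2-2ubuntu6
After a standard system upgrade you need to reboot your computer to"""
INSTALLED = {"python2.4": "2.4.5-1ubuntu4.1", "python2.4-minimal": "2.4.5-1ubuntu4.2", "python2.5": "2.5.2-2ubuntu5.1"}
```

The same parser works for every notice on this page, including the epoch-prefixed pulseaudio version 1:0.9.14-0ubuntu20.2, which sorts above any non-epoch version.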
USN-798-1: Firefox and Xulrunner vulnerabilities
Submitted by JamesStrandboge on Wed, 2009-07-22 15:40
Referenced CVEs:
CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2472
Description:
===========================================================
Ubuntu Security Notice USN-798-1 July 22, 2009
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2009-2462, CVE-2009-2463, CVE-2009-2464, CVE-2009-2465,
CVE-2009-2466, CVE-2009-2467, CVE-2009-2469, CVE-2009-2472
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
firefox-3.0 3.0.12+build1+nobinonly-0ubuntu0.8.04.1
xulrunner-1.9 1.9.0.12+build1+nobinonly-0ubuntu0.8.04.1
Ubuntu 8.10:
abrowser 3.0.12+build1+nobinonly-0ubuntu0.8.10.1
firefox-3.0 3.0.12+build1+nobinonly-0ubuntu0.8.10.1
xulrunner-1.9 1.9.0.12+build1+nobinonly-0ubuntu0.8.10.2
Ubuntu 9.04:
abrowser 3.0.12+build1+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.0.12+build1+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9 1.9.0.12+build1+nobinonly-0ubuntu0.9.04.1
After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the necessary
changes.
Details follow:
Several flaws were discovered in the Firefox browser and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-2462,
CVE-2009-2463, CVE-2009-2464, CVE-2009-2465, CVE-2009-2466, CVE-2009-2469)
Attila Suszter discovered a flaw in the way Firefox processed Flash content.
If a user were tricked into viewing and navigating within a specially
crafted Flash object, a remote attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2009-2467)
It was discovered that Firefox did not properly handle some SVG content. An
attacker could exploit this to cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-2469)
A flaw was discovered in the JavaScript engine. If a user were tricked into
viewing a malicious website, an attacker could exploit this to perform
cross-site scripting attacks. (CVE-2009-2472)
Canonical releases source code for Launchpad
Release of Launchpad to encourage innovation
London July 21, 2009: Canonical, the founder of the Ubuntu project, announced today that it has open-sourced the code that runs Launchpad, the software development and collaboration platform used by tens of thousands of developers.
Launchpad is used to build Ubuntu and thousands of other projects, and its users can now participate directly in the development of Launchpad itself.
USN-805-1: Ruby vulnerabilities
Submitted by MarcDeslauriers on Mon, 2009-07-20 14:51
Referenced CVEs:
CVE-2009-0642, CVE-2009-1904
Description:
===========================================================
Ubuntu Security Notice USN-805-1 July 20, 2009
ruby1.8, ruby1.9 vulnerabilities
CVE-2009-0642, CVE-2009-1904
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libruby1.8 1.8.4-1ubuntu1.7
ruby1.8 1.8.4-1ubuntu1.7
Ubuntu 8.04 LTS:
libruby1.8 1.8.6.111-2ubuntu1.3
ruby1.8 1.8.6.111-2ubuntu1.3
Ubuntu 8.10:
libruby1.8 1.8.7.72-1ubuntu0.2
libruby1.9 1.9.0.2-7ubuntu1.2
ruby1.8 1.8.7.72-1ubuntu0.2
ruby1.9 1.9.0.2-7ubuntu1.2
Ubuntu 9.04:
libruby1.8 1.8.7.72-3ubuntu0.1
libruby1.9 1.9.0.2-9ubuntu1.1
ruby1.8 1.8.7.72-3ubuntu0.1
ruby1.9 1.9.0.2-9ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that Ruby did not properly validate certificates. An
attacker could exploit this and present invalid or revoked X.509
certificates. (CVE-2009-0642)
It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. (CVE-2009-1904)
USN-804-1: PulseAudio vulnerability
Submitted by KeesCook on Thu, 2009-07-16 18:23
Referenced CVEs:
CVE-2009-1894
Description:
===========================================================
Ubuntu Security Notice USN-804-1 July 16, 2009
pulseaudio vulnerability
CVE-2009-1894
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
pulseaudio 0.9.10-1ubuntu1.1
Ubuntu 8.10:
pulseaudio 0.9.10-2ubuntu9.4
Ubuntu 9.04:
pulseaudio 1:0.9.14-0ubuntu20.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tavis Ormandy, Julien Tinnes, and Yorick Koster discovered that
PulseAudio did not safely re-execute itself. A local attacker could
exploit this to gain root privileges.
USN-803-1: dhcp vulnerability
Submitted by JamesStrandboge on Tue, 2009-07-14 19:44
Referenced CVEs:
CVE-2009-0692
Description:
===========================================================
Ubuntu Security Notice USN-803-1 July 14, 2009
dhcp3 vulnerability
CVE-2009-0692
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
dhcp3-client 3.0.3-6ubuntu7.1
dhcp3-client-udeb 3.0.3-6ubuntu7.1
Ubuntu 8.04 LTS:
dhcp3-client 3.0.6.dfsg-1ubuntu9.1
dhcp3-client-udeb 3.0.6.dfsg-1ubuntu9.1
Ubuntu 8.10:
dhcp3-client 3.1.1-1ubuntu2.1
dhcp3-client-udeb 3.1.1-1ubuntu2.1
Ubuntu 9.04:
dhcp3-client 3.1.1-5ubuntu8.1
dhcp3-client-udeb 3.1.1-5ubuntu8.1
After a standard system upgrade you need to restart any DHCP network
connections utilizing dhclient3 to effect the necessary changes.
Details follow:
It was discovered that the DHCP client as included in dhcp3 did not verify
the length of certain option fields when processing a response from an IPv4
dhcp server. If a user running Ubuntu 6.06 LTS or 8.04 LTS connected to a
malicious dhcp server, a remote attacker could cause a denial of service or
execute arbitrary code as the user invoking the program, typically the
'dhcp' user. For users running Ubuntu 8.10 or 9.04, a remote attacker
should only be able to cause a denial of service in the DHCP client. In
Ubuntu 9.04, attackers would also be isolated by the AppArmor dhclient3
profile.
USN-802-1: Apache vulnerabilities
Submitted by MarcDeslauriers on Mon, 2009-07-13 19:37
Referenced CVEs:
CVE-2009-1890, CVE-2009-1891
Description:
===========================================================
Ubuntu Security Notice USN-802-1 July 13, 2009
apache2 vulnerabilities
CVE-2009-1890, CVE-2009-1891
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
apache2-common 2.0.55-4ubuntu2.6
apache2-mpm-perchild 2.0.55-4ubuntu2.6
apache2-mpm-prefork 2.0.55-4ubuntu2.6
apache2-mpm-worker 2.0.55-4ubuntu2.6
libapr0 2.0.55-4ubuntu2.6
Ubuntu 8.04 LTS:
apache2-mpm-event 2.2.8-1ubuntu0.10
apache2-mpm-perchild 2.2.8-1ubuntu0.10
apache2-mpm-prefork 2.2.8-1ubuntu0.10
apache2-mpm-worker 2.2.8-1ubuntu0.10
apache2.2-common 2.2.8-1ubuntu0.10
Ubuntu 8.10:
apache2-mpm-event 2.2.9-7ubuntu3.2
apache2-mpm-prefork 2.2.9-7ubuntu3.2
apache2-mpm-worker 2.2.9-7ubuntu3.2
apache2.2-common 2.2.9-7ubuntu3.2
Ubuntu 9.04:
apache2-mpm-event 2.2.11-2ubuntu2.2
apache2-mpm-prefork 2.2.11-2ubuntu2.2
apache2-mpm-worker 2.2.11-2ubuntu2.2
apache2.2-common 2.2.11-2ubuntu2.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that mod_proxy_http did not properly handle a large
amount of streamed data when used as a reverse proxy. A remote attacker
could exploit this and cause a denial of service via memory resource
consumption. This issue affected Ubuntu 8.04 LTS, 8.10 and 9.04.
(CVE-2009-1890)
It was discovered that mod_deflate did not abort compressing large files
when the connection was closed. A remote attacker could exploit this and
cause a denial of service via CPU resource consumption. (CVE-2009-1891)
USN-801-1: tiff vulnerability
Submitted by MarcDeslauriers on Mon, 2009-07-13 19:36
Referenced CVEs:
CVE-2009-2347
Description:
===========================================================
Ubuntu Security Notice USN-801-1 July 13, 2009
tiff vulnerability
CVE-2009-2347
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libtiff4 3.7.4-1ubuntu3.6
Ubuntu 8.04 LTS:
libtiff4 3.8.2-7ubuntu3.4
Ubuntu 8.10:
libtiff4 3.8.2-11ubuntu0.8.10.3
Ubuntu 9.04:
libtiff4 3.8.2-11ubuntu0.9.04.3
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tielei Wang and Tom Lane discovered that the TIFF library did not correctly
handle certain malformed TIFF images. If a user or automated system were
tricked into processing a malicious image, an attacker could execute
arbitrary code with the privileges of the user invoking the program.
USN-799-1: D-Bus vulnerability
Submitted by MarcDeslauriers on Mon, 2009-07-13 19:35
Referenced CVEs:
CVE-2009-1189
Description:
===========================================================
Ubuntu Security Notice USN-799-1 July 13, 2009
dbus vulnerability
CVE-2009-1189
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libdbus-1-2 0.60-6ubuntu8.4
Ubuntu 8.04 LTS:
libdbus-1-3 1.1.20-1ubuntu3.3
Ubuntu 8.10:
libdbus-1-3 1.2.4-0ubuntu1.1
Ubuntu 9.04:
libdbus-1-3 1.2.12-0ubuntu2.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
It was discovered that the D-Bus library did not correctly validate
signatures. If a local user sent a specially crafted D-Bus key, they could
spoof a valid signature and bypass security policies.
USN-800-1: irssi vulnerability
Submitted by JamesStrandboge on Mon, 2009-07-13 19:25
Referenced CVEs:
CVE-2009-1959
Description:
===========================================================
Ubuntu Security Notice USN-800-1 July 13, 2009
irssi vulnerability
CVE-2009-1959
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
irssi 0.8.10-1ubuntu1.1
Ubuntu 8.04 LTS:
irssi 0.8.12-3ubuntu3.1
Ubuntu 8.10:
irssi 0.8.12-4ubuntu2.1
Ubuntu 9.04:
irssi 0.8.12-6ubuntu1.1
After a standard system upgrade you need to restart irssi to effect the
necessary changes.
Details follow:
It was discovered that irssi did not properly check the length of strings
when processing WALLOPS messages. If a user connected to an IRC network
where an attacker had IRC operator privileges, a remote attacker could
cause a denial of service.