USN-815-1: libxml2 vulnerabilities
Submitted by MarcDeslauriers on Tue, 2009-08-11 18:43
Referenced CVEs:
CVE-2008-3529, CVE-2009-2414, CVE-2009-2416
Description:
===========================================================
Ubuntu Security Notice USN-815-1 August 11, 2009
libxml2 vulnerabilities
CVE-2008-3529, CVE-2009-2414, CVE-2009-2416
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libxml2 2.6.24.dfsg-1ubuntu1.5
Ubuntu 8.04 LTS:
libxml2 2.6.31.dfsg-2ubuntu1.4
Ubuntu 8.10:
libxml2 2.6.32.dfsg-4ubuntu1.2
Ubuntu 9.04:
libxml2 2.6.32.dfsg-5ubuntu4.2
After a standard system upgrade you need to restart your sessions to effect
the necessary changes.
Details follow:
It was discovered that libxml2 did not correctly handle root XML document
element DTD definitions. If a user were tricked into processing a specially
crafted XML document, a remote attacker could cause the application linked
against libxml2 to crash, leading to a denial of service. (CVE-2009-2414)
It was discovered that libxml2 did not correctly parse Notation and
Enumeration attribute types. If a user were tricked into processing a
specially crafted XML document, a remote attacker could cause the
application linked against libxml2 to crash, leading to a denial of
service. (CVE-2009-2416)
USN-644-1 fixed a vulnerability in libxml2. This advisory provides the
corresponding update for Ubuntu 9.04.
Original advisory details:
It was discovered that libxml2 did not correctly handle long entity names.
If a user were tricked into processing a specially crafted XML document, a
remote attacker could execute arbitrary code with user privileges or cause
the application linked against libxml2 to crash, leading to a denial of
service. (CVE-2008-3529)
USN-814-1: OpenJDK vulnerabilities
Submitted by KeesCook on Tue, 2009-08-11 05:53
Referenced CVEs:
CVE-2009-0217, CVE-2009-1896, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689, CVE-2009-2690
Description:
===========================================================
Ubuntu Security Notice USN-814-1 August 11, 2009
openjdk-6 vulnerabilities
CVE-2009-0217, CVE-2009-1896, CVE-2009-2475, CVE-2009-2476,
CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672,
CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676,
CVE-2009-2689, CVE-2009-2690
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
icedtea6-plugin 6b12-0ubuntu6.5
openjdk-6-jre 6b12-0ubuntu6.5
openjdk-6-jre-lib 6b12-0ubuntu6.5
Ubuntu 9.04:
icedtea6-plugin 6b14-1.4.1-0ubuntu11
openjdk-6-jre 6b14-1.4.1-0ubuntu11
openjdk-6-jre-lib 6b14-1.4.1-0ubuntu11
After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.
Details follow:
It was discovered that the XML HMAC signature system did not
correctly check certain lengths. If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)
It was discovered that JAR bundles would appear signed if only one element
was signed. If a user were tricked into running a malicious Java applet, a
remote attacker could exploit this to gain access to private information and
potentially run untrusted code. (CVE-2009-1896)
It was discovered that certain variables could leak information. If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this to gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)
A flaw was discovered in the OpenType checking. If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
access restrictions. (CVE-2009-2476)
It was discovered that the XML processor did not correctly check
recursion. If a user or automated system were tricked into processing
a specially crafted XML document, the system could crash, leading to a
denial of service. (CVE-2009-2625)
It was discovered that the Java audio subsystem did not correctly validate
certain parameters. If a user were tricked into running an untrusted
applet, a remote attacker could read system properties. (CVE-2009-2670)
Multiple flaws were discovered in the proxy subsystem. If a user
were tricked into running an untrusted applet, a remote attacker could
discover local user names, obtain access to sensitive information, or
bypass socket restrictions, leading to a loss of privacy. (CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673)
Flaws were discovered in the handling of JPEG images, Unpack200 archives,
and JDK13Services. If a user were tricked into running an untrusted
applet, a remote attacker could load a specially crafted file that would
bypass local file access protections and run arbitrary code with user
privileges. (CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)
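Of the OpenJDK items above, the HMAC length flaw (CVE-2009-0217) is the one a short verifier makes concrete. The Python below is an added example written for this page, not OpenJDK's code: verify_vulnerable honours whatever HMACOutputLength the signed document carries, as the unpatched XML-DSig implementation did, so an attacker who never sees the key can declare a one-bit length and submit both values of that bit; verify_hardened enforces the lower bound the corrected XML Signature specification requires (at least 80 bits and at least half the hash output), refuses lengths above the hash size, and compares in constant time. KEY and MSG are constructed demonstration values.

```python
import hashlib
import hmac
import math

HASH_BITS = 160  # HMAC-SHA1, the MAC the XML-DSig core spec mandates
MIN_OUTPUT_BITS = max(80, HASH_BITS // 2)  # lower bound from the corrected spec

# Constructed demonstration values; the verifier holds KEY, the attacker never sees it.
KEY = b"constructed-shared-secret"
MSG = b"<SignedInfo>constructed sample</SignedInfo>"


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def leading_bits_equal(a: bytes, b: bytes, nbits: int) -> bool:
    """Compare the leftmost nbits of a and b, which is what HMACOutputLength asks for."""
    if nbits <= 0 or len(a) < math.ceil(nbits / 8) or len(b) < math.ceil(nbits / 8):
        return False
    full, rem = divmod(nbits, 8)
    if a[:full] != b[:full]:
        return False
    if rem:
        mask = (0xFF << (8 - rem)) & 0xFF
        return (a[full] & mask) == (b[full] & mask)
    return True


def verify_vulnerable(key: bytes, data: bytes, sig: bytes, output_length: int) -> bool:
    """Unpatched behaviour: whatever HMACOutputLength the signed document carries is
    honoured, so a length of 1 reduces the check to a single bit."""
    return leading_bits_equal(hmac_sha1(key, data), sig, output_length)


def verify_hardened(key: bytes, data: bytes, sig: bytes, output_length: int = HASH_BITS) -> bool:
    """Patched behaviour: reject lengths below MIN_OUTPUT_BITS or above the hash size,
    require the signature to be exactly the truncated length, compare in constant time."""
    if not MIN_OUTPUT_BITS <= output_length <= HASH_BITS:
        raise ValueError(f"HMACOutputLength {output_length} rejected")
    nbytes = math.ceil(output_length / 8)
    if len(sig) != nbytes:
        return False
    expected = hmac_sha1(key, data)[:nbytes]
    rem = output_length % 8
    if rem:  # bits beyond output_length are not part of the signature on either side
        mask = (0xFF << (8 - rem)) & 0xFF
        expected = expected[:-1] + bytes([expected[-1] & mask])
        sig = sig[:-1] + bytes([sig[-1] & mask])
    return hmac.compare_digest(expected, sig)


def forge(verify, key: bytes, data: bytes) -> bool:
    """Attacker's move: declare HMACOutputLength=1 and submit both possible values
    of that one bit. Returns True if either submission is accepted."""
    for candidate in (b"\x00", b"\x80"):
        try:
            if verify(key, data, candidate, 1):
                return True
        except ValueError:  # the hardened verifier refuses the length outright
            return False
    return False


if __name__ == "__main__":
    print("forgery vs vulnerable verifier:", forge(verify_vulnerable, KEY, MSG))
    print("forgery vs hardened verifier:  ", forge(verify_hardened, KEY, MSG))
```

Against the vulnerable verifier the forgery always succeeds, because one of the two candidates necessarily matches the first bit of the real MAC. The hardened verifier rejects the length before any comparison happens, which is the right order: a truncation policy applied after comparing would still leak which candidate matched.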
USN-813-3: apr-util vulnerability
Submitted by JamesStrandboge on Sat, 2009-08-08 05:56
Referenced CVEs:
CVE-2009-2412
Description:
===========================================================
Ubuntu Security Notice USN-813-3 August 08, 2009
apr-util vulnerability
CVE-2009-2412
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libaprutil1 1.2.12+dfsg-3ubuntu0.2
Ubuntu 8.10:
libaprutil1 1.2.12+dfsg-7ubuntu0.3
Ubuntu 9.04:
libaprutil1 1.2.12+dfsg-8ubuntu0.3
After a standard system upgrade you need to restart any applications using
apr-util, such as Subversion and Apache, to effect the necessary changes.
Details follow:
USN-813-1 fixed vulnerabilities in apr. This update provides the corresponding updates for apr-util.
Original advisory details:
Matt Lewis discovered that apr did not properly sanitize its input when
allocating memory. If an application using apr processed crafted input, a
remote attacker could cause a denial of service or potentially execute
arbitrary code as the user invoking the application.
USN-813-2: Apache vulnerability
Submitted by JamesStrandboge on Sat, 2009-08-08 01:06
Referenced CVEs:
CVE-2009-2412
Description:
===========================================================
Ubuntu Security Notice USN-813-2 August 08, 2009
apache2 vulnerability
CVE-2009-2412
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libapr0 2.0.55-4ubuntu2.7
After a standard system upgrade you need to restart any applications using
apr, such as Subversion and Apache, to effect the necessary changes.
Details follow:
USN-813-1 fixed vulnerabilities in apr. This update provides the
corresponding updates for apr as provided by Apache on Ubuntu 6.06 LTS.
Original advisory details:
Matt Lewis discovered that apr did not properly sanitize its input when
allocating memory. If an application using apr processed crafted input, a
remote attacker could cause a denial of service or potentially execute
arbitrary code as the user invoking the application.
USN-813-1: apr vulnerability
Submitted by JamesStrandboge on Sat, 2009-08-08 00:57
Referenced CVEs:
CVE-2009-2412
Description:
===========================================================
Ubuntu Security Notice USN-813-1 August 08, 2009
apr vulnerability
CVE-2009-2412
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libapr1 1.2.11-1ubuntu0.1
Ubuntu 8.10:
libapr1 1.2.12-4ubuntu0.1
Ubuntu 9.04:
libapr1 1.2.12-5ubuntu0.1
After a standard system upgrade you need to restart any applications using
apr, such as Subversion and Apache, to effect the necessary changes.
Details follow:
Matt Lewis discovered that apr did not properly sanitize its input when
allocating memory. If an application using apr processed crafted input, a
remote attacker could cause a denial of service or potentially execute
arbitrary code as the user invoking the application.
USN-812-1: Subversion vulnerability
Submitted by JamesStrandboge on Sat, 2009-08-08 00:56
Referenced CVEs:
CVE-2009-2411
Description:
===========================================================
Ubuntu Security Notice USN-812-1 August 08, 2009
subversion vulnerability
CVE-2009-2411
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libsvn0 1.3.1-3ubuntu1.2
Ubuntu 8.04 LTS:
libsvn1 1.4.6dfsg1-2ubuntu1.1
Ubuntu 8.10:
libsvn1 1.5.1dfsg1-1ubuntu2.1
Ubuntu 9.04:
libsvn1 1.5.4dfsg1-1ubuntu2.1
After a standard system upgrade you need to restart any applications that
use Subversion, such as Apache when using mod_dav_svn, to effect the
necessary changes.
Details follow:
Matt Lewis discovered that Subversion did not properly sanitize its input
when processing svndiff streams, leading to various integer and heap
overflows. If a user or automated system processed crafted input, a remote
attacker could cause a denial of service or potentially execute arbitrary
code as the user processing the input.
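The apr advisories (USN-813-1 through USN-813-3) and the Subversion advisory above describe one class of defect: a size computed from untrusted input wraps around before it is used to allocate a block or to bounds-check a copy. The Python below is an added example that models that 32-bit arithmetic with explicit masking; it is not apr or Subversion code. pool_alloc_vulnerable rounds a request up to the allocator's alignment the way a pool allocator does, and a request near 2^32 wraps to a tiny reservation while the caller still copies the full size into it; window_in_bounds_vulnerable checks offset + length against a buffer and is fooled when the sum wraps. The hardened versions detect the wrap before the result is used. The alignment constant, buffer sizes and sample requests are constructed for the demonstration.

```python
U32_MAX = 0xFFFFFFFF
ALIGN = 8  # constructed: pool allocators round every request up to a boundary like this


def u32(x: int) -> int:
    """Model of unsigned 32-bit arithmetic: keep only the low 32 bits."""
    return x & U32_MAX


def align_up_vulnerable(size: int) -> int:
    """(size + ALIGN - 1) & ~(ALIGN - 1) evaluated in 32 bits: wraps for size > 2^32 - ALIGN."""
    return u32(size + ALIGN - 1) & ~(ALIGN - 1)


def pool_alloc_vulnerable(size: int) -> int:
    """Bytes the allocator actually reserves for the request. A caller that then
    copies `size` bytes into the block writes past its end whenever this is smaller."""
    return align_up_vulnerable(size)


def pool_alloc_hardened(size: int) -> int:
    """Refuse any request whose aligned size no longer fits: a wrapped result is
    smaller than the input, which is the cheap test the allocator should make."""
    aligned = align_up_vulnerable(size)
    if aligned < size:
        raise OverflowError(f"allocation size {size:#x} overflows after alignment")
    return aligned


def overflow_bytes(requested: int) -> int:
    """How far past the reserved block a copy of `requested` bytes would run (0 = safe)."""
    return max(0, requested - pool_alloc_vulnerable(requested))


def window_in_bounds_vulnerable(offset: int, length: int, buf_len: int) -> bool:
    """offset + length <= buf_len, with the sum evaluated in 32 bits. A length close
    to 2^32 wraps the sum back below buf_len and the check passes."""
    return u32(offset + length) <= buf_len


def window_in_bounds_hardened(offset: int, length: int, buf_len: int) -> bool:
    """Subtraction form: test the length alone first, then the offset against the
    remaining room, so no intermediate value can exceed buf_len and wrap."""
    return length <= buf_len and offset <= buf_len - length


if __name__ == "__main__":
    print("bytes written past a 0xFFFFFFFF-byte request:", hex(overflow_bytes(U32_MAX)))
    print("wrapped window accepted by vulnerable check:",
          window_in_bounds_vulnerable(4000, 0xFFFFFF00, 4096))
    print("same window accepted by hardened check:",
          window_in_bounds_hardened(4000, 0xFFFFFF00, 4096))
```

The two hardened forms are the idioms worth taking away: an allocator compares the rounded size with the original and treats "smaller" as overflow, and a parser validating a window never adds two untrusted operands but subtracts the one it has already bounded from the buffer size.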
USN-811-1: Firefox and Xulrunner vulnerability
Submitted by JamesStrandboge on Wed, 2009-08-05 02:33
Referenced CVEs:
CVE-2009-2654
Description:
===========================================================
Ubuntu Security Notice USN-811-1 August 05, 2009
firefox-3.0, xulrunner-1.9 vulnerability
CVE-2009-2654
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
firefox-3.0 3.0.13+nobinonly-0ubuntu0.8.04.1
xulrunner-1.9 1.9.0.13+nobinonly-0ubuntu0.8.04.1
Ubuntu 8.10:
abrowser 3.0.13+nobinonly-0ubuntu0.8.10.1
firefox-3.0 3.0.13+nobinonly-0ubuntu0.8.10.1
xulrunner-1.9 1.9.0.13+nobinonly-0ubuntu0.8.10.1
Ubuntu 9.04:
abrowser 3.0.13+nobinonly-0ubuntu0.9.04.1
firefox-3.0 3.0.13+nobinonly-0ubuntu0.9.04.1
xulrunner-1.9 1.9.0.13+nobinonly-0ubuntu0.9.04.1
After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the necessary
changes.
Details follow:
Juan Pablo Lopez Yacubian discovered that Firefox did not properly display
invalid URLs. If a user were tricked into accessing a malicious website, an
attacker could exploit this to spoof the location bar, such as in a
phishing attack. Furthermore, if the malicious website had a valid SSL
certificate, Firefox would display the spoofed page as trusted.
USN-810-2: NSPR update
Submitted by JamesStrandboge on Tue, 2009-08-04 22:00
Description:
===========================================================
Ubuntu Security Notice USN-810-2 August 04, 2009
nspr update
https://launchpad.net/bugs/387745
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libnspr4-0d 4.7.5-0ubuntu0.8.04.1
Ubuntu 8.10:
libnspr4-0d 4.7.5-0ubuntu0.8.10.1
Ubuntu 9.04:
libnspr4-0d 4.7.5-0ubuntu0.9.04.1
After a standard system upgrade you need to restart any applications that
use NSPR, such as Firefox, to effect the necessary changes.
Details follow:
USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR
needed to use the new NSS.
Original advisory details:
Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
Dan Kaminsky discovered NSS would still accept certificates with MD2 hash
signatures. As a result, an attacker could potentially create a malicious
trusted certificate to impersonate another site. (CVE-2009-2409)
USN-810-1: NSS vulnerabilities
Submitted by JamesStrandboge on Tue, 2009-08-04 21:22
Referenced CVEs:
CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
Description:
===========================================================
Ubuntu Security Notice USN-810-1 August 04, 2009
nss vulnerabilities
CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
libnss3-1d 3.12.3.1-0ubuntu0.8.04.1
Ubuntu 8.10:
libnss3-1d 3.12.3.1-0ubuntu0.8.10.1
Ubuntu 9.04:
libnss3-1d 3.12.3.1-0ubuntu0.9.04.1
After a standard system upgrade you need to restart any applications that
use NSS, such as Firefox, to effect the necessary changes.
Details follow:
Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
Dan Kaminsky discovered NSS would still accept certificates with MD2 hash
signatures. As a result, an attacker could potentially create a malicious
trusted certificate to impersonate another site. (CVE-2009-2409)
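The NULL-character and MD2 findings (CVE-2009-2408, CVE-2009-2409), quoted in both USN-810-2 and USN-810-1 above, both come down to what a certificate validator compares and what it refuses. The Python below is an added example, not NSS code: cn_matches_vulnerable treats the decoded subject CN the way a C string comparison does, stopping at the first NUL byte, so a CN of www.paypal.com\0.attacker.example (which a CA could have validated against the attacker's own domain) matches www.paypal.com; cn_matches_hardened rejects embedded NULs and compares the full, length-delimited name; validate_for_host adds the signature-algorithm policy that refuses MD2. The certificate records and host names are constructed for the demonstration; the two PKCS#1 OIDs are the real ones.

```python
from dataclasses import dataclass

# PKCS#1 signature algorithm OIDs. MD2 is the algorithm the advisory names;
# REJECTED_SIG_ALGS is the policy set a deployment extends as needed.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
REJECTED_SIG_ALGS = {"1.2.840.113549.1.1.2"}


@dataclass
class Cert:
    subject_cn: bytes  # raw bytes of the CN as decoded from the DER subject (length-delimited)
    sig_alg_oid: str   # signature algorithm OID from the certificate


def c_string(buf: bytes) -> str:
    """What a strlen/strcmp-based consumer sees: everything up to the first NUL."""
    end = buf.find(b"\x00")
    return (buf if end < 0 else buf[:end]).decode("ascii", "replace")


def cn_matches_vulnerable(cert: Cert, host: str) -> bool:
    """Pre-fix behaviour: the DER-decoded CN is handed to C-string comparison, so the
    bytes after the NUL (the part the CA actually validated) are silently dropped."""
    return c_string(cert.subject_cn).lower() == host.lower()


def cn_matches_hardened(cert: Cert, host: str) -> bool:
    """Compare the whole length-delimited name and reject any embedded NUL outright."""
    if b"\x00" in cert.subject_cn:
        return False
    try:
        cn = cert.subject_cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return cn.lower() == host.lower()


def sig_alg_acceptable(cert: Cert) -> bool:
    """Policy check: a certificate signed with a rejected digest is never trusted,
    however valid the chain otherwise looks."""
    return cert.sig_alg_oid not in REJECTED_SIG_ALGS


def validate_for_host(cert: Cert, host: str) -> list[str]:
    """Hardened validation. Returns the reasons for rejection; an empty list means accepted."""
    problems = []
    if not sig_alg_acceptable(cert):
        name = SIG_ALG_NAMES.get(cert.sig_alg_oid, cert.sig_alg_oid)
        problems.append(f"signature algorithm {name} not accepted")
    if not cn_matches_hardened(cert, host):
        problems.append("subject CN does not match host")
    return problems


# Constructed sample certificates for the demonstration (not real issued certificates).
NULL_PREFIX_CERT = Cert(b"www.paypal.com\x00.attacker.example", "1.2.840.113549.1.1.5")
MD2_CERT = Cert(b"www.paypal.com", "1.2.840.113549.1.1.2")
GOOD_CERT = Cert(b"www.paypal.com", "1.2.840.113549.1.1.5")

if __name__ == "__main__":
    print("null-prefix CN, vulnerable match:", cn_matches_vulnerable(NULL_PREFIX_CERT, "www.paypal.com"))
    print("null-prefix CN, hardened check:  ", validate_for_host(NULL_PREFIX_CERT, "www.paypal.com"))
    print("MD2-signed cert, hardened check: ", validate_for_host(MD2_CERT, "www.paypal.com"))
```

The general lesson is that X.509 names are length-delimited and must be compared as such; the moment a name is copied into a NUL-terminated C string, a byte the CA considered part of the name becomes a terminator for the verifier. The MD2 check is independent of name matching and belongs in chain validation, not in the name comparison.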
Canonical Systems Management and Monitoring Tool Adds Dedicated Server
‘Landscape Dedicated Server’ Now Available For Pre-Order
LONDON, August 4, 2008 – Canonical, the founder of the Ubuntu project, announced today a new architecture and installation option for its systems management and monitoring system for Ubuntu machines - enabling enterprises to have greater local control over their deployments.
Canonical’s Landscape Dedicated Server will be available to be installed on the customer's site running on their local network.