DistroStuff

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-1419, CVE-2008-1420, CVE-2008-1423/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-682-1 December 01, 2008libvorbis vulnerabilitiesCVE-2008-1419, CVE-2008-1420, CVE-2008-1423===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: libvorbis0a 1.1.2-0ubuntu2.3Ubuntu 7.10: libvorbis0a 1.2.0.dfsg-1ubuntu0.1Ubuntu 8.04 LTS: libvorbis0a 1.2.0.dfsg-2ubuntu0.1After a standard system upgrade you need to restart any applications thatuse libvorbis, such as Totem and gtkpod, to effect the necessary changes.Details follow:It was discovered that libvorbis did not correctly handle certain malformedsound files. If a user were tricked into opening a specially crafted soundfile with an application that uses libvorbis, an attacker could executearbitrary code with the user's privileges./div/div/div/div

Mon, 1 Dec 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-1096/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-681-1 December 01, 2008imagemagick vulnerabilityCVE-2008-1096===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: imagemagick 6:6.2.4.5-0.6ubuntu0.8Ubuntu 7.10: imagemagick 7:6.2.4.5.dfsg1-2ubuntu1.1After a standard system upgrade you need to restart any applications thatuse ImageMagick, such as OpenOffice.org and Inkscape, to effect thenecessary changes.Details follow:It was discovered that ImageMagick did not correctly handle certainmalformed XCF images. If a user were tricked into opening a speciallycrafted image with an application that uses ImageMagick, an attackercould cause a denial of service and possibly execute arbitrary code withthe user's privileges./div/div/div/div

Mon, 1 Dec 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2007-5498, CVE-2008-3831, CVE-2008-4210, CVE-2008-4554, CVE-2008-4576, CVE-2008-4618, CVE-2008-4933, CVE-2008-4934, CVE-2008-5025, CVE-2008-5029, CVE-2008-5033/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-679-1 November 27, 2008linux, linux-source-2.6.15/22 vulnerabilitiesCVE-2007-5498, CVE-2008-3831, CVE-2008-4210, CVE-2008-4554,CVE-2008-4576, CVE-2008-4618, CVE-2008-4933, CVE-2008-4934,CVE-2008-5025, CVE-2008-5029, CVE-2008-5033===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: linux-image-2.6.15-53-386 2.6.15-53.74 linux-image-2.6.15-53-686 2.6.15-53.74 linux-image-2.6.15-53-amd64-generic 2.6.15-53.74 linux-image-2.6.15-53-amd64-k8 2.6.15-53.74 linux-image-2.6.15-53-amd64-server 2.6.15-53.74 linux-image-2.6.15-53-amd64-xeon 2.6.15-53.74 linux-image-2.6.15-53-hppa32 2.6.15-53.74 linux-image-2.6.15-53-hppa32-smp 2.6.15-53.74 linux-image-2.6.15-53-hppa64 2.6.15-53.74 linux-image-2.6.15-53-hppa64-smp 2.6.15-53.74 linux-image-2.6.15-53-itanium 2.6.15-53.74 linux-image-2.6.15-53-itanium-smp 2.6.15-53.74 linux-image-2.6.15-53-k7 2.6.15-53.74 linux-image-2.6.15-53-mckinley 2.6.15-53.74 linux-image-2.6.15-53-mckinley-smp 2.6.15-53.74 linux-image-2.6.15-53-powerpc 2.6.15-53.74 linux-image-2.6.15-53-powerpc-smp 2.6.15-53.74 linux-image-2.6.15-53-powerpc64-smp 2.6.15-53.74 linux-image-2.6.15-53-server 2.6.15-53.74 linux-image-2.6.15-53-server-bigiron 2.6.15-53.74 linux-image-2.6.15-53-sparc64 2.6.15-53.74 linux-image-2.6.15-53-sparc64-smp 2.6.15-53.74Ubuntu 7.10: linux-image-2.6.22-16-386 2.6.22-16.60 linux-image-2.6.22-16-cell 2.6.22-16.60 linux-image-2.6.22-16-generic 2.6.22-16.60 linux-image-2.6.22-16-hppa32 2.6.22-16.60 linux-image-2.6.22-16-hppa64 2.6.22-16.60 linux-image-2.6.22-16-itanium 2.6.22-16.60 linux-image-2.6.22-16-lpia 2.6.22-16.60 linux-image-2.6.22-16-lpiacompat 2.6.22-16.60 linux-image-2.6.22-16-mckinley 2.6.22-16.60 linux-image-2.6.22-16-powerpc 2.6.22-16.60 linux-image-2.6.22-16-powerpc-smp 2.6.22-16.60 linux-image-2.6.22-16-powerpc64-smp 2.6.22-16.60 linux-image-2.6.22-16-rt 2.6.22-16.60 linux-image-2.6.22-16-server 2.6.22-16.60 linux-image-2.6.22-16-sparc64 2.6.22-16.60 linux-image-2.6.22-16-sparc64-smp 2.6.22-16.60 linux-image-2.6.22-16-ume 2.6.22-16.60 linux-image-2.6.22-16-virtual 2.6.22-16.60 linux-image-2.6.22-16-xen 2.6.22-16.60Ubuntu 8.04 LTS: linux-image-2.6.24-22-386 2.6.24-22.45 linux-image-2.6.24-22-generic 2.6.24-22.45 linux-image-2.6.24-22-hppa32 2.6.24-22.45 linux-image-2.6.24-22-hppa64 2.6.24-22.45 linux-image-2.6.24-22-itanium 2.6.24-22.45 linux-image-2.6.24-22-lpia 2.6.24-22.45 linux-image-2.6.24-22-lpiacompat 2.6.24-22.45 linux-image-2.6.24-22-mckinley 2.6.24-22.45 linux-image-2.6.24-22-openvz 2.6.24-22.45 linux-image-2.6.24-22-powerpc 2.6.24-22.45 linux-image-2.6.24-22-powerpc-smp 2.6.24-22.45 linux-image-2.6.24-22-powerpc64-smp 2.6.24-22.45 linux-image-2.6.24-22-rt 2.6.24-22.45 linux-image-2.6.24-22-server 2.6.24-22.45 linux-image-2.6.24-22-sparc64 2.6.24-22.45 linux-image-2.6.24-22-sparc64-smp 2.6.24-22.45 linux-image-2.6.24-22-virtual 2.6.24-22.45 linux-image-2.6.24-22-xen 2.6.24-22.45Ubuntu 8.10: linux-image-2.6.27-9-generic 2.6.27-9.19 linux-image-2.6.27-9-server 2.6.27-9.19 linux-image-2.6.27-9-virtual 2.6.27-9.19After a standard system upgrade you need to reboot your computer toeffect the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed. Ifyou use linux-restricted-modules, you have to update that package aswell to get modules which work with the new kernel version. Unless youmanually uninstalled the standard kernel metapackages (e.g. linux-generic,linux-server, linux-powerpc), a standard system upgrade will automaticallyperform this as well.Details follow:It was discovered that the Xen hypervisor block driver did not correctlyvalidate requests. A user with root privileges in a guest OS could make amalicious IO request with a large number of blocks that would crash thehost OS, leading to a denial of service. This only affected Ubuntu 7.10.(CVE-2007-5498)It was discovered the the i915 video driver did not correctly validatememory addresses. A local attacker could exploit this to remap memory thatcould cause a system crash, leading to a denial of service. This issue didnot affect Ubuntu 6.06 and was previous fixed for Ubuntu 7.10 and 8.04 inUSN-659-1. Ubuntu 8.10 has now been corrected as well. (CVE-2008-3831)David Watson discovered that the kernel did not correctly strip permissionswhen creating files in setgid directories. A local user could exploit thisto gain additional group privileges. This issue only affected Ubuntu 6.06.(CVE-2008-4210)Olaf Kirch and Miklos Szeredi discovered that the Linux kernel didnot correctly reject the append flag when handling file splicerequests. A local attacker could bypass append mode and make changes toarbitrary locations in a file. This issue only affected Ubuntu 7.10 and8.04. (CVE-2008-4554)It was discovered that the SCTP stack did not correctly handle INIT-ACK. Aremote user could exploit this by sending specially crafted SCTP trafficwhich would trigger a crash in the system, leading to a denial of service.This issue did not affect Ubuntu 8.10. (CVE-2008-4576)It was discovered that the SCTP stack did not correctly handle bad packetlengths. A remote user could exploit this by sending specially crafted SCTPtraffic which would trigger a crash in the system, leading to a denial ofservice. This issue did not affect Ubuntu 8.10. (CVE-2008-4618)Eric Sesterhenn discovered multiple flaws in the HFS+ filesystem. If alocal user or automated system were tricked into mounting a malicious HFS+filesystem, the system could crash, leading to a denial of service.(CVE-2008-4933, CVE-2008-4934, CVE-2008-5025)It was discovered that the Unix Socket handler did not correctly processthe SCM_RIGHTS message. A local attacker could make a malicious socketrequest that would crash the system, leading to a denial of service.(CVE-2008-5029)It was discovered that the driver for simple i2c audio interfaces did notcorrectly validate certain function pointers. A local user could exploitthis to gain root privileges or crash the system, leading to a denial ofservice. (CVE-2008-5033)/div/div/div/div

Thu, 27 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-4314/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-680-1 November 27, 2008samba vulnerabilityCVE-2008-4314===========================================================A security issue affects the following Ubuntu releases:Ubuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 8.10: samba 2:3.2.3-1ubuntu3.3In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:It was discovered that Samba did not properly perform bounds checkingin certain operations. A remote attacker could possibly exploit this toread arbitrary memory contents of the smb process, which could containsensitive infomation or possibly have other impacts, such as a denial ofservice./div/div/div/div

Thu, 27 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-4989/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-678-1 November 26, 2008gnutls12, gnutls13, gnutls26 vulnerabilityCVE-2008-4989===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: libgnutls12 1.2.9-2ubuntu1.3Ubuntu 7.10: libgnutls13 1.6.3-1ubuntu0.2Ubuntu 8.04 LTS: libgnutls13 2.0.4-1ubuntu2.2Ubuntu 8.10: libgnutls26 2.4.1-1ubuntu0.1In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:Martin von Gagern discovered that GnuTLS did not properly verify certificatechains when the last certificate in the chain was self-signed. If a remoteattacker were able to perform a man-in-the-middle attack, this flaw could beexploited to view sensitive information. (CVE-2008-4989)/div/div/div/div

Wed, 26 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-5012 CVE-2008-5014 CVE-2008-5016 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 CVE-2008-5024/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-668-1 November 26, 2008mozilla-thunderbird, thunderbird vulnerabilitiesCVE-2008-4582, CVE-2008-5012, CVE-2008-5014, CVE-2008-5016,CVE-2008-5017, CVE-2008-5018, CVE-2008-5021, CVE-2008-5022,CVE-2008-5024===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080614h-0ubuntu0.6.06.1Ubuntu 7.10: thunderbird 2.0.0.18+nobinonly-0ubuntu0.7.10.1Ubuntu 8.04 LTS: thunderbird 2.0.0.18+nobinonly-0ubuntu0.8.04.1Ubuntu 8.10: thunderbird 2.0.0.18+nobinonly-0ubuntu0.8.10.1After a standard system upgrade you need to restart Thunderbird to effectthe necessary changes.Georgi Guninski, Michal Zalewsk and Chris Evans discovered that the same-origincheck in Thunderbird could be bypassed. If a user were tricked into opening amalicious website, an attacker could obtain private information from datastored in the images, or discover information about software on the user'scomputer. (CVE-2008-5012)Jesse Ruderman discovered that Thunderbird did not properly guard locks onnon-native objects. If a user had JavaScript enabled and were tricked intoopening malicious web content, an attacker could cause a browser crash andpossibly execute arbitrary code with user privileges. (CVE-2008-5014)Several problems were discovered in the browser, layout and JavaScript engines.If a user had JavaScript enabled, these problems could allow an attacker tocrash Thunderbird and possibly execute arbitrary code with user privileges.(CVE-2008-5016, CVE-2008-5017, CVE-2008-5018)A flaw was discovered in Thunderbird's DOM constructing code. If a user weretricked into opening a malicious website while having JavaScript enabled, anattacker could cause the browser to crash and potentially execute arbitrarycode with user privileges. (CVE-2008-5021)It was discovered that the same-origin check in Thunderbird could be bypassed.If a user had JavaScript enabled and were tricked into opening malicious webcontent, an attacker could execute JavaScript in the context of a differentwebsite. (CVE-2008-5022)Chris Evans discovered that Thunderbird did not properly parse E4X documents,leading to quote characters in the namespace not being properly escaped.(CVE-2008-5024)Boris Zbarsky discovered that Thunderbird did not properly process comments inforwarded in-line messages. If a user had JavaScript enabled and opened amalicious email, an attacker may be able to obtain information about therecipient. (CVE-2008-4582)/div/div/div/div

Wed, 26 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-2237 CVE-2008-2238 CVE-2008-4937/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-677-1 November 24, 2008openoffice.org, openoffice.org-amd64 vulnerabilitiesCVE-2008-2237, CVE-2008-2238, CVE-2008-4937===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: openoffice.org-core 2.0.2-2ubuntu12.7-2Ubuntu 7.10: openoffice.org-core 1:2.3.0-1ubuntu5.5Ubuntu 8.04 LTS: openoffice.org-common 1:2.4.1-1ubuntu2.1 openoffice.org-core 1:2.4.1-1ubuntu2.1Ubuntu 8.10: openoffice.org-core 1:2.4.1-11ubuntu2.1After a standard system upgrade you need to restart OpenOffice.org to effectthe necessary changes.Details follow:Multiple memory overflow flaws were discovered in OpenOffice.org's handling ofWMF and EMF files. If a user were tricked into opening a specially crafteddocument, a remote attacker might be able to execute arbitrary code with userprivileges. (CVE-2008-2237, CVE-2008-2238)Dmitry E. Oboukhov discovered that senddoc, as included in OpenOffice.org,created temporary files in an insecure way. Local users could exploit a racecondition to create or overwrite files with the privileges of the user invokingthe program. This issue only affected Ubuntu 8.04 LTS. (CVE-2008-4937)/div/div/div/div

Mon, 24 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-3632/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-676-1 November 24, 2008webkit vulnerabilityCVE-2008-3632===========================================================A security issue affects the following Ubuntu releases:Ubuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 8.10: libwebkit-1.0-1 1.0.1-2ubuntu0.1After a standard system upgrade you need to restart any applications thatuse WebKit, such as Epiphany-webkit and Midori, to effect the necessarychanges.Details follow:It was discovered that WebKit did not properly handle Cascading Style Sheets(CSS) import statements. If a user were tricked into opening a maliciouswebsite, an attacker could cause a browser crash and possibly executearbitrary code with user privileges./div/div/div/div

Mon, 24 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-2927/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-675-2 November 24, 2008gaim vulnerabilityCVE-2008-2927===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: gaim 1:1.5.0+1.5.1cvs20051015-1ubuntu10.1After a standard system upgrade you need to restart Gaim to effectthe necessary changes.Details follow:It was discovered that Gaim did not properly handle certain malformedmessages in the MSN protocol handler. A remote attacker could send a speciallycrafted message and possibly execute arbitrary code with user privileges.(CVE-2008-2927)/div/div/div/div

Mon, 24 Nov 2008

div class=field field-type-text field-field-referenced-cvesdiv class=field-labelReferenced CVEs:nbsp;/divdiv class=field-itemsdiv class=field-itemCVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532/div/div/divdiv class=field field-type-text field-field-descriptiondiv class=field-labelDescription:nbsp;/divdiv class=field-itemsdiv class=field-itemdiv class=usn===========================================================Ubuntu Security Notice USN-675-1 November 24, 2008pidgin vulnerabilitiesCVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532===========================================================A security issue affects the following Ubuntu releases:Ubuntu 7.10Ubuntu 8.04 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 7.10: pidgin 1:2.2.1-1ubuntu4.3Ubuntu 8.04 LTS: pidgin 1:2.4.1-1ubuntu2.2After a standard system upgrade you need to restart Pidgin to effectthe necessary changes.Details follow:It was discovered that Pidgin did not properly handle certain malformedmessages in the MSN protocol handler. A remote attacker could send a speciallycrafted message and possibly execute arbitrary code with user privileges.(CVE-2008-2927)It was discovered that Pidgin did not properly handle file transfers containinga long filename and special characters in the MSN protocol handler. A remoteattacker could send a specially crafted filename in a file transfer requestand cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)It was discovered that Pidgin did not impose resource limitations in the UPnPservice. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service from memory or disk space exhaustion.(CVE-2008-2957)It was discovered that Pidgin did not validate SSL certificates when using asecure connection. If a remote attacker were able to perform aman-in-the-middle attack, this flaw could be exploited to view sensitiveinformation. This update alters Pidgin behaviour by asking users to confirmthe validity of a certificate upon initial login. (CVE-2008-3532)/div/div/div/div

Mon, 24 Nov 2008