星球 | Ubuntu 正體中文站

星球

RSS | RDF | ATOM

USN-1352-1: Software Properties vulnerability

2012/1/31 22:37:38 | Ubuntu security notices

Ubuntu Security Notice USN-1352-1

31st January, 2012

software-properties vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.10

Ubuntu 10.04 LTS

Summary

Software Properties could be tricked into installing arbitrary PPA GPG
keys.

Software description

software-properties
- manage the repositories that you install software from

Details

David Black discovered that Software Properties incorrectly validated
server certificates when performing secure connections to download PPA GPG
key fingerprints. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to install altered
package repository GPG keys.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:: python-software-properties

0.81.13.3
Ubuntu 11.04:: python-software-properties

0.80.9.1
Ubuntu 10.10:: python-software-properties

0.76.7.1
Ubuntu 10.04 LTS:: python-software-properties

0.75.10.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4407

USN-1351-1: AccountsService vulnerability

2012/1/31 22:37:38 | Ubuntu security notices

Ubuntu Security Notice USN-1351-1

31st January, 2012

accountsservice vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Summary

AccountsService could be made to overwrite files as the administrator.

Software description

accountsservice
- query and manipulate user account information

Details

Hayawardh Vijayakumar discovered that AccountsService incorrectly handled
privileges when modifying the language settings on Ubuntu. A local attacker
could exploit this issue to modify arbitrary files, and possibly create a
denial of service or obtain increased privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:: accountsservice

0.6.14-1git1ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-4406

請改用國網中心的鏡像站(mirror)

2012/1/29 5:08:00 | 凍仁的 Ubuntu 筆記

大約一年前，台灣的鏡像站(mirror)開始不穩，凍仁則改用 shadow.ind.ntou.edu.tw 鏡像站。2011/10/12 凍仁發現其首頁有大大的標題寫著「ftp.tw.debian.org 以及 tw.archive.ubuntu.com 的管理者正在尋求資源」才終於知道這些 mirror 不穩的原因，~~幫不上忙的凍仁，只能上 Plurk 問前輩們~~，最後在前輩們的提醒下改用國網中心[1]的 mirror 就穩定了。

可以看的出來下方有幾個網域名稱(Domain name)是指到同一個 IP，凍仁雖不能肯定是指到同一台 Server，但可以肯定的是機器不夠力了！

OS	Mirror	IP
Debian	opensource.nchc.org.tw	211.73.64.9
Ubuntu	free.nchc.org.tw	211.73.64.9
Ubuntu	ftp.twaren.net	140.110.123.9 2001:e10:5c00:5::9

國網中心的 mirror。

OS	Mirror	IP
Debian	ftp.tw.debian.org	140.138.145.242
Ubuntu	tw.archive.ubuntu.com	140.138.145.242
Ubuntu	shadow.ind.ntou.edu.tw	140.121.80.201

凍仁原先使用的 mirror。

1. 使用更新管理員更換 mirror

1.1. 開啟「更新管理員」。

1.2. 點選「設定」按鈕。

1.3. 點選「下載自：」一欄，並點選「其他...」。

1.4. 找到國網中心的 mirror 後點選「選擇伺服器」。

2. 使用 sed 取代 mirror

2.1. 在取代前得先找出目前使用的 mirror。

jonny@oneiric:~$ cat /etc/apt/sources.list | grep main | awk '{ print $2}' | cut -d'/' -f3 | sed -n '3P' [Enter]
tw.archive.ubuntu.com

2.2. 將 tw.archive.ubuntu.com 替換成 free.nchc.org.tw。

jonny@oneiric:~$ sudo sed -i 's/tw.archive.ubuntu.com/free.nchc.org.tw/g' /etc/apt/sources.list [Enter]

使用完以上任ㄧ方法都得再次更新套件來源，切忌切記[2]！

# 註1：國網中心的全名為國家實驗研究院高速網路與計算中心(NCHC)。
# 註2：「切忌」指的是千万不可，而「切記」則是要牢記的意思。

延伸閱讀：
★NCHC | Main / HomePage

相關連結：
★大澤木小鐵 好奇 ftp://os.nchc.org.tw 滿載了，請問大家都是在哪裡更新 Ubuntu ？ [已解] 國研院國網中心自由軟體

USN-1349-1: X.Org vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1349-1

26th January, 2012

xorg vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.10

Ubuntu 10.04 LTS

Summary

X could be made to start by a user who lacked appropriate permissions.

Software description

xorg
- X.Org X Window System

Details

It was discovered that the X wrapper incorrectly checked certain console
permissions when launched by unprivileged users. An attacker connected
remotely could use this flaw to start X, bypassing the console permissions
check.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:: xserver-xorg

1:7.6+7ubuntu7.1
Ubuntu 11.04:: xserver-xorg

1:7.6+4ubuntu3.2
Ubuntu 10.10:: xserver-xorg

1:7.5+6ubuntu3.1
Ubuntu 10.04 LTS:: xserver-xorg

1:7.5+5ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4613

USN-1348-1: ICU vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1348-1

26th January, 2012

icu vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.10

Ubuntu 10.04 LTS

Summary

ICU could be made to crash or run programs as your login if it
opened specially crafted data.

Software description

icu
- International Components for Unicode library

Details

It was discovered that ICU did not properly handle invalid locale data
during Unicode conversion. If an application using ICU processed crafted
data, an attacker could cause it to crash or potentially execute arbitrary
code with the privileges of the user invoking the program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:: libicu44

4.4.2-2ubuntu0.11.10.1
Ubuntu 11.04:: libicu44

4.4.2-2ubuntu0.11.04.1
Ubuntu 10.10:: libicu42

4.2.1-3ubuntu0.10.10.1
Ubuntu 10.04 LTS:: libicu42

4.2.1-3ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-4599

USN-1342-1: Linux kernel (Oneiric backport) vulnerability

2012/1/27 8:55:05 | Ubuntu security notices

Ubuntu Security Notice USN-1342-1

25th January, 2012

linux-lts-backport-oneiric vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 10.04 LTS

Summary

The system could be made to run programs as an administrator.

Software description

linux-lts-backport-oneiric
- Linux kernel backport from Oneiric

Details

Jüri Aedla discovered that the kernel incorrectly handled /proc/<pid>/mem
permissions. A local attacker could exploit this and gain root privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:: linux-image-3.0.0-15-server

3.0.0-15.26~lucid1; linux-image-3.0.0-15-generic

3.0.0-15.26~lucid1; linux-image-3.0.0-15-virtual

3.0.0-15.26~lucid1; linux-image-3.0.0-15-generic-pae

3.0.0-15.26~lucid1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2012-0056

USN-1347-1: Evince vulnerability

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1347-1

25th January, 2012

evince vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.04

Ubuntu 10.10

Ubuntu 10.04 LTS

Summary

Evince could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

evince
- Document viewer

Details

It was discovered that Evince did not properly parse AFM font files when
processing DVI files. If a user were tricked into opening a specially
crafted DVI file, an attacker could cause Evince to crash or potentially
execute arbitrary code with the privileges of the user invoking the
program.

In the default installation, attackers would be isolated by the Evince
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.04:: libevdocument3

2.32.0-0ubuntu12.4
Ubuntu 10.10:: libevdocument3

2.32.0-0ubuntu1.2
Ubuntu 10.04 LTS:: libevdocument2

2.30.3-0ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2011-0433

USN-1346-1: curl vulnerability

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1346-1

24th January, 2012

curl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.10

Ubuntu 11.04

Ubuntu 10.10

Summary

curl could be tricked into injecting arbitrary data if it handled a
malicious URL.

Software description

curl
- HTTP, HTTPS, and FTP client and client libraries

Details

Dan Fandrich discovered that curl incorrectly handled URLs containing
embedded or percent-encoded control characters. If a user or automated
system were tricked into processing a specially crafted URL, arbitrary
data could be injected.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.10:: libcurl3-nss

7.21.6-3ubuntu3.2; libcurl3-gnutls

7.21.6-3ubuntu3.2; libcurl3

7.21.6-3ubuntu3.2
Ubuntu 11.04:: libcurl3-nss

7.21.3-1ubuntu1.5; libcurl3-gnutls

7.21.3-1ubuntu1.5; libcurl3

7.21.3-1ubuntu1.5
Ubuntu 10.10:: libcurl3-gnutls

7.21.0-1ubuntu1.3; libcurl3

7.21.0-1ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2012-0036

USN-1345-1: Linux kernel vulnerabilities

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1345-1

24th January, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 11.04

Summary

Several security issues were fixed in the kernel.

Software description

linux
- Linux kernel

Details

Peter Huewe discovered an information leak in the handling of reading
security-related TPM data. A local, unprivileged user could read the
results of a previous TPM command. (CVE-2011-1162)

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker
could exploit this to cause a kernel oops. (CVE-2011-2203)

A flaw was found in how the Linux kernel handles user-defined key types. An
unprivileged local user could exploit this to crash the system.
(CVE-2011-4110)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 11.04:: linux-image-2.6.38-13-powerpc

2.6.38-13.54; linux-image-2.6.38-13-powerpc64-smp

2.6.38-13.54; linux-image-2.6.38-13-generic-pae

2.6.38-13.54; linux-image-2.6.38-13-versatile

2.6.38-13.54; linux-image-2.6.38-13-generic

2.6.38-13.54; linux-image-2.6.38-13-virtual

2.6.38-13.54; linux-image-2.6.38-13-server

2.6.38-13.54; linux-image-2.6.38-13-omap

2.6.38-13.54; linux-image-2.6.38-13-powerpc-smp

2.6.38-13.54

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-1162,

CVE-2011-2203,

CVE-2011-4110

USN-1344-1: Linux kernel vulnerabilities

2012/1/26 11:31:50 | Ubuntu security notices

Ubuntu Security Notice USN-1344-1

24th January, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
- Linux kernel

Details

Clement Lecigne discovered a bug in the HFS filesystem. A local attacker
could exploit this to cause a kernel oops. (CVE-2011-2203)

A flaw was found in how the Linux kernel handles user-defined key types. An
unprivileged local user could exploit this to crash the system.
(CVE-2011-4110)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:: linux-image-2.6.32-38-powerpc

2.6.32-38.83; linux-image-2.6.32-38-386

2.6.32-38.83; linux-image-2.6.32-38-sparc64

2.6.32-38.83; linux-image-2.6.32-38-generic-pae

2.6.32-38.83; linux-image-2.6.32-38-preempt

2.6.32-38.83; linux-image-2.6.32-38-lpia

2.6.32-38.83; linux-image-2.6.32-38-sparc64-smp

2.6.32-38.83; linux-image-2.6.32-38-powerpc64-smp

2.6.32-38.83; linux-image-2.6.32-38-versatile

2.6.32-38.83; linux-image-2.6.32-38-generic

2.6.32-38.83; linux-image-2.6.32-38-virtual

2.6.32-38.83; linux-image-2.6.32-38-server

2.6.32-38.83; linux-image-2.6.32-38-powerpc-smp

2.6.32-38.83; linux-image-2.6.32-38-ia64

2.6.32-38.83

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2011-2203,

CVE-2011-4110

(1) 2 3 4 ... 66 »

排序: 點擊 | 評分 | 時間
列表 | Blogs