Ubuntu 正體中文站 :: 首頁

USN-981-1: libwww-perl vulnerability

SecurityTeam — 2010-08-31T22:05:39+16:00

Referenced CVEs:

CVE-2010-2253

Description:

===========================================================
Ubuntu Security Notice USN-981-1 August 31, 2010
libwww-perl vulnerability
CVE-2010-2253
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libwww-perl 5.803-4ubuntu0.1

Ubuntu 8.04 LTS:
libwww-perl 5.808-1ubuntu0.1

Ubuntu 9.04:
libwww-perl 5.820-1ubuntu0.1

Ubuntu 9.10:
libwww-perl 5.831-1ubuntu0.1

Ubuntu 10.04 LTS:
libwww-perl 5.834-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that libwww-perl incorrectly filtered filenames suggested
by Content-Disposition headers. If a user were tricked into downloading a
file from a malicious site, a remote attacker could overwrite hidden files
in the user's directory.

出處: http://www.ubuntu.com/usn/usn-981-1 SecurityTeam

USN-980-1: bogofilter vulnerability

SecurityTeam — 2010-08-31T21:46:56+16:00

Referenced CVEs:

CVE-2010-2494

Description:

===========================================================
Ubuntu Security Notice USN-980-1 August 31, 2010
bogofilter vulnerability
CVE-2010-2494
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
bogofilter-bdb 1.1.5-2ubuntu5.1
bogofilter-sqlite 1.1.5-2ubuntu5.1

Ubuntu 9.04:
bogofilter-bdb 1.1.7-1ubuntu1.1
bogofilter-sqlite 1.1.7-1ubuntu1.1

Ubuntu 9.10:
bogofilter-bdb 1.2.0-3ubuntu1.1
bogofilter-sqlite 1.2.0-3ubuntu1.1

Ubuntu 10.04 LTS:
bogofilter-bdb 1.2.1-0ubuntu1.1
bogofilter-sqlite 1.2.1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

Details follow:

Julius Plenz discovered that bogofilter incorrectly handled certain
malformed encodings. By sending a specially crafted email, a remote
attacker could exploit this and cause bogofilter to crash, resulting in a
denial of service.

出處: http://www.ubuntu.com/usn/usn-980-1 SecurityTeam

USN-979-1: okular vulnerability

SecurityTeam — 2010-08-27T10:06:17+16:00

Referenced CVEs:

CVE-2010-2575

Description:

===========================================================
Ubuntu Security Notice USN-979-1 August 27, 2010
kdegraphics vulnerability
CVE-2010-2575
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
okular 4:4.2.2-0ubuntu2.1

Ubuntu 9.10:
okular 4:4.3.2-0ubuntu1.1

Ubuntu 10.04 LTS:
okular 4:4.4.2-0ubuntu1.1

After a standard system update you need to restart any running instances
of okular to make all the necessary changes.

Details follow:

Stefan Cornelius of Secunia Research discovered a boundary error during
RLE decompression in the "TranscribePalmImageToJPEG()" function in
generators/plucker/inplug/image.cpp of okular when processing images
embedded in PDB files, which can be exploited to cause a heap-based
buffer overflow. (CVE-2010-2575)

出處: http://www.ubuntu.com/usn/usn-979-1 SecurityTeam

為 mupdf 加上全螢幕切換功能

jserv — 2010-08-27T16:50:00+16:00

昨天受邀去內湖某公司作簡報，因為 OpenOffice 產生的 PDF 檔案稍大，用 evince 播放時，略為停頓一下，致使跟不上預定的節奏，有些細節就不慎忽略。回辦公室後，認真思考改良 PDF 簡報放映的方式，歸納以下軟體需求：避免太多相依性或執行時期的檔案 -- 讓任何一台裝有 GNU/Linux 的電腦都能作簡報與程式展示快速 -- 就算播放幾十 MBytes 的 PDF 檔案也順暢流暢鍵盤操作 -- 快速 zooming, 切換視角, 切換頁面，標注重點等等 open source -- 這還要說嗎？這年頭好多 closed source PDF viewer 根本就是 spy/ad-ware [MuPDF] 是目前最符合上述需求的軟體，輕薄短小，而且相當快速，但缺乏最重要的功能，也就是全螢幕播放，只好自己動手改。初步的 patch...
出處: http://blog.linux.org.tw/~jserv/archives/2010/08/_mupdf.html jserv

Linux上的電子收銀機系統（POS）-LemonPOS

魔法設計師 — 2010-08-28T10:17:00+16:00

最近我在幫一間我認識的小商店研究從原始的收銀方式，邁進到省錢、自由度又高的電子收銀機制（一般被稱為Point Of Sale的東西）方案。經過一番研究，我發現Ubuntu裡面內附的LemonPOS很符合需求，簡單好用，朋友並沒有開連鎖店，只是想把閒置的電腦拿來運用，不想買市面上一體式給很多分店用的那種專用高貴POS電腦，LemonpPOS剛好符合他需求，然後我覺得超讚的是，沒想到現在的USB條碼槍很棒，我跟認識書店老闆借一隻試用看看，首先先把自己建檔成一個商品XD然後把USB條碼槍插上去試刷看看。天哪，裝上去就直接可以用了！！！！好棒喔，Kernel直接就有driver耶！我只是拿現成的條碼槍用的說，沒去特別注意有沒有支援Linux，而且發現條碼槍很好玩，原來刷到的資料會盡入到當前的任何「游標焦點」，可以是console、編輯器、瀏覽器、bra..brahh，只是目前只有簡體中文的PO檔
出處: http://magicdesign.blogspot.com/2010/08/linuxpos-lemonpos.html 魔法設計師

USN-974-2: Linux kernel regression

SecurityTeam — 2010-08-27T02:36:03+16:00

Description:

===========================================================
Ubuntu Security Notice USN-974-2 August 26, 2010
linux regression
https://launchpad.net/bugs/620994
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
linux-image-2.6.24-28-386 2.6.24-28.77
linux-image-2.6.24-28-generic 2.6.24-28.77
linux-image-2.6.24-28-hppa32 2.6.24-28.77
linux-image-2.6.24-28-hppa64 2.6.24-28.77
linux-image-2.6.24-28-itanium 2.6.24-28.77
linux-image-2.6.24-28-lpia 2.6.24-28.77
linux-image-2.6.24-28-lpiacompat 2.6.24-28.77
linux-image-2.6.24-28-mckinley 2.6.24-28.77
linux-image-2.6.24-28-openvz 2.6.24-28.77
linux-image-2.6.24-28-powerpc 2.6.24-28.77
linux-image-2.6.24-28-powerpc-smp 2.6.24-28.77
linux-image-2.6.24-28-powerpc64-smp 2.6.24-28.77
linux-image-2.6.24-28-rt 2.6.24-28.77
linux-image-2.6.24-28-server 2.6.24-28.77
linux-image-2.6.24-28-sparc64 2.6.24-28.77
linux-image-2.6.24-28-sparc64-smp 2.6.24-28.77
linux-image-2.6.24-28-virtual 2.6.24-28.77
linux-image-2.6.24-28-xen 2.6.24-28.77

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

USN-974-1 fixed vulnerabilities in the Linux kernel. The fixes for
CVE-2010-2240 caused failures for Xen hosts. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)

Kees Cook discovered that under certain situations the ioctl subsystem for
DRM did not properly sanitize its arguments. A local attacker could exploit
this to read previously freed kernel memory, leading to a loss of privacy.
(CVE-2010-2803)

Ben Hawkes discovered an integer overflow in the Controller Area Network
(CAN) subsystem when setting up frame content and filtering certain
messages. An attacker could send specially crafted CAN traffic to crash the
system or gain root privileges. (CVE-2010-2959)

出處: http://www.ubuntu.com/usn/usn-974-2 SecurityTeam

我的ThinkpadX201i A22+Ubuntu10.04 webcam問題的解法

魔法設計師 — 2010-08-26T10:27:00+16:00

之前提到發現webcam的問題已經解除了，開啟webcam導致xwindow崩潰的問題（其實開totem也會）我測試過只發生在Ubuntu官方包的rt kernel（一般的kernel不會），因為該rt kernel是舊的9.10 原碼tree編出來的，有不少問題，改用falk-t-j的PPA裡面的realtime kernel問題就解決了，唉，Ubuntu官方不太在意RT kernel的運作XD自己要多努力了。我的機器也到了一個星期，機器用一個星期狀況很好，於是就給它貼上了貼紙，貼紙是上上星期COSCUP2010第一天研討會晚上Ubutu BOF上拿的，看起來像好吃的日本便當吧？打開裡面裝著（偽）初音未來然後這一台可是Powered by Ubuntu，可沒有windows貼紙喔:)真的很推薦大家Thinkpad x201i A22，便宜（三萬有找）、沒OS、有傳統Thinkpad
出處: http://magicdesign.blogspot.com/2010/08/thinkpadx201i-a22ubuntu1004-webcam.html 魔法設計師

USN-977-1: MoinMoin vulnerabilities

SecurityTeam — 2010-08-25T23:46:03+16:00

Referenced CVEs:

CVE-2010-2487, CVE-2010-2969, CVE-2010-2970

Description:

===========================================================
Ubuntu Security Notice USN-977-1 August 25, 2010
moin vulnerabilities
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.7

Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.5

Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.5

Ubuntu 9.10:
python-moinmoin 1.8.4-1ubuntu1.3

Ubuntu 10.04 LTS:
python-moinmoin 1.9.2-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.

出處: http://www.ubuntu.com/usn/usn-977-1 SecurityTeam

USN-976-1: Tomcat vulnerability

SecurityTeam — 2010-08-25T23:38:36+16:00

Referenced CVEs:

CVE-2010-2227

Description:

===========================================================
Ubuntu Security Notice USN-976-1 August 25, 2010
tomcat6 vulnerability
CVE-2010-2227
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
libtomcat6-java 6.0.18-0ubuntu6.3

Ubuntu 9.10:
libtomcat6-java 6.0.20-2ubuntu2.2

Ubuntu 10.04 LTS:
libtomcat6-java 6.0.24-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Tomcat incorrectly handled invalid Transfer-Encoding
headers. A remote attacker could send specially crafted requests containing
invalid headers to the server and cause a denial of service, or possibly
obtain sensitive information from other requests.

出處: http://www.ubuntu.com/usn/usn-976-1 SecurityTeam

Ubuntu Studio 10.04 進一步調校（音樂製作用）

魔法設計師 — 2010-08-24T22:53:00+16:00

為了音樂的製作，我們得把核心換成即時的核心，Ubuntu Studio 10.04目前有內附兩個即時核心，然而，他們是用Ubuntu 9.10的原碼tree編出來的，啟動時它們會抱怨：mount: mounting none on /dev failed No such device然後已經有人在PPA編譯了更好的即時核心，解決了這問題，可在falk-t-j的PPA找到，除了更好的即時核心以外，還有更多自由的sf2音色、取樣等等，全部共300多MB，對作音樂的幫助不小。
出處: http://magicdesign.blogspot.com/2010/08/ubuntu-studio-1004.html 魔法設計師