星球
USN-1042-1: PHP vulnerabilities
2011/1/12 7:57:48 | Ubuntu security notices
Referenced CVEs:
CVE-2009-5016, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710, CVE-2010-3870, CVE-2010-4156, CVE-2010-4409, CVE-2010-4645
Description:
===========================================================
Ubuntu Security Notice USN-1042-1 January 11, 2011
php5 vulnerabilities
CVE-2009-5016, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710,
CVE-2010-3870, CVE-2010-4156, CVE-2010-4409, CVE-2010-4645
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libapache2-mod-php5 5.1.2-1ubuntu3.20
php5-cgi 5.1.2-1ubuntu3.20
php5-cli 5.1.2-1ubuntu3.20
Ubuntu 8.04 LTS:
libapache2-mod-php5 5.2.4-2ubuntu5.13
php5-cgi 5.2.4-2ubuntu5.13
php5-cli 5.2.4-2ubuntu5.13
Ubuntu 9.10:
libapache2-mod-php5 5.2.10.dfsg.1-2ubuntu6.6
php5-cgi 5.2.10.dfsg.1-2ubuntu6.6
php5-cli 5.2.10.dfsg.1-2ubuntu6.6
Ubuntu 10.04 LTS:
libapache2-mod-php5 5.3.2-1ubuntu4.6
php5-cgi 5.3.2-1ubuntu4.6
php5-cli 5.3.2-1ubuntu4.6
Ubuntu 10.10:
libapache2-mod-php5 5.3.3-1ubuntu9.2
php5-cgi 5.3.3-1ubuntu9.2
php5-cli 5.3.3-1ubuntu9.2
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that an integer overflow in the XML UTF-8 decoding
code could allow an attacker to bypass cross-site scripting (XSS)
protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu 8.04 LTS,
and Ubuntu 9.10. (CVE-2009-5016)
It was discovered that the XML UTF-8 decoding code did not properly
handle non-shortest form UTF-8 encoding and ill-formed subsequences
in UTF-8 data, which could allow an attacker to bypass cross-site
scripting (XSS) protections. (CVE-2010-3870)
It was discovered that attackers might be able to bypass open_basedir()
restrictions by passing a specially crafted filename. (CVE-2010-3436)
Maksymilian Arciemowicz discovered that a NULL pointer derefence in the
ZIP archive handling code could allow an attacker to cause a denial
of service through a specially crafted ZIP archive. This issue only
affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu
10.10. (CVE-2010-3709)
It was discovered that a stack consumption vulnerability in the
filter_var() PHP function when in FILTER_VALIDATE_EMAIL mode, could
allow a remote attacker to cause a denial of service. This issue
only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and
Ubuntu 10.10. (CVE-2010-3710)
It was discovered that the mb_strcut function in the Libmbfl
library within PHP could allow an attacker to read arbitrary memory
within the application process. This issue only affected Ubuntu
10.10. (CVE-2010-4156)
Maksymilian Arciemowicz discovered that an integer overflow in the
NumberFormatter::getSymbol function could allow an attacker to cause
a denial of service. This issue only affected Ubuntu 10.04 LTS and
Ubuntu 10.10. (CVE-2010-4409)
Rick Regan discovered that when handing PHP textual representations
of the largest subnormal double-precision floating-point number,
the zend_strtod function could go into an infinite loop on 32bit
x86 processors, allowing an attacker to cause a denial of service.
(CVE-2010-4645)
在 10.04 使用 10.10 中的套件 PPA[10.04]
2011/1/11 21:25:00 | 手把手玩Ubuntu
老實說對 Ubuntu 10.10 沒什麼信心,剛出時灌了四、五次,安裝時沒有問題,但只要一更新就會出一些有的沒的問題,許多套件無法順利更新,在安裝時出錯等等,還有新的格式 btrfs 表現不如預期,就退回了 10.04 至今了。
使用 10.04 期間看到這個方法能使用 10.10 的套件,雖然不是在 10.10 上的套件都能安裝(如 Kernel,...
請按標題讀更多:)
使用 10.04 期間看到這個方法能使用 10.10 的套件,雖然不是在 10.10 上的套件都能安裝(如 Kernel,...
請按標題讀更多:)
USN-1041-1: Linux kernel vulnerabilities
2011/1/11 6:38:23 | Ubuntu security notices
Referenced CVEs:
CVE-2010-2537, CVE-2010-2538, CVE-2010-2943, CVE-2010-2962, CVE-2010-3079, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298, CVE-2010-3301, CVE-2010-3858, CVE-2010-3861, CVE-2010-4072
Description:
===========================================================
Ubuntu Security Notice USN-1041-1 January 10, 2011
linux, linux-ec2 vulnerabilities
CVE-2010-2537, CVE-2010-2538, CVE-2010-2943, CVE-2010-2962,
CVE-2010-3079, CVE-2010-3296, CVE-2010-3297, CVE-2010-3298,
CVE-2010-3301, CVE-2010-3858, CVE-2010-3861, CVE-2010-4072
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
linux-image-2.6.31-22-386 2.6.31-22.70
linux-image-2.6.31-22-generic 2.6.31-22.70
linux-image-2.6.31-22-generic-pae 2.6.31-22.70
linux-image-2.6.31-22-ia64 2.6.31-22.70
linux-image-2.6.31-22-lpia 2.6.31-22.70
linux-image-2.6.31-22-powerpc 2.6.31-22.70
linux-image-2.6.31-22-powerpc-smp 2.6.31-22.70
linux-image-2.6.31-22-powerpc64-smp 2.6.31-22.70
linux-image-2.6.31-22-server 2.6.31-22.70
linux-image-2.6.31-22-sparc64 2.6.31-22.70
linux-image-2.6.31-22-sparc64-smp 2.6.31-22.70
linux-image-2.6.31-22-virtual 2.6.31-22.70
linux-image-2.6.31-307-ec2 2.6.31-307.23
Ubuntu 10.04 LTS:
linux-image-2.6.32-27-386 2.6.32-27.49
linux-image-2.6.32-27-generic 2.6.32-27.49
linux-image-2.6.32-27-generic-pae 2.6.32-27.49
linux-image-2.6.32-27-ia64 2.6.32-27.49
linux-image-2.6.32-27-lpia 2.6.32-27.49
linux-image-2.6.32-27-powerpc 2.6.32-27.49
linux-image-2.6.32-27-powerpc-smp 2.6.32-27.49
linux-image-2.6.32-27-powerpc64-smp 2.6.32-27.49
linux-image-2.6.32-27-preempt 2.6.32-27.49
linux-image-2.6.32-27-server 2.6.32-27.49
linux-image-2.6.32-27-sparc64 2.6.32-27.49
linux-image-2.6.32-27-sparc64-smp 2.6.32-27.49
linux-image-2.6.32-27-versatile 2.6.32-27.49
linux-image-2.6.32-27-virtual 2.6.32-27.49
linux-image-2.6.32-311-ec2 2.6.32-311.23
Ubuntu 10.10:
linux-image-2.6.35-24-generic 2.6.35-24.42
linux-image-2.6.35-24-generic-pae 2.6.35-24.42
linux-image-2.6.35-24-omap 2.6.35-24.42
linux-image-2.6.35-24-powerpc 2.6.35-24.42
linux-image-2.6.35-24-powerpc-smp 2.6.35-24.42
linux-image-2.6.35-24-powerpc64-smp 2.6.35-24.42
linux-image-2.6.35-24-server 2.6.35-24.42
linux-image-2.6.35-24-versatile 2.6.35-24.42
linux-image-2.6.35-24-virtual 2.6.35-24.42
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the Ubuntu 10.04 LTS and
Ubuntu 10.10 kernel updates have been given a new version number,
which requires you to recompile and reinstall all third party kernel
modules you might have installed. If you use linux-restricted-modules,
you have to update that package as well to get modules which work with
the new kernel version. Unless you manually uninstalled the standard
kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc),
a standard system upgrade will automatically perform this as well.
Details follow:
Dan Rosenberg discovered that the btrfs filesystem did not correctly
validate permissions when using the clone function. A local attacker could
overwrite the contents of file handles that were opened for append-only,
or potentially read arbitrary contents, leading to a loss of privacy. Only
Ubuntu 9.10 was affected. (CVE-2010-2537, CVE-2010-2538)
Dave Chinner discovered that the XFS filesystem did not correctly order
inode lookups when exported by NFS. A remote attacker could exploit this
to read or write disk blocks that had changed file assignement or had
become unlinked, leading to a loss of privacy. (CVE-2010-2943)
Kees Cook discovered that the Intel i915 graphics driver did not
correctly validate memory regions. A local attacker with access to the
video card could read and write arbitrary kernel memory to gain root
privileges. Ubuntu 10.10 was not affected. (CVE-2010-2962)
Robert Swiecki discovered that ftrace did not correctly handle mutexes. A
local attacker could exploit this to crash the kernel, leading to a
denial of service. (CVE-2010-3079)
Dan Rosenberg discovered that several network ioctls did not clear kernel
memory correctly. A local user could exploit this to read kernel stack
memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297,
CVE-2010-3298)
Ben Hawkes discovered that the Linux kernel did not correctly filter
registers on 64bit kernels when performing 32bit system calls. On a
64bit system, a local attacker could manipulate 32bit system calls
to gain root privileges. The Ubuntu EC2 kernels needed additional
fixing. (CVE-2010-3301)
Brad Spengler discovered that stack memory for new a process was not
correctly calculated. A local attacker could exploit this to crash the
system, leading to a denial of service. (CVE-2010-3858)
Kees Cook discovered that the ethtool interface did not correctly clear
kernel memory. A local attacker could read kernel heap memory, leading
to a loss of privacy. (CVE-2010-3861)
Kees Cook and Vasiliy Kulikov discovered that the shm interface did not
clear kernel memory correctly. A local attacker could exploit this to
read kernel stack memory, leading to a loss of privacy. (CVE-2010-4072)
Synergy on Windows XP
2011/1/7 22:35:00 | 凍仁的 Ubuntu 筆記
自從得知軟體 KVM ----「Synergy」是一套跨平台的 open source 軟體,凍仁便開始透過它來串接 Windows 與 Linux,這樣就可以透過 Linux 來操作 Windows,一來也是因為 Logitech Marble TrackMan 只有在 Linux 的環境下才能顯現的出它的神奇,windows 在某些小細節還是沒有 linux 好用,但又不能完全捨棄 windows。
原理都是一樣的,只要把 Screen 位置分佈、Screen 名稱以及開防火牆就可以了,而 Synergy 預設的 port 為 24800,看完以上說明以後,會不會覺得 Linux 比較人性化阿 (誤~)。
Z
 |
| 主介面,這邊可選要當 Client 還是 Server。 |
前置設定
這邊凍仁先說明 Advanced(進階設定) 跟 AutoStart(自動啟動)。 |
| 進階選項的 Screen Name 是指本機的電腦名稱。 |
 |
| 左:登入後自動執行。 右:一開機就自動執行。 |
Client
在 Client 設定方便不管是對哪家而言都很簡單,只要確認 Server hostname/IP address 並記得打上自家的 Screen Name,順便附上之前在 Ubuntu 上的截圖好參考其欄位設定。 |
| 請 keyin 預連接 server 的 IP or Domain name。 |
 |
| QuickSynergy on Ubuntu 10.04 |
Server
 |
| 選擇 Server。 |
 |
| 點選下方的 Configure。 |
 |
| 新增 Client 與 Server 的 Screen Name 並配置左右。 |
 |
| 新增 Screen Name:jonny-pc。 |
 |
| 新增 Screen Name:joybook。 |
 |
| 配置 Screen 位置:joybook 在 jonny-pc 左邊。 |
 |
| 配置 Screen 位置:jonny-pc 在 joybook 右邊。 |
 |
| QuickSynergy on Ubuntu 10.04 |
原理都是一樣的,只要把 Screen 位置分佈、Screen 名稱以及開防火牆就可以了,而 Synergy 預設的 port 為 24800,
延伸閱讀:
★QuickSynergy(softKvm) on Ubuntu | 凍仁的 Ubuntu 筆記
相關連結:
★Synergy 官方網站Z
USN-1040-1: Django vulnerabilities
2011/1/7 8:46:55 | Ubuntu security notices
Referenced CVEs:
CVE-2010-4534, CVE-2010-4535
Description:
===========================================================
Ubuntu Security Notice USN-1040-1 January 07, 2011
python-django vulnerabilities
CVE-2010-4534, CVE-2010-4535
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
python-django 1.1.1-1ubuntu1.1
Ubuntu 10.04 LTS:
python-django 1.1.1-2ubuntu1.2
Ubuntu 10.10:
python-django 1.2.3-1ubuntu0.2.10.10.1
In general, a standard system update will make all the necessary changes.
Details follow:
Adam Baldwin discovered that Django did not properly validate query string
lookups. This could be exploited to provide an information leak to an
attacker with admin privilieges. (CVE-2010-4534)
Paul McMillan discovered that Django did not validate the length of the
token used when generating a password reset. An attacker could exploit
this to cause a denial of service via resource exhaustion. (CVE-2010-4535)
USN-1039-1: AppArmor update
2011/1/7 8:19:33 | Ubuntu security notices
Description:
===========================================================
Ubuntu Security Notice USN-1039-1 January 07, 2011
apparmor update
https://launchpad.net/bugs/693082
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
apparmor 2.3.1+1403-0ubuntu27.4
Ubuntu 10.04 LTS:
apparmor 2.5.1-0ubuntu0.10.04.2
Ubuntu 10.10:
apparmor 2.5.1-0ubuntu0.10.10.3
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that if AppArmor was misconfigured, under certain
circumstances the parser could generate policy using an unconfined fallback
execute transition when one was not specified.
USN-1038-1: dpkg vulnerability
2011/1/7 5:44:25 | Ubuntu security notices
Referenced CVEs:
CVE-2010-1679
Description:
===========================================================
Ubuntu Security Notice USN-1038-1 January 06, 2011
dpkg vulnerability
CVE-2010-1679
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
dpkg-dev 1.15.4ubuntu2.3
Ubuntu 10.04 LTS:
dpkg-dev 1.15.5.6ubuntu4.5
Ubuntu 10.10:
dpkg-dev 1.15.8.4ubuntu3.1
In general, a standard system update will make all the necessary changes.
Details follow:
Jakub Wilk and Raphaël Hertzog discovered that dpkg-source did not
correctly handle certain paths and symlinks when unpacking source-format
version 3.0 packages. If a user or an automated system were tricked into
unpacking a specially crafted source package, a remote attacker could
modify files outside the target unpack directory, leading to a denial
of service or potentially gaining access to the system.
USN-1035-1: Evince vulnerabilities
2011/1/5 22:38:03 | Ubuntu security notices
Referenced CVEs:
CVE-2010-2640, CVE-2010-2641, CVE-2010-2642, CVE-2010-2643
Description:
===========================================================
Ubuntu Security Notice USN-1035-1 January 05, 2011
evince vulnerabilities
CVE-2010-2640, CVE-2010-2641, CVE-2010-2642, CVE-2010-2643
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
evince 2.22.2-0ubuntu2.1
Ubuntu 9.10:
evince 2.28.1-0ubuntu1.3
Ubuntu 10.04 LTS:
evince 2.30.3-0ubuntu1.2
Ubuntu 10.10:
evince 2.32.0-0ubuntu1.1
In general, a standard system update will make all the necessary changes.
Details follow:
Jon Larimer discovered that Evince's font parsers incorrectly handled
certain buffer lengths when rendering a DVI file. By tricking a user into
opening or previewing a DVI file that uses a specially crafted font file,
an attacker could crash evince or execute arbitrary code with the user's
privileges.
In the default installation of Ubuntu 9.10 and later, attackers would be
isolated by the Evince AppArmor profile.
安裝Libreoffice 3.3.0-RC2 PPA[10.04,10.10,11.04]
2011/1/5 1:01:00 | 手把手玩Ubuntu
之前發表過的手動下載安裝比較麻煩,現在有PPA來源只要加入就可以直接安裝囉,目前版本是Libreoffice 3.3.0-RC2,以後有新版本直接更新就可以了。
1、在終端機輸入指令:
sudo add-apt-repository ppa:libreoffice/ppa
sudo apt-get update && sudo apt-get install...
請按標題讀更多:)
1、在終端機輸入指令:
sudo add-apt-repository ppa:libreoffice/ppa
sudo apt-get update && sudo apt-get install...
請按標題讀更多:)
DesktopNova 定時更改背景圖片PPA [9.10,10.04]
2010/12/31 21:01:00 | 手把手玩Ubuntu
DesktopNova 是一款定時更改背景圖片軟體,不用學會如何設定 xml ,安裝完成只要設定幾個步驟就可定時更改背景圖片,要開機自動啟動記得勾選相關的 Autorun 選項。Ubuntu 10.10 以上(含)使用者可以直接安裝,9.10,10.04 需添加 PPA 來源才能安裝。
1、於終端機輸入指令
sudo apt-add-repository...
請按標題讀更多:)
1、於終端機輸入指令
sudo apt-add-repository...
請按標題讀更多:)