Edgy Changes

squid, 2.6.1-3ubuntu1.5

Ubuntu Installer — Wed, 09 Jan 2008 20:56:11 +0000

squid (2.6.1-3ubuntu1.5)

SECURITY UPDATE: denial of service through memory exhaustion.
Add cache_header_shrinking.dpatch: upstream fixes thanks to Martin Nagy.
References CVE-2007-6239

openssh, 1:4.3p2-5ubuntu1.1

Ubuntu Installer — Wed, 09 Jan 2008 23:55:32 +0000

openssh (1:4.3p2-5ubuntu1.1)

SECURITY UPDATE: trusted cookie leak when untrusted cookie cannot be generated.
clientloop.c: Applied patch according to openssh upstream (LP: #162171), thanks to Stephan Hermann.
References: CVE-2007-4752 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444738 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c.diff?r1=1.180&r2=1.181

bind9 1:9.3.2-2ubuntu3.3

Soren Hansen — Fri, 11 Jan 2008 12:30:40 +0000

bind9 (1:9.3.2-2ubuntu3.3)

l.root-servers.net. got a new IP. (LP #160176)

squid 2.6.1-3ubuntu1.6

Martin Pitt — Fri, 11 Jan 2008 13:07:02 +0000

squid (2.6.1-3ubuntu1.6)

Fix transparent proxies (LP: #68818).

postgresql-8.1, 8.1.11-0ubuntu0.6.10.1

Ubuntu Installer — Mon, 14 Jan 2008 18:56:00 +0000

postgresql-8.1 (8.1.11-0ubuntu0.6.10.1)

New upstream security/bugfix release:
- Prevent functions in indexes from executing with the privileges of the user running "VACUUM", "ANALYZE", etc. "SET ROLE" is now forbidden within a SECURITY DEFINER context. [CVE-2007-6600]
- Suitably crafted regular-expression patterns could cause crashes, infinite or near-infinite looping, and/or massive memory consumption, all of which pose denial-of-service hazards for applications that accept regex search patterns from untrustworthy sources. [CVE-2007-4769, CVE-2007-4772, CVE-2007-6067]
- Require non-superusers who use "/contrib/dblink" to use only password authentication, as a security measure. The fix that appeared for this in 8.2.5 was incomplete, as it plugged the hole for only some "dblink" functions. [CVE-2007-6601, CVE-2007-3278]
- Fix planner failure in some cases of WHERE false AND var IN (SELECT ...).
- Preserve the tablespace and storage parameters of indexes that are rebuilt by "ALTER TABLE ... ALTER COLUMN TYPE".
- Make archive recovery always start a new WAL timeline, rather than only when a recovery stop time was used. This avoids a corner-case risk of trying to overwrite an existing archived copy of the last WAL segment, and seems simpler and cleaner than the original definition.
- Make "VACUUM" not use all of maintenance_work_mem when the table is too small for it to be useful.
- Fix potential crash in translate() when using a multibyte database encoding.
- Fix overflow in extract(epoch from interval) for intervals exceeding 68 years.
- Fix PL/Perl to not fail when a UTF-8 regular expression is used in a trusted function.
- Fix PL/Python to not crash on long exception messages.
- Fix pg_dump to correctly handle inheritance child tables that have default expressions different from their parent's.
- Fix libpq crash when PGPASSFILE refers to a file that is not a plain file.
- ecpg parser fixes.
- Make "contrib/tablefunc"'s crosstab() handle NULL rowid as a category in its own right, rather than crashing.
- Fix tsvector and tsquery output routines to escape backslashes correctly.
- Fix crash of to_tsvector() on huge input strings.
Use the timezone database from the system tzdata instead of shipping our own.
- debian/patches/04-timezone-symlinks.patch: Drop previous hardlink-to-symlink patch to zic, since that is irrelevant now. Replace the patch with a Makefile change that just symlinks /usr/share/zoneinfo to where postgresql previously installed its own tzdata copy.
- debian/control: Add tzdata dependency.
- debian/postgresql-8.1.install: Install the 'timezone' symlink, not the files in the dereferenced directory.
- debian/postgresql-8.1.postinst: Replace the timezone directory with the symlink on upgrades, since dpkg does not do that automatically. Without this, we'd end up with an empty timezone directory.

libxml2, 2.6.26.dfsg-2ubuntu4.1

Ubuntu Installer — Mon, 14 Jan 2008 22:55:39 +0000

libxml2 (2.6.26.dfsg-2ubuntu4.1)

SECURITY UPDATE: infinite loop with malformed UTF8
parserInternals.c: patched inline with upstream changes, thanks to Daniel Veillard.
References http://mail.gnome.org/archives/xml/2008-January/msg00036.html CVE-2007-6284

boost, 1.33.1-7ubuntu1.1

Ubuntu Installer — Wed, 16 Jan 2008 20:57:48 +0000

boost (1.33.1-7ubuntu1.1)

SECURITY UPDATE: null pointer dereference via crafted regular expression
debian/patches/06_SECURITY_CVE-2008-0172.patch: fix for basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return error on invalid repetition of next state
References CVE-2008-0171 CVE-2008-0172

libxfont, 1:1.2.0-0ubuntu3.2

Ubuntu Installer — Fri, 18 Jan 2008 00:55:31 +0000

libxfont (1:1.2.0-0ubuntu3.2)

SECURITY UPDATE: overflow in PCF font handling.
Added fix_CVE-2008-0006.patch: backported from upstream commit (b76df66d2c507898472bba0f9986ef5700029a36)

xorg-server, 1:1.1.1-0ubuntu12.3

Ubuntu Installer — Fri, 18 Jan 2008 00:56:40 +0000

xorg-server (1:1.1.1-0ubuntu12.3)

SECURITY UPDATE: multiple memory corruption flaws.
Added fix_CVE-2007-5958.patch: upstream fix from Matthieu Herrb.
Added fix_CVE-2007-5760.patch: backported upstream fixes (bbde5b62a137ba726a747b838d81e92d72c1b42b) for XFree86 Misc extension out of bounds array index.
Added fix_CVE-2007-6427.patch: backported upstream fixes (dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27) for Xinput extension memory corruption.
Added fix_CVE-2007-6428.patch: backported upstream fixes (7dc1717ff0f96b99271a912b8948dfce5164d5ad) for TOG-cup extension memory corruption.
Added fix_CVE-2007-6429.patch: backported upstream fixes (6de61f82728df22ea01f9659df6581b87f33f11d) for MIT-SHM and EVI extensions integer overflows.
Added fix_CVE-2008-0006.patch: backported upstream fixes (8e133d96740d010a4fd969a8188e6e71fb2cafe2) for PCF Font parser buffer overflow.

xorg-server, 1:1.1.1-0ubuntu12.4

Ubuntu Installer — Fri, 18 Jan 2008 18:55:58 +0000

xorg-server (1:1.1.1-0ubuntu12.4)

Revert previous security update since it causes severe regressions. (LP: #183969)

syslog-ng, 1.9.11-1.1ubuntu0.1

Ubuntu Installer — Fri, 18 Jan 2008 23:55:18 +0000

syslog-ng (1.9.11-1.1ubuntu0.1)

SECURITY UPDATE: Allows remote attackers to cause a denial of service (crash) via a message with a timestamp that does not contain a trailing space, which triggers a NULL pointer dereference.
src/logmsg.c (log_msg_parse): fixed possible NULL pointer dereference in log message parsing, as done in upstream RCS
References:
- http://git.balabit.hu/?p=bazsi/syslog-ng-2.0.git;a=commitdiff;h=3126ebad217e7fd6356f4733ca33f571aa87a170
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6437
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457334
Closes lp: #183389

xorg-server, 1:1.1.1-0ubuntu12.5

Ubuntu Installer — Sat, 19 Jan 2008 02:56:03 +0000

xorg-server (1:1.1.1-0ubuntu12.5)

SECURITY UPDATE: multiple memory corruption flaws.
Re-applied security patches from 1:1.1.1-0ubuntu12.3.
Updated fix_CVE-2007-6429.patch: upstream fixes for bbp < 8 crash regressions.
References http://gitweb.freedesktop.org/?p=xorg/xserver.git;a=commitdiff;h=e9fa7c1c88a8130a48f772c92b186b8b777986b5

apt 0.6.45ubuntu14.3

Michael Vogt — Tue, 22 Jan 2008 13:53:19 +0000

apt (0.6.45ubuntu14.3)

fix segfault when reading package lists (lp: #75273)

cacti, 0.8.6h-3ubuntu0.2

Ubuntu Installer — Tue, 29 Jan 2008 19:56:07 +0000

cacti (0.8.6h-3ubuntu0.2)

SECURITY UPDATE: (LP: #164072)
- CVE-2007-6035: SQL injection vulnerability in Cacti before 0.8.7a allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2007-3112: Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_start or (2) graph_end parameter.
- CVE-2007-3113: Cacti 0.8.6i, and possibly other versions, allows remote authenticated users to cause a denial of service (CPU consumption) via a large value of the (1) graph_height or (2) graph_width parameter.
debian/patches/10_CVE-2007-6035.dpatch: applied patch by upstream (Link: http://www.cacti.net/downloads/patches/0.8.6j/sec_sql_injection-0.8.6j.patch)
debian/patches/10_CVE-2007-3112+CVE-2007-3113.dpatch:
- Applied patch by upstream
- Link: http://svn.cacti.net/cgi-bin/viewvc.cgi/cacti/branches/0.8.7/graph_image.php?r1=3898&r2=3956&view=patch
References: CVE-2007-6035 CVE-2007-3112 CVE-2007-3113

yarssr, 0.2.2-1ubuntu0.6.10.1

Ubuntu Installer — Tue, 29 Jan 2008 19:56:37 +0000

yarssr (0.2.2-1ubuntu0.6.10.1)

Don't quote URLs when passing them to browsers. (LP: #172667)

sing, 1.1-11ubuntu0.6.10.1

Ubuntu Installer — Tue, 29 Jan 2008 19:57:11 +0000

sing (1.1-11ubuntu0.6.10.1)

SECURITY UPDATE: (LP: #173948)
- CVE-2007-6211: Send Nasty ICMP Garbage (sing) on Debian GNU/Linux allows local users to append to arbitrary files and gain privileges via the -L (output log file) option.
parser.c:
- Applied patch by Nico Golde <nion@debian.org>
- Link: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454167
References: CVE-2007-6211 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454167

libapache-mod-jk, 1:1.2.18-1ubuntu1.1

Ubuntu Installer — Tue, 29 Jan 2008 19:57:48 +0000

libapache-mod-jk (1:1.2.18-1ubuntu1.1)

SECURITY UPDATE: Forward unparsed URI to tomcat.
patches added: cve-2007-1860.dpatch. (Fixes LP: #119739)
References CVE-2007-1860

gtk-qt-engine 0.70-0ubuntu1.1

Jonathan Riddell — Fri, 01 Feb 2008 11:41:10 +0000

gtk-qt-engine (0.70-0ubuntu1.1)

Stable release update, support new Flash in Konqueror
Add kubuntu_03_xembed_fix_flashplayer.patch, turns off gtk-qt engine for plugins
Closes LP: #184149

kdelibs 4:3.5.5-0ubuntu3.6

Jonathan Riddell — Fri, 01 Feb 2008 11:46:18 +0000

kdelibs (4:3.5.5-0ubuntu3.6)

Stable release update, support new Flash in Konqueror
Add kubuntu_96_flash_xembed.diff, adds xembed support to plugins
LP: #184149
Closes LP: #184149

gtk-qt-engine 0.70-0ubuntu1.2

Jonathan Riddell — Fri, 01 Feb 2008 13:11:37 +0000

gtk-qt-engine (0.70-0ubuntu1.2)

Stable release update, support new Flash in Konqueror
Add kubuntu_03_xembed_fix_flashplayer.patch, turns off gtk-qt engine for plugins
LP: #184149

kdebase 4:3.5.5-0ubuntu3.8

Jonathan Riddell — Fri, 01 Feb 2008 13:27:46 +0000

kdebase (4:3.5.5-0ubuntu3.8)

Stable release update, support new Flash in Konqueror
Add kubuntu_9917_flash_xembed.diff, adds xembed support to Konqueror with backport from 3.5.8
Add build-dep on libglib2.0-dev
Closes LP: #184149

linux-source-2.6.17, 2.6.17.1-12.43

Ubuntu Installer — Mon, 04 Feb 2008 14:58:06 +0000

linux-source-2.6.17 (2.6.17.1-12.43)

tmpfs: restore missing clear_highpage (CVE-2007-6417)
vfs: coredumping fix (CVE-2007-6206)
I4L: fix isdn_ioctl memory overrun vulnerability (CVE-2007-6151)
isdn: avoid copying overly-long strings (CVE-2007-6063)
hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966)
[UBUNTU:ppc64] fix corrupted sigcontext during FPU stress (CVE-2007-3107)
CVE-2008-0001: Use access mode instead of open flags to determine needed permissions

apache2, 2.0.55-4ubuntu4.2

Ubuntu Installer — Mon, 04 Feb 2008 21:56:00 +0000

apache2 (2.0.55-4ubuntu4.2)

SECURITY UPDATE: denial of service (application crash) when using mod_proxy in threaded MPM via crafted date headers.
debian/patches/100_CVE-2007-3847.patch: fix proxy_util.c to use apr_date_parse_http() and apr_rfc822_date()
SECURITY UPDATE: cross-site scripting vulnerability in mod_autoindex.c when charset not defined
debian/patches/101_CVE-2007-4465.patch: fix mod_autoindex.c to properly check for and use charset
SECURITY UPDATE: cross-site scripting vulnerability in mod_imap
debian/patches/102_CVE-2007-5000.patch: fix for mod_imap.c to use ap_escape_html()
SECURITY UPDATE: cross-site scripting vulnerability in mod_status when server-status is enabled
debian/patches/103_CVE-2007-6388.patch: fix for mod_status.c to properly setup table
SECURITY UPDATE: cross-site scripting vulnerability in proxy_ftp when charset is not defined
debian/patches/104_CVE-2008-0005.patch: fix for proxy_ftp.c to define a charset
SECURITY UPDATE: cross-site scripting vulnerability in Expect headers
debian/patches/105_CVE-2006-3918.patch: fix for http_protocol.c to use ap_escape_html()
References CVE-2007-3847 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2008-0005 CVE-2006-3918

firefox, 2.0.0.12+0nobinonly+2-0ubuntu0.6.10

Ubuntu Installer — Fri, 08 Feb 2008 01:01:49 +0000

firefox (2.0.0.12+0nobinonly+2-0ubuntu0.6.10)

New security/stability release (v2.0.0.12)
New security/stability upstream release (v2.0.0.12) - 1.8.0.14 prepatches
MFSA 2008-01 aka CVE-2008-0412: Crashes with evidence of memory corruption v1.8.1.12 (Browser crashes)
MFSA 2008-01 aka CVE-2008-0413: Crashes with evidence of memory corruption v1.8.1.12 (javascript crashes)
MFSA 2008-02 aka CVE-2008-0414: Multiple file input focus stealing vulnerabilities: 1. Focus shifting bugs and 2. Selective keystroke blocking bugs
MFSA 2008-03 aka CVE-2008-0415: Privilege escalation, XSS, Remote Code Execution (JavaScript privilege escalation bugs)
MFSA 2008-04 aka CVE-2008-0416: Multiple XSS vulnerabilities from character encoding
MFSA 2008-05 aka CVE-2008-0417: Stored password corruption
MFSA 2008-06 aka CVE-2008-0418: Directory traversal via chrome: URI
MFSA 2008-07 aka CVE-2008-0419: Web browsing history and forward navigation stealing
MFSA 2008-08 aka CVE-2008-0420: Possible information disclosure in BMP decoder
MFSA 2008-09 aka CVE-2008-0591: File action dialog tampering
MFSA 2008-10 aka CVE-2008-0592: Mishandling of locally-saved plain text files
MFSA 2008-11 aka CVE-2008-0593: URL token stealing via stylesheet redirect
MFSA 2008-12 aka CVE-2008-0594: Web forgery overwrite with div overlay

linux-source-2.6.17, 2.6.17.1-12.44

Ubuntu Installer — Tue, 12 Feb 2008 13:57:45 +0000

linux-source-2.6.17 (2.6.17.1-12.44)

splice: fix user pointer access in get_iovec_page_array() (CVE-2008-0600)

libcdio, 0.76-1ubuntu1.6.10.1

Ubuntu Installer — Wed, 20 Feb 2008 18:55:37 +0000

libcdio (0.76-1ubuntu1.6.10.1)

SECURITY UPDATE:
- CVE-2007-6613: a stack-based buffer overflow in the print_iso9660_recurse function could lead to cause a denial of service or arbitrary code execution if the iso-info tool is used with a crafted iso image (LP: #191216)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=459129

pcre3, 7.4-0ubuntu0.6.10.2

Ubuntu Installer — Thu, 21 Feb 2008 18:55:38 +0000

pcre3 (7.4-0ubuntu0.6.10.2)

SECURITY UPDATE: stack overflow when handling long UTF8 strings.
pcre_compile.c, testdata/test{in,out}put4: upstream changes from 7.6 backported, thanks to Tomas Hoger and Florian Weimer.
References CVE-2008-0674

cacti, 0.8.6h-3ubuntu0.3

Ubuntu Installer — Fri, 22 Feb 2008 02:55:24 +0000

cacti (0.8.6h-3ubuntu0.3)

SECURITY UPDATE: (LP: #192199)
- CVE-2008-0783: Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via the (1) view_type parameter to graph.php, (2) filter parameter to graph_view.php, and (3) action and login_username parameters to index.php/login.
- CVE-2008-0784: graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors.
debian/patches/11_CVE-2008-0783_CVE-2008-0784.dpatch: applied patch by upstream. (backported from 0.8.6j) (Link: http://www.cacti.net/downloads/patches/0.8.6j/multiple_vulnerabilities-0.8.6j.patch)
References: CVE-2008-0783 CVE-2008-0784

lighttpd, 1.4.13~r1370-1ubuntu1.4

Ubuntu Installer — Wed, 27 Feb 2008 14:55:43 +0000

lighttpd (1.4.13~r1370-1ubuntu1.4)

SECURITY UPDATE:
- debian/patches/90_maxfds_crash_fix.dpatch:
  - added patch from upstream to fix the maxfds issue (LP: #195380)
References
- http://trac.lighttpd.net/trac/ticket/1562

lookup-el,lookup-el 1.4-4ubuntu0.6.10

Ubuntu Installer — Wed, 27 Feb 2008 14:56:16 +0000

lookup-el (1.4-4ubuntu0.6.10)

SECURITY UPDATE:
- lisp/ndeb-binary.el: Make a temporary subdirectory securely. (LP: #176931)
References
- http://www.debian.org/security/2007/dsa-1269
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0237

mozilla-thunderbird, 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.0

Ubuntu Installer — Fri, 29 Feb 2008 15:55:36 +0000

mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.0)

USN-582-1 - release security backports for 1.8.0.12 (including previously not released firefox patches for 1.8.0.10/11)
add distro version patch to indicate post-EOL maintainence release
- add debian/patches/98_ubuntu_eol_distro_version.dpatch
- update debian/patches/00list

gnatsweb,gnatsweb 4.00-1ubuntu0.6.10

Ubuntu Installer — Tue, 04 Mar 2008 18:55:21 +0000

gnatsweb (4.00-1ubuntu0.6.10)

SECURITY UPDATE:
gnatsweb.pl (LP: #191196)
- Fixed missing escaping of the database parameter which leads to a cross-site scripting vulnerability (XSS) via this parameter (CVE-2007-2808).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2808
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=427156

evolution, 2.8.1-0ubuntu4.2

Ubuntu Installer — Wed, 05 Mar 2008 18:57:19 +0000

evolution (2.8.1-0ubuntu4.2)

SECURITY UPDATE: code execution via format string in encrypted emails.
Add 99_00_encryption_format_string_fix.patch: upstream fixes from Srinivasa Ragavan.
References CVE-2008-0072

openldap2.2, 2.2.26-5ubuntu3.3

Ubuntu Installer — Wed, 05 Mar 2008 20:55:35 +0000

openldap2.2 (2.2.26-5ubuntu3.3)

SECURITY UPDATE: slapd crash when using the bdb backend and processing crafted modify and modrdn requests
patch to back-bdb/add.c, back-bdb/ctxcsn.c, back-bdb/delete.c, back-bdb/modify.c, back-bdb/modrdn.c to properly check for NOOP option
References: CVE-2007-6698 CVE-2008-0658 LP: #197077

tzdata 2007k-0ubuntu0.6.10.1

Martin Pitt — Thu, 06 Mar 2008 10:33:19 +0000

tzdata (2007k-0ubuntu0.6.10.1)

Add debian/patches/chile-dst2008.patch: Update DST rules for Chile to incorporate short-term DST change for 2008 (delayed for three weeks from March 08 to March 29). (LP: #198129)

mozilla-thunderbird, 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1

Ubuntu Installer — Thu, 06 Mar 2008 18:55:41 +0000

mozilla-thunderbird (1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1)

fix memory access regression (LP: #197504)
- add debian/patches/0071_279505-attachment-297724-(fix-396613-regression).dpatch
- update debian/patches/00list

lighttpd, 1.4.13~r1370-1ubuntu1.5

Ubuntu Installer — Fri, 07 Mar 2008 18:56:01 +0000

lighttpd (1.4.13~r1370-1ubuntu1.5)

SECURITY UPDATE:
debian/patches/91_CVE-2008-1111.dpatch:
- Fixes CVE-2008-1111 "mod_cgi in lighttpd 1.4.18, when a fork failure occurs, sends the source code of CGI scripts instead of a 500 error, which might allow remote attackers to obtain sensitive information." (LP: #198731)
References
http://trac.lighttpd.net/trac/changeset/2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1111

python2.4, 2.4.4~c1-0ubuntu1.1

Ubuntu Installer — Mon, 10 Mar 2008 21:56:37 +0000

python2.4 (2.4.4~c1-0ubuntu1.1)

SECURITY UPDATE: code execution via integer overflows, information leak via strxfrm.
debian/rules, debian/patches/CVE-2007-4965-int-overflow.dpatch: upstream changes, thanks to Stephan Hermann.
debian/rules, debian/patches/strxfrm-leak.dpatch: upstream changes.
References http://bugs.python.org/file8592/python-2.5.CVE-2007-4965-int-overflow.patch CVE-2007-4965 CVE-2007-2052

python2.5, 2.5-2ubuntu2.1

Ubuntu Installer — Mon, 10 Mar 2008 21:57:01 +0000

python2.5 (2.5-2ubuntu2.1)

SECURITY UPDATE: code execution via integer overflows, information leak via strxfrm.
debian/rules, debian/patches/CVE-2007-4965-int-overflow.dpatch: upstream changes, thanks to Stephan Hermann.
debian/rules, debian/patches/strxfrm-leak.dpatch: upstream changes.
References http://bugs.python.org/file8592/python-2.5.CVE-2007-4965-int-overflow.patch CVE-2007-4965 CVE-2007-2052

lighttpd, 1.4.13~r1370-1ubuntu1.6

Ubuntu Installer — Tue, 11 Mar 2008 19:55:41 +0000

lighttpd (1.4.13~r1370-1ubuntu1.6)

SECURITY UPDATE: (LP: #200987)
debian/patches/91_CVE-2008-1270.dpatch
- mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
References
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
http://trac.lighttpd.net/trac/ticket/1587
http://trac.lighttpd.net/trac/changeset/2120

mysql-dfsg-5.0 5.0.24a-9ubuntu2.3

Jamie Strandboge — Wed, 12 Mar 2008 08:13:47 +0000

mysql-dfsg-5.0 (5.0.24a-9ubuntu2.3)

SECURITY UPDATE: buffer overflow via ProcessOldClientHello() in handshake.cpp and input_buffer& operator>> in yassl_imp.cpp
SECURITY UPDATE: buffer overread in HASHwithTransform::Update in hash.cpp
debian/patches/99_SECURITY_CVE-2008-0226_0227.dpatch: properly verify length of input (LP: #186978).
SECURITY UPDATE: privilege escalation via crafted CREATE SQL SECURITY DEFINER VIEW and ALTER VIEW statements
debian/patches/100_SECURITY_CVE-2007-6303.dpatch: make sure lex->definer is non-NULL in sql_view.cc (LP: #185039). This patch also fixes upstream bug #21080, which was needed to keep VIEW definitions in sync.
SECURITY UPDATE: denial of service via crafted EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table
debian/patches/101_SECURITY_CVE-2006-7232.dpatch: make sure thd->lex-describe is non-NULL in sql_select.cc (LP: #161127)
debian/patches/102_view_fix-now.dpatch: update view.test and view.result to use a static year instead of now(). These tests are not part of the build but helps with qa-regression-testing
SECURITY UPDATE: privilege escalation via SQL SECURITY INVOKER stored routines
debian/patches/103_SECURITY_CVE-2007-2692.dpatch: restore THD::db_access when returning from stored routine by performing privilege checks in the execution stage rather than the parsing stage.
References CVE-2008-0226 CVE-2008-0227 CVE-2007-6303 CVE-2006-7232 CVE-2007-2692 http://bugs.mysql.com/bug.php?id=27337 http://bugs.mysql.com/bug.php?id=21080

tzdata 2008a-0ubuntu0.6.10

Martin Pitt — Wed, 12 Mar 2008 09:23:12 +0000

tzdata (2008a-0ubuntu0.6.10)

Replace tzdata2007k.tar.gz with new version tzdata2008a:
- Fixes Chile DST properly, our patch switched it on a day too early.
- Drop debian/patches/chile-dst2008.patch.
- LP: #198129

vlc, 0.8.6-svn20061012.debian-1ubuntu1.2

Ubuntu Installer — Wed, 12 Mar 2008 17:56:12 +0000

vlc (0.8.6-svn20061012.debian-1ubuntu1.2)

SECURITY UPDATE:
- debian/patches/CVE-2008-0984.patch (LP: #195949)
- VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
  - suffers from an arbitrary memory overwrite vulnerability when using
  - crash the player instance.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0984
- http://www.videolan.org/security/sa0802.html

mailman, 1:2.1.8-2ubuntu2.1

Ubuntu Installer — Fri, 14 Mar 2008 18:55:40 +0000

mailman (1:2.1.8-2ubuntu2.1)

SECURITY UPDATE:
debian/patches/100_CVE-2008-0564.dpatch (LP: #199338)
- Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0564
http://bugs.gentoo.org/show_bug.cgi?id=208710

phpmyadmin, 4:2.8.2-0.2ubuntu0.1

Ubuntu Installer — Fri, 14 Mar 2008 20:55:25 +0000

phpmyadmin (4:2.8.2-0.2ubuntu0.1)

SECURITY UPDATE:
debian/patches/050_CVE-2008-1149.dpatch
- Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation , Allows unauthorized disclosure of information , Allows disruption of service. (LP: #198745)
References:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

wml, 2.0.8-11ubuntu0.6.10

Ubuntu Installer — Fri, 14 Mar 2008 20:56:06 +0000

wml (2.0.8-11ubuntu0.6.10)

SECURITY UPDATE: (LP: #191205)
wml_backend/p1_ipp/ipp.src (CVE-2008-0665)
- in Website META Language (WML) 2.0.11 allows local users to overwrite arbitrary files via a symlink attack on the ipp.$$.tmp temporary file.
wlm_backend/p3_eperl/eperl_sys.c wml_contrib/wmg.cgi (CVE-2008-0666)
- Website META Language (WML) 2.0.11 allows local users to overwrite arbitrary files via a symlink attack on (1) the /tmp/pe.tmp.$$ temporary file used by wml_contrib/wmg.cgi and (2) temporary files used by wml_backend/p3_eperl/eperl_sys.c.
References
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0665
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0666
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463907

python-cherrypy, 2.2.1-3ubuntu0.1

Ubuntu Installer — Fri, 14 Mar 2008 20:56:33 +0000

python-cherrypy (2.2.1-3ubuntu0.1)

SECURITY UPDATE: directory traversal via session cookie ID.
- debian/patches/10_CVE-2008-0252.diff: Add. Ensure that the path generated from the session ID is within the session directory. Patch from upstream SVN. (LP: #187481)
- References:
  - CVE-2008-0252

krb5, 1.4.3-9ubuntu1.6

Ubuntu Installer — Tue, 18 Mar 2008 23:56:01 +0000

krb5 (1.4.3-9ubuntu1.6)

SECURITY UPDATE: arbitrary code execution via freed pointer and memory overflows.
src/kdc/{kerberos_v4,dispatch,network}.c: backported upstream fixes patched inline (MITKRB5-SA-2008-001: CVE-2008-0062, CVE-2008-0063).
src/lib/rpc/{svc,svc_tcp}.c: upstream fixed patched inline (MITKRB5-SA-2008-002: CVE-2008-0947)

mysql-dfsg-5.0, 5.0.24a-9ubuntu2.4

Ubuntu Installer — Thu, 20 Mar 2008 10:56:17 +0000

mysql-dfsg-5.0 (5.0.24a-9ubuntu2.4)

no change build for -security upload

mysql-dfsg-5.0 (5.0.24a-9ubuntu2.3)

SECURITY UPDATE: buffer overflow via ProcessOldClientHello() in handshake.cpp and input_buffer& operator>> in yassl_imp.cpp
SECURITY UPDATE: buffer overread in HASHwithTransform::Update in hash.cpp
debian/patches/99_SECURITY_CVE-2008-0226_0227.dpatch: properly verify length of input (LP: #186978).
SECURITY UPDATE: privilege escalation via crafted CREATE SQL SECURITY DEFINER VIEW and ALTER VIEW statements
debian/patches/100_SECURITY_CVE-2007-6303.dpatch: make sure lex->definer is non-NULL in sql_view.cc (LP: #185039). This patch also fixes upstream bug #21080, which was needed to keep VIEW definitions in sync.
SECURITY UPDATE: denial of service via crafted EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table
debian/patches/101_SECURITY_CVE-2006-7232.dpatch: make sure thd->lex-describe is non-NULL in sql_select.cc (LP: #161127)
debian/patches/102_view_fix-now.dpatch: update view.test and view.result to use a static year instead of now(). These tests are not part of the build but helps with qa-regression-testing
SECURITY UPDATE: privilege escalation via SQL SECURITY INVOKER stored routines
debian/patches/103_SECURITY_CVE-2007-2692.dpatch: restore THD::db_access when returning from stored routine by performing privilege checks in the execution stage rather than the parsing stage.
References CVE-2008-0226 CVE-2008-0227 CVE-2007-6303 CVE-2006-7232 CVE-2007-2692 http://bugs.mysql.com/bug.php?id=27337 http://bugs.mysql.com/bug.php?id=21080

unzip, 5.52-8ubuntu1.1

Ubuntu Installer — Thu, 20 Mar 2008 17:55:52 +0000

unzip (5.52-8ubuntu1.1)

SECURITY UPDATE: arbitrary code execution via heap corruption.
inflate.c: fix invalid free() calls, patch from Tavis Ormandy.
References CVE-2008-0888

smarty,smarty 2.6.14-1ubuntu0.6.10.1

Ubuntu Installer — Mon, 24 Mar 2008 12:55:36 +0000

smarty (2.6.14-1ubuntu0.6.10.1)

SECURITY UPDATE: (LP: #202422)
libs/plugins/modifier.regex_replace.php
- The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1066
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469492

mplayer, 2:0.99+1.0pre8-0ubuntu8.3

Ubuntu Installer — Mon, 24 Mar 2008 15:55:57 +0000

mplayer (2:0.99+1.0pre8-0ubuntu8.3)

SECURITY UPDATE: buffer overruns in RMMF, CDDB, MOV demuxer, FLAC header parser, and URL parser. (LP: #191488)
stream/librtsp/rtsp_session.c, stream/realrtsp/rmff.c, stream/realrtsp/rmff.h, libmpdemux/demux_mov.c, libmpdemux/demux_audio.c, stream/stream_cddb.c, stream/url.c: Patches from upstream.
References:
- CVE-2008-0225
- CVE-2008-0238
- CVE-2008-0485
- CVE-2008-0486
- CVE-2008-0629
- CVE-2008-0630

bzip2, 1.0.3-3ubuntu0.1

Ubuntu Installer — Mon, 24 Mar 2008 17:55:36 +0000

bzip2 (1.0.3-3ubuntu0.1)

SECURITY UPDATE: denial of service via heap memory corruption.
bzlib.c, bzlib_private.h: upstream patch from 1.0.5 applied inline.
References CVE-2008-1372

icu, 3.4.1a-1ubuntu1.6.10.1

Ubuntu Installer — Mon, 24 Mar 2008 17:56:49 +0000

icu (3.4.1a-1ubuntu1.6.10.1)

SECURITY UPDATE: possible read from and write to out of bounds memory locations via back reference '\0' in regular expressions
SECURITY UPDATE: denial of service due to memory exhaustion via a crafted regular expression
debian/patches/SECURITY_CVE-2007-4770_4771.patch: fix regexcmp.cpp to return error on invalid back reference. fix rematch.cpp, uvectr32.h and uvectr32.cpp to return error when capacity is greater than maxCapacity
References CVE-2007-4770 CVE-2007-4771

dspam, 3.6.8-1ubuntu0.1

Ubuntu Installer — Wed, 26 Mar 2008 03:55:55 +0000

dspam (3.6.8-1ubuntu0.1)

SECURITY UPDATE: The libdspam7-drv-mysql cron job includes the MySQL dspam database password in a command line argument, which might allow local users to read the password by listing the process and its arguments.
debian/libdspam7-drv-mysql.cron.daily: applied patch from Debian to use a password file instead.
References
- LP: #195691
- CVE-2007-6418

firefox, 2.0.0.13+0nobinonly-0ubuntu0.6.10

Ubuntu Installer — Wed, 26 Mar 2008 10:58:26 +0000

firefox (2.0.0.13+0nobinonly-0ubuntu0.6.10)

New security/stability release (v2.0.0.13)
- see USN-592-1

libnet-dns-perl, 0.57-1ubuntu1.1

Ubuntu Installer — Wed, 26 Mar 2008 17:56:20 +0000

libnet-dns-perl (0.57-1ubuntu1.1)

SECURITY UPDATE:
debian/patches/42_CVE-2007-6341.dpatch (LP: #201454)
- used in packages such as SpamAssassin and OTRS, allows remote attackers to cause a denial of service (program "croak") via a crafted DNS response.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457445

dovecot, 1.0.rc2-1ubuntu2.3

Ubuntu Installer — Wed, 26 Mar 2008 17:56:02 +0000

dovecot (1.0.rc2-1ubuntu2.3)

SECURITY UPDATE: mailboxes of other users could be read via symlinks.
Add upstream-mail-group-fixes.dpatch: upstream fixes (CVE-2008-1199).
Add upstream-invalid-password-fixes.dpatch: proactive upstream fixes to avoid future issues in underlying passdb (CVE-2008-1218).
References http://dovecot.org/list/dovecot-news/2008-March/000060.html http://dovecot.org/list/dovecot-news/2008-March/000064.html

sdl-image1.2, 1.2.5-2ubuntu0.6.10.1

Ubuntu Installer — Wed, 26 Mar 2008 18:55:32 +0000

sdl-image1.2 (1.2.5-2ubuntu0.6.10.1)

SECURITY UPDATE: Buffer overflow in GIF handling; possible denial of service and arbitrary code execution.
SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible denial of service and arbitrary code execution.
Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c. Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian. Applied inline. (LP: #185782)
References: http://www.debian.org/security/2008/dsa-1493 CVE-2007-6697 and CVE-2008-0544

ruby1.8, 1.8.4-5ubuntu1.3

Ubuntu Installer — Wed, 26 Mar 2008 18:56:28 +0000

ruby1.8 (1.8.4-5ubuntu1.3)

SECURITY UPDATE: SSL connections did not check commonName early enough, possibly allowing sensitive information to be exposed.
debian/patches/915_CVE-2007-5162.patch: upstream fixes, from http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13499
debian/patches/915_CVE-2007-5770.patch: upstream fixes, from http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656
References: CVE-2007-5162 CVE-2007-5770 (LP: #149616)

horde3, 3.1.3-1ubuntu0.1

Ubuntu Installer — Thu, 27 Mar 2008 16:55:30 +0000

horde3 (3.1.3-1ubuntu0.1)

SECURITY UPDATE: (LP: #203456)
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5,
- and Groupware Webmail Edition before 1.0.6, when running with certain
- configurations, allows remote authenticated users to read and execute arbitrary
- files via ".." sequences and a null byte in the theme name.
- Fix directory traversal vulnerability in Registry.php which allows
- an attacker to read and execute arbitrary local files via crafted
- path sequences.
References
http://ftp.horde.org/pub/horde/patches/patch-horde-3.1.6-3.1.7.gz
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1284
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470640
http://www.debian.org/security/2008/dsa-1519

dspam, 3.6.8-1ubuntu0.2

Ubuntu Installer — Fri, 28 Mar 2008 00:55:34 +0000

dspam (3.6.8-1ubuntu0.2)

debian/libdspam7-drv-mysql.cron.daily: Fix bashism introduced in previous security update (s/echo -e/printf/) (LP: #207579)

openssh, 1:4.3p2-5ubuntu1.2

Ubuntu Installer — Tue, 01 Apr 2008 22:55:42 +0000

openssh (1:4.3p2-5ubuntu1.2)

SECURITY UPDATE: X11 forward hijacking via alternate address families.
channels.c: upstream fixes, patched inline. Thanks to Nicolas Valcarcel (LP: #210175).
References CVE-2008-1483

cupsys, 1.2.4-2ubuntu3.3

Ubuntu Installer — Wed, 02 Apr 2008 21:55:52 +0000

cupsys (1.2.4-2ubuntu3.3)

debian/patches/72_CVE-2008-0047.dpatch: Fix buffer overflow in cgiCompileSearch() using crafted search expressions. Exploitable if printer sharing is enabled. Thanks to Martin Pitt for supplying the patch.
debian/patches/73_CVE-2008-0882.dpatch: Fix double-free in process_browse_data(), which could be exploited to a remote DoS by sending crafted data to the cups UDP port. Thanks to Martin Pitt for supplying the patch.
debian/patches/74_pid.dpatch: Specify PidFile in temporary directory in the self test's cupsd.conf. This affects the test suite (in the sense that it actually works now) and does not affect the built binaries at all. (Backported from trunk). Thanks to Martin Pitt for supplying the patch.
debian/patches/75_CVE-2008-0053.dpatch: Fix buffer overflows in ParseCommand() in hpgl-input.c by properly checking number of parameters
debian/patches/76_CVE-2008-1373.dpatch: Fix buffer overflow in gif_read_image() in image-gif.c by properly validating code_size
References CVE-2008-0047 CVE-2008-0882 CVE-2008-0053 CVE-2008-1373 http://www.cups.org/str.php?L2729 http://www.cups.org/str.php?L2656

ca-certificates 20050804-0ubuntu0.6.10

James Westby — Fri, 04 Apr 2008 11:45:27 +0000

ca-certificates (20050804-0ubuntu0.6.10)

Fix up generation of the /etc/ssl/certs/ca-certificates.crt file for those users who installed the package in a pt_BR locale (LP: #153625). A mistake in the translation template meant that the choices were not available in this locale, and so the file was always empty.
- If you were affected and have not tried to reconfigure this package, then the problem should be corrected for you automatically.
- If you were affected and have tried to reconfigure the package you may be shown a debconf question to allow you to select the certificates that you want.
- The only users who were not affected by this bug but may be affected by this fix are those who installed in a different locale, and then reconfigured the package so that no certificates are trusted, and who now run in a pt_BR locale. They will have to deselect all of the certificates again.

cacti, 0.8.6h-3ubuntu0.4

Ubuntu Installer — Sat, 05 Apr 2008 13:55:30 +0000

cacti (0.8.6h-3ubuntu0.4)

debian/patches/12_CVE-2008-0783_CVE-2008-0784_regression.dpatch: fix 'Invalid PHP_SELF Path' regression (LP: #194687)

opera 9.27-20080331.6edgy1

Brian Thomason — Mon, 07 Apr 2008 21:05:26 +0000

opera (9.27-20080331.6edgy1)

New upstream release
See http://www.opera.com/docs/changelogs/ for details

gs-esp, 8.15.2.dfsg.0ubuntu1-0ubuntu4.1

Ubuntu Installer — Wed, 09 Apr 2008 18:56:14 +0000

gs-esp (8.15.2.dfsg.0ubuntu1-0ubuntu4.1)

SECURITY UPDATE: buffer overflow in color space handling code
debian/patches/05_CVE-2008-0411.dpatch: fix zseticcspace() to perform range checks
References CVE-2008-0411

gs-gpl, 8.50-1.1ubuntu1.2

Ubuntu Installer — Wed, 09 Apr 2008 18:56:52 +0000

gs-gpl (8.50-1.1ubuntu1.2)

SECURITY UPDATE: buffer overflow in color space handling code
debian/patches/41_CVE-2008-0411.dpatch: fix zseticcspace() to perform range checks
References CVE-2008-0411

squid, 2.6.1-3ubuntu1.7

Ubuntu Installer — Mon, 14 Apr 2008 14:55:48 +0000

squid (2.6.1-3ubuntu1.7)

SECURITY UPDATE: off by one assertion could cause a denial of service
debian/patches/SECURITY_CVE-2008-1612.dpatch: fix arrayShrink() in lib/Array.c to properly check a->capacity

lighttpd, 1.4.13~r1370-1ubuntu1.7

Ubuntu Installer — Thu, 17 Apr 2008 13:55:32 +0000

lighttpd (1.4.13~r1370-1ubuntu1.7)

SECURITY UPDATE: (LP: #209627)
debian/patches/91_CVE-2008-1531.dpatch
- lighttpd 1.4.19 and earlier allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost.
References
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
http://trac.lighttpd.net/trac/changeset/2136
http://trac.lighttpd.net/trac/changeset/2139

poppler, 0.5.4-0ubuntu4.4

Ubuntu Installer — Thu, 17 Apr 2008 15:55:39 +0000

poppler (0.5.4-0ubuntu4.4)

SECURITY UPDATE: arbitrary code execution via malicious embedded fonts.
debian/patches/102_embedded-font-fixes.patch: upstream fix and stronger type-checking added.
References CVE-2008-1693

koffice, 1:1.5.2-0ubuntu2.4

Ubuntu Installer — Thu, 17 Apr 2008 16:00:14 +0000

koffice (1:1.5.2-0ubuntu2.4)

SECURITY UPDATE: arbitrary code execution via malicious embedded fonts.
debian/patches/40_pdf2-embedded-font-fixes.diff: stronger type-checking added.
References CVE-2008-1693

gnumeric, 1.7.0-1ubuntu4.1

Ubuntu Installer — Tue, 22 Apr 2008 00:55:39 +0000

gnumeric (1.7.0-1ubuntu4.1)

SECURITY UPDATE: arbitrary code execution via integer overflow in Excel spreadsheet HLINK processing.
plugins/excel/ms-excel-read.c: backported upstream fixes thanks to Debian, with an additional bugfix.
References CVE-2008-0668

firefox, 2.0.0.14+0nobinonly-0ubuntu0.6.10

Ubuntu Installer — Tue, 22 Apr 2008 01:02:12 +0000

firefox (2.0.0.14+0nobinonly-0ubuntu0.6.10)

New security/stability release (v2.0.0.14)
- see USN-602-1