<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.ubuntu.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Ubuntu - news, usn</title>
 <link>http://www.ubuntu.com/taxonomy/term/1+2/0</link>
 <description>News items, press releases and announcements</description>
 <language>en</language>
<item>
 <title>USN-530-1: hplip vulnerability</title>
 <link>http://www.ubuntu.com/usn/usn-530-1</link>
 <description>&lt;div class=&quot;field field-type-text field-field-referenced-cves&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Referenced CVEs:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;CVE-2007-5208&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-type-text field-field-description&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Description:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;&lt;div class=&quot;usn&quot;&gt;
=========================================================== 
Ubuntu Security Notice USN-530-1           October 12, 2007
hplip vulnerability
CVE-2007-5208
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.10:
  hplip                           1.6.9-0ubuntu2.1

Ubuntu 7.04:
  hplip                           1.7.3-0ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the hpssd tool of hplip did not correctly handle
shell meta-characters.  A local attacker could exploit this to execute
arbitrary commands as the hplip user.
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/2">usn</category>
 <pubDate>Fri, 12 Oct 2007 19:56:35 +0100</pubDate>
 <dc:creator>KeesCook</dc:creator>
 <guid isPermaLink="false">1409 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>Announcing the Release Candidate for Ubuntu 7.10</title>
 <link>http://www.ubuntu.com/news/ubuntu-7.10rc</link>
 <description>&lt;h2&gt;Announcing the Release Candidate for Ubuntu 7.10&lt;/h2&gt;
&lt;p&gt;The Ubuntu team is proud to announce the Release Candidate for version 7.10 of Ubuntu, Kubuntu, Edubuntu, Gobuntu, and Xubuntu codenamed &amp;quot;Gutsy Gibbon&amp;quot;. The Release Candidate includes installable live Desktop CDs, server images, alternate text-mode installation CDs, and an upgrade wizard for users of the current stable release.&lt;/p&gt;
&lt;p&gt;We consider this release candidate to be complete, stable, and suitable for testing by any user.&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.ubuntu.com/news/ubuntu-7.10rc&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/1">news</category>
 <pubDate>Thu, 11 Oct 2007 23:19:25 +0100</pubDate>
 <dc:creator>MatthewNuzum</dc:creator>
 <guid isPermaLink="false">1408 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>USN-529-1: Tk vulnerability</title>
 <link>http://www.ubuntu.com/usn/usn-529-1</link>
 <description>&lt;div class=&quot;field field-type-text field-field-referenced-cves&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Referenced CVEs:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;CVE-2007-5137 CVE-2007-5378&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-type-text field-field-description&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Description:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;&lt;div class=&quot;usn&quot;&gt;
=========================================================== 
Ubuntu Security Notice USN-529-1           October 11, 2007
tk8.3, tk8.4 vulnerability
CVE-2007-5137 CVE-2007-5378
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  tk8.3                           8.3.5-4ubuntu1.1
  tk8.4                           8.4.12-0ubuntu1.1

Ubuntu 6.10:
  tk8.3                           8.3.5-6ubuntu1.1
  tk8.4                           8.4.12-1ubuntu0.1

Ubuntu 7.04:
  tk8.3                           8.3.5-6ubuntu2.1
  tk8.4                           8.4.14-0ubuntu2.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that Tk could be made to overrun a buffer when loading
certain images. If a user were tricked into opening a specially crafted
GIF image, remote attackers could cause a denial of service or execute
arbitrary code with user privileges.
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/2">usn</category>
 <pubDate>Thu, 11 Oct 2007 20:14:52 +0100</pubDate>
 <dc:creator>KeesCook</dc:creator>
 <guid isPermaLink="false">1407 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>USN-528-1: MySQL vulnerabilities</title>
 <link>http://www.ubuntu.com/usn/usn-528-1</link>
 <description>&lt;div class=&quot;field field-type-text field-field-referenced-cves&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Referenced CVEs:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;CVE-2007-2583, CVE-2007-2691, CVE-2007-3780, CVE-2007-3782&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-type-text field-field-description&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Description:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;&lt;div class=&quot;usn&quot;&gt;
=========================================================== 
Ubuntu Security Notice USN-528-1           October 11, 2007
mysql-dfsg-5.0 vulnerabilities
CVE-2007-2583, CVE-2007-2691, CVE-2007-3780, CVE-2007-3782
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mysql-server-5.0                5.0.22-0ubuntu6.06.5

Ubuntu 6.10:
  mysql-server-5.0                5.0.24a-9ubuntu2.1

Ubuntu 7.04:
  mysql-server-5.0                5.0.38-0ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

ATTENTION: A change was made to the init script for mysql.  Now on
start-up, mysql is checked to make sure that the mysql root password is
set. If it is blank, a message is sent to the console and the system
logger alerting that the password is not set, along with instructions
on how to set it. Additionally, you can now use:

  sudo /etc/init.d/mysql reset-password

to set the root mysql user&#039;s password.

Details follow:

Neil Kettle discovered that MySQL could be made to dereference a NULL
pointer and divide by zero.  An authenticated user could exploit this
with a crafted IF clause, leading to a denial of service. (CVE-2007-2583)

Victoria Reznichenko discovered that MySQL did not always require the
DROP privilege.  An authenticated user could exploit this via RENAME
TABLE statements to rename arbitrary tables, possibly gaining additional
database access. (CVE-2007-2691)

It was discovered that MySQL could be made to overflow a signed char
during authentication.  Remote attackers could use crafted authentication
requests to cause a denial of service. (CVE-2007-3780)

Phil Anderton discovered that MySQL did not properly verify access
privileges when accessing external tables.  As a result, authenticated
users could exploit this to obtain UPDATE privileges to external
tables. (CVE-2007-3782)

In certain situations, when installing or upgrading mysql, there was no
notification that the mysql root user password needed to be set.  If the
password was left unset, attackers would be able to obtain unrestricted
access to mysql.  This is now checked during mysql start-up.
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/2">usn</category>
 <pubDate>Thu, 11 Oct 2007 07:24:21 +0100</pubDate>
 <dc:creator>KeesCook</dc:creator>
 <guid isPermaLink="false">1405 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>Canonical Launches Latest Ubuntu Desktop</title>
 <link>http://www.ubuntu.com/news/ubuntu-desktop710</link>
 <description>&lt;h2&gt;&lt;strong&gt;Canonical Launches Latest Ubuntu Desktop&lt;/strong&gt;&lt;/h2&gt;
&lt;p class=&quot;line867&quot;&gt;  &lt;em&gt;Ubuntu 7.10 Adds Enhanced User Interface, Integrated Desktop Search, Plug and Play Printing&lt;/em&gt; &lt;/p&gt;
&lt;p class=&quot;line867&quot;&gt;&lt;strong&gt;LONDON, October 15, 2007&lt;/strong&gt; – Canonical Ltd. today announced the upcoming availability of Ubuntu 7.10 Desktop Edition, further improving the desktop Linux experience. Ubuntu 7.10 will be available for free download on Thursday 18 October. Canonical is the commercial sponsor of Ubuntu. &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.ubuntu.com/news/ubuntu-desktop710&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/1">news</category>
 <pubDate>Wed, 10 Oct 2007 02:57:07 +0100</pubDate>
 <dc:creator>MatthewNuzum</dc:creator>
 <guid isPermaLink="false">1404 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>Canonical Announces Latest Ubuntu Server</title>
 <link>http://www.ubuntu.com/news/ubuntu-server710</link>
 <description>&lt;h2 id=&quot;head-e13136b757dcd1965494b5ab3daf3bde04af2945&quot;&gt;Canonical Announces Latest Ubuntu Server&lt;/h2&gt;
&lt;p class=&quot;line867&quot;&gt;&lt;strong&gt;Ubuntu 7.10 delivers platform for rapid server deployment to developers and businesses&lt;/strong&gt; &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.ubuntu.com/news/ubuntu-server710&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/1">news</category>
 <pubDate>Wed, 10 Oct 2007 02:56:12 +0100</pubDate>
 <dc:creator>MatthewNuzum</dc:creator>
 <guid isPermaLink="false">1403 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>Ubuntu Family Announcement</title>
 <link>http://www.ubuntu.com/news/ubuntu-family710</link>
 <description>&lt;h2&gt;&lt;strong&gt;New Ubuntu 7.10 Variants for KDE Enthusiasts and Educators&lt;/strong&gt;&lt;/h2&gt;
&lt;p class=&quot;line867&quot;&gt;&lt;em&gt;Edubuntu, Kubuntu, Xubuntu Now Include Thin Client Improvements, Preview of KDE 4 Beta&lt;/em&gt; &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.ubuntu.com/news/ubuntu-family710&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/1">news</category>
 <pubDate>Wed, 10 Oct 2007 02:55:07 +0100</pubDate>
 <dc:creator>MatthewNuzum</dc:creator>
 <guid isPermaLink="false">1402 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>Ubuntu 7.10 Released, Delivering the Best of Open Source Software</title>
 <link>http://www.ubuntu.com/news/ubuntu710</link>
 <description>&lt;h3 id=&quot;head-5f4c57ebff019e6005e6ad2d32d71a8388b1b2b5&quot;&gt;Ubuntu 7.10 Released, Delivering the Best of Open Source Software&lt;/h3&gt;
&lt;p class=&quot;line867&quot;&gt;&lt;strong&gt;LONDON, October 15, 2007&lt;/strong&gt; – Canonical Ltd. announced today the upcoming availability of version 7.10 of the Ubuntu Server, Desktop, Kubuntu and Edubuntu Editions. All will be available for free download on Thursday 18 October. Canonical is the commercial sponsor of Ubuntu. &lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.ubuntu.com/news/ubuntu710&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/1">news</category>
 <pubDate>Wed, 10 Oct 2007 02:53:52 +0100</pubDate>
 <dc:creator>MatthewNuzum</dc:creator>
 <guid isPermaLink="false">1401 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>USN-527-1: xen-3.0 vulnerability</title>
 <link>http://www.ubuntu.com/usn/usn-527-1</link>
 <description>&lt;div class=&quot;field field-type-text field-field-referenced-cves&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Referenced CVEs:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;CVE-2007-4993&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-type-text field-field-description&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Description:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;&lt;div class=&quot;usn&quot;&gt;
=========================================================== 
Ubuntu Security Notice USN-527-1           October 05, 2007
xen-3.0 vulnerability
CVE-2007-4993
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  xen-utils-3.0                   3.0.3-0ubuntu10.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Joris van Rantwijk discovered that the Xen host did not correctly validate
the contents of a Xen guest&#039;s grub.conf file.  Xen guest root users could
exploit this to run arbitrary commands on the host when the guest system
was rebooted.
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/2">usn</category>
 <pubDate>Tue, 09 Oct 2007 18:08:05 +0100</pubDate>
 <dc:creator>KeesCook</dc:creator>
 <guid isPermaLink="false">1398 at http://www.ubuntu.com</guid>
</item>
<item>
 <title>USN-526-1: debian-goodies vulnerability</title>
 <link>http://www.ubuntu.com/usn/usn-526-1</link>
 <description>&lt;div class=&quot;field field-type-text field-field-referenced-cves&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Referenced CVEs:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;CVE-2007-3912&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class=&quot;field field-type-text field-field-description&quot;&gt;&lt;div class=&quot;field-label&quot;&gt;Description:&lt;/div&gt;&lt;div class=&quot;field-items&quot;&gt;&lt;div class=&quot;field-item&quot;&gt;&lt;div class=&quot;usn&quot;&gt;
=========================================================== 
Ubuntu Security Notice USN-526-1           October 04, 2007
debian-goodies vulnerability
CVE-2007-3912
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  debian-goodies                  0.23ubuntu0.6.06.1

Ubuntu 6.10:
  debian-goodies                  0.23ubuntu0.6.10.1

Ubuntu 7.04:
  debian-goodies                  0.27ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters.  A local
attacker could exploit this to gain the privileges of the user running
checkrestart.
&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;</description>
 <category domain="http://www.ubuntu.com/taxonomy/term/2">usn</category>
 <pubDate>Fri, 05 Oct 2007 01:17:44 +0100</pubDate>
 <dc:creator>KeesCook</dc:creator>
 <guid isPermaLink="false">1397 at http://www.ubuntu.com</guid>
</item>
</channel>
</rss>
