[ubuntu/karmic-security] php5_5.2.10.dfsg.1-2ubuntu6.10_lpia_translations.tar.gz, php5_5.2.10.dfsg.1-2ubuntu6.10_armel_translations.tar.gz, php5_5.2.10.dfsg.1-2ubuntu6.10_sparc_translations.tar.gz (de

2011-05-04 Thread Ubuntu Installer
php5 (5.2.10.dfsg.1-2ubuntu6.10) karmic-security; urgency=low * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452) Date: Mon, 02 May 2011 09:21:27 -0700 Changed-By: Steve Beattie sbeat...@ubuntu.com Maintainer: Ubuntu

[ubuntu/karmic-security] php5_5.2.10.dfsg.1-2ubuntu6.9_amd64_translations.tar.gz, php5_5.2.10.dfsg.1-2ubuntu6.9_ia64_translations.tar.gz, php5_5.2.10.dfsg.1-2ubuntu6.9_powerpc_translations.tar.gz, php

2011-04-29 Thread Ubuntu Installer
php5 (5.2.10.dfsg.1-2ubuntu6.9) karmic-security; urgency=low * SECURITY UPDATE: arbitrary files removal via cronjob - debian/php5-common.php5.cron.d: take greater care when removing session files. -

[ubuntu/karmic-security] rsync, rsync (delayed) 3.0.6-1ubuntu1.1 (Accepted)

2011-04-27 Thread Ubuntu Installer
rsync (3.0.6-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via malformed data - debian/patches/security-CVE-2011-1097.diff: introduce and use FLAG_OWNED_BY_US in flist.c, generator.c, log.c, rsync.*. -

[ubuntu/karmic-security] pcsc-lite (delayed), pcsc-lite 1.5.3-1ubuntu1.2 (Accepted)

2011-04-27 Thread Ubuntu Installer
pcsc-lite (1.5.3-1ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via long attribute value - src/atrhandler.c: verify against maximum attribute size. - http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html -

[ubuntu/karmic-security] openslp-dfsg_1.2.1-7.5ubuntu0.1_lpia_translations.tar.gz, openslp-dfsg_1.2.1-7.5ubuntu0.1_amd64_translations.tar.gz, openslp-dfsg_1.2.1-7.5ubuntu0.1_armel_translations.tar.gz,

2011-04-20 Thread Ubuntu Installer
openslp-dfsg (1.2.1-7.5ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service via circular reference - common/slp_message.c: detect circular reference. Patch thanks to SUSE. - CVE-2010-3609 Date: Tue, 05 Apr 2011 15:02:25 -0400 Changed-By: Marc Deslauriers

[ubuntu/karmic-security] dhcp3, dhcp3_3.1.2-1ubuntu7.3_sparc_translations.tar.gz (delayed), dhcp3_3.1.2-1ubuntu7.3_ia64_translations.tar.gz, dhcp3_3.1.2-1ubuntu7.3_powerpc_translations.tar.gz, dhcp3_3

2011-04-19 Thread Ubuntu Installer
dhcp3 (3.1.2-1ubuntu7.3) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted hostname - Patch for CVE-2011-0997 was getting reverted during the build because of special quilt handling in debian/rules for the ldap patches. -

[ubuntu/karmic-security] ia32-libs (delayed), ia32-libs 2.7ubuntu17.1 (Accepted)

2011-04-19 Thread Ubuntu Installer
ia32-libs (2.7ubuntu17.1) karmic-security; urgency=low * SECURITY UPDATE: Refresh packages to pull in security fixes, including: - lcms: buffer overflow, CVE-2009-0793 (LP: #700198) - openssl: multiple issues, including CVE-2009-3555, CVE-2009-3245, and CVE-2010-2939 -

[ubuntu/karmic-security] krb5, krb5_1.7dfsg~beta3-1ubuntu0.13_amd64_translations.tar.gz, krb5_1.7dfsg~beta3-1ubuntu0.13_armel_translations.tar.gz, krb5_1.7dfsg~beta3-1ubuntu0.13_powerpc_translations.t

2011-04-19 Thread Ubuntu Installer
krb5 (1.7dfsg~beta3-1ubuntu0.13) karmic-security; urgency=low * SECURITY UPDATE: kadmind denial of service from freeing of uninitialized pointer. - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream. - CVE-2011-0285 - MITKRB5-SA-2011-004 Date: Mon, 18 Apr 2011

[ubuntu/karmic-security] policykit-1_0.94-1ubuntu1.1_lpia_translations.tar.gz, policykit-1_0.94-1ubuntu1.1_amd64_translations.tar.gz, policykit-1_0.94-1ubuntu1.1_sparc_translations.tar.gz (delayed), p

2011-04-19 Thread Ubuntu Installer
policykit-1 (0.94-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: avoid /proc race conditions when checking privileges for pkexec. - 10_fix_proc_race.patch - CVE-2011-1485 Date: Tue, 19 Apr 2011 13:06:21 -0700 Changed-By: Kees Cook k...@ubuntu.com Maintainer: Ubuntu

[ubuntu/karmic-security] postfix_2.6.5-3ubuntu0.1_lpia_translations.tar.gz, postfix_2.6.5-3ubuntu0.1_sparc_translations.tar.gz (delayed), postfix, postfix_2.6.5-3ubuntu0.1_armel_translations.tar.gz, p

2011-04-18 Thread Ubuntu Installer
postfix (2.6.5-3ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: man-in-the-middle via plaintext command injection - src/smtp/smtp_proto.c, src/smtpd/smtpd.c: discard the contents of the stream buffer so there is no pending plaintext. - Origin: backported from

[ubuntu/karmic-security] kdenetwork_4.3.2-0ubuntu4.5_armel_translations.tar.gz, kdenetwork_4.3.2-0ubuntu4.5_sparc_translations.tar.gz (delayed), kdenetwork_4.3.2-0ubuntu4.5_i386_translations.tar.gz, k

2011-04-18 Thread Ubuntu Installer
kdenetwork (4:4.3.2-0ubuntu4.5) karmic-security; urgency=low * SECURITY UPDATE: fix directory traversal in kget - debian/patches/kubuntu_06_CVE-2010-1000b.diff: more input validation due to incomplete fix for CVE-2010-1000 - CVE-2011- - LP: #757526 Date: Fri, 15 Apr 2011

[ubuntu/karmic-security] flashplugin-nonfree, flashplugin-nonfree_10.2.159.1ubuntu0.9.10.1_amd64_translations.tar.gz, flashplugin-nonfree_10.2.159.1ubuntu0.9.10.1_lpia_translations.tar.gz (delayed),

2011-04-16 Thread Ubuntu Installer
flashplugin-nonfree (10.2.159.1ubuntu0.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.159.1 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0611 Date: Sat, 16 Apr 2011 07:38:40 -0400 Changed-By: Marc Deslauriers

[ubuntu/karmic-security] gimp_2.6.7-1ubuntu1.2_sparc_translations.tar.gz (delayed), gimp_2.6.7-1ubuntu1.2_armel_translations.tar.gz, gimp_2.6.7-1ubuntu1.2_ia64_translations.tar.gz, gimp_2.6.7-1ubuntu1

2011-04-13 Thread Ubuntu Installer
gimp (2.6.7-1ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via malformed plugin configuration files - debian/patches/06_security_CVE-2010-454x.patch: fix format strings in plug-ins/{common/sphere-designer,gfig/gfig-style,

[ubuntu/karmic-security] kde4libs, kde4libs_4.3.2-0ubuntu7.3_sparc_translations.tar.gz (delayed), kde4libs_4.3.2-0ubuntu7.3_amd64_translations.tar.gz, kde4libs_4.3.2-0ubuntu7.3_ia64_translations.tar.g

2011-04-13 Thread Ubuntu Installer
kde4libs (4:4.3.2-0ubuntu7.3) karmic-security; urgency=low * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages - debian/patches/security_03_CVE-2011-1168.diff: upstream patch - CVE-2011-1168 - LP: #743669 * SECURITY UPDATE: fix certificate verification for

[ubuntu/karmic-security] ffmpeg-extra, ffmpeg-extra (delayed) 4:0.5+svn20090706-2ubuntu3.1 (Accepted)

2011-04-11 Thread Ubuntu Installer
ffmpeg-extra (4:0.5+svn20090706-2ubuntu3.1) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted flic file - debian/patches/CVE-2010-3429.patch: add checks to libavcodec/flicvideo.c. - CVE-2010-3429 * SECURITY UPDATE: arbitrary code execution via

[ubuntu/karmic-security] dhcp3, dhcp3_3.1.2-1ubuntu7.2_ia64_translations.tar.gz, dhcp3_3.1.2-1ubuntu7.2_armel_translations.tar.gz, dhcp3_3.1.2-1ubuntu7.2_lpia_translations.tar.gz, dhcp3_3.1.2-1ubuntu7

2011-04-11 Thread Ubuntu Installer
dhcp3 (3.1.2-1ubuntu7.2) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted hostname - debian/patches/CVE-2011-0997.dpatch: filter strings in client/dhclient.c, common/options.c. - CVE-2011-0997 Date: Mon, 11 Apr 2011 08:58:41 -0400 Changed-By:

[ubuntu/karmic-security] x11-xserver-utils, x11-xserver-utils (delayed) 7.4+2ubuntu3.1 (Accepted)

2011-04-06 Thread Ubuntu Installer
x11-xserver-utils (7.4+2ubuntu3.1) karmic-security; urgency=low * SECURITY UPDATE: root escalation via rogue hostname (LP: #752315) - xrdb: Create shell-escape-safe cpp options in the non-pathetic-cpp case. -

[ubuntu/karmic-security] tiff (delayed), tiff 3.8.2-13ubuntu0.6 (Accepted)

2011-04-04 Thread Ubuntu Installer
tiff (3.8.2-13ubuntu0.6) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted THUNDER_2BITDELTAS data - debian/patches/CVE-2011-1167.patch: validate bitspersample and make sure npixels is sane in libtiff/tif_thunder.c. - CVE-2011-1167 Date:

[ubuntu/karmic-security] ffmpeg (delayed), ffmpeg 4:0.5+svn20090706-2ubuntu2.3 (Accepted)

2011-04-04 Thread Ubuntu Installer
ffmpeg (4:0.5+svn20090706-2ubuntu2.3) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted flic file - debian/patches/CVE-2010-3429.patch: add checks to libavcodec/flicvideo.c. - CVE-2010-3429 * SECURITY UPDATE: arbitrary code execution via

[ubuntu/karmic-security] openldap_2.4.18-0ubuntu1.2_lpia_translations.tar.gz, openldap_2.4.18-0ubuntu1.2_armel_translations.tar.gz, openldap_2.4.18-0ubuntu1.2_amd64_translations.tar.gz, openldap_2.4.1

2011-03-31 Thread Ubuntu Installer
openldap (2.4.18-0ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: fix successful anonymous bind via chain overlay when using forwarded authentication failures - debian/patches/CVE-2011-1024 - CVE-2011-1024 * SECURITY UPDATE: verify password when authenticating to rootdn

[ubuntu/karmic-security] gdm_2.28.1-0ubuntu2.3_amd64_translations.tar.gz, gdm_2.28.1-0ubuntu2.3_sparc_translations.tar.gz, gdm_2.28.1-0ubuntu2.3_ia64_translations.tar.gz, gdm_2.28.1-0ubuntu2.3_static_

2011-03-30 Thread Ubuntu Installer
gdm (2.28.1-0ubuntu2.3) karmic-security; urgency=low * SECURITY UPDATE: race condition allowing privilege escalation - debian/patches/27_CVE-2011-0727.patch: fix daemon/gdm-session-worker.c to copy files as session user rather than root followed by a subsequent chown. -

[ubuntu/karmic-security] libvirt_0.7.0-1ubuntu13.3_armel_translations.tar.gz, libvirt_0.7.0-1ubuntu13.3_lpia_translations.tar.gz, libvirt, libvirt_0.7.0-1ubuntu13.3_ia64_translations.tar.gz, libvirt_0

2011-03-29 Thread Ubuntu Installer
libvirt (0.7.0-1ubuntu13.3) karmic-security; urgency=low * SECURITY UPDATE: debian/patches/9902-CVE-2011-1146.patch: Add missing checks for read only connections. - CVE-2011-1146 Date: Tue, 15 Mar 2011 16:23:44 -0500 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Ubuntu

[ubuntu/karmic-security] tomcat6, tomcat6 (delayed) 6.0.20-2ubuntu2.4 (Accepted)

2011-03-29 Thread Ubuntu Installer
tomcat6 (6.0.20-2ubuntu2.4) karmic-security; urgency=low * SECURITY UPDATE: directory traversal via incorrect ServletContext attribute (LP: #717396) - debian/patches/0012-CVE-2010-3718.patch: mark as read only in java/org/apache/catalina/core/StandardContext.java. -

[ubuntu/karmic-security] subversion_1.6.5dfsg-1ubuntu1.2_i386_translations.tar.gz, subversion_1.6.5dfsg-1ubuntu1.2_amd64_translations.tar.gz, subversion, subversion_1.6.5dfsg-1ubuntu1.2_powerpc_trans

2011-03-29 Thread Ubuntu Installer
subversion (1.6.5dfsg-1ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: denial of service via request containing lock token - debian/patches/CVE-2011-0715.patch: correctly handle locks being passed when authn isn't enabled in subversion/mod_dav_svn/repos.c,

[ubuntu/karmic-security] quagga_0.99.13-1ubuntu0.2_amd64_translations.tar.gz, quagga_0.99.13-1ubuntu0.2_ia64_translations.tar.gz, quagga_0.99.13-1ubuntu0.2_i386_translations.tar.gz, quagga_0.99.13-1ub

2011-03-29 Thread Ubuntu Installer
quagga (0.99.13-1ubuntu0.2) karmic-security; urgency=low * SECURITY UPDATE: denial of service via malformed extended communities - debian/patches/99_quagga-extcom.dpatch: ignore malformed extended communities in bgpd/bgp_attr.c. - CVE-2010-1674 * SECURITY UPDATE: denial of

[ubuntu/karmic-security] vsftpd_2.2.0-1ubuntu2.1_lpia_translations.tar.gz, vsftpd_2.2.0-1ubuntu2.1_armel_translations.tar.gz, vsftpd_2.2.0-1ubuntu2.1_amd64_translations.tar.gz, vsftpd, vsftpd_2.2.0-1u

2011-03-29 Thread Ubuntu Installer
vsftpd (2.2.0-1ubuntu2.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service via crafted glob expressions - debian/patches/11-CVE-2011-0762.patch: limit number of iterations in access.c, defs.h, ls.*. - CVE-2011-0762 Date: Fri, 25 Mar 2011 14:52:24 -0400

[ubuntu/karmic-security] loggerhead, loggerhead (delayed) 1.17-0ubuntu1.1 (Accepted)

2011-03-25 Thread Ubuntu Installer
loggerhead (1.17-0ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: Cross-site scripting vulnerabilities by crafted branch contents. (LP: #740142) - debian/patches/bug-740142.diff: improve escaping of filenames. - CVE-2011-0728 Date: Thu, 24 Mar 2011 14:01:44 +1100

[ubuntu/karmic-security] flashplugin-nonfree, flashplugin-nonfree_10.2.153.1ubuntu0.9.10.1_amd64_translations.tar.gz, flashplugin-nonfree_10.2.153.1ubuntu0.9.10.1_i386_translations.tar.gz, flashplug

2011-03-23 Thread Ubuntu Installer
flashplugin-nonfree (10.2.153.1ubuntu0.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.153.1 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0609 * debian/postinst: make wget use the proxy defined for apt and decrease

[ubuntu/karmic-security] tiff (delayed), tiff 3.8.2-13ubuntu0.5 (Accepted)

2011-03-14 Thread Ubuntu Installer
tiff (3.8.2-13ubuntu0.5) karmic-security; urgency=low * debian/patches/CVE-2011-0192.patch: update for regression in processing of certain CCITTFAX4 files (LP: #731540). - http://bugzilla.maptools.org/show_bug.cgi?id=2297 Date: Mon, 14 Mar 2011 10:53:22 -0700 Changed-By: Kees Cook

[ubuntu/karmic-security] dtc, dtc_0.29.17-1+lenny1build0.9.10.1_i386_translations.tar.gz (delayed) 0.29.17-1+lenny1build0.9.10.1 (Accepted)

2011-03-10 Thread Ubuntu Installer
dtc (0.29.17-1+lenny1build0.9.10.1) karmic-security; urgency=low * fake sync from Debian dtc (0.29.17-1+lenny1) lenny-security; urgency=low * Fixes: CVE-2011-0434: SQL injection in bw_per_month.php graph * Fixes: CVE-2011-0435: Bandwidth information disclosure in bw_per_month.php

[ubuntu/karmic-security] tiff (delayed), tiff 3.8.2-13ubuntu0.4 (Accepted)

2011-03-07 Thread Ubuntu Installer
tiff (3.8.2-13ubuntu0.4) karmic-security; urgency=low * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite values - debian/patches/CVE-2010-2595.patch: validate values in libtiff/tif_color.c. - CVE-2010-2595 * SECURITY UPDATE: denial of service via

[ubuntu/karmic-security] avahi_0.6.25-1ubuntu5.3_amd64_translations.tar.gz, avahi_0.6.25-1ubuntu5.3_sparc_translations.tar.gz (delayed), avahi_0.6.25-1ubuntu5.3_powerpc_translations.tar.gz, avahi_0.6.

2011-03-07 Thread Ubuntu Installer
avahi (0.6.25-1ubuntu5.3) karmic-security; urgency=low * SECURITY UPDATE: denial of service via NULL packet - debian/patches/CVE-2011-1002.patch: still read corrupt packets from sockets in avahi-core/socket.c. - CVE-2011-1002 Date: Fri, 04 Mar 2011 14:13:34 -0500 Changed-By: Marc

[ubuntu/karmic-security] pango1.0, pango1.0 (delayed) 1.26.0-1ubuntu0.1 (Accepted)

2011-03-02 Thread Ubuntu Installer
pango1.0 (1.26.0-1ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service via crafted font file - debian/patches/20_CVE-2010-0421.patch: initialize memory and properly calculate size in pango/opentype/hb-ot-layout.cc. - CVE-2010-0421 * SECURITY UPDATE:

[ubuntu/karmic-security] clamav_0.95.3+dfsg-1ubuntu0.09.10.4_armel_translations.tar.gz, clamav_0.95.3+dfsg-1ubuntu0.09.10.4_i386_translations.tar.gz, clamav_0.95.3+dfsg-1ubuntu0.09.10.4_amd64_translat

2011-02-28 Thread Ubuntu Installer
clamav (0.95.3+dfsg-1ubuntu0.09.10.4) karmic-security; urgency=low * SECURITY UPDATE: denial of service via double free in vba processing - libclamav/vba_extract.c: set buf to NULL when it gets freed. -

[ubuntu/karmic-security] samba, samba_3.4.0-3ubuntu5.8_amd64_translations.tar.gz, samba_3.4.0-3ubuntu5.8_lpia_translations.tar.gz, samba_3.4.0-3ubuntu5.8_ia64_translations.tar.gz, samba_3.4.0-3ubuntu5

2011-02-28 Thread Ubuntu Installer
samba (2:3.4.0-3ubuntu5.8) karmic-security; urgency=low * SECURITY UPDATE: denial of service via missing range checks on file descriptors - debian/patches/security-CVE-2011-0719.patch: validate miscellaneous file descriptors. - CVE-2011-0719 Date: Wed, 23 Feb 2011 16:21:11

[ubuntu/karmic-security] logwatch, logwatch (delayed) 7.3.6.cvs20090906-1ubuntu1.1 (Accepted)

2011-02-28 Thread Ubuntu Installer
logwatch (7.3.6.cvs20090906-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: privileged code execution via badly named logfiles - scripts/logwatch.pl: encapsulate logfiles in 's and ensure logfile names don't contain '. -

[ubuntu/karmic-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.7-0ubuntu1~9.10.1 (Accepted)

2011-02-28 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.7-0ubuntu1~9.10.1) karmic-security; urgency=low * IcedTea6 1.9.7 release. - SECURITY UPDATE: + S4421494, CVE-2010-4476: infinite loop while parsing double literal. + S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption + S6907662,

[ubuntu/karmic-security] sun-java6_6.24-1build0.9.10.1_amd64_translations.tar.gz, sun-java6_6.24-1build0.9.10.1_lpia_translations.tar.gz (delayed), sun-java6_6.24-1build0.9.10.1_i386_translations.tar.

2011-02-25 Thread Ubuntu Installer
sun-java6 (6.24-1build0.9.10.1) karmic-security; urgency=low * Fake sync from Debian (LP: #716689) * Removed debian/source dir reverting back to 1.0 packaging format as 3.0 (quilt) isn't available prior to Lucid Date: Mon, 21 Feb 2011 15:42:33 -0500 Changed-By: Brian Thomason

[ubuntu/karmic-security] mailman_2.1.12-2ubuntu0.2_armel_translations.tar.gz, mailman_2.1.12-2ubuntu0.2_lpia_translations.tar.gz, mailman, mailman_2.1.12-2ubuntu0.2_amd64_translations.tar.gz, mailman_

2011-02-22 Thread Ubuntu Installer
mailman (1:2.1.12-2ubuntu0.2) karmic-security; urgency=low * SECURITY UPDATE: Cross-Site Scripting vulnerability in confirm.py - debian/patches/80_CVE-2011-0707.patch: properly clean strings in Mailman/Cgi/confirm.py. - CVE-2011-0707 * SECURITY UPDATE: Cross-Site Scripting

[ubuntu/karmic-security] cgiirc, cgiirc (delayed) 0.5.9-3squeeze1build0.9.10.1 (Accepted)

2011-02-18 Thread Ubuntu Installer
cgiirc (0.5.9-3squeeze1build0.9.10.1) karmic-security; urgency=low * fake sync from Debian cgiirc (0.5.9-3squeeze1) stable-security; urgency=high * Non-maintainer upload by The Security Team. * Fixed XSS flaw in handling clients who have Javascript disabled. [CVE-2011-0050] Date:

[ubuntu/karmic-security] spamass-milter, spamass-milter (delayed) 0.3.1-8+lenny2build0.9.10.1 (Accepted)

2011-02-18 Thread Ubuntu Installer
spamass-milter (0.3.1-8+lenny2build0.9.10.1) karmic-security; urgency=low * fake sync from Debian spamass-milter (0.3.1-8+lenny2) stable-security; urgency=low * Fix zombies which were happening with previous patch to fix -x due to lack of a proper call to waitpid(). (closes: #575019)

[ubuntu/karmic-security] python-django_1.1.1-1ubuntu1.2_i386_translations.tar.gz (delayed), python-django 1.1.1-1ubuntu1.2 (Accepted)

2011-02-17 Thread Ubuntu Installer
python-django (1.1.1-1ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: flaw in CSRF handling (LP: #719031) - debian/patches/24_CVE-2011-0696.diff: apply full CSRF validation to all requests, regardless of apparent AJAX origin. This is technically

[ubuntu/karmic-security] telepathy-gabble, telepathy-gabble (delayed) 0.8.7-1ubuntu1.1 (Accepted)

2011-02-17 Thread Ubuntu Installer
telepathy-gabble (0.8.7-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: don't process google:jingleinfo updates from contacts - debian/patches/security-ignore-google-jingleinfo-from-contacts.patch: don't accept jingleinfo except from self or server - CVE-2011-

[ubuntu/karmic-security] shadow_4.1.4.1-1ubuntu2.2_amd64_translations.tar.gz, shadow_4.1.4.1-1ubuntu2.2_armel_translations.tar.gz, shadow_4.1.4.1-1ubuntu2.2_sparc_translations.tar.gz (delayed), shadow

2011-02-15 Thread Ubuntu Installer
shadow (1:4.1.4.1-1ubuntu2.2) karmic-security; urgency=low * SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd. - debian/patches/900_locale_env_sanity: actually set locale environment variables correctly. - debian/patches/901_reject_newline: reject newlines in

[ubuntu/karmic-security] qemu-kvm, qemu-kvm (delayed) 0.11.0-0ubuntu6.4 (Accepted)

2011-02-14 Thread Ubuntu Installer
qemu-kvm (0.11.0-0ubuntu6.4) karmic-security; urgency=low * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit

[ubuntu/karmic-security] krb5, krb5_1.7dfsg~beta3-1ubuntu0.9_lpia_translations.tar.gz, krb5_1.7dfsg~beta3-1ubuntu0.9_sparc_translations.tar.gz (delayed), krb5_1.7dfsg~beta3-1ubuntu0.9_armel_translatio

2011-02-14 Thread Ubuntu Installer
krb5 (1.7dfsg~beta3-1ubuntu0.9) karmic-security; urgency=low * SECURITY UPDATE: kpropd denial of service via invalid network input - src/slave/kpropd.c: don't return on kpropd child exit; applied inline. - CVE-2010-4022 - MITKRB5-SA-2011-001 * SECURITY UPDATE: kdc denial of

[ubuntu/karmic-security] italc_1.0.9.1-0ubuntu16.1_powerpc_translations.tar.gz, italc_1.0.9.1-0ubuntu16.1_sparc_translations.tar.gz (delayed), italc_1.0.9.1-0ubuntu16.1_ia64_translations.tar.gz, italc

2011-02-10 Thread Ubuntu Installer
italc (1:1.0.9.1-0ubuntu16.1) karmic-security; urgency=low * SECURITY UPDATE: private keys potentially reused from liveCD. - debian/italc-client.postinst: re-generate the private and public keys when they match one of the Edubuntu Live DVD ones (LP: #714864) - CVE-2011-0724 Date:

[ubuntu/karmic-security] flashplugin-nonfree, flashplugin-nonfree_10.2.152.27ubuntu0.9.10.1_amd64_translations.tar.gz, flashplugin-nonfree_10.2.152.27ubuntu0.9.10.1_i386_translations.tar.gz, flashplu

2011-02-09 Thread Ubuntu Installer
flashplugin-nonfree (10.2.152.27ubuntu0.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.152.27 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0558 - CVE-2011-0559 - CVE-2011-0560 - CVE-2011-0561 - CVE-2011-0571

[ubuntu/karmic-security] openoffice.org_3.1.1-5ubuntu1.3_powerpc_translations.tar.gz, openoffice.org_3.1.1-5ubuntu1.3_sparc_translations.tar.gz (delayed), openoffice.org, openoffice.org_3.1.1-5ubuntu1

2011-02-02 Thread Ubuntu Installer
openoffice.org (1:3.1.1-5ubuntu1.3) karmic-security; urgency=low * SECURITY UPDATE: multiple OpenOffice.org vulnerabilities. - ooo-build/patches/dev300/SA40775.diff: buffer overflow fixes from upstream, patch thanks to Rene Engelhard (CVE-2010-2935, CVE-2010-2936). -

[ubuntu/karmic-security] subversion_1.6.5dfsg-1ubuntu1.1_i386_translations.tar.gz, subversion_1.6.5dfsg-1ubuntu1.1_powerpc_translations.tar.gz, subversion_1.6.5dfsg-1ubuntu1.1_armel_translations.tar.g

2011-02-01 Thread Ubuntu Installer
subversion (1.6.5dfsg-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: restriction bypass via named repo as a rule scope - debian/patches/CVE-2010-3315.patch: use repo_basename in subversion/mod_dav_svn/authz.c. - CVE-2010-3315 * SECURITY UPDATE: denial of service via

[ubuntu/karmic-security] openjdk-6b18 (delayed), openjdk-6b18 6b18-1.8.5-0ubuntu1~9.10.1 (Accepted)

2011-02-01 Thread Ubuntu Installer
openjdk-6b18 (6b18-1.8.5-0ubuntu1~9.10.1) karmic-security; urgency=low * IcedTea6 1.8.5 release. - CVE-2011-0025: IcedTea jarfile signature verification bypass. Date: Thu, 27 Jan 2011 11:00:24 -0800 Changed-By: Steve Beattie sbeat...@ubuntu.com Maintainer: OpenJDK Team

[ubuntu/karmic-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.5-0ubuntu1~9.10.1 (Accepted)

2011-02-01 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.5-0ubuntu1~9.10.1) karmic-security; urgency=low * IcedTea6 1.9.5 release. - CVE-2011-0025: IcedTea jarfile signature verification bypass. Date: Thu, 27 Jan 2011 11:56:02 -0800 Changed-By: Steve Beattie sbeat...@ubuntu.com Maintainer: OpenJDK Team

[ubuntu/karmic-security] openjdk-6b18 (delayed), openjdk-6b18 6b18-1.8.4-0ubuntu1~9.10.1 (Accepted)

2011-01-26 Thread Ubuntu Installer
openjdk-6b18 (6b18-1.8.4-0ubuntu1~9.10.1) karmic-security; urgency=low * IcedTea6 1.8.4 release. - Fix CVE-2010-4351: IcedTea JNLP SecurityManager bypass. Date: Fri, 07 Jan 2011 11:40:12 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team open...@lists.launchpad.net

[ubuntu/karmic-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.4-0ubuntu1~9.10.1 (Accepted)

2011-01-26 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.4-0ubuntu1~9.10.1) karmic-security; urgency=low * IcedTea6 1.9.4 release. - CVE-2010-4351: IcedTea JNLP SecurityManager bypass. Date: Thu, 06 Jan 2011 23:39:28 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team open...@lists.launchpad.net

[ubuntu/karmic-security] hplip_3.9.8-1ubuntu2.1_ia64_translations.tar.gz, hplip, hplip_3.9.8-1ubuntu2.1_i386_translations.tar.gz, hplip_3.9.8-1ubuntu2.1_amd64_translations.tar.gz, hplip_3.9.8-1ubuntu2

2011-01-25 Thread Ubuntu Installer
hplip (3.9.8-1ubuntu2.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via long SNMP response - debian/patches/CVE-2010-4267.dpatch: validate dLen in io/hpmud/pml.c. - CVE-2010-4267 Date: Mon, 24 Jan 2011 11:26:42 -0500

[ubuntu/karmic-security] tomcat6, tomcat6 (delayed) 6.0.20-2ubuntu2.3 (Accepted)

2011-01-24 Thread Ubuntu Installer
tomcat6 (6.0.20-2ubuntu2.3) karmic-security; urgency=low * SECURITY UPDATE: cross-site scripting in Manager application - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to java/org/apache/catalina/manager/JspHelper.java,

[ubuntu/karmic-security] awstats, awstats (delayed) 6.9~dfsg-1ubuntu3.9.10.1 (Accepted)

2011-01-24 Thread Ubuntu Installer
awstats (6.9~dfsg-1ubuntu3.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: directory traversal via crafted LoadPlugin directory - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin name in wwwroot/cgi-bin/awstats.pl. - CVE-2010-4369 Date: Tue, 11 Jan 2011

[ubuntu/karmic-security] mumble_1.1.8-3ubuntu0.1_amd64_translations.tar.gz, mumble_1.1.8-3ubuntu0.1_ia64_translations.tar.gz, mumble_1.1.8-3ubuntu0.1_lpia_translations.tar.gz, mumble_1.1.8-3ubuntu0.1_

2011-01-21 Thread Ubuntu Installer
mumble (1.1.8-3ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674) - debian/mumble-server.postinst: Set permissions of mumble-server.ini to 0640 and the owner to root:mumble-server. Date: Thu, 20 Jan 2011 13:02:46 +0100

[ubuntu/karmic-security] xpdf, xpdf (delayed) 3.02-1.4ubuntu2.9.10.2 (Accepted)

2011-01-20 Thread Ubuntu Installer
xpdf (3.02-1.4ubuntu2.9.10.2) karmic-security; urgency=low * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference. - cve-2010-3702.dpatch: Patch provided by

[ubuntu/karmic-security] sudo, sudo (delayed) 1.7.0-1ubuntu2.6 (Accepted)

2011-01-20 Thread Ubuntu Installer
sudo (1.7.0-1ubuntu2.6) karmic-security; urgency=low * SECURITY UPDATE: privilege escalation via -g when using group Runas_List - pwutil.c, sudo.h: add user_in_group(), backported from upstream commits 48ca8c2eddf8, 72df368a8a0e and 6ebc55d4716b. This is intended to be used only

[ubuntu/karmic-security] dbus, dbus (delayed) 1.2.16-0ubuntu9.1 (Accepted)

2011-01-18 Thread Ubuntu Installer
dbus (1.2.16-0ubuntu9.1) karmic-security; urgency=low * SECURITY UPDATE: fix DoS with too deeply nested messages - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic message variants. Backported from upstream. - CVE-2010-4352 - LP: #688992 *

[ubuntu/karmic-security] php5_5.2.10.dfsg.1-2ubuntu6.7_sparc_translations.tar.gz (delayed), php5_5.2.10.dfsg.1-2ubuntu6.7_i386_translations.tar.gz, php5_5.2.10.dfsg.1-2ubuntu6.7_ia64_translations.tar.

2011-01-12 Thread Ubuntu Installer
php5 (5.2.10.dfsg.1-2ubuntu6.7) karmic-security; urgency=low * debian/patches/php5-CVE-2010-3436-regression.patch: update main/fopen_wrappers.c to include fix for open_basedir restriction regression (LP: #701896) Date: Wed, 12 Jan 2011 07:51:41 -0800 Changed-By: Steve Beattie

[ubuntu/karmic-security] eglibc_2.10.1-0ubuntu19_armel_translations.tar.gz, eglibc_2.10.1-0ubuntu19_i386_translations.tar.gz, eglibc_2.10.1-0ubuntu19_amd64_translations.tar.gz, eglibc_2.10.1-0ubuntu19

2011-01-11 Thread Ubuntu Installer
eglibc (2.10.1-0ubuntu19) karmic-security; urgency=low * SECURITY UPDATE: setuid iconv users could load arbitrary libraries. - debian/patches/any/dst-expansion-fix.diff: refresh with new proposed solution, avoiding iconv issues. - any/cvs-check-setuid-on-audit.diff: upstream fix

[ubuntu/karmic-security] lcms (delayed), lcms 1.18.dfsg-1ubuntu1.1 (Accepted)

2011-01-11 Thread Ubuntu Installer
lcms (1.18.dfsg-1ubuntu1.1) karmic-security; urgency=low * debian/patches/CVE-2009-0793.dpatch: SECURITY UPDATE: (LP: #700198) - Fix DoS via a crafted image that triggers execution of incorrect code for transformations of monochrome profiles. - CVE-2009-0073 Date: Sat, 08 Jan

[ubuntu/karmic-security] libapache2-mod-fcgid (delayed), libapache2-mod-fcgid 1:2.2-1ubuntu0.9.10.1 (Accepted)

2011-01-09 Thread Ubuntu Installer
libapache2-mod-fcgid (1:2.2-1ubuntu0.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: possible stack buffer overwrite (LP: #698060) - fcgid_bucket.c: patch from upstream - CVE-2010-3872 Date: Thu, 06 Jan 2011 12:57:47 +0100 Changed-By: Felix Geyer debfx-...@fobos.de Maintainer:

[ubuntu/karmic-security] dpkg_1.15.4ubuntu2.3_amd64_translations.tar.gz, dpkg_1.15.4ubuntu2.3_i386_translations.tar.gz, dpkg_1.15.4ubuntu2.3_ia64_translations.tar.gz, dpkg_1.15.4ubuntu2.3_lpia_transla

2011-01-06 Thread Ubuntu Installer
dpkg (1.15.4ubuntu2.3) karmic-security; urgency=low * SECURITY UPDATE: relative directory and symlink following in source pkgs. - scripts/Dpkg/Source/Archive.pm, scripts/Dpkg/Source/Patch.pm, scripts/Dpkg/Source/Package/V2.pm: applied fixes from Raphael Hertzog, thanks to

[ubuntu/karmic-security] apparmor_2.3.1+1403-0ubuntu27.4_ia64_translations.tar.gz, apparmor_2.3.1+1403-0ubuntu27.4_armel_translations.tar.gz, apparmor_2.3.1+1403-0ubuntu27.4_powerpc_translations.tar.g

2011-01-06 Thread Ubuntu Installer
apparmor (2.3.1+1403-0ubuntu27.4) karmic-security; urgency=low * Fix for apparmor_parser not generating correct policy when mixing exec transitions with and without unconfined fallback transitions. - parser/immunix.h, parser/libapparmor_re/regexp.y: adjust dfa match flag table

[ubuntu/karmic-security] python-django_1.1.1-1ubuntu1.1_i386_translations.tar.gz (delayed), python-django 1.1.1-1ubuntu1.1 (Accepted)

2011-01-06 Thread Ubuntu Installer
python-django (1.1.1-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: information leak in admin interface - debian/patches/21_security_admin_infoleak.diff: validate querystring lookup arguments either specify only fields on the model being viewed, or cross relations

[ubuntu/karmic-security] evince_2.28.1-0ubuntu1.3_powerpc_translations.tar.gz, evince_2.28.1-0ubuntu1.3_amd64_translations.tar.gz, evince_2.28.1-0ubuntu1.3_sparc_translations.tar.gz, evince_2.28.1-0ub

2011-01-05 Thread Ubuntu Installer
evince (2.28.1-0ubuntu1.3) karmic-security; urgency=low * SECURITY UPDATE: arbitrary code execution via multiple dvi backend overflows - debian/patches/91_CVE-2010-264x.patch: add bounds checking in backend/dvi/mdvi-lib/{afmparse,dviread,pk,tfmfile,vf}.c. - CVE-2010-2640 -

[ubuntu/karmic-security] git-core_1.6.3.3-2ubuntu0.1_lpia_translations.tar.gz, git-core_1.6.3.3-2ubuntu0.1_powerpc_translations.tar.gz, git-core_1.6.3.3-2ubuntu0.1_armel_translations.tar.gz, git-core_

2011-01-05 Thread Ubuntu Installer
git-core (1:1.6.3.3-2ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: gitweb cross-site scripting vulnerability - debian/diff/0034-gitweb-Introduce-esc_attr...diff: from upstream: gitweb: do not parrot filenames or other arguments given in a request without proper

[ubuntu/karmic-security] camlimages (delayed), camlimages 1:3.0.1-3ubuntu0.1 (Accepted)

2010-12-17 Thread Ubuntu Installer
camlimages (1:3.0.1-3ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: Add a patch to fix integer overflows in tiffread.c - Patch taken from Debian - CVE-2009-3296 Date: Thu, 16 Dec 2010 17:00:40 -0600 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Ubuntu MOTU

[ubuntu/karmic-security] advi (delayed), advi 1.6.0-14ubuntu0.1 (Accepted)

2010-12-17 Thread Ubuntu Installer
advi (1.6.0-14ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: Rebuild and tighten build-depends against camlimages to get fixes for integer overflows. Based on Debian update. - CVE-2009-2295 - CVE-2009-3296 Date: Thu, 16 Dec 2010 17:06:53 -0600 Changed-By: Jamie

[ubuntu/karmic-security] krb5, krb5_1.7dfsg~beta3-1ubuntu0.7_amd64_translations.tar.gz, krb5_1.7dfsg~beta3-1ubuntu0.7_i386_translations.tar.gz, krb5_1.7dfsg~beta3-1ubuntu0.7_armel_translations.tar.gz,

2010-12-09 Thread Ubuntu Installer
krb5 (1.7dfsg~beta3-1ubuntu0.7) karmic-security; urgency=low * SECURITY UPDATE: message forgery and privilege escalation via unacceptable checksums - src/lib/crypto/krb/dk/derive.c, src/lib/crypto/krb/keyed_checksum_types.c, src/lib/gssapi/krb5/util_crypt.c,

[ubuntu/karmic-security] quagga_0.99.13-1ubuntu0.1_i386_translations.tar.gz, quagga_0.99.13-1ubuntu0.1_powerpc_translations.tar.gz, quagga, quagga_0.99.13-1ubuntu0.1_sparc_translations.tar.gz (delayed

2010-12-07 Thread Ubuntu Installer
quagga (0.99.13-1ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via malformed Outbound Route Filtering (ORF) record - debian/patches/91_CVE-2010-2948.dpatch: improve bounds checking in bgpd/bgp_packet.c. -

[ubuntu/karmic-security] openssl_0.9.8g-16ubuntu3.5_powerpc_translations.tar.gz, openssl_0.9.8g-16ubuntu3.5_ia64_translations.tar.gz, openssl_0.9.8g-16ubuntu3.5_sparc_translations.tar.gz (delayed), op

2010-12-07 Thread Ubuntu Installer
openssl (0.9.8g-16ubuntu3.5) karmic-security; urgency=low * SECURITY UPDATE: ciphersuite downgrade vulnerability - ssl/s3_clnt.c, ssl/s3_srvr.c: disable workaround for Netscape cipher suite bug - http://openssl.org/news/secadv_20101202.txt - CVE-2010-4180 Date: Fri, 03 Dec

[ubuntu/karmic-security] bind9_9.6.1.dfsg.P1-3ubuntu0.4_armel_translations.tar.gz, bind9_9.6.1.dfsg.P1-3ubuntu0.4_lpia_translations.tar.gz, bind9_9.6.1.dfsg.P1-3ubuntu0.4_i386_translations.tar.gz, bin

2010-12-01 Thread Ubuntu Installer
bind9 (1:9.6.1.dfsg.P1-3ubuntu0.4) karmic-security; urgency=low * SECURITY UPDATE: denial of service via ncache entry and a rrsig for the same type - lib/dns/rbtdb.c: properly mark existing RRSIG records as stale. - bin/tests/system/resolver/*: added tests. - CVE-2010-3613 *

[ubuntu/karmic-security] openjdk-6, openjdk-6 (delayed) 6b18-1.8.3-0ubuntu1~9.10.1 (Accepted)

2010-11-30 Thread Ubuntu Installer
openjdk-6 (6b18-1.8.3-0ubuntu1~9.10.1) karmic-security; urgency=low * Rebuilt for karmic Date: Mon, 22 Nov 2010 14:46:28 -0500 Changed-By: Marc Deslauriers marc.deslauri...@ubuntu.com Maintainer: OpenJDK Team open...@lists.launchpad.net

[ubuntu/karmic-security] linux-ec2 (delayed), linux-ec2 2.6.31-307.22 (Accepted)

2010-11-29 Thread Ubuntu Installer
linux-ec2 (2.6.31-307.22) karmic-security; urgency=low [ Upstream Kernel Changes ] * Rebased to 2.6.31-22.69 [ Ubuntu: 2.6.31-22.69 ] * SAUCE: AF_ECONET prevent kernel stack overflow - CVE-2010-3848 * SAUCE: AF_ECONET SIOCSIFADDR ioctl does not check privileges -

[ubuntu/karmic-security] linux (delayed), linux 2.6.31-22.69 (Accepted)

2010-11-29 Thread Ubuntu Installer
linux (2.6.31-22.69) karmic-security; urgency=low [ Leann Ogasawara ] * SAUCE: AF_ECONET prevent kernel stack overflow - CVE-2010-3848 * SAUCE: AF_ECONET SIOCSIFADDR ioctl does not check privileges - CVE-2010-3850 * SAUCE: AF_ECONET saddr-cookie prevent NULL pointer dereference

[ubuntu/karmic-security] php-htmlpurifier, php-htmlpurifier (delayed) 3.3.0-1ubuntu0.1 (Accepted)

2010-11-25 Thread Ubuntu Installer
php-htmlpurifier (3.3.0-1ubuntu0.1) karmic-security; urgency=low * SECURITY UPDATE (LP: #582576). * A vulnerability has been reported in HTML Purifier, which can be exploited by malicious people to conduct cross-site scripting attacks. * CVE-2010-2479 Date: Wed, 24 Nov 2010

[ubuntu/karmic-security] apr-util, apr-util (delayed) 1.3.9+dfsg-1ubuntu1.1 (Accepted)

2010-11-25 Thread Ubuntu Installer
apr-util (1.3.9+dfsg-1ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: denial of service via memory leak in apr_brigade_split_line function. - debian/patches/016_CVE-2010-1623.dpatch: properly destroy bucket in buckets/apr_brigade.c. - CVE-2010-1623 Date: Thu, 18

[ubuntu/karmic-security] apache2 (delayed), apache2 2.2.12-1ubuntu2.4 (Accepted)

2010-11-25 Thread Ubuntu Installer
apache2 (2.2.12-1ubuntu2.4) karmic-security; urgency=low * SECURITY UPDATE: denial of service via request that lacks a path in mod_dav. - debian/patches/906_CVE-2010-1452.dpatch: fix path handling in modules/dav/main/util.c. - CVE-2010-1452 Date: Thu, 18 Nov 2010 14:02:43

[ubuntu/karmic-security] flashplugin-nonfree, flashplugin-nonfree_10.1.102.65ubuntu0.9.10.1_amd64_translations.tar.gz, flashplugin-nonfree_10.1.102.65ubuntu0.9.10.1_i386_translations.tar.gz, flashplu

2010-11-18 Thread Ubuntu Installer
flashplugin-nonfree (10.1.102.65ubuntu0.9.10.1) karmic-security; urgency=low * REGRESSION FIX: New upstream release 10.1.102.65 that fixes a regression with a previous security update. - debian/config, debian/postinst: Updated sha256sums and path Date: Thu, 18 Nov 2010 08:34:43 -0500

[ubuntu/karmic-security] mysql-dfsg-5.1_5.1.37-1ubuntu5.5_armel_translations.tar.gz, mysql-dfsg-5.1_5.1.37-1ubuntu5.5_powerpc_translations.tar.gz, mysql-dfsg-5.1_5.1.37-1ubuntu5.5_amd64_translations.t

2010-11-11 Thread Ubuntu Installer
mysql-dfsg-5.1 (5.1.37-1ubuntu5.5) karmic-security; urgency=low * SECURITY UPDATE: denial of service via UPGRADE DATA DIRECTORY NAME command - debian/patches/60_CVE-2010-2008.dpatch: correctly filter prefixes and paths in sql/table.cc, sql/sql_table.cc, sql/mysql_priv.h. Add

[ubuntu/karmic-security] libxml2, libxml2 (delayed) 2.7.5.dfsg-1ubuntu1.2 (Accepted)

2010-11-10 Thread Ubuntu Installer
libxml2 (2.7.5.dfsg-1ubuntu1.2) karmic-security; urgency=low * SECURITY UPDATE: fix invalid memory read by fixing the semantic of XPath axis for namespace/attribute context nodes - http://git.gnome.org/browse/libxml2/patch/?id=91d19754d46acd4a639a8b9e31f50f31c78f8c9c -

[ubuntu/karmic-security] pidgin_2.6.2-1ubuntu7.3_sparc_translations.tar.gz (delayed), pidgin_2.6.2-1ubuntu7.3_i386_translations.tar.gz, pidgin_2.6.2-1ubuntu7.3_amd64_translations.tar.gz, pidgin_2.6.2-

2010-11-04 Thread Ubuntu Installer
pidgin (1:2.6.2-1ubuntu7.3) karmic-security; urgency=low * SECURITY UPDATE: denial of service via custom emoticon - debian/patches/68_CVE-2010-1624.patch: make sure body is valid in libpurple/protocols/msn/slp.c. - CVE-2010-1624 * SECURITY UPDATE: denial of service via base64

[ubuntu/karmic-security] freetype, freetype (delayed) 2.3.9-5ubuntu0.4 (Accepted)

2010-11-04 Thread Ubuntu Installer
freetype (2.3.9-5ubuntu0.4) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via libXft overflow. - debian/patches/CVE-2010-3311.patch: correctly validate position in src/base/ftstream.c. - CVE-2010-3311 * SECURITY

[ubuntu/karmic-security] cups_1.4.1-5ubuntu2.7_ia64_translations.tar.gz, cups_1.4.1-5ubuntu2.7_i386_translations.tar.gz, cups_1.4.1-5ubuntu2.7_amd64_translations.tar.gz, cups_1.4.1-5ubuntu2.7_sparc_tr

2010-11-04 Thread Ubuntu Installer
cups (1.4.1-5ubuntu2.7) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via invalid free - debian/patches/CVE-2010-2941.dpatch: skip over and reserve unused tags in cups/ipp.{c,h}. - CVE-2010-2941 Date: Tue, 02 Nov 2010 11:10:37

[ubuntu/karmic-security] flashplugin-nonfree, flashplugin-nonfree_10.1.102.64ubuntu0.9.10.1_amd64_translations.tar.gz, flashplugin-nonfree_10.1.102.64ubuntu0.9.10.1_i386_translations.tar.gz, flashplu

2010-11-04 Thread Ubuntu Installer
flashplugin-nonfree (10.1.102.64ubuntu0.9.10.1) karmic-security; urgency=low * SECURITY UPDATE: New upstream release 10.1.102.64 (LP: #667887) - debian/config, debian/postinst: Updated sha256sums and path - CVE-2010-3654 Date: Thu, 04 Nov 2010 14:52:46 -0400 Changed-By: Marc

[ubuntu/karmic-security] eglibc_2.10.1-0ubuntu18_ia64_translations.tar.gz, eglibc_2.10.1-0ubuntu18_amd64_translations.tar.gz, eglibc_2.10.1-0ubuntu18_powerpc_translations.tar.gz (delayed), eglibc_2.10

2010-10-22 Thread Ubuntu Installer
eglibc (2.10.1-0ubuntu18) karmic-security; urgency=low * SECURITY UPDATE: root escalation via LD_AUDIT DST expansion. - debian/patches/any/dst-expansion-fix.diff: upstream fixes. - CVE-2010-3847 - debian/patches/any/disable-ld_audit.diff: turn off LD_AUDIT for setuid binaries.

[ubuntu/karmic-security] libvirt_0.7.0-1ubuntu13.2_powerpc_translations.tar.gz, libvirt_0.7.0-1ubuntu13.2_sparc_translations.tar.gz (delayed), libvirt_0.7.0-1ubuntu13.2_ia64_translations.tar.gz, libvi

2010-10-21 Thread Ubuntu Installer
libvirt (0.7.0-1ubuntu13.2) karmic-security; urgency=low * SECURITY UPDATE: force qemu-img backing stores creation to have a defined disk format. - debian/patches/CVE-2010-2239: explicitly set the user defined backing store format when creating a new image - CVE-2010-2239 *

[ubuntu/karmic-security] poppler (delayed), poppler 0.12.0-0ubuntu2.3 (Accepted)

2010-10-19 Thread Ubuntu Installer
poppler (0.12.0-0ubuntu2.3) karmic-security; urgency=low * SECURITY UPDATE: possible arbitrary code execution via malformed PDF - debian/patches/13_security_CVE-2010-3702.patch: properly initialize parser in poppler/Gfx.cc. - CVE-2010-3702 * SECURITY UPDATE: possible arbitrary

[ubuntu/karmic-security] linux-ec2 (delayed), linux-ec2 2.6.31-307.21 (Accepted)

2010-10-19 Thread Ubuntu Installer
linux-ec2 (2.6.31-307.21) karmic-security; urgency=low [ John Johansen ] * Rebased to 2.6.31-22.67 [ Ubuntu: 2.6.31-22.67 ] * Local privilege escalation vulnerability in RDS sockets - CVE-2010-3904 * v4l: disable dangerous buggy compat function - CVE-2010-2963 * mm: Do not

[ubuntu/karmic-security] linux (delayed), linux 2.6.31-22.67 (Accepted)

2010-10-19 Thread Ubuntu Installer
linux (2.6.31-22.67) karmic-security; urgency=low [ Upstream Kernel Changes ] * Local privilege escalation vulnerability in RDS sockets - CVE-2010-3904 * v4l: disable dangerous buggy compat function - CVE-2010-2963 * mm: Do not assume ENOMEM when looking at a split stack vma

[ubuntu/karmic-security] postgresql-8.4_8.4.5-0ubuntu9.10_lpia_translations.tar.gz, postgresql-8.4, postgresql-8.4_8.4.5-0ubuntu9.10_sparc_translations.tar.gz (delayed), postgresql-8.4_8.4.5-0ubuntu9.

2010-10-07 Thread Ubuntu Installer
postgresql-8.4 (8.4.5-0ubuntu9.10) karmic-security; urgency=low * New upstream security/bug fix update: (LP: #655293) - Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl. This change prevents security problems that can be caused by subverting

[ubuntu/karmic-security] openssl_0.9.8g-16ubuntu3.3_i386_translations.tar.gz, openssl_0.9.8g-16ubuntu3.3_ia64_translations.tar.gz, openssl_0.9.8g-16ubuntu3.3_powerpc_translations.tar.gz, openssl_0.9.8

2010-10-07 Thread Ubuntu Installer
openssl (0.9.8g-16ubuntu3.3) karmic-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via unchecked bn_wexpand return values. (LP: #655884) - crypto/bn/{bn_mul,bn_div,bn_gf2m}.c, crypto/ec/ec2_smpl.c, engines/e_ubsec.c: check return values.

[ubuntu/karmic-security] lvm2_2.02.39-0ubuntu11.1_ia64_translations.tar.gz, lvm2_2.02.39-0ubuntu11.1_powerpc_translations.tar.gz, lvm2, lvm2_2.02.39-0ubuntu11.1_amd64_translations.tar.gz, lvm2_2.02.39

2010-10-06 Thread Ubuntu Installer
lvm2 (2.02.39-0ubuntu11.1) karmic-security; urgency=low * SECURITY UPDATE: unprivileged logical volume manipulation with clvmd - debian/patches/CVE-2010-2526.patch: revert to using a pathname-based socket in order to enforce correct permissions. - CVE-2010-2526 Date: Thu, 23 Sep

[ubuntu/karmic-security] mistelix_0.30-0ubuntu1.1_armel_translations.tar.gz, mistelix_0.30-0ubuntu1.1_sparc_translations.tar.gz (delayed), mistelix_0.30-0ubuntu1.1_i386_translations.tar.gz, mistelix_0

2010-10-05 Thread Ubuntu Installer
mistelix (0.30-0ubuntu1.1) karmic-security; urgency=low * SECURITY UPDATE: insecure LD_LIBRARY_PATH redefinition (LP: #651054) - Add debian/patches/insecure-library-loading.patch - Patch based on work by Siegfried-Angel Gevatter Pujals - CVE-2010-3365 Date: Mon, 04 Oct 2010

[ubuntu/karmic-security] xpdf, xpdf (delayed) 3.02-1.4ubuntu2.9.10.1 (Accepted)

2010-10-05 Thread Ubuntu Installer
xpdf (3.02-1.4ubuntu2.9.10.1) karmic-security; urgency=low [ Nicolas Valcárcel Scerpella ] * SECURITY UPDATE: Integer overflow in SplashBitmap::SplashBitmap which might allow remote attackers to execute arbitrary code or an application crash via a crafted PDF document. -

[ubuntu/karmic-security] smbind_0.4.7-3+lenny1build0.9.10.1_i386_translations.tar.gz (delayed), smbind 0.4.7-3+lenny1build0.9.10.1 (Accepted)

2010-10-02 Thread Ubuntu Installer
smbind (0.4.7-3+lenny1build0.9.10.1) karmic-security; urgency=low * fake sync from Debian smbind (0.4.7-3+lenny1) stable-security; urgency=high * Fix sql injection in src/include.php Date: Fri, 01 Oct 2010 17:42:47 -0700 Changed-By: Kees Cook k...@ubuntu.com Maintainer: Giuseppe Iuculano
