[ubuntu/lucid-security] dovecot, dovecot (delayed) 1:1.2.9-1ubuntu6.4 (Accepted)

2011-06-01 Thread Ubuntu Installer
dovecot (1:1.2.9-1ubuntu6.4) lucid-security; urgency=low * SECURITY UPDATE: fix memory corruption when header names included null bytes: - debian/patches/dovecot-CVE-2011-1929.patch: use binary copy rather than a string based copy. - CVE-2011-1929 Date: Tue, 31 May 2011

[ubuntu/lucid-security] pam_1.1.1-2ubuntu5.3_powerpc_translations.tar.gz, pam_1.1.1-2ubuntu5.3_ia64_translations.tar.gz, pam_1.1.1-2ubuntu5.3_armel_translations.tar.gz, pam_1.1.1-2ubuntu5.3_sparc_tran

2011-05-31 Thread Ubuntu Installer
pam (1.1.1-2ubuntu5.3) lucid-security; urgency=low * SECURITY REGRESSION: - debian/patches/security-dropprivs.patch: updated patch to preserve ABI and prevent daemons from needing to be restarted. (LP: #790538) - debian/patches/autoconf.patch: refreshed Date: Tue, 31 May 2011

[ubuntu/lucid-security] bind9_9.7.0.dfsg.P1-1ubuntu0.2_sparc_translations.tar.gz (delayed), bind9_9.7.0.dfsg.P1-1ubuntu0.2_armel_translations.tar.gz, bind9_9.7.0.dfsg.P1-1ubuntu0.2_amd64_translations.

2011-05-30 Thread Ubuntu Installer
bind9 (1:9.7.0.dfsg.P1-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service via multiple trust anchors for a single zone - lib/dns/validator.c: fix arguments to dns_keytable_findnextkeynode(). - Upstream change 2869. - CVE-2010-3762 * SECURITY UPDATE:

[ubuntu/lucid-security] pam_1.1.1-2ubuntu5.2_ia64_translations.tar.gz, pam_1.1.1-2ubuntu5.2_sparc_translations.tar.gz (delayed), pam_1.1.1-2ubuntu5.2_i386_translations.tar.gz, pam_1.1.1-2ubuntu5.2_amd

2011-05-30 Thread Ubuntu Installer
pam (1.1.1-2ubuntu5.2) lucid-security; urgency=low * SECURITY UPDATE: multiple issues with lack of adequate privilege dropping - debian/patches/security-dropprivs.patch: introduce new privilege dropping code in libpam/pam_modutil_priv.c, libpam/Makefile.*,

[ubuntu/lucid-security] eucalyptus_1.6.2-0ubuntu30.5_i386_translations.tar.gz, eucalyptus, eucalyptus_1.6.2-0ubuntu30.5_ia64_translations.tar.gz, eucalyptus_1.6.2-0ubuntu30.5_amd64_translations.tar.gz

2011-05-26 Thread Ubuntu Installer
eucalyptus (1.6.2-0ubuntu30.5) lucid-security; urgency=low * debian/patches/soap-security.patch: SOAP signature replay vulnerability. - add debian/patches/soap-security.patch, thanks to upstream. - CVE-2011-0730 Date: Wed, 11 May 2011 13:11:11 +0100 Changed-By: Dave Walker (Daviey)

[ubuntu/lucid-security] rampart, rampart (delayed) 1.3.0-0ubuntu7.1 (Accepted)

2011-05-26 Thread Ubuntu Installer
rampart (1.3.0-0ubuntu7.1) lucid-security; urgency=low * Add debian/patches/xml-security.patch, thanks to Eucalyptus upstream, to support XML security. Date: Tue, 26 Apr 2011 15:58:23 -0700 Changed-By: Kees Cook k...@ubuntu.com Maintainer: Michael Vogt m...@ubuntu.com

[ubuntu/lucid-security] dbus-glib (delayed), dbus-glib 0.84-1ubuntu0.2 (Accepted)

2011-05-26 Thread Ubuntu Installer
dbus-glib (0.84-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: fix to honor access flag on specified properties - debian/patches/01-CVE-2010-1172.patch: don't allow Set/write calls for readonly properties, or properties not listed in the XML - CVE-2010-1172 - LP:

[ubuntu/lucid-security] modemmanager (delayed), modemmanager 0.3-0ubuntu2.2 (Accepted)

2011-05-26 Thread Ubuntu Installer
modemmanager (0.3-0ubuntu2.2) lucid-security; urgency=low * no change rebuild for dbus-glib update Date: Thu, 26 May 2011 10:50:21 -0500 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Ubuntu Network Manager Team ubuntu-devel-disc...@lists.ubuntu.com

[ubuntu/lucid-security] network-manager_0.8-0ubuntu3.2_sparc_translations.tar.gz (delayed), network-manager_0.8-0ubuntu3.2_armel_translations.tar.gz, network-manager, network-manager_0.8-0ubuntu3.2_am

2011-05-26 Thread Ubuntu Installer
network-manager (0.8-0ubuntu3.2) lucid-security; urgency=low * no change rebuild for dbus-glib update Date: Thu, 26 May 2011 10:49:41 -0500 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Ubuntu Core Dev Team ubuntu-devel-disc...@lists.ubuntu.com

[ubuntu/lucid-security] rdesktop, rdesktop (delayed) 1.6.0-2ubuntu3.1 (Accepted)

2011-05-25 Thread Ubuntu Installer
rdesktop (1.6.0-2ubuntu3.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary file disclosure via directory traversal - debian/patches/81_CVE-2011-1595.dpatch: check path for /.. in disk.c. - CVE-2011-1595 Date: Tue, 24 May 2011 15:04:28 -0400 Changed-By: Marc Deslauriers

[ubuntu/lucid-security] exim4_4.71-3ubuntu1.3_sparc_translations.tar.gz (delayed), exim4_4.71-3ubuntu1.3_armel_translations.tar.gz, exim4, exim4_4.71-3ubuntu1.3_ia64_translations.tar.gz, exim4_4.71-3u

2011-05-25 Thread Ubuntu Installer
exim4 (4.71-3ubuntu1.3) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via DKIM identities - debian/patches/86_CVE-2011-1407.patch: don't use match_isinlist() for simple string list matching in src/receive.c. - CVE-2011-1407 Date: Tue, 24 May 2011

[ubuntu/lucid-security] apr, apr (delayed) 1.3.8-1ubuntu0.3 (Accepted)

2011-05-24 Thread Ubuntu Installer
apr (1.3.8-1ubuntu0.3) lucid-security; urgency=low * SECURITY UPDATE: denial of service in apr_fnmatch exploitable via apache's mod_index - debian/patches/028_fnmatch_CVE-2011-0419.dpatch: rewrite apr_fnmatch to have better time bounds on execution. - CVE-2011-0419 -

[ubuntu/lucid-security] mahara, mahara_1.2.4-1ubuntu0.3_i386_translations.tar.gz (delayed) 1.2.4-1ubuntu0.3 (Accepted)

2011-05-18 Thread Ubuntu Installer
mahara (1.2.4-1ubuntu0.3) lucid-security; urgency=low * SECURITY UPDATE: fixes to session key validation (CSRF) - debian/patches/CVE-2011-1403.patch: upstream patch * SECURITY UPDATE: privilege escalations - debian/patches/CVE-2011-1402.patch: upstream patch * SECURITY UPDATE:

[ubuntu/lucid-security] flashplugin-nonfree, flashplugin-nonfree_10.3.181.14ubuntu0.10.04.1_amd64_translations.tar.gz, flashplugin-nonfree_10.3.181.14ubuntu0.10.04.1_i386_translations.tar.gz (delayed)

2011-05-16 Thread Ubuntu Installer
flashplugin-nonfree (10.3.181.14ubuntu0.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: New upstream release 10.3.181.14 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0579 - CVE-2011-0618 - CVE-2011-0619 - CVE-2011-0620 - CVE-2011-0621

[ubuntu/lucid-security] apturl, apturl_0.4.1ubuntu4.1_i386_translations.tar.gz (delayed) 0.4.1ubuntu4.1 (Accepted)

2011-05-16 Thread Ubuntu Installer
apturl (0.4.1ubuntu4.1) lucid-security; urgency=low * SECURITY UPDATE: denial of service via long apt URL (LP: #783594) - check URL for length and shorten it for error dialog in AptUrl/AptUrl.py, AptUrl/Parser.py, tests/apturlparse.py. - Patch thanks to Michael Vogt - CVE

[ubuntu/lucid-security] postfix_2.7.0-1ubuntu0.2_sparc_translations.tar.gz (delayed), postfix_2.7.0-1ubuntu0.2_armel_translations.tar.gz, postfix, postfix_2.7.0-1ubuntu0.2_i386_translations.tar.gz, po

2011-05-11 Thread Ubuntu Installer
postfix (2.7.0-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: SASL memory corruption - src/smtpd/smtpd_sasl_proto.c: don't reuse the SASL handle after auth failure. - Origin: backported from postfix-2.7-patch04.gz - CVE-2011-1720 Date: Tue, 10 May 2011 08:37:13

[ubuntu/lucid-security] exim4_4.71-3ubuntu1.2_amd64_translations.tar.gz, exim4_4.71-3ubuntu1.2_sparc_translations.tar.gz (delayed), exim4, exim4_4.71-3ubuntu1.2_armel_translations.tar.gz, exim4_4.71-3

2011-05-10 Thread Ubuntu Installer
exim4 (4.71-3ubuntu1.2) lucid-security; urgency=low * SECURITY UPDATE: format string vulnerability (LP: #779391) - debian/patches/85_CVE-2011-1764.patch: patch from upstream - CVE-2011-1764 Date: Sun, 08 May 2011 15:31:05 +0200 Changed-By: Felix Geyer debfx-...@fobos.de Maintainer:

[ubuntu/lucid-security] loop-aes-utils_2.15.1~rc1-2ubuntu1.1_ia64_translations.tar.gz, loop-aes-utils_2.15.1~rc1-2ubuntu1.1_sparc_translations.tar.gz (delayed), loop-aes-utils_2.15.1~rc1-2ubuntu1.1_i3

2011-05-05 Thread Ubuntu Installer
loop-aes-utils (2.15.1~rc1-2ubuntu1.1) lucid-security; urgency=low * debian/patches/30no-canonicalize.dpatch: Backport mount/umount --no-canonicalize option from util-linux (LP: #727220). Patch from Colin Watson. * debian/patches/31umount-fake.dpatch: Backport umount --fake option

[ubuntu/lucid-security] php5_5.3.2-1ubuntu4.9_armel_translations.tar.gz, php5_5.3.2-1ubuntu4.9_sparc_translations.tar.gz (delayed), php5_5.3.2-1ubuntu4.9_i386_translations.tar.gz, php5_5.3.2-1ubuntu4.

2011-05-04 Thread Ubuntu Installer
php5 (5.3.2-1ubuntu4.9) lucid-security; urgency=low * debian/patches/php5-pear-CVE-2011-1144-regression.patch: fix mkdir parenthesis issue and PEAR::raiseErro typo (LP: #774452) Date: Mon, 02 May 2011 09:21:53 -0700 Changed-By: Steve Beattie sbeat...@ubuntu.com Maintainer: Ubuntu

[ubuntu/lucid-security] perl (delayed), perl 5.10.1-8ubuntu2.1 (Accepted)

2011-05-03 Thread Ubuntu Installer
perl (5.10.1-8ubuntu2.1) lucid-security; urgency=low * SECURITY UPDATE: multiple intended restriction bypasses in Safe.pm - debian/patches/debian/CVE-2010-1168.diff: update Safe.pm to version 2.29 to fix multiple issues. - CVE-2010-1168 - CVE-2010-1447 * SECURITY UPDATE:

[ubuntu/lucid-security] usb-creator_0.2.22.3_i386_translations.tar.gz (delayed), usb-creator 0.2.22.3 (Accepted)

2011-05-02 Thread Ubuntu Installer
] * Guard UnmountFile with PolicyKit (LP: #771553). Date: Fri, 29 Apr 2011 13:15:02 -0400 Changed-By: Marc Deslauriers marc.deslauri...@ubuntu.com Maintainer: Ubuntu Installer Team ubuntu-instal...@lists.ubuntu.com https://launchpad.net/ubuntu/lucid/+source/usb-creator/0.2.22.3 Format: 1.8 Date

[ubuntu/lucid-security] vino_2.28.2-0ubuntu2.1_sparc_translations.tar.gz (delayed), vino, vino_2.28.2-0ubuntu2.1_powerpc_translations.tar.gz, vino_2.28.2-0ubuntu2.1_armel_translations.tar.gz, vino_2.2

2011-05-02 Thread Ubuntu Installer
vino (2.28.2-0ubuntu2.1) lucid-security; urgency=low * SECURITY UPDATE: denial of service or possible code execution via crafted framebuffer update request - debian/patches/04_CVE-2011-090x.patch: validate update rectangle in server/libvncserver/rfbserver.c. - CVE-2011-0904

[ubuntu/lucid-security] php5_5.3.2-1ubuntu4.8_amd64_translations.tar.gz, php5_5.3.2-1ubuntu4.8_i386_translations.tar.gz, php5_5.3.2-1ubuntu4.8_powerpc_translations.tar.gz, php5_5.3.2-1ubuntu4.8_armel_

2011-04-29 Thread Ubuntu Installer
php5 (5.3.2-1ubuntu4.8) lucid-security; urgency=low * SECURITY UPDATE: arbitrary files removal via cronjob - debian/php5-common.php5.cron.d: take greater care when removing session files. -

[ubuntu/lucid-security] rsync, rsync (delayed) 3.0.7-1ubuntu1.1 (Accepted)

2011-04-27 Thread Ubuntu Installer
rsync (3.0.7-1ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via malformed data - debian/patches/security-CVE-2011-1097.diff: introduce and use FLAG_OWNED_BY_US in flist.c, generator.c, log.c, rsync.*. -

[ubuntu/lucid-security] pcsc-lite (delayed), pcsc-lite 1.5.3-1ubuntu4.2 (Accepted)

2011-04-27 Thread Ubuntu Installer
pcsc-lite (1.5.3-1ubuntu4.2) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via long attribute value - src/atrhandler.c: verify against maximum attribute size. - http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html -

[ubuntu/lucid-security] tiff (delayed), tiff 3.9.2-2ubuntu0.7 (Accepted)

2011-04-21 Thread Ubuntu Installer
tiff (3.9.2-2ubuntu0.7) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via malformed JPEG - debian/patches/CVE-2009-5022.patch: check width in libtiff/tif_ojpeg.c. - CVE-2009-5022 Date: Wed, 20 Apr 2011 13:06:34 -0400 Changed-By: Marc Deslauriers

[ubuntu/lucid-security] openslp-dfsg_1.2.1-7.6ubuntu0.1_i386_translations.tar.gz, openslp-dfsg_1.2.1-7.6ubuntu0.1_sparc_translations.tar.gz (delayed), openslp-dfsg_1.2.1-7.6ubuntu0.1_armel_translation

2011-04-20 Thread Ubuntu Installer
openslp-dfsg (1.2.1-7.6ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: denial of service via circular reference - debian/patches/CVE-2010-3609.patch: detect circular reference in common/slp_message.c. Patch thanks to SUSE. - CVE-2010-3609 * debian/rules: add

[ubuntu/lucid-security] dhcp3_3.1.3-2ubuntu3.2_ia64_translations.tar.gz, dhcp3, dhcp3_3.1.3-2ubuntu3.2_armel_translations.tar.gz, dhcp3_3.1.3-2ubuntu3.2_sparc_translations.tar.gz (delayed), dhcp3_3.1.

2011-04-19 Thread Ubuntu Installer
dhcp3 (3.1.3-2ubuntu3.2) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted hostname - Patch for CVE-2011-0997 was getting reverted during the build because of special quilt handling in debian/rules for the ldap patches. -

[ubuntu/lucid-security] ia32-libs (delayed), ia32-libs 2.7ubuntu26.1 (Accepted)

2011-04-19 Thread Ubuntu Installer
ia32-libs (2.7ubuntu26.1) lucid-security; urgency=low * SECURITY UPDATE: Refresh packages to pull in security fixes, including: - lcms buffer overflow, CVE-2009-0793 (LP: #700198) - openssl: multiple issues, including CVE-2009-3555, CVE-2009-3245, and CVE-2010-2939 -

[ubuntu/lucid-security] krb5, krb5_1.8.1+dfsg-2ubuntu0.9_armel_translations.tar.gz, krb5_1.8.1+dfsg-2ubuntu0.9_sparc_translations.tar.gz (delayed), krb5_1.8.1+dfsg-2ubuntu0.9_amd64_translations.tar.gz

2011-04-19 Thread Ubuntu Installer
krb5 (1.8.1+dfsg-2ubuntu0.9) lucid-security; urgency=low * SECURITY UPDATE: kadmind denial of service from freeing of uninitialized pointer. - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream. - CVE-2011-0285 - MITKRB5-SA-2011-004 Date: Mon, 18 Apr 2011 15:40:24

[ubuntu/lucid-security] policykit-1_0.96-2ubuntu0.1_powerpc_translations.tar.gz, policykit-1_0.96-2ubuntu0.1_ia64_translations.tar.gz, policykit-1_0.96-2ubuntu0.1_sparc_translations.tar.gz (delayed),

2011-04-19 Thread Ubuntu Installer
policykit-1 (0.96-2ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: avoid /proc race conditions when checking privileges for pkexec. - 10_fix_proc_race.patch - CVE-2011-1485 Date: Tue, 19 Apr 2011 12:38:05 -0700 Changed-By: Kees Cook k...@ubuntu.com Maintainer: Ubuntu

[ubuntu/lucid-security] postfix_2.7.0-1ubuntu0.1_sparc_translations.tar.gz (delayed), postfix, postfix_2.7.0-1ubuntu0.1_amd64_translations.tar.gz, postfix_2.7.0-1ubuntu0.1_i386_translations.tar.gz, po

2011-04-18 Thread Ubuntu Installer
postfix (2.7.0-1ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: man-in-the-middle via plaintext command injection - src/smtp/smtp_proto.c, src/smtpd/smtpd.c: discard the contents of the stream buffer so there is no pending plaintext. - Origin: backported from

[ubuntu/lucid-security] kdepimlibs_4.4.5-0ubuntu1.1_powerpc_translations.tar.gz, kdepimlibs_4.4.5-0ubuntu1.1_amd64_translations.tar.gz, kdepimlibs_4.4.5-0ubuntu1.1_sparc_translations.tar.gz (delayed),

2011-04-18 Thread Ubuntu Installer
kdepimlibs (4:4.4.5-0ubuntu1.1) lucid-security; urgency=low * no change rebuild for kdenetwork security update Date: Fri, 15 Apr 2011 09:21:38 -0500 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Kubuntu Developers kubuntu-de...@lists.ubuntu.com

[ubuntu/lucid-security] kdenetwork_4.4.5-0ubuntu1.1_sparc_translations.tar.gz (delayed), kdenetwork_4.4.5-0ubuntu1.1_armel_translations.tar.gz, kdenetwork_4.4.5-0ubuntu1.1_i386_translations.tar.gz, kd

2011-04-18 Thread Ubuntu Installer
kdenetwork (4:4.4.5-0ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: file name directory traversal attack (LP: #757526) - Add debian/patches/kubuntu_06_kget_metalinker.diff: check if the filename is well formed, without traversal opportunities - CVE-2011- (an

[ubuntu/lucid-security] flashplugin-nonfree, flashplugin-nonfree_10.2.159.1ubuntu0.10.04.1_amd64_translations.tar.gz, flashplugin-nonfree_10.2.159.1ubuntu0.10.04.1_i386_translations.tar.gz (delayed) 1

2011-04-16 Thread Ubuntu Installer
flashplugin-nonfree (10.2.159.1ubuntu0.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.159.1 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0611 Date: Sat, 16 Apr 2011 07:37:05 -0400 Changed-By: Marc Deslauriers

[ubuntu/lucid-security] vlc, vlc_1.0.6-1ubuntu1.6_i386_translations.tar.gz, vlc_1.0.6-1ubuntu1.6_sparc_translations.tar.gz (delayed), vlc_1.0.6-1ubuntu1.6_ia64_translations.tar.gz, vlc_1.0.6-1ubuntu1.

2011-04-14 Thread Ubuntu Installer
vlc (1.0.6-1ubuntu1.6) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted width - debian/patches/CVE-2010-327x.patch: limit video size to 8192x8192 in src/video_output/video_output.c. - CVE-2010-3275 - CVE-2010-3276 * SECURITY UPDATE:

[ubuntu/lucid-security] kde4libs_4.4.5-0ubuntu1.1_armel_translations.tar.gz, kde4libs, kde4libs_4.4.5-0ubuntu1.1_amd64_translations.tar.gz, kde4libs_4.4.5-0ubuntu1.1_i386_translations.tar.gz, kde4libs

2011-04-13 Thread Ubuntu Installer
kde4libs (4:4.4.5-0ubuntu1.1) lucid-security; urgency=low [ Felix Geyer ] * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages - debian/patches/security_02_CVE-2011-1168.diff: upstream patch - CVE-2011-1168 - LP: #743669 [ Jamie Strandboge ] * SECURITY UPDATE:

[ubuntu/lucid-security] dhcp3_3.1.3-2ubuntu3.1_amd64_translations.tar.gz, dhcp3, dhcp3_3.1.3-2ubuntu3.1_sparc_translations.tar.gz (delayed), dhcp3_3.1.3-2ubuntu3.1_i386_translations.tar.gz, dhcp3_3.1.

2011-04-11 Thread Ubuntu Installer
dhcp3 (3.1.3-2ubuntu3.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted hostname - debian/patches/CVE-2011-0997.dpatch: filter strings in client/dhclient.c, common/options.c. - CVE-2011-0997 Date: Mon, 11 Apr 2011 08:57:21 -0400 Changed-By:

[ubuntu/lucid-security] mahara_1.2.4-1ubuntu0.2_i386_translations.tar.gz (delayed), mahara 1.2.4-1ubuntu0.2 (Accepted)

2011-04-08 Thread Ubuntu Installer
mahara (1.2.4-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: cross-site scripting vulnerability - debian/patches/CVE-2011-0439.dpatch: upstream patch - CVE-2011-0439 - LP: #676336 * SECURITY UPDATE: possible cross-site request forgery (deleting blogs) -

[ubuntu/lucid-security] ffmpeg-extra, ffmpeg-extra (delayed) 4:0.5.1-1ubuntu1.1 (Accepted)

2011-04-06 Thread Ubuntu Installer
ffmpeg-extra (4:0.5.1-1ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted flic file - debian/patches/CVE-2010-3429.patch: add checks to libavcodec/flicvideo.c. - CVE-2010-3429 * SECURITY UPDATE: arbitrary code execution via crafted wmv

[ubuntu/lucid-security] x11-xserver-utils, x11-xserver-utils (delayed) 7.5+1ubuntu2.1 (Accepted)

2011-04-06 Thread Ubuntu Installer
x11-xserver-utils (7.5+1ubuntu2.1) lucid-security; urgency=low * SECURITY UPDATE: root escalation via rogue hostname (LP: #752315) - xrdb: Create shell-escape-safe cpp options in the non-pathetic-cpp case. -

[ubuntu/lucid-security] tiff (delayed), tiff 3.9.2-2ubuntu0.6 (Accepted)

2011-04-04 Thread Ubuntu Installer
tiff (3.9.2-2ubuntu0.6) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted THUNDER_2BITDELTAS data - debian/patches/CVE-2011-1167.patch: validate bitspersample and make sure npixels is sane in libtiff/tif_thunder.c. - CVE-2011-1167 Date: Wed,

[ubuntu/lucid-security] ffmpeg (delayed), ffmpeg 4:0.5.1-1ubuntu1.1 (Accepted)

2011-04-04 Thread Ubuntu Installer
ffmpeg (4:0.5.1-1ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted flic file - debian/patches/CVE-2010-3429.patch: add checks to libavcodec/flicvideo.c. - CVE-2010-3429 * SECURITY UPDATE: arbitrary code execution via crafted wmv file

[ubuntu/lucid-security] tex-common_2.06ubuntu0.1_i386_translations.tar.gz (delayed), tex-common 2.06ubuntu0.1 (Accepted)

2011-04-04 Thread Ubuntu Installer
tex-common (2.06ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via crafted TeX document - conf/texmf.d/95NonPath.cnf: disable shell_escape completely as in Debian 2.08.1 version. - CVE-2011-1400 Date: Fri, 01 Apr 2011 10:11:00 -0400 Changed-By:

[ubuntu/lucid-security] openldap_2.4.21-0ubuntu5.4_powerpc_translations.tar.gz, openldap_2.4.21-0ubuntu5.4_amd64_translations.tar.gz, openldap_2.4.21-0ubuntu5.4_sparc_translations.tar.gz (delayed), op

2011-03-31 Thread Ubuntu Installer
openldap (2.4.21-0ubuntu5.4) lucid-security; urgency=low * SECURITY UPDATE: fix successful anonymous bind via chain overlay when using forwarded authentication failures - debian/patches/CVE-2011-1024 - CVE-2011-1024 * SECURITY UPDATE: verify password when authenticating to rootdn

[ubuntu/lucid-security] gdm_2.30.2.is.2.30.0-0ubuntu5.1_amd64_translations.tar.gz, gdm_2.30.2.is.2.30.0-0ubuntu5.1_ia64_translations.tar.gz, gdm_2.30.2.is.2.30.0-0ubuntu5.1_powerpc_translations.tar.gz

2011-03-30 Thread Ubuntu Installer
gdm (2.30.2.is.2.30.0-0ubuntu5.1) lucid-security; urgency=low * SECURITY UPDATE: race condition allowing privilege escalation - debian/patches/34_CVE-2011-0727.patch: fix daemon/gdm-session-worker.c to copy files as session user rather than root followed by a subsequent chown.

[ubuntu/lucid-security] libvirt, libvirt_0.7.5-5ubuntu27.9_amd64_translations.tar.gz, libvirt_0.7.5-5ubuntu27.9_ia64_translations.tar.gz, libvirt_0.7.5-5ubuntu27.9_i386_translations.tar.gz, libvirt_0.

2011-03-29 Thread Ubuntu Installer
libvirt (0.7.5-5ubuntu27.9) lucid-security; urgency=low * SECURITY UPDATE: debian/patches/9904-CVE-2011-1146.patch: Add missing checks for read only connections. - CVE-2011-1146 Date: Tue, 15 Mar 2011 16:21:40 -0500 Changed-By: Jamie Strandboge ja...@ubuntu.com Maintainer: Ubuntu

[ubuntu/lucid-security] tomcat6, tomcat6 (delayed) 6.0.24-2ubuntu1.7 (Accepted)

2011-03-29 Thread Ubuntu Installer
tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low * SECURITY UPDATE: directory traversal via incorrect ServletContext attribute (LP: #717396) - debian/patches/0012-CVE-2010-3718.patch: mark as read only in java/org/apache/catalina/core/StandardContext.java. -

[ubuntu/lucid-security] subversion_1.6.6dfsg-2ubuntu1.2_powerpc_translations.tar.gz, subversion_1.6.6dfsg-2ubuntu1.2_sparc_translations.tar.gz (delayed), subversion, subversion_1.6.6dfsg-2ubuntu1.2_ar

2011-03-29 Thread Ubuntu Installer
subversion (1.6.6dfsg-2ubuntu1.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service via request containing lock token - debian/patches/CVE-2011-0715.patch: correctly handle locks being passed when authn isn't enabled in subversion/mod_dav_svn/repos.c,

[ubuntu/lucid-security] quagga_0.99.15-1ubuntu0.2_ia64_translations.tar.gz, quagga_0.99.15-1ubuntu0.2_amd64_translations.tar.gz, quagga, quagga_0.99.15-1ubuntu0.2_sparc_translations.tar.gz (delayed),

2011-03-29 Thread Ubuntu Installer
quagga (0.99.15-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service via malformed extended communities - debian/patches/99_quagga-extcom.dpatch: ignore malformed extended communities in bgpd/bgp_attr.c. - CVE-2010-1674 * SECURITY UPDATE: denial of

[ubuntu/lucid-security] loggerhead, loggerhead (delayed) 1.17+bzr400-1ubuntu0.1 (Accepted)

2011-03-25 Thread Ubuntu Installer
loggerhead (1.17+bzr400-1ubuntu0.1) lucid-security; urgency=low * SECURITY UPDATE: Cross-site scripting vulnerabilities by crafted branch contents. (LP: #740142) - debian/patches/bug-740142.diff: improve escaping of filenames. - CVE-2011-0728 Date: Thu, 24 Mar 2011 13:39:43 +1100

[ubuntu/lucid-security] flashplugin-nonfree, flashplugin-nonfree_10.2.153.1ubuntu0.10.04.1_amd64_translations.tar.gz, flashplugin-nonfree_10.2.153.1ubuntu0.10.04.1_i386_translations.tar.gz (delayed) 1

2011-03-23 Thread Ubuntu Installer
flashplugin-nonfree (10.2.153.1ubuntu0.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.153.1 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0609 * debian/postinst: make wget use the proxy defined for apt and decrease

[ubuntu/lucid-security] krb5, krb5_1.8.1+dfsg-2ubuntu0.8_ia64_translations.tar.gz, krb5_1.8.1+dfsg-2ubuntu0.8_i386_translations.tar.gz, krb5_1.8.1+dfsg-2ubuntu0.8_amd64_translations.tar.gz, krb5_1.8.1

2011-03-15 Thread Ubuntu Installer
krb5 (1.8.1+dfsg-2ubuntu0.8) lucid-security; urgency=low * SECURITY UPDATE: kdc denial of service due to double-free if PKINIT capability is used. - src/kdc/do_as_req.c: clear fields on allocation; applied inline, thanks to upstream - CVE-2011-0284 - MITKRB5-SA-2011-003

[ubuntu/lucid-security] kvirc_4.0.0~svn3900+rc2-1ubuntu0.2_amd64_translations.tar.gz, kvirc, kvirc_4.0.0~svn3900+rc2-1ubuntu0.2_sparc_translations.tar.gz (delayed), kvirc_4.0.0~svn3900+rc2-1ubuntu0.2

2011-03-15 Thread Ubuntu Installer
kvirc (4:4.0.0~svn3900+rc2-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: The IRC Protocol component in KVIrc 3.x and 4.x before r4693 does not properly handle \ (backslash) characters, which allows remote authenticated users to execute arbitrary CTCP commands via vectors

[ubuntu/lucid-security] tiff (delayed), tiff 3.9.2-2ubuntu0.5 (Accepted)

2011-03-14 Thread Ubuntu Installer
tiff (3.9.2-2ubuntu0.5) lucid-security; urgency=low * debian/patches/CVE-2011-0192.patch: update for regression in processing of certain CCITTFAX4 files (LP: #731540). - http://bugzilla.maptools.org/show_bug.cgi?id=2297 Date: Mon, 14 Mar 2011 10:47:02 -0700 Changed-By: Kees Cook

[ubuntu/lucid-security] tiff (delayed), tiff 3.9.2-2ubuntu0.4 (Accepted)

2011-03-07 Thread Ubuntu Installer
tiff (3.9.2-2ubuntu0.4) lucid-security; urgency=low * SECURITY UPDATE: denial of service via invalid td_stripbytecount field (LP: #597246) - debian/patches/CVE-2010-2482.patch: look for missing strip byte counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c. - CVE-2010-2482 *

[ubuntu/lucid-security] avahi_0.6.25-1ubuntu6.2_amd64_translations.tar.gz, avahi_0.6.25-1ubuntu6.2_i386_translations.tar.gz, avahi_0.6.25-1ubuntu6.2_sparc_translations.tar.gz (delayed), avahi_0.6.25-1

2011-03-07 Thread Ubuntu Installer
avahi (0.6.25-1ubuntu6.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service via NULL packet - debian/patches/CVE-2011-1002.patch: still read corrupt packets from sockets in avahi-core/socket.c. - CVE-2011-1002 Date: Fri, 04 Mar 2011 14:11:47 -0500 Changed-By: Marc

[ubuntu/lucid-security] pango1.0, pango1.0 (delayed) 1.28.0-0ubuntu2.2 (Accepted)

2011-03-02 Thread Ubuntu Installer
pango1.0 (1.28.0-0ubuntu2.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service and possible code execution via crafted font file (LP: #696616) - debian/patches/20_CVE-2011-0020.patch: check for overflow in pango/pangoft2-render.c. - CVE-2011-0020 * SECURITY

[ubuntu/lucid-security] fuse, fuse (delayed) 2.8.1-1.1ubuntu3.1 (Accepted)

2011-02-28 Thread Ubuntu Installer
fuse (2.8.1-1.1ubuntu3.1) lucid-security; urgency=low * SECURITY UPDATE: arbitrary unprivileged unmount - debian/patches/CVE-2011-0541.dpatch: don't follow symlinks when unmounting in case of a failed mtab update in util/fusermount.c. - debian/patches/CVE-2011-0542.dpatch: chdir

[ubuntu/lucid-security] clamav_0.96.5+dfsg-1ubuntu1.10.04.2_amd64_translations.tar.gz, clamav_0.96.5+dfsg-1ubuntu1.10.04.2_powerpc_translations.tar.gz, clamav, clamav_0.96.5+dfsg-1ubuntu1.10.04.2_ia64

2011-02-28 Thread Ubuntu Installer
clamav (0.96.5+dfsg-1ubuntu1.10.04.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service via double free in vba processing - libclamav/vba_extract.c: set buf to NULL when it gets freed. -

[ubuntu/lucid-security] samba_3.4.7~dfsg-1ubuntu3.4_ia64_translations.tar.gz, samba, samba_3.4.7~dfsg-1ubuntu3.4_armel_translations.tar.gz, samba_3.4.7~dfsg-1ubuntu3.4_amd64_translations.tar.gz, samba

2011-02-28 Thread Ubuntu Installer
samba (2:3.4.7~dfsg-1ubuntu3.4) lucid-security; urgency=low * SECURITY UPDATE: denial of service via missing range checks on file descriptors - debian/patches/security-CVE-2011-0719.patch: validate miscellaneous file descriptors. - CVE-2011-0719 Date: Wed, 23 Feb 2011

[ubuntu/lucid-security] logwatch, logwatch (delayed) 7.3.6.cvs20090906-1ubuntu2.1 (Accepted)

2011-02-28 Thread Ubuntu Installer
logwatch (7.3.6.cvs20090906-1ubuntu2.1) lucid-security; urgency=low * SECURITY UPDATE: privileged code execution via badly named logfiles - scripts/logwatch.pl: encapsulate logfiles in 's and ensure logfile names don't contain '. -

[ubuntu/lucid-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.7-0ubuntu1~10.04.1 (Accepted)

2011-02-28 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.7-0ubuntu1~10.04.1) lucid-security; urgency=low * IcedTea6 1.9.7 release. - SECURITY UPDATE: + S4421494, CVE-2010-4476: infinite loop while parsing double literal. + S6878713, CVE-2010-4469: Hotspot backward jsr heap corruption + S6907662,

[ubuntu/lucid-security] mailman_2.1.13-1ubuntu0.2_sparc_translations.tar.gz (delayed), mailman_2.1.13-1ubuntu0.2_armel_translations.tar.gz, mailman, mailman_2.1.13-1ubuntu0.2_i386_translations.tar.gz,

2011-02-22 Thread Ubuntu Installer
mailman (1:2.1.13-1ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: Cross-Site Scripting vulnerability in confirm.py - debian/patches/80_CVE-2011-0707.patch: properly clean strings in Mailman/Cgi/confirm.py. - CVE-2011-0707 * SECURITY UPDATE: Cross-Site Scripting

[ubuntu/lucid-security] cgiirc, cgiirc (delayed) 0.5.9-3squeeze1build0.10.04.1 (Accepted)

2011-02-18 Thread Ubuntu Installer
cgiirc (0.5.9-3squeeze1build0.10.04.1) lucid-security; urgency=low * fake sync from Debian cgiirc (0.5.9-3squeeze1) stable-security; urgency=high * Non-maintainer upload by The Security Team. * Fixed XSS flaw in handling clients who have Javascript disabled. [CVE-2011-0050] Date:

[ubuntu/lucid-security] python-django_1.1.1-2ubuntu1.3_i386_translations.tar.gz (delayed), python-django 1.1.1-2ubuntu1.3 (Accepted)

2011-02-17 Thread Ubuntu Installer
python-django (1.1.1-2ubuntu1.3) lucid-security; urgency=low * SECURITY UPDATE: flaw in CSRF handling (LP: #719031) - debian/patches/10_CVE-2011-0696.diff: apply full CSRF validation to all requests, regardless of apparent AJAX origin. This is technically backwards-incompatible,

[ubuntu/lucid-security] telepathy-gabble, telepathy-gabble (delayed) 0.8.12-0ubuntu1.1 (Accepted)

2011-02-17 Thread Ubuntu Installer
telepathy-gabble (0.8.12-0ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: don't process google:jingleinfo updates from contacts - debian/patches/0001-ignore-google-jingleinfo-from-contacts.patch: don't accept jingleinfo except from self or server - CVE-2011- Date:

[ubuntu/lucid-security] vlc_1.0.6-1ubuntu1.5_armel_translations.tar.gz, vlc_1.0.6-1ubuntu1.5_sparc_translations.tar.gz (delayed), vlc, vlc_1.0.6-1ubuntu1.5_i386_translations.tar.gz, vlc_1.0.6-1ubuntu1

2011-02-15 Thread Ubuntu Installer
vlc (1.0.6-1ubuntu1.5) lucid-security; urgency=low * SECURITY UPDATE: memory corruption, code execution (LP: #714089) - debian/patches/mkv-input-validation.diff: Fix MKV improper input validation, thanks to Steve Lhomme - CVE-2011-0531 - VideoLAN-SA-1102 Date: Thu, 10 Feb

[ubuntu/lucid-security] openssl_0.9.8k-7ubuntu8.6_i386_translations.tar.gz, openssl_0.9.8k-7ubuntu8.6_ia64_translations.tar.gz, openssl_0.9.8k-7ubuntu8.6_powerpc_translations.tar.gz, openssl_0.9.8k-7u

2011-02-15 Thread Ubuntu Installer
openssl (0.9.8k-7ubuntu8.6) lucid-security; urgency=low * SECURITY UPDATE: OCSP stapling vulnerability - debian/patched/openssl-CVE-2011-0014-secadv_20110208.patch: stricter parsing of ClientHello message in ssl/t1_lib.c - CVE-2011-0014 * Forward TLS version interop patch -

[ubuntu/lucid-security] shadow_4.1.4.2-1ubuntu2.2_ia64_translations.tar.gz, shadow_4.1.4.2-1ubuntu2.2_powerpc_translations.tar.gz, shadow_4.1.4.2-1ubuntu2.2_armel_translations.tar.gz, shadow, shadow_4

2011-02-15 Thread Ubuntu Installer
shadow (1:4.1.4.2-1ubuntu2.2) lucid-security; urgency=low * SECURITY UPDATE: could inject NIS groups memberships into /etc/passwd. - debian/patches/900_locale_env_sanity: actually set locale environment variables correctly. - debian/patches/901_reject_newline: reject newlines in

[ubuntu/lucid-security] qemu-kvm, qemu-kvm (delayed) 0.12.3+noroms-0ubuntu9.4 (Accepted)

2011-02-14 Thread Ubuntu Installer
qemu-kvm (0.12.3+noroms-0ubuntu9.4) lucid-security; urgency=low * SECURITY UPDATE: Setting VNC password to empty string silently disables all authentication (LP: #697197) - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the change introduced in Qemu by git commit

[ubuntu/lucid-security] krb5, krb5_1.8.1+dfsg-2ubuntu0.6_i386_translations.tar.gz, krb5_1.8.1+dfsg-2ubuntu0.6_ia64_translations.tar.gz, krb5_1.8.1+dfsg-2ubuntu0.6_powerpc_translations.tar.gz, krb5_1.8

2011-02-14 Thread Ubuntu Installer
krb5 (1.8.1+dfsg-2ubuntu0.6) lucid-security; urgency=low * SECURITY UPDATE: kpropd denial of service via invalid network input - src/slave/kpropd.c: don't return on kpropd child exit; applied inline. - CVE-2010-4022 - MITKRB5-SA-2011-001 * SECURITY UPDATE: kdc denial of

[ubuntu/lucid-security] italc_1.0.9.1-0ubuntu18.10.04.1_powerpc_translations.tar.gz, italc_1.0.9.1-0ubuntu18.10.04.1_i386_translations.tar.gz, italc_1.0.9.1-0ubuntu18.10.04.1_armel_translations.tar.gz

2011-02-10 Thread Ubuntu Installer
italc (1:1.0.9.1-0ubuntu18.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: private keys potentially reused from liveCD. - debian/italc-client.postinst: re-generate the private and public keys when they match one of the Edubuntu Live DVD ones (LP: #714864) - CVE-2011-0724

[ubuntu/lucid-security] flashplugin-nonfree, flashplugin-nonfree_10.2.152.27ubuntu0.10.04.1_i386_translations.tar.gz (delayed), flashplugin-nonfree_10.2.152.27ubuntu0.10.04.1_amd64_translations.tar.gz

2011-02-09 Thread Ubuntu Installer
flashplugin-nonfree (10.2.152.27ubuntu0.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: New upstream release 10.2.152.27 - debian/config, debian/postinst: Updated sha256sums and path. - CVE-2011-0558 - CVE-2011-0559 - CVE-2011-0560 - CVE-2011-0561 - CVE-2011-0571

[ubuntu/lucid-security] dovecot, dovecot (delayed) 1:1.2.9-1ubuntu6.3 (Accepted)

2011-02-07 Thread Ubuntu Installer
dovecot (1:1.2.9-1ubuntu6.3) lucid-security; urgency=low * SECURITY UPDATE: information disclosure via newly created mailboxes with incorrect ACLs - debian/patches/CVE-2010-3304.patch: verify the directory isn't the same as the INBOX's directory in

[ubuntu/lucid-security] openoffice.org, openoffice.org_3.2.0-7ubuntu4.2_amd64_translations.tar.gz, openoffice.org_3.2.0-7ubuntu4.2_armel_translations.tar.gz, openoffice.org_3.2.0-7ubuntu4.2_powerpc_tr

2011-02-02 Thread Ubuntu Installer
openoffice.org (1:3.2.0-7ubuntu4.2) lucid-security; urgency=low * SECURITY UPDATE: multiple OpenOffice.org vulnerabilities. - debian/patches/SA40775.diff: buffer overflow fixes from upstream, patch thanks to Rene Engelhard (CVE-2010-2935, CVE-2010-2936). -

[ubuntu/lucid-security] subversion_1.6.6dfsg-2ubuntu1.1_amd64_translations.tar.gz, subversion_1.6.6dfsg-2ubuntu1.1_powerpc_translations.tar.gz, subversion_1.6.6dfsg-2ubuntu1.1_ia64_translations.tar.gz

2011-02-01 Thread Ubuntu Installer
subversion (1.6.6dfsg-2ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: restriction bypass via named repo as a rule scope - debian/patches/CVE-2010-3315.patch: use repo_basename in subversion/mod_dav_svn/authz.c. - CVE-2010-3315 * SECURITY UPDATE: denial of service via

[ubuntu/lucid-security] openjdk-6b18 (delayed), openjdk-6b18 6b18-1.8.5-0ubuntu1~10.04.1 (Accepted)

2011-02-01 Thread Ubuntu Installer
openjdk-6b18 (6b18-1.8.5-0ubuntu1~10.04.1) lucid-security; urgency=low * IcedTea6 1.8.5 release. - CVE-2011-0025: IcedTea jarfile signature verification bypass. Date: Thu, 27 Jan 2011 10:30:52 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team

[ubuntu/lucid-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.5-0ubuntu1~10.04.1 (Accepted)

2011-02-01 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.5-0ubuntu1~10.04.1) lucid-security; urgency=low * IcedTea6 1.9.5 release. - CVE-2011-0025: IcedTea jarfile signature verification bypass. Date: Thu, 27 Jan 2011 10:13:13 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team

[ubuntu/lucid-security] openjdk-6b18 (delayed), openjdk-6b18 6b18-1.8.4-0ubuntu1~10.04.1 (Accepted)

2011-01-26 Thread Ubuntu Installer
openjdk-6b18 (6b18-1.8.4-0ubuntu1~10.04.1) lucid-security; urgency=low * IcedTea6 1.8.4 release. - Fix CVE-2010-4351: IcedTea JNLP SecurityManager bypass. Date: Fri, 07 Jan 2011 11:40:12 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team open...@lists.launchpad.net

[ubuntu/lucid-security] openjdk-6, openjdk-6 (delayed) 6b20-1.9.4-0ubuntu1~10.04.1 (Accepted)

2011-01-26 Thread Ubuntu Installer
openjdk-6 (6b20-1.9.4-0ubuntu1~10.04.1) lucid-security; urgency=low * IcedTea6 1.9.4 release. - CVE-2010-4351: IcedTea JNLP SecurityManager bypass. Date: Thu, 06 Jan 2011 23:39:28 +0100 Changed-By: Matthias Klose d...@ubuntu.com Maintainer: OpenJDK Team open...@lists.launchpad.net

[ubuntu/lucid-security] hplip_3.10.2-2ubuntu2.2_armel_translations.tar.gz, hplip_3.10.2-2ubuntu2.2_sparc_translations.tar.gz (delayed), hplip_3.10.2-2ubuntu2.2_i386_translations.tar.gz, hplip, hplip_3

2011-01-25 Thread Ubuntu Installer
hplip (3.10.2-2ubuntu2.2) lucid-security; urgency=low * SECURITY UPDATE: denial of service and possible arbitrary code execution via long SNMP response - debian/patches/CVE-2010-4267.dpatch: validate dLen in io/hpmud/pml.c. - CVE-2010-4267 Date: Mon, 24 Jan 2011 11:25:11 -0500

[ubuntu/lucid-security] vlc_1.0.6-1ubuntu1.4_i386_translations.tar.gz, vlc_1.0.6-1ubuntu1.4_amd64_translations.tar.gz, vlc, vlc_1.0.6-1ubuntu1.4_powerpc_translations.tar.gz, vlc_1.0.6-1ubuntu1.4_armel

2011-01-25 Thread Ubuntu Installer
vlc (1.0.6-1ubuntu1.4) lucid-security; urgency=low * SECURITY UPDATE: heap overflow in CDG decoder (LP: #707154) - debian/patches/cdg-heap-overflow.diff: Fix heap overflow in CDG decoder, thanks to Dan Rosenberg * SECURITY UPDATE: heap corruption in some XML based subtitles decoder

[ubuntu/lucid-security] tomcat6, tomcat6 (delayed) 6.0.24-2ubuntu1.6 (Accepted)

2011-01-24 Thread Ubuntu Installer
tomcat6 (6.0.24-2ubuntu1.6) lucid-security; urgency=low * SECURITY UPDATE: cross-site scripting in Manager application - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to java/org/apache/catalina/manager/JspHelper.java,

[ubuntu/lucid-security] awstats, awstats (delayed) 6.9~dfsg-1ubuntu3.10.04.1 (Accepted)

2011-01-24 Thread Ubuntu Installer
awstats (6.9~dfsg-1ubuntu3.10.04.1) lucid-security; urgency=low * SECURITY UPDATE: directory traversal via crafted LoadPlugin directory - debian/patches/3000_CVE-2010-4369.patch: properly sanitize plugin name in wwwroot/cgi-bin/awstats.pl. - CVE-2010-4369 Date: Tue, 11 Jan 2011

[ubuntu/lucid-security] xpdf, xpdf (delayed) 3.02-2ubuntu1.1 (Accepted)

2011-01-21 Thread Ubuntu Installer
xpdf (3.02-2ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference. (LP: #701220) - cve-2010-3702.dpatch: Patch

[ubuntu/lucid-security] asterisk (delayed), asterisk 1:1.6.2.5-0ubuntu1.3 (Accepted)

2011-01-21 Thread Ubuntu Installer
asterisk (1:1.6.2.5-0ubuntu1.3) lucid-security; urgency=low * SECURITY UPDATE: Stack buffer overflow in SIP channel driver. (LP: #705014) - debian/patches/AST-2011-001-1.6.2: The size of the output buffer passed to the ast_uri_encode function is now properly respected in main/utils.c.

[ubuntu/lucid-security] mumble_1.2.2-1ubuntu1.1_ia64_translations.tar.gz, mumble_1.2.2-1ubuntu1.1_i386_translations.tar.gz, mumble_1.2.2-1ubuntu1.1_amd64_translations.tar.gz, mumble_1.2.2-1ubuntu1.1_p

2011-01-21 Thread Ubuntu Installer
mumble (1.2.2-1ubuntu1.1) lucid-security; urgency=low * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674) - debian/mumble-server.postinst: Set permissions of mumble-server.ini to 0640 and the owner to root:mumble-server. Date: Thu, 20 Jan 2011 12:56:28 +0100

[ubuntu/lucid-security] sudo, sudo (delayed) 1.7.2p1-1ubuntu5.3 (Accepted)

2011-01-20 Thread Ubuntu Installer
sudo (1.7.2p1-1ubuntu5.3) lucid-security; urgency=low * SECURITY UPDATE: privilege escalation via -g when using group Runas_List - pwutil.c, sudo.h: add user_in_group(), backported from upstream commits 48ca8c2eddf8, 72df368a8a0e and 6ebc55d4716b. This is intended to be used

[ubuntu/lucid-security] dbus, dbus (delayed) 1.2.16-2ubuntu4.1 (Accepted)

2011-01-18 Thread Ubuntu Installer
dbus (1.2.16-2ubuntu4.1) lucid-security; urgency=low * SECURITY UPDATE: fix DoS with too deeply nested messages - debian/patches/99-CVE-2010-4352.patch: Limit nesting to 64 for dynamic message variants. Backported from upstream. - CVE-2010-4352 - LP: #688992 Date: Tue, 04 Jan

[ubuntu/lucid-security] php5_5.3.2-1ubuntu4.7_armel_translations.tar.gz, php5_5.3.2-1ubuntu4.7_ia64_translations.tar.gz, php5_5.3.2-1ubuntu4.7_sparc_translations.tar.gz (delayed), php5_5.3.2-1ubuntu4.

2011-01-12 Thread Ubuntu Installer
php5 (5.3.2-1ubuntu4.7) lucid-security; urgency=low * debian/patches/php5-CVE-2010-3436-regression.patch: update main/fopen_wrappers.c to include fix for open_basedir restriction regression (LP: #701896) Date: Wed, 12 Jan 2011 07:28:55 -0800 Changed-By: Steve Beattie

[ubuntu/lucid-security] eglibc_2.11.1-0ubuntu7.7_sparc_translations.tar.gz (delayed), eglibc_2.11.1-0ubuntu7.7_amd64_translations.tar.gz, eglibc_2.11.1-0ubuntu7.7_ia64_translations.tar.gz, eglibc, egl

2011-01-11 Thread Ubuntu Installer
eglibc (2.11.1-0ubuntu7.7) lucid-security; urgency=low * SECURITY UPDATE: setuid iconv users could load arbitrary libraries. - debian/patches/any/dst-expansion-fix.diff: refresh with new proposed solution, avoiding iconv issues. - any/cvs-check-setuid-on-audit.diff: upstream fix

[ubuntu/lucid-security] php5_5.3.2-1ubuntu4.6_armel_translations.tar.gz, php5_5.3.2-1ubuntu4.6_amd64_translations.tar.gz, php5_5.3.2-1ubuntu4.6_i386_translations.tar.gz, php5_5.3.2-1ubuntu4.6_ia64_tra

2011-01-11 Thread Ubuntu Installer
php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low * SECURITY UPDATE: open_basedir bypass - debian/patches/php5-CVE-2010-3436.patch: more strict checking in php_check_specific_open_basedir() - CVE-2010-3436 * SECURITY UPDATE: NULL pointer dereference crash -

[ubuntu/lucid-security] lcms (delayed), lcms 1.18.dfsg-1ubuntu2.10.04.1 (Accepted)

2011-01-11 Thread Ubuntu Installer
lcms (1.18.dfsg-1ubuntu2.10.04.1) lucid-security; urgency=low * debian/patches/CVE-2009-0793.dpatch: SECURITY UPDATE: (LP: #700198) - Fix DoS via a crafted image that triggers execution of incorrect code for transformations of monochrome profiles. - CVE-2009-0073 Date: Sat, 08

[ubuntu/lucid-security] libapache2-mod-fcgid (delayed), libapache2-mod-fcgid 1:2.3.4-2ubuntu0.2 (Accepted)

2011-01-09 Thread Ubuntu Installer
libapache2-mod-fcgid (1:2.3.4-2ubuntu0.2) lucid-security; urgency=low * SECURITY UPDATE: possible stack buffer overwrite (LP: #698060) - modules/fcgid/fcgid_bucket.c: patch from upstream - CVE-2010-3872 Date: Thu, 06 Jan 2011 13:04:02 +0100 Changed-By: Felix Geyer debfx-...@fobos.de

[ubuntu/lucid-security] dpkg_1.15.5.6ubuntu4.5_powerpc_translations.tar.gz, dpkg_1.15.5.6ubuntu4.5_sparc_translations.tar.gz (delayed), dpkg_1.15.5.6ubuntu4.5_i386_translations.tar.gz, dpkg_1.15.5.6ub

2011-01-06 Thread Ubuntu Installer
dpkg (1.15.5.6ubuntu4.5) lucid-security; urgency=low * SECURITY UPDATE: relative directory and symlink following in source pkgs. - scripts/Dpkg/Source/Archive.pm, scripts/Dpkg/Source/Patch.pm, scripts/Dpkg/Source/Package/V2.pm: applied fixes from Raphael Hertzog, thanks to

[ubuntu/lucid-security] ifupdown_0.6.8ubuntu29.2_i386_translations.tar.gz, ifupdown_0.6.8ubuntu29.2_amd64_translations.tar.gz, ifupdown, ifupdown_0.6.8ubuntu29.2_powerpc_translations.tar.gz, ifupdown_

2011-01-06 Thread Ubuntu Installer
ifupdown (0.6.8ubuntu29.2) lucid-security; urgency=low * debian/ifupdown.network-interface{,-security}.upstart: handle race condition when loading AppArmor profiles for interfaces (LP: #689892). Patch by Kees Cook. Date: Tue, 04 Jan 2011 12:48:52 -0600 Changed-By: Jamie Strandboge

[ubuntu/lucid-security] vlc_1.0.6-1ubuntu1.3_i386_translations.tar.gz, vlc, vlc_1.0.6-1ubuntu1.3_armel_translations.tar.gz, vlc_1.0.6-1ubuntu1.3_amd64_translations.tar.gz, vlc_1.0.6-1ubuntu1.3_ia64_tr

2011-01-06 Thread Ubuntu Installer
vlc (1.0.6-1ubuntu1.3) lucid-security; urgency=low * SECURITY UPDATE: Buffer overflow in Real demuxer (LP: #690173) - modules/demux/real.c: Fix heap buffer overflow, thanks to Rémi Denis-Courmont - CVE-2010-3907 - VideoLAN-SA-1007 Date: Thu, 30 Dec 2010 01:14:56 +0100

[ubuntu/lucid-security] apparmor_2.5.1-0ubuntu0.10.04.2_i386_translations.tar.gz, apparmor_2.5.1-0ubuntu0.10.04.2_powerpc_translations.tar.gz, apparmor, apparmor_2.5.1-0ubuntu0.10.04.2_armel_translat

2011-01-06 Thread Ubuntu Installer
apparmor (2.5.1-0ubuntu0.10.04.2) lucid-security; urgency=low * Fix for apparmor_parser not generating correct policy when mixing exec transitions with and without unconfined fallback transitions. - debian/patches/0013-lp693082.patch: adjust dfa match flag table size and fix index

[ubuntu/lucid-security] evince_2.30.3-0ubuntu1.2_powerpc_translations.tar.gz, evince_2.30.3-0ubuntu1.2_ia64_translations.tar.gz, evince_2.30.3-0ubuntu1.2_static_translations.tar.gz (delayed), evince,

2011-01-05 Thread Ubuntu Installer
evince (2.30.3-0ubuntu1.2) lucid-security; urgency=low * SECURITY UPDATE: arbitrary code execution via multiple dvi backend overflows - debian/patches/02_CVE-2010-264x.patch: add bounds checking in backend/dvi/mdvi-lib/{afmparse,dviread,pk,tfmfile,vf}.c. - CVE-2010-2640 -
