Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
AF_UNSPEC is used in calls to getaddrinfo(3) to request either ipv4 or
ipv6 addresses. In the parser, we've been filtering out AF_UNSPEC as an
option. It's a simple enough patch to enable it:
Index: b/common/Make.rules
===
---
** Description changed:
- A kernel bug in user namespaces allows root in a container to ptrace
- host-root-owned tasks during a window of opportunity during lxc-attach /
- 'lxc exec', before they drop privilege by doing setuid to the container
- root uid.
+ ** DISPUTED ** kernel/ptrace.c in the
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Mitre assigned CVE-2015-8709 for this issue.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8709
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8550
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-8551
** CVE removed:
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Packages to address the issue in lxc are currently building in the
ubuntu-security-proposed ppa:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ;
please test these when they complete to
verify that there aren't any additional regressions that have cropped up
in this update.
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
This has been addressed in all supported Ubuntu releases, closing.
** Changed in: asterisk (Ubuntu)
Status: Confirmed => Fix Released
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server Team,
This has been addressed in all supported releases of Ubuntu, closing.
** Changed in: asterisk (Ubuntu)
Status: Confirmed => Fix Released
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server
This has been addressed in all supported Ubuntu releases, closing.
** Changed in: asterisk (Ubuntu)
Status: Confirmed => Fix Released
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server Team,
Seems to be a dependency conflict that is causing both postfix and exim4
to be installed.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1483341
Title:
package exim4-config (not
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
dhcp3 was superseded by isc-dhcp between lucid and precise and therefore
is not available under any supported ubuntu release. Marking the task
dhcp3 as Won't Fix.
** Changed in: dhcp3 (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of
dhcp3 was superseded by isc-dhcp between lucid and precise and therefore
is not available under any supported ubuntu release. Marking the task
dhcp3 as Won't Fix.
** Changed in: dhcp3 (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of
dhcp3 was superseded by isc-dhcp between lucid and precise and therefore
is not available under any supported ubuntu release. Marking the task
dhcp3 as Won't Fix.
** Changed in: dhcp3 (Ubuntu)
Status: Triaged => Won't Fix
--
You received this bug notification because you are a member of
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Moving this back to lxc, as this doesn't appear to be an apparmor
problem.
** Package changed: apparmor (Ubuntu) => lxc (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1446658
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
** Package changed: openssh (Ubuntu) => xorg (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1450871
Title:
xserver crashes ATI AMD Radeon 7700 driver 12.20
To manage
*** This bug is a duplicate of bug 1438745 ***
https://bugs.launchpad.net/bugs/1438745
Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 1438745, so it is being marked as such. Please
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to init-system-helpers in Ubuntu.
https://bugs.launchpad.net/bugs/1441369
Title:
package init-system-helpers 1.22ubuntu5 failed
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
** Tags removed: apparmor
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1100877
Title:
lxc-start fails after upgrade to raring
To manage notifications about this bug go to:
So python-oauth2 has some reverse dependencies:
python-oauth2
Reverse Depends:
turses
screenlets-pack-all
python-django-social-auth
python-django-oauth-plus
turses was removed from debian in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779448
python-django-social-auth was removed
Here's the complete sh -xe output from running lxc-net start:
ubuntu@vivid-i386:~$ sudo sh -xe /usr/lib/i386-linux-gnu/lxc/lxc-net start
+ distrosysconfdir=/etc/default
+ localstatedir=/var
+ varrun=/run/lxc
+ USE_LXC_BRIDGE=true
+ LXC_BRIDGE=lxcbr0
+ LXC_ADDR=10.0.3.1
+ LXC_NETMASK=255.255.255.0
Public bug reported:
The lxc-net script in /usr/lib/$archtriplet/lxc/lxc-net attempts to use
ifconfig first and then falls back to trying to use ip(8) in the ifup()
and ifdown() shell functions. This behavior should be reversed, as ip
has been preferred over ifconfig for several years now.
As an
And here's the patch to the lxc-net script to prefer ip(8) over
ifconfig.
** Patch added: lxc-net-prefer_ip.patch
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1424143/+attachment/4323815/+files/lxc-net-prefer_ip.patch
--
You received this bug notification because you are a member of
So the only difference that I can see is that *without* the added
remount rule, /proc/mounts contains the following entries for
sysfs+/sys/ within the container:
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
with the added rule,
Public bug reported:
When starting up an ubuntu lxc container in vivid, I'm seeing the
following apparmor rejection:
Feb 21 01:30:41 vivid-i386 kernel: [ 2121.606513] audit: type=1400
audit(1424511041.643:125): apparmor=DENIED operation=mount
info=failed flags match error=-13
I think I see this as well, simply doing an 'apt-get install mysql-
server-5.6' on vivid leaves things in the following state after the
installation completes:
$ sudo aa-status
[SNIP]
2 processes are unconfined but have a profile defined.
/usr/sbin/dnsmasq (665)
/usr/sbin/mysqld
=> Medium
** Changed in: clamav (Ubuntu)
Assignee: (unassigned) => Steve Beattie (sbeattie)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1420819
Title:
ClamAV 0.98.6 security
Hi Chris,
Did you do a test build on powerpc? Even with not using llvm, I got a
build failure in the unit tests on powerpc. I'll retry the build as
sometimes things can be flaky on the powerpc buildds, but the relevant
bits from the log are as follows:
make[3]: Entering directory
This was addressed in http://www.ubuntu.com/usn/usn-2461-1/ , thanks.
** Changed in: libyaml (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libyaml in Ubuntu.
This unfortunately doesn't work by default in ubuntu because the setting
for audit.conf in /usr/share/logwatch/services/ points to the 'messages'
logfile which is no longer used in ubuntu. It should either be 'syslog'
or 'kernel'.
A secondary issue is that if auditd is enabled, events will only
Thanks for reporting this, we are aware of it and are working on an
update. Marking as public.
** Changed in: bind9 (Ubuntu)
Importance: Undecided => High
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is
Addressed in Ubuntu 12.10 with keystone
2012.2~rc1~20120906.2517-0ubuntu2.
** Changed in: keystone (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to keystone in Ubuntu.
This was fixed in Ubuntu 12.04 LTS in
http://www.ubuntu.com/usn/usn-1552-1/ but still needs to be fixed in
quantal (ubuntu 12.10). Attached is a debdiff to do so.
** Patch added: keystone_2012.2~f3-0ubuntu2.debdiff
** Changed in: keystone (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1040626
Title:
Update user's default tenant partially succeeds without
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2094
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-2144
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to horizon in Ubuntu.
Clint,
FYI, I slightly modified the patch headers to make them DEP-3 compliant
(added Subject: lines with brief descriptions of the issues they
address).
Unsubscribing ubuntu-security-sponsors since there are no more open tasks
for that team to undertake.
Thanks!
--
You received this bug
Clint,
Thanks, debdiff looks good. I'll push this out today.
** Changed in: juju (Ubuntu Precise)
Status: Confirmed => In Progress
** Changed in: juju (Ubuntu Precise)
Assignee: Clint Byrum (clint-fewbar) => Steve Beattie (sbeattie)
--
You received this bug notification because you
Dave, this was fixed for Ubuntu precise in
http://www.ubuntu.com/usn/usn-1466-1/ (2012.1-0ubuntu2.2). Thanks.
** Changed in: nova (Ubuntu Precise)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to
Thanks Scott, I'm reviewing the natty, oneiric, and precise debdiffs
now.
** Changed in: clamav (Ubuntu Natty)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: clamav (Ubuntu Precise)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: clamav (Ubuntu
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1012
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1014
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1015
--
You received this bug notification because you are a member
This is a low priority issue due to the required privileges needed to
exploit it.
** Changed in: krb5 (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in Ubuntu.
** Changed in: nova (Ubuntu Oneiric)
Status: New => In Progress
** Changed in: nova (Ubuntu Precise)
Status: New => In Progress
** Changed in: nova (Ubuntu Oneiric)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: nova (Ubuntu Precise)
Assignee: (unassigned
** Also affects: nova (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1010514
Title:
Source group based security group rule without
This was fixed in oneiric with the introduction of openssl 1.0.0. On
precise:
$ openssl ciphers CAMELLIA
DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ADH-CAMELLIA256-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ADH-CAMELLIA128-SHA:CAMELLIA128-SHA
Marking this bug report
I believe upstream attempted to address this in
https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cobbler in Ubuntu.
Hi,
Sorry for losing track of the issue.
I was getting corrupted headers where because one header had multiple
NULLs in it, when dovecot wrote the message back, it ended up dropping
that header and merging/corrupting another header. The example I came up
with was where the original message
Public bug reported:
The squid (v2) package had all of the hardening options enabled (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542723) due to squid
receiving and parsing network input and the number of and severity of
prior security issues; however, with the transition to squid3 some
For more details on the hardening options, please see
http://wiki.debian.org/Hardening
Attached is a debdiff for precise-proposed SRU that addresses the issue
as well as fixes the file descriptor limit in bug 986159. I've built and
confirmed both issues locally, as well as performed a modicum of
Hi,
I've attached a debdiff to bug 986314 that addresses that issue as well
as this one for an SRU.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/986159
Title:
squid3 open file
** Changed in: squid3 (Ubuntu)
Importance: Undecided => High
** Tags added: qa-r-t regression-release
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/986314
Title:
squid3 missing
** Changed in: squid3 (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/986159
Title:
squid3 open file descriptors limit is set incorrectly
** Bug watch added: Debian Bug tracker #669684
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669684
** Also affects: squid3 (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669684
Importance: Unknown
Status: Unknown
--
You received this bug notification because
Hi, can you attach the profiles in question? That will help in
diagnosing the issue.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/969228
Title:
Unable to load another apparmor
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/956581
Title:
Stack Buffer Overflow in HTTP Manager
To manage notifications about this bug go to:
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/956580
Title:
Remote Crash Vulnerability in Milliwatt Application
To manage notifications about
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to asterisk in Ubuntu.
https://bugs.launchpad.net/bugs/956578
Title:
Remote crash vulnerability in SIP channel driver
To manage notifications about this
Hi Paul,
When compiling with your added patches, a new compiler warning pops up:
+chan_sip.c: In function 'parse_register_contact':
+chan_sip.c:13312:2: warning: implicit declaration of function
'parse_uri_legacy_check' [-Wimplicit-function-declaration]
grepping through the source, I don't see
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a regular (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross
This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as
referred to in USN http://www.ubuntu.com/usn/usn-1259-1 ; closing.
** Changed in: apache2 (Ubuntu Hardy)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server
This was addressed in precise in the 5.3.10-1ubuntu1 merge, closing.
** Changed in: php5 (Ubuntu Precise)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
Note that Ubuntu, like many linux distributions, backports security
fixes rather than upgrading to new versions of software to attempt to
prevent the introduction of regressions and changes in behavior in
released versions of software.
CVE-2010-3069 was addressed in
Also, you can check the status yourself of the CVEs we are aware of at
the Ubuntu Security cve tracker:
http://people.canonical.com/~ubuntu-security/cve/
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
Yes, as Ondřej said, all supported releases were affected and the issue
was that ini_get('magic_quotes_gpc') was returning the wrong value,
magic_quotes_gpc would still get set correctly. Also,
get_magic_quotes_gpc() returned the correct value, too.
Fixes for all releases have gone out as
Hakan, note that the php source package includes a quilt series of
patches to be applied in the debian/patches/ directory. This includes
the php-suhosin patch which adds the file that make is reporting
missing. You may wish to read the Quilt for Debian Maintainers page at
Yes, this has been fixed in hardy (8.04 LTS); however, I forgot to
incorporate the bug number in the changelog entry for the hardy version.
You are correct that this issue has not been addressed in precise, yet.
As for CVE-2012-0830, there is no separate bug report; the security team
doesn't
in: php5 (Ubuntu Lucid)
Assignee: Canonical Security Team (canonical-security) => Steve Beattie
(sbeattie)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/930115
Title:
php5 5.3.2
Bill,
The /usr/lib/php5/maxlifetime script is already dividing the result by
60; if you run it with the default settings, you will see that it
returns 24 (the expected number of minutes). So your patch should not be
necessary. Is that not the behavior you see? What does it output if you
run it
** Changed in: php5 (Ubuntu)
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/908154
Title:
PHP session garbage collection measured in minutes
Thanks for taking the time to report this issue and help improve Ubuntu.
While from a programmer's perspective, it's unexpected behavior;
however, it is correct as documented at:
http://php.net/manual/en/language.operators.comparison.php
What's happening is that when comparing a string to a
/viewvc?view=revision&revision=323007, plus there's
an additional memory leak addressed by
http://svn.php.net/viewvc?view=revision&revision=323013).
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0830
** Changed in: php5 (Ubuntu Lucid)
Assignee: (unassigned) => Steve Beattie
I was able to reproduce this issue with squid 2.7.STABLE9-2ubuntu5.1,
and have verified that the version in maverick-proposed,
2.7.STABLE9-2ubuntu5.2 appears to fix the issue. After upgrading, squid
continued to function as expected. Marking verification-done.
** Tags removed: verification-needed
Thanks, Michael, I expect packages to go out in the next couple of days.
FYI, the lucid debdiff you posted did not include an edit to
debian/patches/00list, so I don't believe it's getting applied in your
ppa build.
--
You received this bug notification because you are a member of Ubuntu
Server
This appears to be the issue:
ERROR: Module reqtimeout does not exist!
mod_reqtimeout should be provided by the apache2.2-bin package. Is it
installed and in a consistent state?
** Changed in: php5 (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2202
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3182
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
: (unassigned) => Steve Beattie (sbeattie)
** Changed in: apache2 (Ubuntu Lucid)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: apache2 (Ubuntu Maverick)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: apache2 (Ubuntu Natty)
Assignee: (unassigned) => Steve
Unfortunately, the version in oneiric-proposed was superseded by a
security update to krb5 (though the versioning of the proposed version
doesn't correctly reflect that) in USN 1233-1
http://www.ubuntu.com/usn/usn-1233-1/.
Attached is a debdiff against the version of krb5 in oneiric-security,
** Patch added: krb5_1.9.1+dfsg-1ubuntu2.1.debdiff
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/874130/+attachment/2559171/+files/krb5_1.9.1%2Bdfsg-1ubuntu2.1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in
Thanks for reporting this issue. It has been addressed in Ubuntu 10.10
(maverick) and newer. For Ubuntu 10.04 LTS (lucid), I'll be applying the
upstream fix for it. For Ubuntu 8.04 LTS (hardy), upstream never fixed
this issue in the php 5.2 branch, and backporting the fix is non-trivial
and thus
Thanks for reporting this issue. This issue only affects Ubuntu 8.04
LTS, despite what the securityfocus link above says. It will be
addressed in a forthcoming php update.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
(Ubuntu Lucid)
Importance: Undecided => Low
** Changed in: php5 (Ubuntu Lucid)
Assignee: (unassigned) => Steve Beattie (sbeattie)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/852871
** Changed in: php5 (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: php5 (Ubuntu Hardy)
Status: New => In Progress
** Changed in: php5 (Ubuntu Hardy)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: php5 (Ubuntu Hardy)
Importance: Undecided => Low
Thanks for reporting this issue, which is CVE-2011-0419. It's a
vulnerability in apache's apr library, which in Ubuntu is shipped in the
separate 'apr' source package, and the apache packages link against it.
It was addressed in USN-1134-1 http://www.ubuntu.com/usn/usn-1134-1.
** CVE added:
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2484
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/852865
Title:
strrchr() functions information leak
To manage
Thanks for reporting this issue; however, it was already addressed in
USN 989-1: http://www.ubuntu.com/usn/usn-989-1/.
** Changed in: php5 (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed
Thanks for reporting this issue. PHP in Ubuntu uses libmysqlclient, not
mysqlnd, and thus was not affected by this vulnerability.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4700
** Changed in: php5 (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug
*** This bug is a duplicate of bug 813115 ***
https://bugs.launchpad.net/bugs/813115
Thanks for reporting this issue. It had already been reported as bug
813115, which is in progress and which I'm marking this a duplicate of.
Please address all further comments around this vulnerability
Beattie (sbeattie)
** Changed in: php5 (Ubuntu Lucid)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: php5 (Ubuntu Maverick)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: php5 (Ubuntu Natty)
Assignee: (unassigned) => Steve Beattie (sbeattie)
--
You
Paweł and Upen, thanks for following up. Based on your comments, I'm
going to close this bug report; please re-open it if you find any
evidence that suggests the fix for CVE-2011-3192 is incomplete.
Stefan, thanks for chiming in.
** CVE added: http://www.cve.mitre.org/cgi-
Paweł,
Can you confirm that sending a request with an overlapping byte range
e.g.:
HEAD / HTTP/1.1
Host: localhost
Range:bytes=1-15,10-35,8-9,14-22,0-5,23-
Accept-Encoding: gzip
Connection: close
returns 200 OK?
Perhaps you could report what modules you have loaded? apache2ctl -t -D
Attached is a debdiff for the merge of apache 2.2.20-1 (I was unable to
do this via bzr due to bug 842144). I've verified that the package
builds on i386 and amd64 and ran the lp:qa-regression-testing tests
against that package, and confirmed that no regressions occur.
** Description changed:
And here is the debdiff of 2.2.20-1ubuntu1 against 2.2.20-1, to show
just the ubuntu changes to the package.
** Patch added: apache2-2.2.20-1_2.2.20-1ubuntu1.diff
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/837991/+attachment/2362703/+files/apache2-2.2.20-1_2.2.20-1ubuntu1.diff
**
** This bug has been flagged as a security vulnerability
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to elinks in Ubuntu.
https://bugs.launchpad.net/bugs/769354
Title:
elinks accepts self-signed ssl certificates without warning
To