A new release of the Ubuntu Cloud Images for stable Ubuntu release 8.04 LTS (Hardy Heron) is available at [1]. Images are available for download or immediate use on EC2 via published AMI ids. Users who wish to update their existing installations can do so with: 'apt-get update && sudo apt-get dist-upgrade && reboot'.
linux-image has been updated to 2.6.24-31.100 [3].
In order to support the new S3-backed mirrors, these images have an
updated apt configuration that is not managed by any package. All
EC2 Cloud Image users should run the following command on their
existing Ubuntu 8.04 LTS (Hardy Heron) AMIs:
    $ echo 'Acquire::http::Pipeline-Depth "0";' | sudo tee /etc/apt/apt.conf.d/99-no-pipelining
See [4] for more information.
The following packages have been updated. Please see the full changelogs
for a complete listing of changes:
- apt: 0.7.9ubuntu17.3 => 0.7.9ubuntu17.4
- bind9: 1:9.4.2.dfsg.P2-2ubuntu0.8 => 1:9.4.2.dfsg.P2-2ubuntu0.9
- bzip2: 1.0.4-2ubuntu4.1 => 1.0.4-2ubuntu4.2
- glibc: 2.7-10ubuntu8 => 2.7-10ubuntu8.1
- linux: 2.6.24-29.93 => 2.6.24-31.100
- linux-meta: 2.6.24.29.31 => 2.6.24.31.33
- linux-restricted-modules-2.6.24: 2.6.24.18-29.9 => 2.6.24.18-31.12
- openssl: 0.9.8g-4ubuntu3.13 => 0.9.8g-4ubuntu3.15
- pam: 0.99.7.1-5ubuntu6.4 => 0.99.7.1-5ubuntu6.5
- python-apt: 0.7.4ubuntu7.5 => 0.7.4ubuntu7.7
- tzdata: 2011j~repack-0ubuntu0.8.04 => 2012b~repack-0ubuntu0.8.04
- update-manager: 1:0.87.31 => 1:0.87.33
New Packages:
- linux-restricted-modules-2.6.24-31-xen
- linux-ubuntu-modules-2.6.24-31-xen
CVE Updates:
* bind9
  - denial of service via specially crafted packet
    CVE-2011-4313
* bzip2
  - Fix temporary file creation race condition
    CVE-2011-4089
* glibc: 2.7-10ubuntu8 => 2.7-10ubuntu8.1
  - timezone header parsing integer overflow (LP: #906961)
    CVE-2009-5029
  - remove encrypted passwords from passwd entries, and add them
    in shadow entries and fix incorrect password overwriting
    CVE-2010-0015
  - memory consumption denial of service in fnmatch
    CVE-2011-1071
  - /etc/mtab corruption denial of service
    CVE-2011-1089
  - insufficient locale environment sanitization
    CVE-2011-1095
  - ld.so insecure handling of privileged programs' RPATHs with $ORIGIN
    CVE-2011-1658
  - fnmatch integer overflow
    CVE-2011-1659
  - signedness bug in memcpy_ssse3
    CVE-2011-2702
  - DoS in RPC implementation (LP: #901716)
    CVE-2011-4609
  - vfprintf nargs overflow leading to FORTIFY check bypass
    CVE-2012-0864
* openssl
  - ECDSA private key timing attack
    CVE-2011-1945
  - ECDH ciphersuite denial of service
    CVE-2011-3210
  - DTLS plaintext recovery attack (LP: #922229)
    CVE-2011-4108
  - policy check double free vulnerability
    CVE-2011-4019
  - incorrect elliptic curve computation TLS key exposure
    CVE-2011-4354
  - SSL 3.0 block padding exposure
    CVE-2011-4576
  - malformed RFC 3779 data denial of service attack
    CVE-2011-4577
  - Server Gated Cryptography (SGC) denial of service
    CVE-2011-4619
  - fix for CVE-2011-4108 denial of service attack
    CVE-2012-0050
* pam
  - possible code execution via incorrect environment file
    CVE-2011-3148
  - denial of service via overflowed environment variable
    CVE-2011-3149
* update-manager
  - arbitrary code execution via directory traversal
    CVE-2011-3152
  - information leak via insecure temp file (LP: #881541)
    CVE-2011-3154
--
[1] http://cloud-images-images.ubuntu.com/server/releases/hardy/release-20120405/
[2] http://cloud-images-images.ubuntu.com/server/releases/hardy/release-20111003/
[3] https://launchpad.net/ubuntu/+source/linux/2.6.24-31.100
[4] https://lists.ubuntu.com/archives/ubuntu-cloud/2012-April/000752.html
--
Ben Howard
[email protected]
Canonical USA, Inc
GPG ID 0x5406A866
