USN-981-1: libwww-perl vulnerability

Referenced CVEs: 
CVE-2010-2253

Description: 
===========================================================
Ubuntu Security Notice USN-981-1 August 31, 2010
libwww-perl vulnerability
CVE-2010-2253
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libwww-perl 5.803-4ubuntu0.1

Ubuntu 8.04 LTS:
libwww-perl 5.808-1ubuntu0.1

Ubuntu 9.04:
libwww-perl 5.820-1ubuntu0.1

Ubuntu 9.10:
libwww-perl 5.831-1ubuntu0.1

Ubuntu 10.04 LTS:
libwww-perl 5.834-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that libwww-perl incorrectly filtered filenames suggested
by Content-Disposition headers. If a user were tricked into downloading a
file from a malicious site, a remote attacker could overwrite hidden files
in the user’s directory.

Articoli Correlati

  • No Related Posts

USN-980-1: bogofilter vulnerability

Referenced CVEs: 
CVE-2010-2494

Description: 
===========================================================
Ubuntu Security Notice USN-980-1 August 31, 2010
bogofilter vulnerability
CVE-2010-2494
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
bogofilter-bdb 1.1.5-2ubuntu5.1
bogofilter-sqlite 1.1.5-2ubuntu5.1

Ubuntu 9.04:
bogofilter-bdb 1.1.7-1ubuntu1.1
bogofilter-sqlite 1.1.7-1ubuntu1.1

Ubuntu 9.10:
bogofilter-bdb 1.2.0-3ubuntu1.1
bogofilter-sqlite 1.2.0-3ubuntu1.1

Ubuntu 10.04 LTS:
bogofilter-bdb 1.2.1-0ubuntu1.1
bogofilter-sqlite 1.2.1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

Details follow:

Julius Plenz discovered that bogofilter incorrectly handled certain
malformed encodings. By sending a specially crafted email, a remote
attacker could exploit this and cause bogofilter to crash, resulting in a
denial of service.

Articoli Correlati

  • No Related Posts

USN-979-1: okular vulnerability

Referenced CVEs: 
CVE-2010-2575

Description: 
===========================================================
Ubuntu Security Notice USN-979-1 August 27, 2010
kdegraphics vulnerability
CVE-2010-2575
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
okular 4:4.2.2-0ubuntu2.1

Ubuntu 9.10:
okular 4:4.3.2-0ubuntu1.1

Ubuntu 10.04 LTS:
okular 4:4.4.2-0ubuntu1.1

After a standard system update you need to restart any running instances
of okular to make all the necessary changes.

Details follow:

Stefan Cornelius of Secunia Research discovered a boundary error during
RLE decompression in the “TranscribePalmImageToJPEG()” function in
generators/plucker/inplug/image.cpp of okular when processing images
embedded in PDB files, which can be exploited to cause a heap-based
buffer overflow. (CVE-2010-2575)

Articoli Correlati

  • No Related Posts

USN-974-2: Linux kernel regression

Description: 
===========================================================
Ubuntu Security Notice USN-974-2 August 26, 2010
linux regression
https://launchpad.net/bugs/620994
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
linux-image-2.6.24-28-386 2.6.24-28.77
linux-image-2.6.24-28-generic 2.6.24-28.77
linux-image-2.6.24-28-hppa32 2.6.24-28.77
linux-image-2.6.24-28-hppa64 2.6.24-28.77
linux-image-2.6.24-28-itanium 2.6.24-28.77
linux-image-2.6.24-28-lpia 2.6.24-28.77
linux-image-2.6.24-28-lpiacompat 2.6.24-28.77
linux-image-2.6.24-28-mckinley 2.6.24-28.77
linux-image-2.6.24-28-openvz 2.6.24-28.77
linux-image-2.6.24-28-powerpc 2.6.24-28.77
linux-image-2.6.24-28-powerpc-smp 2.6.24-28.77
linux-image-2.6.24-28-powerpc64-smp 2.6.24-28.77
linux-image-2.6.24-28-rt 2.6.24-28.77
linux-image-2.6.24-28-server 2.6.24-28.77
linux-image-2.6.24-28-sparc64 2.6.24-28.77
linux-image-2.6.24-28-sparc64-smp 2.6.24-28.77
linux-image-2.6.24-28-virtual 2.6.24-28.77
linux-image-2.6.24-28-xen 2.6.24-28.77

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

USN-974-1 fixed vulnerabilities in the Linux kernel. The fixes for
CVE-2010-2240 caused failures for Xen hosts. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)

Kees Cook discovered that under certain situations the ioctl subsystem for
DRM did not properly sanitize its arguments. A local attacker could exploit
this to read previously freed kernel memory, leading to a loss of privacy.
(CVE-2010-2803)

Ben Hawkes discovered an integer overflow in the Controller Area Network
(CAN) subsystem when setting up frame content and filtering certain
messages. An attacker could send specially crafted CAN traffic to crash the
system or gain root privileges. (CVE-2010-2959)

Articoli Correlati

  • No Related Posts

The CAVE: il mito della caverna di Platone e del quaderno degli errori

Titolo un po’ strano vero?

Tutto nasce dalla lettura del supplemento Nova del Sole 24 ore di oggi.

Leggo spesso questo supplemento, in quanto  fanatico di tecnologia e di applicazioni all’avanguardia, e devo dire che mi piace. Ogni tanto pero’ bisognerebbe leggerlo con giudizio (come bisognerebbe leggere tutto con giudizio e senso critico).

Ma ritorniamo al fatto: sto sfogliando l’inserto e mi imbatto in un articolo , “la Caverna delle Idee” di Gianni Rusconi. Vedendo le immagini il mio primo pensiero: hanno fatto un articolo sul CAVE. E leggo l’articolo. Bello ma con molte insesatezze e soprattutto è un articolo per fare pubblicità, nessun accenno, nessun link di storia. Il sistema, leggendo l’articolo, sembra nato dalla società T-Systems che spiega sarà utilizzato per fare business e che difficilmente si troveranno installazioni in ambito pubblico o privato (al massimo, dicono i manager, solo con due o tre pareti, proprio per porre l’accento sulla complessità del loro sistema).

Bene ma che è il CAVE? Il CAVE è l’acronimo di Computer Advanced Visualisation Environment ed è nato qui e anche molti anni fa come vedete se visualizzate il link appena proposto. In sostanza una scatola cubica le cui pareti sono in realtà degli schermi gestiti da computer che proiettano lo spettator ein una vera realtà artificiale immersiva (almeno visiva), con o senza occhialini 3d. Realtà con la quale si puo’ interagire in svariati modi (comandi tipo joystick tridimennsionali, sensori, altro).

In sostanza ho trovato il classico articolo fatto per stupire pieno di inesatezze. Queste le ho scoperte in quanto mi sono interessato al sistema gia’ nel lontano 1996 per un mio progetto visionario, ma chissà quante altre inesatezze ci propinano ogni giorno su gionali (reali o elettronici) senza che ce ne accorgessimo.

Curiosità sul progetto visionario? Bene eccolo:

Riqualificazione del Centro Candiani di Mestre (in realtà all’epoca solo un oggetto incompiuto di due grandi architetti veneziani). L’idea (non completamente mia, ma portata all’estremo per l’epoca da me) era semplicemente questa: facciamo del Candiani un museo interattivo dell’arte digitale sulla falsariga di alcune realizzazioni simili che stavano nascendo a Tokio, Karlsruhe e Linz. In sostanza un grande videogioco il cui soggetto variava di volta in volta: Una mostra di quadri (veri) con un avatar artificiale che mi appare quando mi soffermo davanti ad un’opera, una rappresentazione artistica in cui anche il pubblico manipola gli artisti e cose del genere. Il CAVE faceva parte del gioco (e molte altre cose che all’epoca mi ispiravano). C’era anche il ritorno economico: la tecnologia costava tantissimo all’epoca e si dovevano utilizzare macchine estremamente potenti e allora perchè non le noleggiamo alle società private per fare ricerca quando queste sono inattive? (anche questa idea non originale, l’aveva inventata penso un certo Ross Perot se non sbaglio) . In quel periodo si era ispirati da rare riviste ormai sparite che precorrevano i tempi

Purtroppo progetto troppo avanti nel tempo che ovviamente non è stato portato avanti.

Comunque grazie Nova, pur nella tua superficialità (solo per questo articolo, intendiamoci) mi hai fatto ripercorrere alcuni dei miei progetti più cari.

Articoli Correlati

USN-977-1: MoinMoin vulnerabilities

Referenced CVEs: 
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970

Description: 
===========================================================
Ubuntu Security Notice USN-977-1 August 25, 2010
moin vulnerabilities
CVE-2010-2487, CVE-2010-2969, CVE-2010-2970
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
python2.4-moinmoin 1.5.2-1ubuntu2.7

Ubuntu 8.04 LTS:
python-moinmoin 1.5.8-5.1ubuntu2.5

Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.5

Ubuntu 9.10:
python-moinmoin 1.8.4-1ubuntu1.3

Ubuntu 10.04 LTS:
python-moinmoin 1.9.2-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that MoinMoin did not properly sanitize its input,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.

Articoli Correlati

  • No Related Posts

USN-976-1: Tomcat vulnerability

Referenced CVEs: 
CVE-2010-2227

Description: 
===========================================================
Ubuntu Security Notice USN-976-1 August 25, 2010
tomcat6 vulnerability
CVE-2010-2227
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
libtomcat6-java 6.0.18-0ubuntu6.3

Ubuntu 9.10:
libtomcat6-java 6.0.20-2ubuntu2.2

Ubuntu 10.04 LTS:
libtomcat6-java 6.0.24-2ubuntu1.3

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that Tomcat incorrectly handled invalid Transfer-Encoding
headers. A remote attacker could send specially crafted requests containing
invalid headers to the server and cause a denial of service, or possibly
obtain sensitive information from other requests.

Articoli Correlati

  • No Related Posts

USN-974-1: Linux kernel vulnerabilities

Referenced CVEs: 
CVE-2010-2240, CVE-2010-2803, CVE-2010-2959

Description: 
===========================================================
Ubuntu Security Notice USN-974-1 August 19, 2010
linux, linux-{ec2,fsl-imx51,mvl-dove,source-2.6.15,ti-omap} vulnerabilities
CVE-2010-2240, CVE-2010-2803, CVE-2010-2959
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
linux-image-2.6.15-55-386 2.6.15-55.87
linux-image-2.6.15-55-686 2.6.15-55.87
linux-image-2.6.15-55-amd64-generic 2.6.15-55.87
linux-image-2.6.15-55-amd64-k8 2.6.15-55.87
linux-image-2.6.15-55-amd64-server 2.6.15-55.87
linux-image-2.6.15-55-amd64-xeon 2.6.15-55.87
linux-image-2.6.15-55-hppa32 2.6.15-55.87
linux-image-2.6.15-55-hppa32-smp 2.6.15-55.87
linux-image-2.6.15-55-hppa64 2.6.15-55.87
linux-image-2.6.15-55-hppa64-smp 2.6.15-55.87
linux-image-2.6.15-55-itanium 2.6.15-55.87
linux-image-2.6.15-55-itanium-smp 2.6.15-55.87
linux-image-2.6.15-55-k7 2.6.15-55.87
linux-image-2.6.15-55-mckinley 2.6.15-55.87
linux-image-2.6.15-55-mckinley-smp 2.6.15-55.87
linux-image-2.6.15-55-powerpc 2.6.15-55.87
linux-image-2.6.15-55-powerpc-smp 2.6.15-55.87
linux-image-2.6.15-55-powerpc64-smp 2.6.15-55.87
linux-image-2.6.15-55-server 2.6.15-55.87
linux-image-2.6.15-55-server-bigiron 2.6.15-55.87
linux-image-2.6.15-55-sparc64 2.6.15-55.87
linux-image-2.6.15-55-sparc64-smp 2.6.15-55.87

Ubuntu 8.04 LTS:
linux-image-2.6.24-28-386 2.6.24-28.75
linux-image-2.6.24-28-generic 2.6.24-28.75
linux-image-2.6.24-28-hppa32 2.6.24-28.75
linux-image-2.6.24-28-hppa64 2.6.24-28.75
linux-image-2.6.24-28-itanium 2.6.24-28.75
linux-image-2.6.24-28-lpia 2.6.24-28.75
linux-image-2.6.24-28-lpiacompat 2.6.24-28.75
linux-image-2.6.24-28-mckinley 2.6.24-28.75
linux-image-2.6.24-28-openvz 2.6.24-28.75
linux-image-2.6.24-28-powerpc 2.6.24-28.75
linux-image-2.6.24-28-powerpc-smp 2.6.24-28.75
linux-image-2.6.24-28-powerpc64-smp 2.6.24-28.75
linux-image-2.6.24-28-rt 2.6.24-28.75
linux-image-2.6.24-28-server 2.6.24-28.75
linux-image-2.6.24-28-sparc64 2.6.24-28.75
linux-image-2.6.24-28-sparc64-smp 2.6.24-28.75
linux-image-2.6.24-28-virtual 2.6.24-28.75
linux-image-2.6.24-28-xen 2.6.24-28.75

Ubuntu 9.04:
linux-image-2.6.28-19-generic 2.6.28-19.64
linux-image-2.6.28-19-imx51 2.6.28-19.64
linux-image-2.6.28-19-iop32x 2.6.28-19.64
linux-image-2.6.28-19-ixp4xx 2.6.28-19.64
linux-image-2.6.28-19-lpia 2.6.28-19.64
linux-image-2.6.28-19-server 2.6.28-19.64
linux-image-2.6.28-19-versatile 2.6.28-19.64
linux-image-2.6.28-19-virtual 2.6.28-19.64

Ubuntu 9.10:
linux-image-2.6.31-214-dove 2.6.31-214.30
linux-image-2.6.31-214-dove-z0 2.6.31-214.30
linux-image-2.6.31-22-386 2.6.31-22.63
linux-image-2.6.31-22-generic 2.6.31-22.63
linux-image-2.6.31-22-generic-pae 2.6.31-22.63
linux-image-2.6.31-22-ia64 2.6.31-22.63
linux-image-2.6.31-22-lpia 2.6.31-22.63
linux-image-2.6.31-22-powerpc 2.6.31-22.63
linux-image-2.6.31-22-powerpc-smp 2.6.31-22.63
linux-image-2.6.31-22-powerpc64-smp 2.6.31-22.63
linux-image-2.6.31-22-server 2.6.31-22.63
linux-image-2.6.31-22-sparc64 2.6.31-22.63
linux-image-2.6.31-22-sparc64-smp 2.6.31-22.63
linux-image-2.6.31-22-virtual 2.6.31-22.63
linux-image-2.6.31-307-ec2 2.6.31-307.17

Ubuntu 10.04 LTS:
linux-image-2.6.31-608-imx51 2.6.31-608.19
linux-image-2.6.32-208-dove 2.6.32-208.24
linux-image-2.6.32-24-386 2.6.32-24.41
linux-image-2.6.32-24-generic 2.6.32-24.41
linux-image-2.6.32-24-generic-pae 2.6.32-24.41
linux-image-2.6.32-24-ia64 2.6.32-24.41
linux-image-2.6.32-24-lpia 2.6.32-24.41
linux-image-2.6.32-24-powerpc 2.6.32-24.41
linux-image-2.6.32-24-powerpc-smp 2.6.32-24.41
linux-image-2.6.32-24-powerpc64-smp 2.6.32-24.41
linux-image-2.6.32-24-preempt 2.6.32-24.41
linux-image-2.6.32-24-server 2.6.32-24.41
linux-image-2.6.32-24-sparc64 2.6.32-24.41
linux-image-2.6.32-24-sparc64-smp 2.6.32-24.41
linux-image-2.6.32-24-versatile 2.6.32-24.41
linux-image-2.6.32-24-virtual 2.6.32-24.41
linux-image-2.6.32-308-ec2 2.6.32-308.15
linux-image-2.6.33-502-omap 2.6.33-502.10

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)

Kees Cook discovered that under certain situations the ioctl subsystem for
DRM did not properly sanitize its arguments. A local attacker could exploit
this to read previously freed kernel memory, leading to a loss of privacy.
(CVE-2010-2803)

Ben Hawkes discovered an integer overflow in the Controller Area Network
(CAN) subsystem when setting up frame content and filtering certain
messages. An attacker could send specially crafted CAN traffic to crash the
system or gain root privileges. (CVE-2010-2959)

Articoli Correlati

  • No Related Posts

USN-973-1: KOffice vulnerabilities

Referenced CVEs: 
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166, CVE-2009-0195, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-3606, CVE-2009-3608, CVE-2009-3609

Description: 
===========================================================
Ubuntu Security Notice USN-973-1 August 17, 2010
koffice vulnerabilities
CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0166,
CVE-2009-0195, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181, CVE-2009-3606, CVE-2009-3608,
CVE-2009-3609
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.04:
kword 1:1.6.3-7ubuntu6.1

In general, a standard system update will make all the necessary changes.

Details follow:

Will Dormann, Alin Rad Pop, Braden Thomas, and Drew Yao discovered that the
Xpdf used in KOffice contained multiple security issues in its JBIG2
decoder. If a user or automated system were tricked into opening a crafted
PDF file, an attacker could cause a denial of service or execute arbitrary
code with privileges of the user invoking the program. (CVE-2009-0146,
CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179,
CVE-2009-1180, CVE-2009-1181)

It was discovered that the Xpdf used in KOffice contained multiple security
issues when parsing malformed PDF documents. If a user or automated system
were tricked into opening a crafted PDF file, an attacker could cause a
denial of service or execute arbitrary code with privileges of the user
invoking the program. (CVE-2009-3606, CVE-2009-3608, CVE-2009-3609)

KOffice in Ubuntu 9.04 uses a very old version of Xpdf to import PDFs into
KWord. Upstream KDE no longer supports PDF import in KOffice and as a
result it was dropped in Ubuntu 9.10. While an attempt was made to fix the
above issues, the maintenance burden for supporting this very old version
of Xpdf outweighed its utility, and PDF import is now also disabled in
Ubuntu 9.04.

Articoli Correlati

  • No Related Posts

USN-972-1: FreeType vulnerabilities

Referenced CVEs: 
CVE-2010-1797, CVE-2010-2541, CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808

Description: 
===========================================================
Ubuntu Security Notice USN-972-1 August 17, 2010
freetype vulnerabilities
CVE-2010-1797, CVE-2010-2541, CVE-2010-2805, CVE-2010-2806,
CVE-2010-2807, CVE-2010-2808
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
libfreetype6 2.1.10-1ubuntu2.8

Ubuntu 8.04 LTS:
libfreetype6 2.3.5-1ubuntu4.8.04.4

Ubuntu 9.04:
libfreetype6 2.3.9-4ubuntu0.3

Ubuntu 9.10:
libfreetype6 2.3.9-5ubuntu0.2

Ubuntu 10.04 LTS:
libfreetype6 2.3.11-1ubuntu2.2

After a standard system update you need to restart your session to make
all the necessary changes.

Details follow:

It was discovered that FreeType did not correctly handle certain malformed
font files. If a user were tricked into using a specially crafted font
file, a remote attacker could cause FreeType to crash or possibly execute
arbitrary code with user privileges.

Articoli Correlati

  • No Related Posts