:Advisories, October 2, 2006
Advisories, October 2, 2006 0 Talkback[s]
Debian GNU/Linux
Debian Security Advisory DSA 1185-2 security@debian.org http://www.debian.org/security/ Noah Meyerhanshttp://www.debian.org/security/faq
Package : openssl
The fix used to correct CVE-2006-2940 introduced code that could lead to
the use of uninitialized memory. Such use is likely to cause the
application using the openssl library to crash, and has the potential to
allow an attacker to cause the execution of arbitrary code.
For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge4.
For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-3 of the
openssl097 compatibility libraries, and version 0.9.8c-3 of the
openssl package.
We recommend that you upgrade your openssl package. Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.
Upgrade Instructions
wget url
will fetch the file for you
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Alpha architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb
AMD64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb
ARM architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb
HP Precision architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_ia64.deb
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_m68k.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_m68k.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_m68k.deb
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mips.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mips.deb
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mipsel.deb
PowerPC architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_powerpc.deb
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_s390.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_s390.deb
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_sparc.deb
These files will probably be moved into the stable distribution on
its next update.
http://security.debian.org/ stable/updates mainftp://security.debian.org/debian-security dists/stable/updates/maindebian-security-announce@lists.debian.org http://packages.debian.org/<pkg>
Mandriva Linux
Mandriva Linux Security Advisory MDKSA-2006:172-1http://www.mandriva.com/security/
Package : openssl
Problem Description:
Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk ).
When the test suite was run against OpenSSL two denial of service
vulnerabilities were discovered.
During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)
Certain types of public key can take disproportionate amounts of time
to process. This could be used by an attacker in a denial of service
attack. (CVE-2006-2940)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a
list of ciphers that would overrun a buffer. (CVE-2006-3738)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. (CVE-2006-4343)
Updated packages are patched to address these issues.
Update:
There was an error in the original published patches for CVE-2006-2940.
New packages have corrected this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
Updated Packages:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Corporate 4.0:
Corporate 4.0/X86_64:
Multi Network Firewall 2.0:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Mandriva Linux Security Advisory MDKSA-2006:177http://www.mandriva.com/security/
Package : MySQL
Problem Description:
Openssl recently had several vulnerabilities which were patched
(CVE-2006-2937,2940,3738,4339, 4343). Some MySQL versions are built
against a static copy of the SSL libraries. As a precaution an updated
copy built against the new libraries in being made available.
Updated Packages:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:
Multi Network Firewall 2.0:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Mandriva Linux Security Advisory MDKSA-2006:178http://www.mandriva.com/security/
Package : ntp
Problem Description:
Openssl recently had several vulnerabilities which were patched
(CVE-2006-2937,2940,3738,4339, 4343). Some versions of ntp are built
against a static copy of the SSL libraries. As a precaution an updated
copy built against the new libraries in being made available.
Updated Packages:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Mandriva Linux 2007.0:
Mandriva Linux 2007.0/X86_64:
Corporate 4.0:
Corporate 4.0/X86_64:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
Ubuntu
A security issue affects the following Ubuntu releases:
Ubuntu 5.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.10:
firefox 1.5.dfsg+1.5.0.7-0ubuntu5.10.3
After a standard system upgrade you need to restart Firefox to effect
the necessary changes. Since the 1.0.x series of Firefox is not
supported any more, this update introduces the firefox 1.5 series into
Ubuntu 5.10. Please check whether all your extensions still work as
expected.
Details follow:
Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious URL. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801,
CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807,
CVE-2006-3809, CVE-2006-3811, CVE-2006-3812, CVE-2006-4253,
CVE-2006-4565, CVE-2006-4566, CVE-2006-4568, CVE-2006-4569
CVE-2006-4571)
Cross-site scripting vulnerabilities were found in the
XPCNativeWrapper() function and native DOM method handlers. A
malicious web site could exploit these to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-3802, CVE-2006-3810)
A bug was found in the script handler for automatic proxy
configuration. A malicious proxy could send scripts which could
execute arbitrary code with the user's privileges. (CVE-2006-3808)
The NSS library did not sufficiently check the padding of PKCS #1 v1.5
signatures if the exponent of the public key is 3 (which is widely
used for CAs). This could be exploited to forge valid signatures
without the need of the secret key. (CVE-2006-4340)
Jon Oberheide reported a way how a remote attacker could trick users
into downloading arbitrary extensions with circumventing the normal
SSL certificate check. The attacker would have to be in a position to
spoof the victim's DNS, causing them to connect to sites of the
attacker's choosing rather than the sites intended by the victim. If
they gained that control and the victim accepted the attacker's cert
for the Mozilla update site, then the next update check could be
hijacked and redirected to the attacker's site without
detection. (CVE-2006-4567)
Packages which embed or extend Firefox have been updated to work with
the new version.
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3.diff.gz http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3.dsc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7.orig.tar.gz http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1.dsc http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10.orig.tar.gz http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1.dsc http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2.orig.tar.gz http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1.dsc http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1.tar.gz http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10-1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10-1.dsc http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-all_1.5-ubuntu5.10.orig.tar.gz http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1.dsc http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1.orig.tar.gz
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_all.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_all.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp-common_0.10-1ubuntu2.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser-dev_1.8.2-0ubuntu1.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/g/gnome-app-install/gnome-app-install_0+20051005.1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-af-za_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ast-es_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-bg-bg_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-cs-cz_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-da-dk_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-de-de_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-de_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-en-gb_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es-ar_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es-es_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-es_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fi-fi_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fr-fr_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-fr_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ga-ie_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-gu-in_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-he-il_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-hu-hu_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-mk-mk_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-nl-nl_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pa-in_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pl-pl_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pl_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pt-br_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-pt-pt_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ro-ro_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-ru-ru_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sl-si_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sq-al_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sv-se_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/m/mozilla-firefox-locale-all/mozilla-firefox-locale-sv_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-tr-tr_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-xh-za_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-zh-cn_1.5-ubuntu5.10-1_all.deb http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-firefox-locale-all/mozilla-firefox-locale-zh-tw_1.5-ubuntu5.10-1_all.deb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_i386.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.7-0ubuntu5.10.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/devhelp_0.10-1ubuntu2.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/e/epiphany-browser/epiphany-browser_1.8.2-0ubuntu1.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-0_0.10-1ubuntu2.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/d/devhelp/libdevhelp-1-dev_0.10-1ubuntu2.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/y/yelp/yelp_2.12.1-0ubuntu1.1_powerpc.deb
A security issue affects the following Ubuntu releases:
Ubuntu 5.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.04:
Ubuntu 5.10:
Ubuntu 6.06 LTS:
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Tavis Ormandy discovered that the SSH daemon did not properly handle
authentication packets with duplicated blocks. By sending specially
crafted packets, a remote attacker could exploit this to cause the ssh
daemon to drain all available CPU resources until the login grace time
expired. (CVE-2006-4924)
Mark Dowd discovered a race condition in the server's signal handling.
A remote attacker could exploit this to crash the server.
(CVE-2006-5051)
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.3.diff.gz http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.3.dsc http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.9p1-1ubuntu2.3_all.deb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_i386.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.9p1-1ubuntu2.3_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.9p1-1ubuntu2.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.9p1-1ubuntu2.3_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.9p1-1ubuntu2.3_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.9p1-1ubuntu2.3_powerpc.deb
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.2.diff.gz http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1-7ubuntu4.2.dsc http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.1p1.orig.tar.gz
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.1p1-7ubuntu4.2_all.deb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.2_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.2_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.2_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.2_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.2_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.2_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.2_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.2_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.2_i386.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.2_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.2_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.2_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.2_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.2_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.2_powerpc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.1p1-7ubuntu4.2_sparc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.1p1-7ubuntu4.2_sparc.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.1p1-7ubuntu4.2_sparc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.1p1-7ubuntu4.2_sparc.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.1p1-7ubuntu4.2_sparc.deb
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.1.dsc http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1.orig.tar.gz
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.2p1-7ubuntu3.1_all.deb
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.1_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.1_amd64.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.1_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.1_i386.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.1_i386.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.1_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.1_powerpc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.1_powerpc.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.1_powerpc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.1_sparc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.1_sparc.deb http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.1_sparc.udeb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.1_sparc.deb http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.1_sparc.deb
A security issue affects the following Ubuntu releases:
Ubuntu 5.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.04:
Ubuntu 5.10:
Ubuntu 6.06 LTS:
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Will Drewry, of the Google Security Team, discovered buffer overflows
in GDB's DWARF processing. This would allow an attacker to execute
arbitrary code with user privileges by tricking the user into using
GDB to load an executable that contained malicious debugging
information.
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-5ubuntu1.2.diff.gz http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-5ubuntu1.2.dsc http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-5ubuntu1.2_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-5ubuntu1.2_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-5ubuntu1.2_powerpc.deb
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1.dsc http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1_powerpc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.3-6ubuntu2.1_sparc.deb
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1.diff.gz http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1.dsc http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4.orig.tar.gz
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1_amd64.deb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1_i386.deb
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1_powerpc.deb
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_6.4-1ubuntu5.1_sparc.deb
