Linux Today: Linux News On Internet Time.







Advisories, October 10, 2006

Oct 11, 2006, 03:45

Debian GNU/Linux


Debian Security Advisory DSA-1195-1
security@debian.org
http://www.debian.org/security/
Noah Meyerhans
October 10, 2006


Package : openssl096
Vulnerability : denial of service (multiple)
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343

Multiple vulnerabilities have been discovered in the OpenSSL cryptographic software package that could allow an attacker to launch a denial of service attack by exhausting system resources or crashing processes on a victim's computer.

CVE-2006-3738

Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in the SSL_get_shared_ciphers utility function, used by some applications such as exim and mysql. An attacker could send a list of ciphers that would overrun a buffer.

CVE-2006-4343

Tavis Ormandy and Will Drewry of the Google Security Team discovered a possible DoS in the sslv2 client code. Where a client application uses OpenSSL to make an SSLv2 connection to a malicious server, that server could cause the client to crash.

CVE-2006-2940

Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL a DoS was discovered. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack.

For the stable distribution (sarge) these problems have been fixed in version 0.9.6m-1sarge4.

This package exists only for compatibility with older software, and is not present in the unstable or testing branches of Debian.

We recommend that you upgrade your openssl096 package. Note that services linking against the openssl shared libraries will need to be restarted. Common examples of such services include most Mail Transport Agents, SSH servers, and web servers.
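One way to find the services that still need that restart, as an added example that is not part of the advisory: after the package upgrade replaces the library on disk, a running process keeps the old copy mapped, and the kernel marks that mapping with " (deleted)" in /proc/<pid>/maps. The function names, the library paths and the sample maps text are constructed for illustration.

```python
import os
import re

# One /proc/<pid>/maps line: address perms offset dev inode pathname
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(?P<path>/.*)$"
)
# Shared objects that belong to OpenSSL (libssl and libcrypto, any version).
OPENSSL_LIB = re.compile(r"/lib(?:ssl|crypto)[^/]*\.so[^/]*$")
DELETED = " (deleted)"

# Constructed sample of a maps file for a daemon started before the upgrade.
SAMPLE_MAPS = """\
08048000-080c4000 r-xp 00000000 03:01 131075     /usr/sbin/exim4
b7d10000-b7d3f000 r-xp 00000000 03:01 262210     /usr/lib/libssl.so.0.9.6 (deleted)
b7d3f000-b7d42000 rw-p 0002e000 03:01 262210     /usr/lib/libssl.so.0.9.6 (deleted)
b7d50000-b7e2c000 r-xp 00000000 03:01 262208     /usr/lib/libcrypto.so.0.9.6 (deleted)
b7e40000-b7f6a000 r-xp 00000000 03:01 147601     /lib/tls/libc-2.3.2.so
b7f6a000-b7f6d000 rw-p 00000000 00:00 0
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""


def stale_openssl_libs(maps_text):
    """Return sorted OpenSSL library paths that are mapped but replaced on disk."""
    found = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue  # anonymous mapping, [stack], [heap], ...
        path = match.group("path")
        if not path.endswith(DELETED):
            continue  # file on disk is still the one that is mapped
        path = path[: -len(DELETED)]
        if OPENSSL_LIB.search(path):
            found.add(path)
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> (process name, stale libraries) for every readable process."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps")) as fh:
                libs = stale_openssl_libs(fh.read())
        except OSError:
            continue  # process exited, or maps not readable without root
        if not libs:
            continue
        try:
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            name = "?"  # older kernels have no comm file
        results[int(entry)] = (name, libs)
    return results


if __name__ == "__main__":
    print("sample:", stale_openssl_libs(SAMPLE_MAPS))
    for pid, (name, libs) in sorted(scan_proc().items()):
        print(f"restart needed: pid {pid} ({name}) still maps {', '.join(libs)}")
```

Run it as root after the upgrade; an empty result from scan_proc() means no running process still holds the old library.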

Upgrade instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian 3.1 (stable)


Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.


These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:181
http://www.mandriva.com/security/


Package : python
Date : October 10, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0


Problem Description:

A vulnerability in python's repr() function was discovered by Benjamin C. Wiley Sittler. It was found that the function did not properly handle UTF-32/UCS-4 strings, so an application that used repr() on certain untrusted data could possibly be exploited to execute arbitrary code with the privileges of the user running the python application.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980




To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

Ubuntu


Ubuntu Security Notice USN-360-1 October 10, 2006
awstats vulnerabilities
CVE-2006-3681, CVE-2006-3682

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:
awstats 6.3-1ubuntu0.4

Ubuntu 5.10:
awstats 6.4-1ubuntu1.3

Ubuntu 6.06 LTS:
awstats 6.5-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

awstats did not fully sanitize input, which was passed directly to the user's browser, allowing for an XSS attack. If a user was tricked into following a specially crafted awstats URL, the user's authentication information could be exposed for the domain where awstats was hosted. (CVE-2006-3681)

awstats could display its installation path under certain conditions. However, this might only become a concern if awstats is installed into a user's home directory. (CVE-2006-3682)



Ubuntu Security Notice USN-361-1 October 10, 2006
mozilla vulnerabilities
CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3811, CVE-2006-4340, CVE-2006-4565, CVE-2006-4568, CVE-2006-4570, CVE-2006-4571

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:

libnspr4 2:1.7.13-0ubuntu05.04.2
libnss3 2:1.7.13-0ubuntu05.04.2
mozilla-browser 2:1.7.13-0ubuntu05.04.2
mozilla-mailnews 2:1.7.13-0ubuntu05.04.2
mozilla-psm 2:1.7.13-0ubuntu05.04.2

Ubuntu 5.10:

libnspr4 2:1.7.13-0ubuntu5.10.2
libnss3 2:1.7.13-0ubuntu5.10.2
mozilla-browser 2:1.7.13-0ubuntu5.10.2
mozilla-mailnews 2:1.7.13-0ubuntu5.10.2
mozilla-psm 2:1.7.13-0ubuntu5.10.2

After a standard system upgrade you need to restart Mozilla to effect the necessary changes.

Details follow:

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious URL. (CVE-2006-2788, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-4565, CVE-2006-4568, CVE-2006-4571)

A bug was found in the script handler for automatic proxy configuration. A malicious proxy could send scripts which could execute arbitrary code with the user's privileges. (CVE-2006-3808)

The NSS library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge valid signatures without the need of the secret key. (CVE-2006-4340)

Georgi Guninski discovered that even with JavaScript disabled, a malicious email could still execute JavaScript when the message is viewed, replied to, or forwarded by putting the script in a remote XBL file loaded by the message. (CVE-2006-4570)
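The padding check behind CVE-2006-4340, as an added example that is not NSS code or part of the notice: a verifier that parses the recovered PKCS #1 v1.5 block field by field can stop reading after the hash, while a strict verifier rebuilds the one valid block and compares all of it. The function names, the SHA-1 choice and the sample blocks are assumptions made for illustration; `em` stands for the block recovered from the signature with the public key.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (PKCS #1 v1.5, RFC 8017 section 9.2).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def expected_em(message, k):
    """Build the only valid encoded block for `message` and a k-byte modulus:
    00 01 FF..FF 00 DigestInfo, with the hash right-justified."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strict_check(em, message):
    """Accept only a byte-for-byte match with the expected block."""
    try:
        reference = expected_em(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, reference)


def lax_check(em, message):
    """Insufficient check of the kind the notice describes (illustrative):
    walks the fields left to right and never looks past the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    # Flaw: nothing verifies that the hash ends at the last byte of the
    # block, so whatever follows it is ignored.
    return em[i:i + len(t)] == t


def em_with_trailing_bytes(message, k):
    """Constructed malformed block: short padding, hash not right-justified,
    remaining bytes filled with 0xAA."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\xaa" * (k - len(head))


if __name__ == "__main__":
    msg = b"constructed message"
    k = 128  # 1024-bit modulus
    for label, em in (("well-formed", expected_em(msg, k)),
                      ("trailing bytes", em_with_trailing_bytes(msg, k))):
        print(f"{label:15} lax={lax_check(em, msg)} strict={strict_check(em, msg)}")
```

The strict comparison leaves no unchecked bytes in the block, which is why it rejects the malformed sample that the field-by-field parser accepts.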



Ubuntu Security Notice USN-362-1 October 10, 2006
php4, php5 vulnerabilities
CVE-2006-4485, CVE-2006-4486, CVE-2006-4625, CVE-2006-4812

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.04:

libapache2-mod-php4 4:4.3.10-10ubuntu4.8
php4-cgi 4:4.3.10-10ubuntu4.8
php4-cli 4:4.3.10-10ubuntu4.8

Ubuntu 5.10:

libapache2-mod-php5 5.0.5-2ubuntu1.5
php5-cgi 5.0.5-2ubuntu1.5
php5-cli 5.0.5-2ubuntu1.5

Ubuntu 6.06 LTS:

libapache2-mod-php5 5.1.2-1ubuntu3.3
php5-cgi 5.1.2-1ubuntu3.3
php5-cli 5.1.2-1ubuntu3.3

After a standard system upgrade you need to restart Apache with

sudo /etc/init.d/apache2 restart

to effect the necessary changes.

Details follow:

The stripos() function did not check for invalidly long or empty haystack strings. In an application that uses this function on arbitrary untrusted data this could be exploited to crash the PHP interpreter. (CVE-2006-4485)

An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the "memory_limit" setting was not enforced correctly. A remote attacker could exploit this to cause a Denial of Service attack through memory exhaustion. (CVE-2006-4486)

Maksymilian Arciemowicz discovered that security relevant configuration options like open_basedir and safe_mode (which can be configured in Apache's httpd.conf) could be bypassed and reset to their default value in php.ini by using the ini_restore() function.