[Admins] Ubuntu Package Updates on infiltrator

root root at stdlib.net
Wed May 2 07:35:28 IST 2007


apticron report [Wed, 02 May 2007 07:35:16 +0100]
========================================================================

apticron has detected that some packages need upgrading on: 

	infiltrator.gizzard.com 
	[ 127.0.1.1 85.91.5.16 2001:770:100:77::2 ]

The following packages are currently pending an upgrade:

	app-install-data-commercial 5.5
	libapache2-mod-php5 5.1.2-1ubuntu3.7
	libfreetype6 2.1.10-1ubuntu2.3
	libfreetype6-dev 2.1.10-1ubuntu2.3
	libkrb53 1.4.3-5ubuntu0.3
	libpq4 8.1.9-0ubuntu0.6.06
	libx11-6 2:1.0.0-0ubuntu9.1
	libxfont1 1:1.0.0-0ubuntu3.3
	linux-image-2.6.15-28-sparc64-smp 2.6.15-28.53
	locales 2.3.18.3
	php5 5.1.2-1ubuntu3.7
	php5-cgi 5.1.2-1ubuntu3.7
	php5-cli 5.1.2-1ubuntu3.7
	php5-common 5.1.2-1ubuntu3.7
	php5-gd 5.1.2-1ubuntu3.7
	php5-mysql 5.1.2-1ubuntu3.7
	php5-mysqli 5.1.2-1ubuntu3.7
	php5-pgsql 5.1.2-1ubuntu3.7
	rdesktop 1.4.1-1.1ubuntu0.6.06
	xserver-xorg-core 1:1.0.2-0ubuntu10.6

========================================================================

Package Details:

Reading changelogs...
--- Changes for linux-source-2.6.15 (linux-image-2.6.15-28-sparc64-smp) ---
linux-source-2.6.15 (2.6.15-28.53) dapper-security; urgency=low

  [ Kyle McMartin ]

  * Disable irqs while applying alternative insns (i386/x86_64)

  [ David S. Miller ]

  * Fix mach64 with gcc-4.1 and later...

 -- Kyle McMartin <kyle at ubuntu.com>  Tue, 13 Mar 2007 14:34:21 -0400

linux-source-2.6.15 (2.6.15-28.52) dapper-security; urgency=medium

  [ security ]

  * CVE-2007-0772: Fix a free-wrong-pointer bug in nfs/acl server
  * CVE-2007-0006: Fix key serial number collision handling
  * CVE-2007-0958: [PATCH] core-dumping unreadable binaries via PT_INTERP

 -- Kyle McMartin <kyle at ubuntu.com>  Wed, 28 Feb 2007 11:49:37 -0500

--- Changes for app-install-data-commercial ---
app-install-data-commercial (5.5) dapper-updates; urgency=low

  * uploading to dapper-updates after successful SRU verification
    by Brian Murray  (LP#105847)

 -- Michael Vogt <michael.vogt at ubuntu.com>  Thu, 12 Apr 2007 23:22:21 +0200

app-install-data-commercial (5.4) dapper-proposed; urgency=low

  * added db2 

 -- Michael Vogt <michael.vogt at ubuntu.com>  Thu, 12 Apr 2007 12:43:32 +0200

--- Changes for freetype (libfreetype6 libfreetype6-dev) ---
freetype (2.1.10-1ubuntu2.3) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via integer overflows.
  * Add debian/patches/404-bdf-integer.patch from upstream changes.
  * References
    CVE-2007-1351

 -- Kees Cook <kees at ubuntu.com>  Mon,  2 Apr 2007 15:52:43 -0700

--- Changes for krb5 (libkrb53) ---
krb5 (1.4.3-5ubuntu0.3) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary login via telnet, arbitrary code execution
    via syslog buffer overflows, and heap corruption via GSS api.
  * src/appl/telnet/telnetd/{state,sys_term}.c: MIT-SA-2007-1 fix from
    upstream (CVE-2007-0956).
  * src/lib/kadm5/logger.c: MIT-SA-2007-2 fix from Debian, based on
    upstream fixes (CVE-2007-0957).
  * src/lib/gssapi/krb5/k5unseal.c: MIT-SA-2007-3 fix from upstream
    (CVE-2007-1216).
  * References
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt

 -- Kees Cook <kees at ubuntu.com>  Tue,  3 Apr 2007 15:50:20 -0700

--- Changes for langpack-locales (locales) ---
langpack-locales (2.3.18.3) dapper-updates; urgency=low

  * Upload to dapper-updates, thanks to Michael Vogt for the verification.
    (LP: #96244)

 -- Martin Pitt <martin.pitt at ubuntu.com>  Thu, 19 Apr 2007 12:26:43 +0200

langpack-locales (2.3.18.3~prop1) dapper-proposed; urgency=low

  * Replace debian/tzdata2007b.tar.gz with new version tzdata2007e:
    - Updates some DST rules. (LP: #96244)
    - Introduces two new time zones (America/Indiana/Winamac and
      America/Resolute).
    - No removals/merges/splits.

 -- Martin Pitt <martin.pitt at ubuntu.com>  Tue, 17 Apr 2007 15:31:13 +0200

--- Changes for libx11 (libx11-6) ---
libx11 (2:1.0.0-0ubuntu9.1) dapper-security; urgency=low

  * SECURITY UPDATE: Multiple integer overflows in the XGetPixel()
    and XInitImage functions.
  * src/ImUtil.c: upstream fix.
  * References
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045
    CVE-2007-1667

 -- Timo Aaltonen <tepsipakki at ubuntu.com>  Wed,  4 Apr 2007 00:55:10 +0300

--- Changes for libxfont (libxfont1) ---
libxfont (1:1.0.0-0ubuntu3.3) dapper-security; urgency=low

  * SECURITY UPDATE: root privilege escalation with BDF font overflows.
  * src/bitmap/bdfread.c, src/fontfile/fontdir.c: upstream fixes to stop
    integer overflows.
  * References
    CVE-2007-1351 CVE-2007-1352

 -- Kees Cook <kees at ubuntu.com>  Thu, 29 Mar 2007 18:07:27 -0700

--- Changes for php5 (libapache2-mod-php5 php5 php5-cgi php5-cli php5-common php5-gd php5-mysql php5-mysqli php5-pgsql) ---
php5 (5.1.2-1ubuntu3.7) dapper-security; urgency=low

  * SECURITY UPDATE: multiple security vulnerabilities fixed.  Thanks to
    Moritz Muehlenhoff and Sean Finney.
  * MOPB-10.patch: php_binary Session Deserialization Information Leak
    (CVE-2007-1380)
  * MOPB-14.patch: substr_compare() Information Leak (CVE-2007-1375)
  * MOPB-15.patch: shmop Functions Resource Verification (CVE-2007-1376)
  * MOPB-22.patch: session_regenerate_id() Double Free (CVE-2007-1521)
  * MOPB-24.patch: array_user_key_compare() Double DTOR (CVE-2007-1484)
  * MOPB-26.patch: mb_parse_str() register_globals Activation
    (CVE-2007-1583)
  * MOPB-30.patch: _SESSION unset() (CVE-2007-1700)
  * MOPB-34.patch: mail() Header Injection (CVE-2007-1718)
  * MOPB-41.patch: sqlite_udf_decode_binary() Buffer Overflow
    (CVE-2007-1887 CVE-2007-1888)
  * MOPB-42.patch: php_stream_filter_create() Off By One (CVE-2007-1824)

 -- Kees Cook <kees at ubuntu.com>  Mon, 23 Apr 2007 16:38:58 -0700

--- Changes for postgresql-8.1 (libpq4) ---
postgresql-8.1 (8.1.9-0ubuntu0.6.06) dapper-security; urgency=low

  * New upstream security/bugfix release:
    - Support explicit placement of the temporary-table schema within
      search_path, and disable searching it for functions and operators.
      This is needed to allow a security-definer function to set a truly
      secure value of search_path. Without it, an unprivileged SQL user
      can use temporary objects to execute code with the privileges of
      the security-definer function (CVE-2007-2138). See "CREATE
      FUNCTION" for more information.
    - "/contrib/tsearch2" crash fixes.
    - Require "COMMIT PREPARED" to be executed in the same database as
      the transaction was prepared in.
    - Fix potential-data-corruption bug in how "VACUUM FULL" handles
      "UPDATE" chains.
    - Planner fixes, including improving outer join and bitmap scan
      selection logic.
    - Fix PANIC during enlargement of a hash index (bug introduced in
      8.1.6).
    - Fix POSIX-style timezone specs to follow new USA DST rules.

 -- Martin Pitt <martin.pitt at ubuntu.com>  Mon, 23 Apr 2007 09:44:15 +0200

--- Changes for rdesktop ---
rdesktop (1.4.1-1.1ubuntu0.6.06) dapper-security; urgency=low

  * Fix API usage mistake uncovered by libx11 security update.
  * xwin.c: apply patch from upstream cvs, thanks to upstream Michael Gernoth,
    Reinhard Tartler (LP: #104332).
  * References
    http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/xwin.c?r1=1.222&r2=1.223&view=patch

 -- Kees Cook <kees at ubuntu.com>  Mon, 23 Apr 2007 09:12:58 -0700

--- Changes for xorg-server (xserver-xorg-core) ---
xorg-server (1:1.0.2-0ubuntu10.6) dapper-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution with root privileges via
    integer overflows in MISC-XC.
  * Add debian/patches/994_misc_xc_overflows.dpatch: upstream fixes.
  * References
    CVE-2007-1003

 -- Kees Cook <kees at ubuntu.com>  Thu, 29 Mar 2007 18:18:37 -0700

========================================================================

You can perform the upgrade by issuing the command:

	apt-get dist-upgrade

as root on infiltrator.gizzard.com

It is recommended that you simulate the upgrade first to confirm that
the actions that would be taken are reasonable. The upgrade may be 
simulated by issuing the command:

	apt-get -s dist-upgrade

-- 
apticron



More information about the Admins mailing list