Ubuntu News
Canonical Adds Advanced Enterprise Features to Latest Version of Systems Management Tool
New 'Landscape' supports Ubuntu 10.04 LTS migration and cloud deployments for enterprises
London, 25th May 2010: Canonical today announced the latest version of its Ubuntu-dedicated systems management tool, which simplifies enterprise deployments with tools to configure multiple servers, connect to single sign-on (SSO) authentication systems and manage cloud topologies.
USN-944-1: GNU C Library vulnerabilities
Referenced CVEs:
CVE-2008-1391, CVE-2010-0296, CVE-2010-0830
Description:
===========================================================
Ubuntu Security Notice USN-944-1 May 25, 2010
glibc, eglibc vulnerabilities
CVE-2008-1391, CVE-2010-0296, CVE-2010-0830
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libc6 2.3.6-0ubuntu20.6
Ubuntu 8.04 LTS:
libc6 2.7-10ubuntu6
Ubuntu 9.04:
libc6 2.9-4ubuntu6.2
Ubuntu 9.10:
libc6 2.10.1-0ubuntu17
Ubuntu 10.04 LTS:
libc6 2.11.1-0ubuntu7.1
After a standard system update you need to restart all services to make
the necessary changes.
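The "restart all services" step matters because a process that was started before the upgrade keeps the old libc mapped in memory until it restarts; the kernel reports such mappings in /proc/<pid>/maps with a "(deleted)" suffix once the file on disk has been replaced. The following added example (not part of the notice, and not Ubuntu's own tooling) lists processes that still map a deleted libc file. The maps text in SAMPLE_MAPS is constructed for the demonstration; read_proc_maps() reads the real /proc on a host.

```python
"""Find processes that still map a deleted (i.e. since-upgraded) libc.

Added example, not part of USN-944-1.  SAMPLE_MAPS is a constructed stand-in
for /proc/<pid>/maps; read_proc_maps() collects the real files on a host.
"""
import os
import re

# Constructed /proc/<pid>/maps excerpts: pid 1234 started before the upgrade
# (old libc file is now "(deleted)"), pid 5678 started after it.
SAMPLE_MAPS = {
    1234: (
        "00400000-004ff000 r-xp 00000000 08:01 1048600  /usr/sbin/sshd\n"
        "7f2c3a1c0000-7f2c3a35c000 r-xp 00000000 08:01 393529  /lib/libc-2.11.1.so (deleted)\n"
        "7f2c3a35c000-7f2c3a55b000 ---p 0019c000 08:01 393529  /lib/libc-2.11.1.so (deleted)\n"
        "7fff5a3e0000-7fff5a401000 rw-p 00000000 00:00 0       [stack]\n"
    ),
    5678: (
        "00400000-00420000 r-xp 00000000 08:01 1048601  /usr/sbin/cron\n"
        "7f0000000000-7f000019c000 r-xp 00000000 08:01 393530  /lib/libc-2.11.1.so\n"
    ),
}

DELETED_SUFFIX = " (deleted)"


def stale_library_mappings(maps_by_pid, library=r"libc[-.]"):
    """Return {pid: [paths]} for processes mapping a deleted file whose path
    matches the `library` regex.  maps_by_pid maps pid -> maps file text."""
    pattern = re.compile(library)
    stale = {}
    for pid, text in maps_by_pid.items():
        for line in text.splitlines():
            # address perms offset dev inode [pathname]; pathname may contain spaces
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping with no backing file
            path = fields[5]
            if path.endswith(DELETED_SUFFIX) and pattern.search(path):
                stale.setdefault(pid, set()).add(path[: -len(DELETED_SUFFIX)])
    return {pid: sorted(paths) for pid, paths in stale.items()}


def read_proc_maps():
    """Collect /proc/<pid>/maps for every process this user may read."""
    maps = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                maps[int(entry)] = fh.read()
        except OSError:
            continue  # process exited, or not ours to inspect
    return maps


if __name__ == "__main__":
    # On a real host: for pid, paths in stale_library_mappings(read_proc_maps()).items()
    for pid, paths in stale_library_mappings(SAMPLE_MAPS).items():
        print(f"pid {pid} still maps deleted {', '.join(paths)}; restart it")
```

Run as root to see every process; unprivileged, only your own processes are readable. The same scan generalises to any shared library an advisory replaces by passing a different `library` pattern.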
Details follow:
Maksymilian Arciemowicz discovered that the GNU C library did not
correctly handle integer overflows in the strfmon function. If a user
or automated system were tricked into processing a specially crafted
format string, a remote attacker could crash applications, leading to
a denial of service. (Ubuntu 10.04 was not affected.) (CVE-2008-1391)
Jeff Layton and Dan Rosenberg discovered that the GNU C library did not
correctly handle newlines in the mntent family of functions. If a local
attacker were able to inject newlines into a mount entry through other
vulnerable mount helpers, they could disrupt the system or possibly gain
root privileges. (CVE-2010-0296)
Dan Rosenberg discovered that the GNU C library did not correctly validate
certain ELF program headers. If a user or automated system were tricked
into verifying a specially crafted ELF program, a remote attacker could
execute arbitrary code with user privileges. (CVE-2010-0830)
USN-942-1: PostgreSQL vulnerabilities
Referenced CVEs:
CVE-2010-1169, CVE-2010-1170, CVE-2010-1975
Description:
===========================================================
Ubuntu Security Notice USN-942-1 May 21, 2010
postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerabilities
CVE-2010-1169, CVE-2010-1170, CVE-2010-1975
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
postgresql-plperl-8.1 8.1.21-0ubuntu0.6.06
postgresql-pltcl-8.1 8.1.21-0ubuntu0.6.06
Ubuntu 8.04 LTS:
postgresql-plperl-8.3 8.3.11-0ubuntu8.04
postgresql-pltcl-8.3 8.3.11-0ubuntu8.04
Ubuntu 9.04:
postgresql-plperl-8.3 8.3.11-0ubuntu9.04
postgresql-pltcl-8.3 8.3.11-0ubuntu9.04
Ubuntu 9.10:
postgresql-plperl-8.4 8.4.4-0ubuntu9.10
postgresql-pltcl-8.4 8.4.4-0ubuntu9.10
Ubuntu 10.04 LTS:
postgresql-plperl-8.4 8.4.4-0ubuntu10.04
postgresql-pltcl-8.4 8.4.4-0ubuntu10.04
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
Details follow:
It was discovered that the Safe.pm module as used by PostgreSQL did not
properly restrict PL/perl procedures. If PostgreSQL was configured to use
Perl stored procedures, a remote authenticated attacker could exploit this
to execute arbitrary Perl code. (CVE-2010-1169)
It was discovered that PostgreSQL did not properly check permissions to
restrict PL/Tcl procedures. If PostgreSQL was configured to use Tcl stored
procedures, a remote authenticated attacker could exploit this to execute
arbitrary Tcl code. (CVE-2010-1170)
It was discovered that PostgreSQL did not properly check privileges during
certain RESET ALL operations. A remote authenticated attacker could exploit
this to remove all special parameter settings for a user or database.
(CVE-2010-1975)
USN-941-1: MoinMoin vulnerability
Referenced CVEs:
CVE-2009-4762
Description:
===========================================================
Ubuntu Security Notice USN-941-1 May 20, 2010
moin vulnerability
CVE-2009-4762
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.04:
python-moinmoin 1.8.2-2ubuntu2.4
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that MoinMoin incorrectly handled hierarchical access
control lists. Users could bypass intended access controls under certain
circumstances.
USN-940-1: Kerberos vulnerabilities
Referenced CVEs:
CVE-2007-5902, CVE-2007-5971, CVE-2007-5972, CVE-2010-1320, CVE-2010-1321
Description:
===========================================================
Ubuntu Security Notice USN-940-1 May 19, 2010
krb5 vulnerabilities
CVE-2007-5902, CVE-2007-5971, CVE-2007-5972, CVE-2010-1320,
CVE-2010-1321
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
krb5-kdc 1.4.3-5ubuntu0.11
libkrb53 1.4.3-5ubuntu0.11
Ubuntu 8.04 LTS:
krb5-admin-server 1.6.dfsg.3~beta1-2ubuntu1.5
krb5-kdc 1.6.dfsg.3~beta1-2ubuntu1.5
Ubuntu 9.04:
krb5-admin-server 1.6.dfsg.4~beta1-5ubuntu2.4
krb5-kdc 1.6.dfsg.4~beta1-5ubuntu2.4
Ubuntu 9.10:
krb5-admin-server 1.7dfsg~beta3-1ubuntu0.6
krb5-kdc 1.7dfsg~beta3-1ubuntu0.6
In general, a standard system update will make all the necessary changes.
Details follow:
It was discovered that Kerberos did not correctly free memory in the
GSSAPI and kdb libraries. If a remote attacker were able to manipulate
an application using these libraries carefully, the service could
crash, leading to a denial of service. (Only Ubuntu 6.06 LTS was
affected.) (CVE-2007-5902, CVE-2007-5971, CVE-2007-5972)
Joel Johnson, Brian Almeida, and Shawn Emery discovered that Kerberos
did not correctly verify certain packet structures. An unauthenticated
remote attacker could send specially crafted traffic to cause the KDC or
kadmind services to crash, leading to a denial of service. (CVE-2010-1320,
CVE-2010-1321)
USN-939-1: X.org vulnerabilities
Referenced CVEs:
CVE-2009-1573, CVE-2010-1166
Description:
===========================================================
Ubuntu Security Notice USN-939-1 May 18, 2010
xorg-server vulnerabilities
CVE-2009-1573, CVE-2010-1166
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
xserver-xorg-core 2:1.4.1~git20080131-1ubuntu9.3
xvfb 2:1.4.1~git20080131-1ubuntu9.3
Ubuntu 9.04:
xserver-xorg-core 2:1.6.0-0ubuntu14.2
xvfb 2:1.6.0-0ubuntu14.2
Ubuntu 9.10:
xserver-xorg-core 2:1.6.4-2ubuntu4.3
After a standard system update you need to restart your session to make
all the necessary changes.
Details follow:
Loïc Minier discovered that xvfb-run did not correctly keep the
X.org session cookie private. A local attacker could gain access
to any local sessions started by xvfb-run. Ubuntu 9.10 was not
affected. (CVE-2009-1573)
It was discovered that the X.org server did not correctly handle
certain calculations. A remote attacker could exploit this to
crash the X.org session or possibly run arbitrary code with root
privileges. (CVE-2010-1166)