
Re: Microsoft: 5 Unpatched "Critical" Holes Can Allow Hijacker to Take Control of Windows

  • Subject: Re: Microsoft: 5 Unpatched "Critical" Holes Can Allow Hijacker to Take Control of Windows
  • From: "Larry Qualig" <lqualig@xxxxxxxxx>
  • Date: 15 Nov 2006 13:10:18 -0800
  • Complaints-to: groups-abuse@google.com
  • In-reply-to: <pan.2006.11.15.20.45.54.393729@NOJUNKrocketcomp.com.au>
  • Injection-info: h48g2000cwc.googlegroups.com; posting-host=64.130.224.20; posting-account=I0FyeA0AAABAUAjJ9vi7laKRssUBoQA3
  • Newsgroups: comp.os.linux.advocacy
  • Organization: http://groups.google.com
  • References: <1660089.sFhN97C1R7@schestowitz.com> <pan.2006.11.15.20.45.54.393729@NOJUNKrocketcomp.com.au>
  • User-agent: G2/1.0
  • Xref: news.mcc.ac.uk comp.os.linux.advocacy:1182485
Ian Semmel wrote:
> On Wed, 15 Nov 2006 00:57:05 +0000, Roy Schestowitz wrote:
>
> > Microsoft warns of 5 "critical" security holes
> >
> > ,----[ Quote ]
> > | Microsoft Corp.  on Tuesday issued five
> > | "critical" security patches to fix flaws in its software
> > | that the company warned could allow attackers to take
> > | control of a user's computer.
> > `----
> >
> > http://news.yahoo.com/s/nm/20061114/tc_nm/microsoft_security_dc
> >
> > Does your bank have Windows servers...? How about your hospital...?
> >
> > 5 holes.
> >
> > Critical.
> >
> > Unpatched.
> >
> > Exploits 'in the wild'.
>
> So the security patches that ubuntu loaded down to my machine yesterday
> weren't critical ? Why do they bother then ?


I'm guessing that these are the same updates that my Ubuntu machine
needed. (Someone ought to tell Roy about this new concept... Operating
Systems need updates. He seems to think that only Windows gets updated.
After all, it's "News" to him.)

Altogether Ubu is reporting that I need to download 406-Megs. But
that's only for the updates that it's able to install. There are
several items (see below) that can't be updated. It appears that it
wants me to "update your system completely."


Version 2.16.1cvs20060117-1ubuntu2.1:

  * SECURITY UPDATE: Crash and possible arbitrary code execution in apps using
    libbfd (such as 'strings').
  * Add debian/patches/130_tekhex_buffer_overflow.dpatch:
    - Fix buffer overflow on hexadecimal number parsing in the Tektronix Hex
      Format BFD library backend.
    - Patch ported from CVS HEAD.
  * CVE-2006-2362


Version 1:9.3.2-2ubuntu1.1:

  * SECURITY UPDATE:
  * bin/named/query.c, lib/dns/resolver.c: Apply upstream patch from 9.3.2-P1
    to fix the following flaws:
    - A remote user (DNS server) can send specially crafted RRset responses in
      return to a recursive SIG query to cause the requesting named service to
      crash [CVE-2006-4095].
    - A remote user can also send specially crafted queries to trigger an
      INSIST failure and cause the requesting service(s) to crash
      [CVE-2006-4096].


Version 1.5.dfsg+1.5.0.7-ubuntu0.6.06:

  * New upstream security update:
    - MFSA 2006-64, CVE-2006-4571: Crashes with evidence of memory corruption
      (rv:1.8.0.7)
    - MFSA 2006-62, CVE-2006-4569: Popup-blocker cross-site scripting (XSS)
    - MFSA 2006-61, CVE-2006-4568: Frame spoofing using document.open()
    - MFSA 2006-60, CVE-2006-4340: RSA Signature Forgery
    - MFSA 2006-59, CVE-2006-4253: Concurrency-related vulnerability
    - MFSA 2006-58, CVE-2006-4567: Auto-Update compromise through DNS and SSL
      spoofing
    - MFSA 2006-57, CVE-2006-4565, CVE-2006-4566: JavaScript Regular Expression
      Heap Corruption

Version 2.14.6-0ubuntu2.1:

  * SECURITY UPDATE: Configure gdm as normal user.
  * Add debian/patches/91_from_cvs_no_configure_as_user.patch:
    - Prevent normal users from configuring gdm by clicking on their name on
      the userlist and entering their own (instead of the root) password.

Version 3.0.22-1ubuntu3.1:

  * SECURITY UPDATE: Remote DoS.
  * Add debian/patches/track_connection_dos.patch:
    - Limit active connections to 2048 to avoid DoS due to unbound array
      growing when tracking active connections.
    - CVE-2006-3403

etc, etc.




****** Here's the part where it has problems *****


<quote>

Cannot install all available updates

Some updates require the removal of further software. Use the function
"Smart Upgrade" of the package manager "Synaptic" or run "sudo apt-get
dist-upgrade" in a terminal to update your system completely.

The following updates will be skipped:
dmsetup
eject
gnome-app-install
gstreamer0.10-plugins-good
imake
librdf0
linux-image-386
linux-restricted-modules-386
lvm2
notification-daemon
openoffice.org-gnome
python-mysqldb
python2.4-mysqldb
ubuntu-desktop
ubuntu-minimal
udev
update-manager
xserver-xorg-input-all

</quote>

