"Ubuntu Security Notice USN-732-1 March 10, 2009
dash vulnerability
CVE-2009-0854
==========================
==========================
=========
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
dash 0.5.4-8ubuntu1.1
Ubuntu 8.10:
dash 0.5.4-9ubuntu1.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Wolfgang M. Reimer discovered that dash, when invoked as a login shell, wou=
ld
source .profile files from the current directory. Local users may be able t=
o
bypass security restrictions and gain root privileges by placing specially
crafted .profile files where they might get sourced by other dash users.
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1.diff.gz
Size/MD5: 171656 5f74e0a922546193a9e6279ad8680c76
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1.dsc
Size/MD5: 697 e78236937fea17c0c7a43427321b1ce6
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.=
gz
Size/MD5: 212145 bc457e490a589d2f87f2333616b67931
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-8ubunt=
u1.1_all.deb
Size/MD5: 22068 82557822348627c1b240069e431886e2
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1_amd64.deb
Size/MD5: 96918 b8d43124e5353042c7fd93fcc5c19cc9
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-8ubuntu1.=
1_i386.deb
Size/MD5: 87952 6bc4578aea92450f8e00625fd7a7755a
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_lpia.deb
Size/MD5: 88194 a90de1a5dedb9cbaeb65537e8e933356
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_powerpc.=
deb
Size/MD5: 97400 5e2187820648d980b4edaa4e4a71b6c5
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-8ubuntu1.1_sparc.de=
b
Size/MD5: 91072 dc5e22376445e185eacdaa049421c866
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1.diff.gz
Size/MD5: 129759 b5363e9ff9550e89dec4be8ddc408607
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1.dsc
Size/MD5: 1083 dc87a11f64c53960ffb1f55dc42a253f
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4.orig.tar.=
gz
Size/MD5: 212145 bc457e490a589d2f87f2333616b67931
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/d/dash/ash_0.5.4-9ubunt=
u1.1_all.deb
Size/MD5: 22286 9a34d34a67d46b8fa42584a2a7d61f76
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1_amd64.deb
Size/MD5: 99406 8703819fce4bc25f65caa350de05763c
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/d/dash/dash_0.5.4-9ubuntu1.=
1_i386.deb
Size/MD5: 90266 9d8931f5ef08f4d649127db0ab644f8e
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_lpia.deb
Size/MD5: 90322 a0db897e7a7c5a7706d71674bad025ee
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_powerpc.=
deb
Size/MD5: 99500 a583f4a7fc59a7495cb3615c4af54b05
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/d/dash/dash_0.5.4-9ubuntu1.1_sparc.de=
b
Size/MD5: 93030 1bd3a8c0907e56cb2ed17c572e61842b
--=-UJW/IxyRJzuGmm9cjozh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEABECAAYFAkm2m1gACgkQLMAs/0C4zNqpSgCeLpcCwv2HxQbBl47MmmbGyyJn
FHIAnAqxJRRcam0OyXgwgOY+WuUpfvld
=cZeU
-----END PGP SIGNATURE-----
"
Slash wins round in lawsuit over house
(AP)
Kanye West: Being a Sex Addict Fueled Success
(E! Online)
DSA 1737-1: New wesnoth packages fix several vulnerabilities
DSA 1735-1: New znc packages fix privilege escalation
This entry was posted
on 11:27 PM
.
Archives
-
▼
2009
(488)
-
▼
March
(44)
- DSA 1760-1: New openswan packages fix denial of se...
- USN-750-1: OpenSSL vulnerability
- USN-748-1: OpenJDK vulnerabilities
- DSA 1756-1: New xulrunner packages fix multiple vu...
- RHSA-2009:0373-01 Moderate: systemtap security update
- RHSA-2009:0397-01 Critical: firefox security update
- RHSA-2009:0295-01 Moderate: net-snmp security update
- DSA 1755-1: New systemtap packages fix local privi...
- GLSA 200903-39 pam_krb5: Privilege escalation
- RHSA-2009:0394-01 Critical: java-1.5.0-sun securit...
- RHSA-2009:0376-01 Critical: acroread security update
- GLSA 200903-38 Squid: Multiple Denial of Service ...
- DSA 1753-1: End-of-life announcement for Iceweasel...
- GLSA 200903-35 Muttprint: Insecure temporary file...
- DSA 1747-1: New glib2.0 packages fix arbitrary cod...
- DSA 1750-1: New libpng packages fix several vulner...
- DSA 1748-1: New libsoup packages fix arbitrary cod...
- GLSA 200903-34 Amarok: User-assisted execution of...
- RHSA-2009:0345-01 Moderate: ghostscript security u...
- USN-742-1: JasPer vulnerabilities
- DSA 1749-1: New Linux 2.6.26 packages fix several ...
- RHSA-2009:0341-01 Moderate: curl security update
- GLSA 200903-32 phpMyAdmin: Multiple vulnerabilities
- DSA 1744-1: New weechat packages fix denial of ser...
- GLSA 200903-29 BlueZ: Arbitrary code execution
- RHSA-2009:0355-01 Moderate: evolution and evolutio...
- USN-737-1: libsoup vulnerability
- DSA 1743-1: New libtk-img packages fix arbitrary c...
- DSA 1740-1: New yaws packages fix denial of service
- DSA 1741-1: New psi packages fix denial of service
- DSA 1742-1: New libsnd packages fix arbitrary code...
- GLSA 200903-25 Courier Authentication Library: SQ...
- USN-731-1: Apache vulnerabilities
- GLSA 200903-26 TMSNC: Execution of arbitrary code
- DSA 1738-1: New curl packages fix arbitrary file a...
- DSA 1739-1: New mldonkey packages fix information ...
- RHSA-2009:0331-01 Important: kernel security and b...
- GLSA 200903-21 cURL: Arbitrary file access
- GLSA 200903-23 Adobe Flash Player: Multiple vulne...
- DSA 1735-1: New znc packages fix privilege escalation
- USN-732-1: dash vulnerability
- DSA 1737-1: New wesnoth packages fix several vulne...
- Media player targets embedded Linux devices
- TI die-shrinks OMAP3
-
▼
March
(44)