lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100126192354.GA15733@severus.strandboge.com>
Date: Tue, 26 Jan 2010 13:23:55 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-890-4] PyXML vulnerabilities

===========================================================
Ubuntu Security Notice USN-890-4           January 26, 2010
python-xml vulnerabilities
CVE-2009-3560, CVE-2009-3720
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-xml                   0.8.4-1ubuntu3.1

After a standard system upgrade you need to restart any applications that
use PyXML to effect the necessary changes.

Details follow:

USN-890-1 fixed vulnerabilities in Expat. This update provides the
corresponding updates for PyXML.

Original advisory details:

 Jukka Taimisto, Tero Rontti and Rauli Kaksonen discovered that Expat did
 not properly process malformed XML. If a user or application linked against
 Expat were tricked into opening a crafted XML file, an attacker could cause
 a denial of service via application crash. (CVE-2009-2625, CVE-2009-3720)
 
 It was discovered that Expat did not properly process malformed UTF-8
 sequences. If a user or application linked against Expat were tricked into
 opening a crafted XML file, an attacker could cause a denial of service via
 application crash. (CVE-2009-3560)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.diff.gz
      Size/MD5:    26092 7b735067d5b8494bfa9479a38b1f971f
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1.dsc
      Size/MD5:      663 064ad0d03d81132088df42f78850bfd7
    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4.orig.tar.gz
      Size/MD5:   734751 04fc1685542b32c1948c2936dfb6ba0e

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python-xml_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    11568 253250bca793d626d3f651a116259b00
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel-utils_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    25206 e73978eb774cf39690739f0908fb32dc
    http://security.ubuntu.com/ubuntu/pool/universe/p/python-xml/xbel_0.8.4-1ubuntu3.1_all.deb
      Size/MD5:    24392 e4bab68a86bd7fb0dd85d39268716a64

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_amd64.deb
      Size/MD5:   717460 763ab0e82cbd3767958753060145c5ab

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_i386.deb
      Size/MD5:   708074 e34c9a1bdaaef83eb885104360d9e94f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_powerpc.deb
      Size/MD5:   716638 8ee8326bb735b20b18f0335c4485aadb

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-xml/python2.4-xml_0.8.4-1ubuntu3.1_sparc.deb
      Size/MD5:   706208 11751f3c1654c648dd145c88afc3002c




Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ