Ubuntu Tutorials

The following security announcement applies to firefox and xulrunner. If you have firefox and xulrunner installed, please see below for details on the vulnerability and instructions on patching your system:

Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious website, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-0159)

Orlando Barrera II discovered a flaw in the Web Workers implementation of
Firefox. If a user were tricked into posting to a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0160)

Alin Rad Pop discovered that Firefox’s HTML parser would incorrectly free
memory under certain circumstances. If the browser could be made to access
these freed memory objects, an attacker could exploit this to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-1571)

Hidetake Jo discovered that the showModalDialog in Firefox did not always
honor the same-origin policy. An attacker could exploit this to run
untrusted JavaScript from other domains. (CVE-2009-3988)

Georgi Guninski discovered that the same-origin check in Firefox could be
bypassed by utilizing a crafted SVG image. If a user were tricked into
viewing a malicious website, an attacker could exploit this to read data
from other domains. (CVE-2010-0162)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 9.10

If you have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to restart Firefox and any applications that use xulrunner to effect the necessary changes.

The following security announcement applies to firefox and xulrunner. If you have firefox and xulrunner installed, please see below for details on the vulnerability and instructions on patching your system:

Several flaws were discovered in the browser engine of Firefox. If a user
were tricked into viewing a malicious website, a remote attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2010-0159)

Orlando Barrera II discovered a flaw in the Web Workers implementation of
Firefox. If a user were tricked into posting to a malicious website, an
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0160)

Alin Rad Pop discovered that Firefox’s HTML parser would incorrectly free
memory under certain circumstances. If the browser could be made to access
these freed memory objects, an attacker could exploit this to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-1571)

Hidetake Jo discovered that the showModalDialog in Firefox did not always
honor the same-origin policy. An attacker could exploit this to run
untrusted JavaScript from other domains. (CVE-2009-3988)

Georgi Guninski discovered that the same-origin check in Firefox could be
bypassed by utilizing a crafted SVG image. If a user were tricked into
viewing a malicious website, an attacker could exploit this to read data
from other domains. (CVE-2010-0162)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 8.04 LTS
• Ubuntu 8.10
• Ubuntu 9.04

If you have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to restart Firefox and any applications that use xulrunner to effect the necessary changes.

The following security announcement applies to squid. If you have squid installed, please see below for details on the vulnerability and instructions on patching your system:

It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)

It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 6.06 LTS
• Ubuntu 8.04 LTS
• Ubuntu 8.10
• Ubuntu 9.04
• Ubuntu 9.10

If you have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

In general, a standard system upgrade is sufficient to effect the necessary changes.

The following security announcement applies to libruby1.9 and ruby1.9. If you have libruby1.9 and ruby1.9 installed, please see below for details on the vulnerability and instructions on patching your system:

Emmanouel Kellinis discovered that Ruby did not properly handle certain
string operations. An attacker could exploit this issue and possibly
execute arbitrary code with application privileges. (CVE-2009-4124)

Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that
Ruby did not properly sanitize data written to log files. An attacker could
insert specially-crafted data into log files which could affect certain
terminal emulators and cause arbitrary files to be overwritten, or even
possibly execute arbitrary commands. (CVE-2009-4492)

It was discovered that Ruby did not properly handle string arguments that
represent large numbers. An attacker could exploit this and cause a denial
of service. This issue only affected Ubuntu 9.10. (CVE-2009-1904)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 8.10
• Ubuntu 9.04
• Ubuntu 9.10

If you have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade


In general, a standard system upgrade is sufficient to effect the necessary changes.

The following security announcement applies to libtomcat6-java. If you have libtomcat6-java installed, please see below for details on the vulnerability and instructions on patching your system:

It was discovered that Tomcat did not correctly validate WAR filenames or
paths when deploying. A remote attacker could send a specially crafted WAR
file to be deployed and cause arbitrary files and directories to be
created, overwritten, or deleted.

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 8.10
• Ubuntu 9.04
• Ubuntu 9.10

If you are have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to restart your session to effect the necessary changes.

The following security announcement applies to gnome-screensaver. If you have gnome-screensaver installed, please see below for details on the vulnerability and instructions on patching your system:

It was discovered that gnome-screensaver did not correctly handle monitor
hotplugging. An attacker with physical access could cause gnome-screensaver
to crash and gain access to the locked session.

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 9.10

If you are have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to restart your session to effect the necessary changes.

The following security announcement applies to mysql-server. If you have mysql-server installed, please see below for details on the vulnerability and instructions on patching your system:

It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use the DATA
DIRECTORY and INDEX DIRECTORY options to possibly bypass privilege checks.
This update alters table creation behaviour by disallowing the use of the
MySQL data directory in DATA DIRECTORY and INDEX DIRECTORY options. This
issue only affected Ubuntu 8.10. (CVE-2008-4098)

It was discovered that MySQL contained a cross-site scripting vulnerability
in the command-line client when the –html option is enabled. An attacker
could place arbitrary web script or html in a database cell, which would
then get placed in the html document output by the command-line tool. This
issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04.
(CVE-2008-4456)

It was discovered that MySQL could be made to overwrite existing table
files in the data directory. An authenticated user could use symlinks
combined with the DATA DIRECTORY and INDEX DIRECTORY options to possibly
bypass privilege checks. This issue only affected Ubuntu 9.10.
(CVE-2008-7247)

It was discovered that MySQL contained multiple format string flaws when
logging database creation and deletion. An authenticated user could use
specially crafted database names to make MySQL crash, causing a denial of
service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 8.10 and 9.04.
(CVE-2009-2446)

It was discovered that MySQL incorrectly handled errors when performing
certain SELECT statements, and did not preserve correct flags when
performing statements that use the GeomFromWKB function. An authenticated
user could exploit this to make MySQL crash, causing a denial of service.
(CVE-2009-4019)

It was discovered that MySQL incorrectly checked symlinks when using the
DATA DIRECTORY and INDEX DIRECTORY options. A local user could use symlinks
to create tables that pointed to tables known to be created at a later
time, bypassing access restrictions. (CVE-2009-4030)

It was discovered that MySQL contained a buffer overflow when parsing
ssl certificates. A remote attacker could send crafted requests and cause a
denial of service or possibly execute arbitrary code. This issue did not
affect Ubuntu 6.06 LTS and the default compiler options for affected
releases should reduce the vulnerability to a denial of service. In the
default installation, attackers would also be isolated by the AppArmor
MySQL profile. (CVE-2009-4484)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 6.06 LTS
• Ubuntu 8.04 LTS
• Ubuntu 8.10
• Ubuntu 9.04
• Ubuntu 9.10

If you are have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

In general, a standard system upgrade is sufficient to effect the necessary changes.

I would like to congratulate the KDE Community on the final release of the 4.4.0 series! KDE has very much improved in the 4.x series, and I am becoming more and more of a fan. It provides a very clean, polished interface and well implemented desktop integration. From the release announcement:

Major new technologies have been introduced, including social networking and online collaboration features, a new netbook-oriented interface and infrastructural innovations such as the KAuth authentication framework. According to KDE’s bug-tracking system, 7293 bugs have been fixed and 1433 new feature requests were implemented.

You can find the full release announcement here.

Experience Freedom

Some of the new features and improvements available in the 4.4.x series are:

• Plasma Netbook debuts in 4.4.0. Plasma Netbook is an alternative interface to the Plasma Desktop, specifically designed for ergonomic use on netbooks and smaller notebooks.
• The Social Desktop initiative brings improvements to the Community widget (formerly known as Social Desktop widget), allowing users to send messages and find friends right from within the widget.
• The new tabbing feature in KWin allows the user to group windows together in a tabbed interface, making the handling of large numbers of applications easier and more efficient.
• Much, much more…!

I’m sure many of us will be looking forward to this latest software compilation in the upcoming Ubuntu release. Congratulations!

The following security announcement applies to linux-image. If you have linux-image installed, please see below for details on the vulnerability and instructions on patching your system:

ATTENTION: Due to an unavoidable ABI change (except for Ubuntu 6.06)
the kernel updates have been given a new version number, which requires
you to recompile and reinstall all third party kernel modules you
might have installed. If you use linux-restricted-modules, you have to
update that package as well to get modules which work with the new kernel
version. Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-server, linux-powerpc), a standard system
upgrade will automatically perform this as well.

Details follow:

Amerigo Wang and Eric Sesterhenn discovered that the HFS and ext4
filesystems did not correctly check certain disk structures. If a user
were tricked into mounting a specially crafted filesystem, a remote
attacker could crash the system or gain root privileges. (CVE-2009-4020,
CVE-2009-4308)

It was discovered that FUSE did not correctly check certain requests.
A local attacker with access to FUSE mounts could exploit this to
crash the system or possibly gain root privileges.  Ubuntu 9.10 was not
affected. (CVE-2009-4021)

It was discovered that KVM did not correctly decode certain guest
instructions.  A local attacker in a guest could exploit this to
trigger high scheduling latency in the host, leading to a denial of
service.  Ubuntu 6.06 was not affected. (CVE-2009-4031)

It was discovered that the OHCI fireware driver did not correctly
handle certain ioctls.  A local attacker could exploit this to crash
the system, or possibly gain root privileges.  Ubuntu 6.06 was not
affected. (CVE-2009-4138)

Tavis Ormandy discovered that the kernel did not correctly handle
O_ASYNC on locked files.  A local attacker could exploit this to gain
root privileges.  Only Ubuntu 9.04 and 9.10 were affected. (CVE-2009-4141)

Neil Horman and Eugene Teo discovered that the e1000 and e1000e
network drivers did not correctly check the size of Ethernet frames.
An attacker on the local network could send specially crafted traffic
to bypass packet filters, crash the system, or possibly gain root
privileges. (CVE-2009-4536, CVE-2009-4538)

It was discovered that “print-fatal-signals” reporting could show
arbitrary kernel memory contents.  A local attacker could exploit
this, leading to a loss of privacy.  By default this is disabled in
Ubuntu and did not affect Ubuntu 6.06. (CVE-2010-0003)

Olli Jarva and Tuomo Untinen discovered that IPv6 did not correctly
handle jumbo frames.  A remote attacker could exploit this to crash the
system, leading to a denial of service.  Only Ubuntu 9.04 and 9.10 were
affected. (CVE-2010-0006)

Florian Westphal discovered that bridging netfilter rules could be
modified by unprivileged users.  A local attacker could disrupt network
traffic, leading to a denial of service. (CVE-2010-0007)

Al Viro discovered that certain mremap operations could leak kernel
memory.  A local attacker could exploit this to consume all available
memory, leading to a denial of service. (CVE-2010-0291)

The above security vulnerabilities apply to the following Ubuntu releases:

• Ubuntu 6.06 LTS
• Ubuntu 8.04 LTS
• Ubuntu 8.10
• Ubuntu 9.04
• Ubuntu 9.10

If you are have this utility installed on your Ubuntu system you’ll need to apply the security update to be protected. Please follow the steps below to ensure your system is properly patched:

Apply Updates

To apply the updates run the following command(s) within your Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to reboot your computer to effect the necessary changes.

This article is part of a series entitled “Ubuntu Beginners”, which which walks new users through basic Desktop and Command Line usage. This article will detail how to change the default Firefox home page. As outlined in a previous post: Ubuntu 10.04 to Change Default Search Provider, the default search provider (and home page) in Ubuntu 10.04 will be changing from Google to Yahoo!. This article will outline how to revert that change, or define an alternate preferred search provider.

Change Firefox Home Page

In order to change the preferred home page in Firefox, you’ll need to navigate to the Preferences menu. This can be found, within Firefox, at Edit > Preferences. If you’re migrating from the Windows platform, you’ll notice a difference here. Instead of Tools > Preferences, it is found at Edit > Proferences. The screenshot below demonstrates this location:

Firefox > Edit > Preferences

This will open the Firefox Preferences utility, which allows you to customize a wide range of Firefox settings. The primary setting that we’re looking for is the Home Page. In the default installation in Ubuntu 9.10, the Home Page is set to: chrome://ubufox/content/startpage.html. In future versions the Home Page will be set to Yahoo!. To update your Home Page, simply change the URL defined. The second screenshot below demonstrates defining Google as the preferred Home Page.

Firefox Preferences

Firefox Preferences - Home Page : Google

The change is minor between the two screenshots, but it does make a big difference. A users Home Page is the launching point for all Internet activity. It can allow you to quickly access your favorites sites, or provide you with tools you need. The change from Google to Yahoo! has been a controversial one, but one of the main benefits of Open Source Software is the ability to choose and customize. Changing your default Home Page and Search Provider simple.