===========================================================
Ubuntu Security Notice USN-412-1           January 23, 2007
geoip vulnerability
CVE-2007-0159
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  geoip-bin    1.3.10-1ubuntu0.1

Ubuntu 6.06 LTS:
  geoip-bin    1.3.14-2ubuntu0.1

Ubuntu 6.10:
  geoip-bin    1.3.17-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Dean Gaudet discovered that the GeoIP update tool did not validate
the filename responses from the update server. A malicious server,
or man-in-the-middle system posing as a server, could write to
arbitrary files with user privileges.
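The check that the Details paragraph says was missing, as an added example (not the GeoIP project's code and not the Ubuntu patch): a server-supplied file name is accepted only if it is a plain name, and is then opened relative to the database directory. The function names, the 64-character cap and the sample names are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_DB_NAME 64 /* assumed cap for this example */

/* Return 1 only for a plain file name: non-empty, bounded, no leading
 * dot, and nothing outside [A-Za-z0-9._-], so no '/' or ".." component. */
int db_name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAX_DB_NAME || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Open the download target strictly inside db_dir; returns fd or -1. */
int open_db_target(const char *db_dir, const char *server_name)
{
    if (!db_name_is_safe(server_name))
        return -1;
    int dirfd = open(db_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    /* O_NOFOLLOW refuses a symlink already sitting at the target name. */
    int fd = openat(dirfd, server_name,
                    O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    close(dirfd);
    return fd;
}

int main(void)
{
    /* Constructed sample responses, not captured from a real server. */
    const char *samples[] = { "GeoIP.dat", "../GeoIP.dat", "/tmp/GeoIP.dat",
                              "sub/GeoIP.dat", ".GeoIP.dat", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               db_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting the name before any file is opened keeps the write inside the database directory even when the update channel itself is not trusted.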