-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0392
                      x11-xserver-utils vulnerability
                               8 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           x11-xserver-utils
Publisher:         Ubuntu
Operating System:  Ubuntu
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0465  

Original Bulletin: 
   https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-April/001300.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Ubuntu. It is recommended that administrators 
         running x11-xserver-utils check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
Ubuntu Security Notice USN-1107-1            April 06, 2011
x11-xserver-utils vulnerability
CVE-2011-0465
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  x11-xserver-utils               7.3+2ubuntu0.1

Ubuntu 9.10:
  x11-xserver-utils               7.4+2ubuntu3.1

Ubuntu 10.04 LTS:
  x11-xserver-utils               7.5+1ubuntu2.1

Ubuntu 10.10:
  x11-xserver-utils               7.5+2ubuntu1.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

Details follow:

Sebastian Krahmer discovered that the xrdb utility incorrectly filtered
crafted hostnames. An attacker could use this flaw with a malicious
DHCP server or with a remote xdmcp login and execute arbitrary code,
resulting in root privilege escalation.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNnnHz/iFOrG6YcBERAp3hAKCc2IL4ktVWQX2+1WhMKsAs2NSLtgCgtm04
7NMrWiS3aChaoca2a92C5C4=
=D5bw
-----END PGP SIGNATURE-----