This tool reads mail archives from ubuntu-security-archive, then converts the contents to JSON.
This is the very beginning of the mailing list. These data can be readily parsed:
- start of the email itself, by the initial
from xxx
line message-id
id
date
project
These data can be parsed, with some caveats as described below:
cves
safeVersions
No concise description
can be parsed, until 2011-April.
CAN's can be collected from a special section immediately after Message-ID:
.
===========================================================
Ubuntu Security Notice 1-1 October 22, 2004
PNG library vulnerabilities
CAN-2004-0955
===========================================================
CAN's are not limited to a single line, like this:
===========================================================
Ubuntu Security Notice USN-38-1 December 14, 2004
linux-source-2.6.8.1 vulnerabilities
CAN-2004-0814, CAN-2004-1016, CAN-2004-1056, CAN-2004-1058,
CAN-2004-1068, CAN-2004-1069, CAN-2004-1137, CAN-2004-1151
===========================================================
Information about safe package versions need to be extracted from a special textual paragraph.
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
mozilla-thunderbird
mozilla-thunderbird-enigmail
The problem can be corrected by upgrading the affected package to
version 1.0.6-0ubuntu04.10 (for Ubuntu 4.10), or 1.0.6-0ubuntu05.04
(for Ubuntu 5.04). You need to restart Thunderbird after a standard
system upgrade to effect the necessary changes.
The current Enigmail plugin is not compatible any more with the
Thunderbird version shipped in this security update, so the
mozilla-thunderbird-enigmail package needs to be updated as well. An
update is already available for Ubuntu 5.04, and will be delivered
shortly for Ubuntu 4.10.
Details follow:
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
libpng12-0
libpng12-dev
libpng10-0
libpng10-dev
The problem can be corrected by upgrading the affected package to version
1.2.5.0-7ubuntu1 (libpng12-0 and libpng12-dev) or 1.0.15-6ubuntu1
(libpng10-0 and libpng10-dev). In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
The architecture name is spelled out inside the brackets -- we just ignore them.
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
openoffice.org-bin
openoffice.org-l10n-xh
The problem can be corrected by upgrading the affected package to
version 1.1.2-2ubuntu6.1 (for Ubuntu 4.10 on i386 and powerpc),
1.1.2-2ubuntu6.1-1 (for Ubuntu 4.10 on amd64), 1.1.3-8ubuntu2.3 (for
Ubuntu 5.04 on i386 and powerpc), or 1.1.3-8ubuntu2.3-1 (for Ubuntu
5.04 on amd64). In general, a standard system upgrade is sufficient
to effect the necessary changes.
During 2005, some emails have this format:
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libapache2-mod-php4
php4-pear
The problem can be corrected by upgrading the affected package to
version 4:4.3.8-3ubuntu7.9 (for Ubuntu 4.10), or 4:4.3.10-10ubuntu3.1
(for Ubuntu 5.04). In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
During 2005, some emails have this format:
- starts with
On Ubuntu
- more than one paragraph
- more than 2 versions per paragraph
- sometimes have spaces next to brackets
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
gnumeric
python2.1
python2.2
python2.3
On Ubuntu 4.10, the problem can be corrected by upgrading the affected
package to version 1.2.13-1ubuntu2.1 (gnumeric), 2.1.3-24.ubuntu0.1
(python2.1), 2.2.3-10.ubuntu0.2 (python2.2), and 2.3.4-2.ubuntu0.2
(python2.3).
On Ubuntu 5.04, the problem can be corrected by upgrading the affected
package to version 1.4.2-1ubuntu3.1 (gnumeric), 2.2.3dfsg-1ubuntu0.1
(python2.2), and 2.3.5-2ubuntu0.1 (python2.3).
After performing a standard system upgrade you need to restart
gnumeric and all python server applications to effect the necessary
changes.
Details follow:
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
kerberos4kth-clients
krb5-clients
krb5-kdc
krb5-rsh-server
krb5-telnetd
On Ubuntu 4.10, the problem can be corrected by upgrading the affected
package to version 1.2.2-10ubuntu0.1 (kerberos4kth-clients), and
1.3.4-3ubuntu0.2 (krb5-clients, krb5-kdc, krb5-rsh-server,
krb5-telnetd).
On Ubuntu 5.04, the problem can be corrected by upgrading the affected
package to version 1.2.2-10ubuntu0.1 (kerberos4kth-client ), and
1.3.6-1ubuntu0.1 (krb5-clients, krb5-kdc, krb5-rsh-server,
krb5-telnetd).
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Sometimes the information inside the brackets override the previous listed info.
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
xpdf-reader
xpdf-utils
kpdf
The problem can be corrected by upgrading the affected package to
version 3.00-8ubuntu1.5 (for Ubuntu 4.10), or 3.00-11ubuntu3.1
(xpdf-reader and xpdf-utils for Ubuntu 5.04) and 4:3.4.0-0ubuntu3.1
(kpdf for Ubuntu 5.04). In general, a standard system upgrade is
sufficient to effect the necessary changes.
CVE's start to replace CAN's.
Safe versions can be collected by:
- first looking for a line that starts with
The problem can be corrected by
, and then - looking for a line that starts with
Ubuntu
And we can stop when we find a line that is:
- not blank, and
- doesn't start with spaces, and
- doesn't start with
Ubuntu
The problem can be corrected by upgrading the affected packages to the
following versions:
Ubuntu 5.04:
postgresql: 7.4.7-2ubuntu2.3
postgresql-client: 7.4.7-2ubuntu2.3
postgresql-contrib: 7.4.7-2ubuntu2.3
libpq3: 7.4.7-2ubuntu2.3
python2.3-pgsql: 2.4.0-5ubuntu2.1
python2.4-pgsql: 2.4.0-5ubuntu2.1
python2.3-psycopg: 1.1.18-1ubuntu5.1
python2.4-psycopg: 1.1.18-1ubuntu5.1
Ubuntu 5.10:
postgresql-7.4: 1:7.4.8-17ubuntu1.3
postgresql-client-7.4: 1:7.4.8-17ubuntu1.3
postgresql-contrib-7.4: 1:7.4.8-17ubuntu1.3
libpq3: 1:7.4.8-17ubuntu1.3
postgresql-8.0: 8.0.3-15ubuntu2.2
postgresql-client-8.0: 8.0.3-15ubuntu2.2
postgresql-contrib-8.0: 8.0.3-15ubuntu2.2
libpq4: 8.0.3-15ubuntu2.2
python2.3-pgsql: 2.4.0-6ubuntu1.1
python2.4-pgsql: 2.4.0-6ubuntu1.1
python2.3-psycopg: 1.1.18-1ubuntu6.1
python2.4-psycopg: 1.1.18-1ubuntu6.1
In general, a standard system upgrade is sufficient to effect the
Summary:
section now available, ending in a blank line:
Summary:
An attacker could send crafted input to Konqueror to view sensitive
information.
Software Description:
CVE's can be collected from References:
section, which ends in a blank line. There are two forms:
- not separated by a comma
References:
CVE-2010-3776 CVE-2010-3778 CVE-2011-0053 CVE-2011-0062 CVE-2011-0051 CVE-2011-0055 CVE-2011-0054 CVE-2011-0056 CVE-2011-0057 CVE-2011-0058 CVE-2010-1585 CVE-2011-0059 CVE-2011-0069 CVE-2011-0070 CVE-2011-0080 CVE-2011-0074 CVE-2011-0075 CVE-2011-0077 CVE-2011-0078 CVE-2011-0072 CVE-2011-0065 CVE-2011-0066 CVE-2011-0073 CVE-2011-0067 CVE-2011-0071 CVE-2011-1202
Package Information:
- separated by a comma (standardized till now)
References:
CVE-2010-2954, CVE-2010-2955, CVE-2010-2960, CVE-2010-2962,
CVE-2010-2963, CVE-2010-3079, CVE-2010-3080, CVE-2010-3081,
CVE-2010-3437, CVE-2010-3705, CVE-2010-3848, CVE-2010-3849,
CVE-2010-3850, CVE-2010-3861, CVE-2010-3865, CVE-2010-3873,
CVE-2010-3875, CVE-2010-3876, CVE-2010-3877, CVE-2010-3904,
CVE-2010-4072, CVE-2010-4079, CVE-2010-4158, CVE-2010-4164,
CVE-2010-4165, CVE-2010-4249, CVE-2010-4342, CVE-2010-4346,
CVE-2010-4527, CVE-2010-4529
Package Information:
Safe versions can be collected from the Update instructions:
section, by looking for a line that starts with Ubuntu
, and stopping when we find a:
- non-blank line, that
- doesn't start with spaces, and
- doesn't start with
Ubuntu
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
usb-creator-common 0.2.28.3
Ubuntu 10.10:
usb-creator-common 0.2.25.3
Ubuntu 10.04 LTS:
usb-creator-common 0.2.22.3
In general, a standard system update will make all the necessary changes.