From Mandrakesoft:
Mandrakesoft has released updated drakxtools packages for Mandrake Linux 9.1 and 9.2
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: drakxtools
Advisory ID: MDKA-2004:013
Date: March 22nd, 2004
Affected versions: 9.1, 9.2
______________________________________________________________________
Problem Description:
A number of issues have been reported with drakbackup, concerning operation in daemon mode, proper handling of .backupignore files, multisession ISOs, and tape backup/restore. Patches are backported from cooker to 9.1/9.2 to address several of these issues (only tape backup/restore and some GUI issues on 9.1).
Mandrakesoft has released the first beta of Mandrakelinux 10.0 for AMD64
Mandrakesoft has released updated OpenSSL packages for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2004:023
Date: March 17th, 2004
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a null-pointer assignment in the do_change_cipher_spec() function which could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CAN-2004-0079 to this issue.
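As an added illustration of the bug class behind this advisory (a toy model, not OpenSSL's source and not part of the Mandrakesoft text): in SSL/TLS the ChangeCipherSpec message is its own record type, dispatched outside the handshake state machine, so the handshake layer's ordering checks do not cover it. The model below assumes, from the upstream fix rather than from the advisory, that the crafted handshake delivered a ChangeCipherSpec before any cipher suite had been negotiated; the message names, the Cipher class and the key-block derivation are hypothetical stand-ins.

```python
"""Toy model of the message-ordering gap behind the OpenSSL CCS crash.

Added example, not OpenSSL's code. Assumption: a ChangeCipherSpec arriving
before a cipher suite has been negotiated reaches a handler that trusts
negotiation already happened. All names are hypothetical.
"""

CLIENT_HELLO, CLIENT_KEY_EXCHANGE, FINISHED = "ClientHello", "ClientKeyExchange", "Finished"
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"
HANDSHAKE_ORDER = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE, FINISHED]


class HandshakeError(Exception):
    """The server rejects the message and closes the connection cleanly."""


class Cipher:
    def __init__(self, name, key_len):
        self.name, self.key_len = name, key_len


class ServerState:
    def __init__(self):
        self.stage = 0            # index into HANDSHAKE_ORDER
        self.new_cipher = None    # chosen while processing ClientHello
        self.premaster = None     # set by ClientKeyExchange
        self.key_block = None     # derived by do_change_cipher_spec


def do_change_cipher_spec(state):
    """Installs the pending cipher. It trusts that negotiation already ran;
    if new_cipher is still None, the attribute access below is the Python
    analogue of dereferencing a NULL pointer."""
    state.key_block = (state.new_cipher.name, state.new_cipher.key_len * 2)


def handshake_step(state, msg):
    """Handshake-layer state machine: enforces order among its own messages."""
    if state.stage >= len(HANDSHAKE_ORDER) or msg != HANDSHAKE_ORDER[state.stage]:
        raise HandshakeError("unexpected handshake message %s" % msg)
    if msg == CLIENT_HELLO:
        state.new_cipher = Cipher("TLS_RSA_WITH_AES_128_CBC_SHA", 16)
    elif msg == CLIENT_KEY_EXCHANGE:
        state.premaster = b"\x03\x01" + b"\x11" * 46   # constructed, not random
    elif msg == FINISHED and state.key_block is None:
        raise HandshakeError("Finished before ChangeCipherSpec")
    state.stage += 1


def handle_record_vulnerable(state, msg):
    """Record-layer dispatch with no precondition on CCS."""
    if msg == CHANGE_CIPHER_SPEC:
        do_change_cipher_spec(state)
    else:
        handshake_step(state, msg)


def handle_record_fixed(state, msg):
    """Same dispatch, but CCS is refused until a cipher has been negotiated."""
    if msg == CHANGE_CIPHER_SPEC:
        if state.new_cipher is None:
            raise HandshakeError("CCS received early")
        do_change_cipher_spec(state)
    else:
        handshake_step(state, msg)


def run_handshake(handler, messages):
    """Drive one constructed message sequence; report how the server ended."""
    state = ServerState()
    try:
        for msg in messages:
            handler(state, msg)
    except HandshakeError:
        return "rejected"
    except AttributeError:
        return "crashed"          # stands in for the process dying
    return "completed" if state.stage == len(HANDSHAKE_ORDER) else "incomplete"


# Constructed client message sequences.
NORMAL = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CHANGE_CIPHER_SPEC, FINISHED]
EARLY_CCS = [CHANGE_CIPHER_SPEC, CLIENT_HELLO, CLIENT_KEY_EXCHANGE, FINISHED]
BAD_HANDSHAKE_ORDER = [CLIENT_KEY_EXCHANGE, CLIENT_HELLO]

if __name__ == "__main__":
    for name, seq in [("normal", NORMAL), ("early CCS", EARLY_CCS),
                      ("out-of-order handshake", BAD_HANDSHAKE_ORDER)]:
        print("%-24s vulnerable=%-10s fixed=%s" % (
            name, run_handshake(handle_record_vulnerable, seq),
            run_handshake(handle_record_fixed, seq)))
```

The point the model makes is that the handshake layer rejects an out-of-order ClientKeyExchange in both variants, while only the fixed dispatch refuses the early ChangeCipherSpec; a message type handled outside the state machine needs its own precondition, and that is exactly the kind of gap a protocol fuzzer such as the Codenomicon tool is built to find.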
The Mandrake Server Essentials Handbook has been released
Official ISO images of Mandrakelinux 10.0 Community are now available for download
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gdk-pixbuf
Advisory ID: MDKSA-2004:020
Date: March 10th, 2004
Affected versions: Corporate Server 2.1
______________________________________________________________________
Problem Description:
A vulnerability in gdk-pixbuf versions before 0.20 exists that could allow a malicious BMP file to crash the Evolution mail client. The updated packages have been patched to use gdk-pixbuf 0.22.0's BMP-handling code.
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: mozilla
Advisory ID: MDKSA-2004:021
Date: March 10th, 2004
Affected versions: 9.2
______________________________________________________________________
Problem Description:
A number of vulnerabilities were discovered in Mozilla 1.4:
A malicious website could gain access to a user's authentication credentials to a proxy server.
Script.prototype.freeze/thaw could allow an attacker to run arbitrary code on your computer.
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1
______________________________________________________________________
Problem Description:
Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:
"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."
This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
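The traversal Corsaire describes, as an added Python example that is neither Corsaire's nor KDE's code: a user agent decides whether to attach a cookie by comparing the cookie's Path attribute with the request path. If that comparison is made on the path exactly as written in the request, a URL such as /restricted/../public/steal still "starts with" /restricted, so the cookie goes out even though the server will route the request to /public/steal. The example assumes a cookie scoped to /restricted and an attacker-writable /public area on the same host (the shared-hosting case), uses the RFC 6265 boundary rule for the match itself, and shows the vulnerable and the normalising decision side by side; the URLs are constructed.

```python
"""Cookie path scoping: prefix match before vs. after path normalisation.

Added example, not Corsaire's or KDE's code. The exact kdelibs fix is not
reproduced; the fixed variant shows the property the fix has to establish:
scope decisions are made on the canonical path the server will see.
"""
from urllib.parse import unquote, urlsplit

# Constructed requests against one host. The cookie is scoped to /restricted;
# /public is assumed to be attacker-writable space on the same host.
COOKIE_PATH = "/restricted"
CONSTRUCTED_REQUESTS = [
    "http://host.example/restricted/account",              # in scope
    "http://host.example/public/index.html",               # out of scope
    "http://host.example/restricted/../public/steal",      # dot-dot traversal
    "http://host.example/restricted/%2e%2e/public/steal",  # percent-encoded traversal
    "http://host.example/restrictedX/page",                # prefix, but not a sub-path
]


def normalize_path(raw_path):
    """Canonicalise the way a web server will before routing: percent-decode,
    then resolve '.' and '..' segments and drop empty ones. Only the canonical
    path is a sound basis for a scope decision."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def path_matches(cookie_path, request_path):
    """Path-match as in RFC 6265 section 5.1.4: equal, or the cookie path is a
    prefix that ends on a '/' boundary. The rule is fine; what matters is
    which request_path it is handed."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def vulnerable_should_send(cookie_path, url):
    """Matches the path exactly as written in the request line, so
    '/restricted/../public/steal' still 'starts with' '/restricted'."""
    return path_matches(cookie_path, urlsplit(url).path)


def fixed_should_send(cookie_path, url):
    """Normalise first; the traversal collapses to '/public/steal'."""
    return path_matches(cookie_path, normalize_path(urlsplit(url).path))


def compare(cookie_path=COOKIE_PATH, urls=CONSTRUCTED_REQUESTS):
    """Return {url: (vulnerable decision, fixed decision)}."""
    return {u: (vulnerable_should_send(cookie_path, u),
                fixed_should_send(cookie_path, u)) for u in urls}


if __name__ == "__main__":
    for url, (vuln, fixed) in compare().items():
        print("%-55s vulnerable=%-5s fixed=%s" % (url, vuln, fixed))
```

Two practitioner notes follow from the example. The percent-encoded form is why the decode has to happen before the segment walk, not after; and the /restrictedX case shows that a bare prefix test is a second, independent weakness, which the RFC 6265 boundary rule closes even though the advisory is about traversal. Path scoping remains only a weak isolation boundary on a shared host; a cookie's real protection is the host and the Secure/HttpOnly attributes.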
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: python
Advisory ID: MDKSA-2004:019
Date: March 9th, 2004
Affected versions: 9.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A buffer overflow in python 2.2's getaddrinfo() function was discovered by Sebastian Schmidt. If python 2.2 is built without IPv6 support, an attacker could configure their name server to let a hostname resolve to a special IPv6 address, which could contain a memory address where shellcode is placed. This problem does not affect python versions prior to 2.2 or versions 2.2.2+, and it also doesn't exist if IPv6 support is enabled.
The updated packages have been patched to correct the problem. Thanks to Sebastian for both the discovery and patch.
From the current issue of the Mandrake Newsletter:
BlueHawk has released a new unofficial cooker snapshot based on MandrakeLinux 10.0 Community
Download CD 1
Download CD 2
Download CD 3
Download CD 4
MD5 checksums CD 1-3
MD5 checksums CD 4
Luis Alves has posted a review of Mandrake Linux 10.0 RC
Saw over at OSNews that Mandrake tips for free describes the installation of Mandrake Linux 10.0 Community Edition
Altadena, CA; Paris, France; March 4th, 2004 - Mandrakesoft is proud to announce that its new flagship operating system 'Mandrakelinux 10.0 Community' has been released. 10.0 Community is the first major Linux distribution to take advantage of the new Linux kernel 2.6 while providing one of the most easy to use and attractive Linux operating systems ever.
Mandrakelinux 10.0 Community is now available as a DVD from Mandrakestore.com (Price: 54 EUR/59.90 USD), and also as a download for Mandrakeclub members & contributors. 'Mandrakelinux 10.0 Official' is scheduled to be released in May 2004. 10.0 Official will be used in retail packs tailored for individuals and small businesses, as well as for specialized corporate solutions.
In accordance with Mandrakesoft's new development roadmap, Mandrakelinux 10.0 Community is the ideal product for Linux users who demand the 'latest and greatest' features at the soonest opportunity.