Mandriva 1275 Published by Philipp Esselbach 0

Updated Samba packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: samba
Advisory ID: MDKSA-2004:131
Date: November 10th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

Karol Wiesek discovered a bug in the input validation routines in Samba 3.x used to match filename strings containing wildcard characters. This bug may allow a user to consume more than normal amounts of CPU cycles which would impact the performance and response of the server. In some cases it could also cause the server to become entirely unresponsive.

The updated packages are patched to prevent this problem with patches from the Samba team. This vulnerability is fixed in samba 3.0.8.

Updated speedtouch packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: speedtouch
Advisory ID: MDKSA-2004:130
Date: November 10th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

The Speedtouch USB driver contains a number of format string vulnerabilities due to improperly made syslog() system calls. These vulnerabilities can be abused by a local user to potentially allow the execution of arbitrary code with elevated privileges.

The updated packages have been patched to prevent this problem.

Updated ez-ipupdate packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ez-ipupdate
Advisory ID: MDKSA-2004:129
Date: November 10th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Ulf Harnhammar discovered a format string vulnerability in ez-ipupdate, a client for many dynamic DNS services. The updated packages are patched to protect against this problem.

Updated Webmin packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: webmin
Advisory ID: MDKA-2004:042
Date: November 10th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

There was a problem with two modules in the webmin package that did not work correctly: the cron and backup modules. The updated packages fix the problem so the modules will again work.

Mandrakelinux 10.1 for x86-64 is now available. Here is the press release:

Moreno Valley, CA; Paris, France; November 10th, 2004 - Mandrakesoft has just released Mandrakelinux 10.1 for x86-64, a version of its Linux Operating System that runs on AMD x86-64 and Intel EMT architectures. Linux has always been ahead of the competition in this area: it was the first operating system to support 64-bit architectures. This new release of Mandrakelinux, featuring EVP and mixed software support, will help ensure Linux is the only reasonable choice when it comes to 64-bit - the future of computing.

Two weeks ago, Mandrakesoft released Mandrakelinux 10.1 Official, the main branch of its operating system. This release featured extended support for mobile devices, better hardware compatibility, and major application upgrades. Mandrakelinux 10.1 for x86-64 has all of these features, and new features of its own: Mandrakelinux now supports Intel EMT processors, EVP, and mixed 32/64 bit software management. It ships with a large amount of quality Open Source and commercial software, and should be perfectly suited to any kind of 64-bit workstation.

Updated ruby packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ruby
Advisory ID: MDKSA-2004:128
Date: November 8th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Andres Salomon noticed a problem with the CGI session management in Ruby. The CGI::Session's FileStore implementations store session information in an insecure manner by just creating files and ignoring permission issues (CAN-2004-0755).

The ruby developers have corrected a problem in the ruby CGI module that can be triggered remotely and cause an infinite loop on the server (CAN-2004-0983).

The updated packages are patched to prevent these problems.

A libxml/libxml2 update has been released for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: libxml/libxml2
Advisory ID: MDKSA-2004:127
Date: November 4th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Multiple buffer overflows were reported in the libxml XML parsing library. These vulnerabilities may allow remote attackers to execute arbitrary code via a long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy() function, and other overflows in the code that resolves names via DNS.

The updated packages have been patched to prevent these issues.

An updated shadow-utils package has been released for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: shadow-utils
Advisory ID: MDKSA-2004:126
Date: November 4th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A vulnerability in the shadow suite was discovered by Martin Schulze that can be exploited by local users to bypass certain security restrictions due to an input validation error in the passwd_check() function. This function is used by the chfn and chsh tools.

The updated packages have been patched to prevent this problem.

Updated iptables packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: iptables
Advisory ID: MDKSA-2004:125
Date: November 4th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Faheem Mitha discovered that the iptables tool would not always load the required modules on its own as it should have, which could in turn lead to firewall rules not being loaded on system startup in some cases.

The updated packages are patched to prevent this problem.

Updated KDE packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: KDE
Advisory ID: MDKA-2004:041
Date: November 4th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

Various packages are now available that fix certain bugs in KDE-related packages in Mandrakelinux 10.1 Official edition:

- Konqueror and/or KDE itself would freeze when plugging in a USB key
- LIBDIR was improperly set for x86_64 in KDE
- Konqueror fixes: fix loading nsplugins to load external module and fix a crash in keditbookmark
- a bug in kaffeine would delete the temporary file for a downloaded web file before it was read
- fixed improper naming of the krozat screensaver in French
- a bug in knotes prevented notes from being written to the correct location
- kwrite menu generation was broken
- the audiocd.desktop for kcontrol was in the wrong location

Note that some of these packages are fixed in the 10.1/x86_64 official version already and so are not included here.

Updated xorg-x11 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: xorg-x11
Advisory ID: MDKSA-2004:124
Date: November 4th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86:

Stack overflows (CAN-2004-0687):

Careless use of strcat() in both the XPMv1 and XPMv2/3 xpmParseColors code leads to a stack based overflow (parse.c).

Stack overflow reading pixel values in ParseAndPutPixels (create.c) as well as ParsePixels (parse.c).

Integer Overflows (CAN-2004-0688):

Integer overflow allocating colorTable in xpmParseColors (parse.c) - probably a crashable but not exploitable offence.

Additionally, the xorg-x11 packages have been patched with a backport from cvs to resolve a failure running the lsb-test-vsw4 test suite, which will soon be required for LSB2.0 compliance.

The updated packages have patches from Chris Evans and Matthieu Herrb to address these vulnerabilities.

A press release from Mandrakesoft:

Ucopia and Mandrakesoft to extend the boundaries of mobility

Paris, November 3rd, 2004: Ucopia, Mandrakesoft and the University of Paris' LIP6 research laboratory have just been granted a 1 million euro research grant to collaborate in advanced mobility research. The project, led by WiFi specialist Ucopia, aims at finding new ways of enabling and managing mobility in IT.

The importance mobility has taken in today's information technologies can hardly be overstressed. Laptops comprise an ever-growing part of the desktop market-share and a new generation of WiFi-enabled portable devices promises to flood the marketplace. Mobile devices are extremely widely-spread, and more and more organizations rely on wireless connectivity - the need for more advanced ways to leverage and manage the possibilities opened by Wi-Fi technologies is starting to be felt. This is what GITAN is all about.

Updated mod_ssl packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: mod_ssl/apache2-mod_ssl
Advisory ID: MDKSA-2004:122
Date: November 1st, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A vulnerability in mod_ssl was discovered by Hartmut Keil. After a renegotiation, mod_ssl would fail to ensure that the requested cipher suite is actually negotiated. The provided packages have been patched to prevent this problem.

Updated perl-MIME-tools packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: perl-MIME-tools
Advisory ID: MDKSA-2004:123
Date: November 1st, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

There's a bug in MIME-tools, where it mis-parses things like boundary="". Some viruses use an empty boundary, which may allow unapproved parts through MIMEDefang.

The updated packages are patched to fix this problem.

As well, the updated perl-MIME-tools requires MIME::Base64 version 3.03. Since MIME::Base64 is integrated in the perl package on Mandrakelinux, these updates now provide the newer version.

Updated netatalk packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: netatalk
Advisory ID: MDKSA-2004:121
Date: November 1st, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The etc2ps.sh script, part of the netatalk package, creates files in /tmp with predictable names. A local attacker could use symbolic links to point to a valid file on the filesystem, which could lead to the overwriting of arbitrary files if etc2ps.sh is executed by someone with enough privilege.

The updated packages are patched to prevent this problem.

Updated mpg123 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: mpg123
Advisory ID: MDKSA-2004:120
Date: November 1st, 2004

Affected versions: 10.0, 10.1, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Carlos Barros discovered two buffer overflow vulnerabilities in mpg123; the first in the getauthfromURL() function and the second in the http_open() function. These vulnerabilities could be exploited to possibly execute arbitrary code with the privileges of the user running mpg123.

The provided packages are patched to fix these issues; additional boundary checks that were lacking have also been included (thanks to the Gentoo Linux Sound Team for these additional fixes).

Updated MySQL packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: MySQL
Advisory ID: MDKSA-2004:119
Date: November 1st, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A number of problems have been discovered in the MySQL database server:

Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method (CAN-2004-0457).

Oleksandr Byelkin discovered that the "ALTER TABLE ... RENAME" would check the CREATE/INSERT rights of the old table rather than the new one (CAN-2004-0835).

Lukasz Wojtow discovered a buffer overrun in the mysql_real_connect function (CAN-2004-0836).

Dean Ellis discovered that multiple threads ALTERing the same (or different) MERGE tables to change the UNION can cause the server to crash or stall (CAN-2004-0837).

The updated MySQL packages have been patched to protect against these issues.

Updated perl-Archive-Zip packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: perl-Archive-Zip
Advisory ID: MDKSA-2004:118
Date: November 1st, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. The global archive directory of these ZIP files has been manipulated to indicate zero file sizes.

Archive::Zip produces files of zero length when decompressing this type of ZIP file. This causes AV products that use Archive::Zip to fail to detect viruses in manipulated ZIP archives. One of these products is amavisd-new.

The updated packages are patched to fix this problem.
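
One way a scanner could spot the manipulation described above, as an added example that is not part of the advisory or of Archive::Zip: compare the sizes recorded in each central directory entry with those in the member's local file header. The sample archive is constructed in memory, the function names are hypothetical, and ZIP64 and multi-disk archives are assumed not to occur.

```python
import io
import struct
import zipfile

EOCD = struct.Struct("<4s4H2LH")      # end of central directory record (22 bytes)
CDFH = struct.Struct("<4s6H3L5H2L")   # central directory file header (46 bytes)
LFH = struct.Struct("<4s5H3L2H")      # local file header (30 bytes)


def build_sample(tamper):
    """Constructed sample: one stored member; optionally zero the directory sizes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", b"constructed test payload")
    data = bytearray(buf.getvalue())
    if tamper:
        cd = data.rfind(b"PK\x01\x02")
        # Compressed and uncompressed size sit at offsets 20 and 24 of the entry.
        data[cd + 20:cd + 28] = bytes(8)
    return bytes(data)


def size_mismatches(data):
    """Return [(name, directory_sizes, local_sizes)] where the two headers disagree."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = EOCD.unpack_from(data, eocd_at)
    findings, pos = [], cd_off
    for _ in range(total):
        entry = CDFH.unpack_from(data, pos)
        if entry[0] != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        cd_sizes = tuple(entry[8:10])
        name_len, extra_len, comment_len = entry[10:13]
        lfh_off = entry[16]
        start = pos + CDFH.size
        name = data[start:start + name_len].decode("cp437")
        pos = start + name_len + extra_len + comment_len
        local = LFH.unpack_from(data, lfh_off)
        if local[0] != b"PK\x03\x04":
            raise ValueError("bad local file header")
        # Flag bit 3: sizes live in a trailing data descriptor, so the local
        # header legitimately holds zeros and cannot be compared here.
        if local[2] & 0x08:
            continue
        local_sizes = tuple(local[7:9])
        if local_sizes != cd_sizes:
            findings.append((name, cd_sizes, local_sizes))
    return findings


if __name__ == "__main__":
    print("clean:   ", size_mismatches(build_sample(False)))
    print("tampered:", size_mismatches(build_sample(True)))
```

A non-empty result means the directory and the member data disagree, which is a reason to quarantine the archive rather than trust a zero-length extraction.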

Updated gaim packages are available for Mandrakelinux 10.1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: gaim
Advisory ID: MDKSA-2004:117
Date: November 1st, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A vulnerability in the MSN protocol handler in the gaim instant messenger application was discovered. When receiving unexpected sequences of MSNSLP messages, it is possible that an attacker could trigger an internal buffer overflow which could lead to a crash or even code execution as the user running gaim.

The updated packages are patched to fix this problem. This problem does not affect Mandrakelinux 10.0 installations.

A press release from Mandrakesoft

Moreno Valley, CA; Paris, France; October 27th, 2004 - Mandrakesoft announced today the release of Mandrakelinux 10.1 Official, the latest version of its leading Linux Operating System. Notable new features include extended support for mobile devices, better hardware compatibility, and major application upgrades. Following a successful "Community" release, 10.1 Official will be the basis for a large part of Mandrakesoft's range of products. The value-added packs (Discovery, PowerPack and PowerPack+) are available now for pre-orders and through the Mandrakeclub on-line service. Prices start at EUR 44.90 / $49.90.