Updated kdepim packages have been released for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdepim
Advisory ID: MDKA-2004:051
Date: November 26th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A number of bugs in kdepim are fixed with this update:
- kde bug #75323: fix a libkdepim bug where changing the start or end time of an event with the mouse wheel made the time jump to 12:00
- kde bug #90877: korganizer fix for the sound directory in the event editor
- kde bug #92416: fix kmail "Correctly end new-mail-check when a folder reports an error"
- kde bug #92874: fix libkdepim "LDAP completion only works once"
- kde bug #93465: fix kresource exchange
- fix kmail antispam with bogofilter 0.92 and 0.93
- fix certmanager memory leak
- fix korganizer show checkbox
- fix kmail email "getNameAndMail("foo bar") should return email="bar", not email="bar>""
- fix kmail "Notice a manual change of the external editor command line"
- speed up kmail contact import
- fix mem leak in kmail "Delete the Encrypt/Sign checkboxes when the corresponding KMAtmListViewItem is deleted."
- fix dimap folder "fix the problem with disappearing dimap folders"
- fix kmail antispam wizard mem leak
Updated kdelibs packages have been released for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKA-2004:050
Date: November 25th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A number of bugs in kdelibs are fixed with this update:
- kde bug #53005: fix khtml auto width table
- kde bug #63351: fix khtml rtl "Inverted logic for text-indent in RTL"
- kde bug #75771: link to url without trailing slash is not marked as a visited link
- kde bug #79269: fix khtml "ignore height element for input elements that are not image"
- kde bug #87466: fix listbox in khtml
- kde bug #91327: fix the default margins for H1-H6 to match Mozilla, IE, and Safari
- kde bug #91439: fix kdatepicker reset toggle button
- kde bug #91444: fix kdatepicker "show the user what he's supposed to do"
- kde bug #92066: fix khtml crash
- kde bug #93193: clicking in textarea causes text to scroll
- fix khtml iframe support "allow iframe SRC="" .." (src is null)
Updated kdebase packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdebase
Advisory ID: MDKA-2004:049
Date: November 25th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A number of bugs in kdebase are fixed with this update:
- fix screensaver duplicate entry
- fix shortcut conflicts with OOo
- fix device icons showing up when the user has chosen not to show them
- fix kioslave fish encoding
- fix kioslave smb "don't keep the password as part of the URL."
- fix kicker applet proxy "delete the applet when the proxy goes away so that applet dtors get run!"
- fix safari user agent (support new safari)
- kde bug #68173: klipper workaround for acroread
- kde bug #81833: "Fixed increasing memory usage when reloading a fullpage nsplugin"
- kde bug #93832: kwin
Updated zip packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: zip
Advisory ID: MDKSA-2004:141
Date: November 25th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A vulnerability in zip was discovered where zip would not check the resulting path length when doing recursive folder compression, which could allow a malicious person to convince a user to create an archive containing a specially-crafted path name. By doing so, arbitrary code could be executed with the permissions of the user running zip.
The updated packages are patched to prevent this problem.
Updated a2ps packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: a2ps
Advisory ID: MDKSA-2004:140
Date: November 25th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application.
The updated packages have been patched to prevent this problem.
Updated cyrus-imapd packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: cyrus-imapd
Advisory ID: MDKSA-2004:139
Date: November 25th, 2004
Affected versions: 10.0, 10.1
______________________________________________________________________
Problem Description:
A number of vulnerabilities in the Cyrus-IMAP server were found by Stefan Esser. Due to insufficient checking within the argument parser of the 'partial' and 'fetch' commands, a buffer overflow could be exploited to execute arbitrary attacker-supplied code. Another exploitable buffer overflow could be triggered in situations where memory allocation fails.
The provided packages have been patched to prevent these problems.
Updated libxpm4 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libxpm4
Advisory ID: MDKSA-2004:137
Date: November 22nd, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files.
A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops.
These bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges, by using a specially crafted xpm image.
Updated packages are patched to correct all these issues.
Updated XFree86 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: XFree86
Advisory ID: MDKSA-2004:138
Date: November 22nd, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files.
A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops.
These bugs can be exploited by remote and/or local attackers to gain access to the system or to escalate their local privileges, by using a specially crafted xpm image.
Updated packages are patched to correct all these issues.
Updated samba packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: samba
Advisory ID: MDKSA-2004:136
Date: November 18th, 2004
Affected versions: 10.0, 10.1
______________________________________________________________________
Problem Description:
Stefan Esser discovered that invalid bounds checking in the reply to certain trans2 requests could result in a buffer overrun in smbd. This can only be exploited by a malicious user able to create files with very specific Unicode filenames on a samba share.
The updated packages have been patched to prevent this problem.
Updated qt3 packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: qt3
Advisory ID: MDKA-2004:048
Date: November 18th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A problem exists in qt3 on the x86_64 platform when trying to switch an application to fullscreen mode. The updated packages correct the issue.
Updated kdeutils packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdeutils
Advisory ID: MDKA-2004:047
Date: November 18th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A problem with kfloppy and udev exists that prevents users from formatting floppy disks. The updated packages correct the issue.
An updated clamav package has been released for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: clamav
Advisory ID: MDKA-2004:046
Date: November 18th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
The clamav databases for clamav version 0.75.1 no longer update, but rather return an error that the user needs to upgrade immediately.
This update provides clamav 0.80 which allows for the databases to be updated.
Updated drakxtools are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: drakxtools
Advisory ID: MDKA-2004:045
Date: November 17th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A number of fixes are available in the updated drakxtools package:
- in drakconnect, ifcfg files are only readable by root when a WEP key is set
- add support for Philips Semiconductors DSL card in drakconnect
- update/add ADSL ISP entries in drakconnect
- create cfg dir if needed in drakTermServ
- ignore vmnet for broadcast address in drakTermServ
- use xorg.conf file in drakTermServ
- touch dhcp.conf.etherboot.kernel in drakTermServ
- fix configuration of the fcitx IM in localedrake
Fixes for ldetect-lst include:
- do not wrongly detect some sound cards
- disambiguate media devices (eg: TV cards vs SAT cards)
- add a few PCMCIA, SATA and centrino entries
- add a few missing descriptions
- add Sagem Fast 800 E3
An updated totem package is available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: totem
Advisory ID: MDKA-2004:044
Date: November 17th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
There is a problem in the totem package where in some cases when running totem a blue screen would appear. Resizing the screen seems to fix the problem temporarily, however upon minimizing or maximizing the screen it would once again become blue.
The updated packages are patched to correct this problem.
Updated bootloader-utils are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: bootloader-utils
Advisory ID: MDKA-2004:043
Date: November 17th, 2004
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A problem with generating kernel headers exists when using the newer kernel-i686-up-64GB package. The updated bootloader-utils package corrects the issue.
Updated Apache 2 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache2
Advisory ID: MDKSA-2004:135
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2
______________________________________________________________________
Problem Description:
A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan Trivedi; he found that by sending a large number of specially crafted HTTP GET requests, a remote attacker could cause a Denial of Service on the httpd server. This vulnerability is due to improper enforcement of the field length limit in the header-parsing code.
The updated packages have been patched to prevent this problem.
Updated Apache packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache
Advisory ID: MDKSA-2004:134
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process. This could be done with a special HTML document using malformed SSI.
The updated packages have been patched to prevent this problem.
Updated sudo packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: sudo
Advisory ID: MDKSA-2004:133
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Liam Helmer discovered a flaw in sudo's environment sanitizing. This flaw could allow a malicious user with permission to run a shell script that uses the bash shell to run arbitrary commands.
The problem is fixed in sudo 1.6.8p2; the provided packages have been patched to correct the issue.
Updated gd packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gd
Advisory ID: MDKSA-2004:132
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image row values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function.
The updated packages have been patched to prevent these issues.
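Every advisory above follows the same fixed layout (title line, rule, "Mandrakelinux ... Advisory" header, key/value block, rule, "Problem Description:" text). As an added example that is not part of this digest or of Mandrakesoft's tooling, the following Python parser turns that layout into records, distinguishes security advisories from plain bugfix updates by the header line, and answers which advisories list a given version as affected. It assumes the digest ends with the last advisory's description (trailing text such as a press release must be cut off first); the embedded sample is constructed to mirror the page's layout, including a version list that wraps onto a second line.

```python
import re
HEADER = re.compile(r"^Mandrakelinux (Security )?Update Advisory$", re.M)
FIELD = re.compile(r"^(Package name|Advisory ID|Date|Affected versions|Problem Description):\s*(.*)$")
# Constructed sample in the page's layout (rule lines shortened; the first version list wraps).
SAMPLE = """Mandrakelinux Security Update Advisory
____
Package name: sudo
Advisory ID: MDKSA-2004:133
Date: November 15th, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
____
Problem Description:
Liam Helmer discovered a flaw in sudo's environment sanitizing.
Updated qt3 packages are available for Mandrakelinux 10.1
____
Mandrakelinux Update Advisory
____
Package name: qt3
Advisory ID: MDKA-2004:048
Affected versions: 10.1
____
Problem Description:
A problem exists in qt3 on x86_64 when switching to fullscreen mode.
"""

def parse_digest(text):
    """Cut the digest at each '... Advisory' header line; build one record per chunk."""
    heads, out = list(HEADER.finditer(text)), []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields, key = {}, None
        for line in text[h.end():end].splitlines():
            line = line.strip()
            if not line or set(line) == {"_"}: continue  # skip blank lines and underscore rules
            if (m := FIELD.match(line)):
                key, fields[key] = m.group(1), [m.group(2)]
            elif key:  # continuation: a wrapped version list or a description line
                fields[key].append(line)
        if i + 1 < len(heads):  # the chunk's last line is the next advisory's title
            fields.get("Problem Description", [""]).pop()
        adv = {k: " ".join(v).strip() for k, v in fields.items()}
        adv["security"] = bool(h.group(1))  # 'Security Update Advisory' vs 'Update Advisory'
        adv["affected"] = [v.strip() for v in adv.get("Affected versions", "").split(",") if v.strip()]
        out.append(adv)
    return out

def affecting(advisories, version, security_only=True):
    """Advisory IDs that list `version` as affected; security advisories only by default."""
    return [a["Advisory ID"] for a in advisories if version in a["affected"] and (a["security"] or not security_only)]
```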
A press release from Mandrakesoft:
Conectiva, Mandrakesoft, Progeny, and Turbolinux announce agreement to base products on common implementation of LSB 2.0.
Curitiba, Brazil; Paris, France; Indianapolis, Indiana, USA; Tokyo, Japan - November 17, 2004. Linux vendors from Europe, Asia, and North and South America have teamed up to create a common core implementation of the Linux Standard Base (LSB) 2.0. This implementation will serve as the core for each company's future Linux distribution products. The Linux Core Consortium (LCC) has the backing of Linux supporters including Computer Associates, the Free Standards Group (FSG), HP, Novell, the Open Source Development Labs (OSDL), Red Hat, and Sun Microsystems.