Mandriva 1275 Published by Philipp Esselbach 0

Updated urpmi packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: urpmi
Advisory ID: MDKA-2004:059
Date: December 16th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A bug in the parallel ssh extension in urpmi would prevent parallel installations using ssh; urpmi would crash. The updated packages fix the problem.

Updated wget packages have been released for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: wget
Advisory ID: MDKA-2004:058
Date: December 16th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A problem in wget prevents it from downloading very large data files. The updated packages are patched to fix the problem.

Updated kdelibs and kdebase packages are available for Mandrakelinux 10.0 and 10.1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kdelibs
Advisory ID: MDKSA-2004:150
Date: December 15th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

Daniel Fabian discovered a potential privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to, browsing SMB (Samba) shares. Upon further investigation, it was found that the SMB protocol handler also unnecessarily exposed authentication credentials (CAN-2004-1171).

Another vulnerability was discovered where a malicious website could abuse Konqueror to load its own content into a window or tab that was opened by a trusted website, or it could trick a trusted website into loading content into an existing window or tab. This could lead to the user being confused as to the origin of a particular webpage and could have the user unknowingly send confidential information intended for a trusted site to the malicious site (CAN-2004-1158).

The updated packages contain a patch from the KDE team to solve this issue.

Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1 contain numerous bugfixes. New qt3 packages are being provided for Mandrakelinux 10.0 that are required to build the kdebase package.

Updated kde-related packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: kde
Advisory ID: MDKA-2004:057
Date: December 15th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A number of KDE-related packages are being released to address a number of bugs in these packages. Updated packages include kdenetwork (which fixes problems in kget, kopete, and krfb), kdepim (which fixes problems in kmail, knode, knotes, and kontact), kwallet (which fixes problems in kwalleditor and kcmlirc), and kdesdk (which fixes a problem in cervisia).

As well, an updated mandrake_desk package is available which fixes a knode menu bug.

Updated postgresql packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: postgresql
Advisory ID: MDKSA-2004:149
Date: December 13th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The Trustix development team found insecure temporary file creation problems in a script included in the postgresql package. This could allow an attacker to trick a user into overwriting arbitrary files he has access to.

The updated packages have been patched to prevent this problem.

Updated libpng packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: libpng
Advisory ID: MDKA-2004:054
Date: December 13th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A problem in version 1.2.6 of the libpng library would cause libpng to write an invalid zlib header within the PNG datastream. This can cause some applications to display the images incorrectly.

The updated packages have been patched to fix this problem.

Updated iproute2 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: iproute2
Advisory ID: MDKSA-2004:148
Date: December 13th, 2004

Affected versions: 10.0, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Herbert Xu discovered that iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack.

The updated packages have been patched to prevent this problem.

Updated mdkonline packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: mdkonline
Advisory ID: MDKA-2004:055
Date: December 13th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

This is a major update of mandrakeonline which fixes several issues and adds more features, such as a text wizard for servers without X Window capabilities, support for server products (Corporate and MNF, for instance), error display, and md5sum file checks.

Updated Evolution packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: evolution
Advisory ID: MDKA-2004:056
Date: December 13th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

This update provides Evolution 2.0.3, which fixes a number of bugs found in the previous version of Evolution, including the possibility of losing mail when a message fails to send but Evolution does not realize that it has failed.

Updated openssl packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: openssl
Advisory ID: MDKSA-2004:147
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

The Trustix developers found that the der_chop script, included in the openssl package, created temporary files insecurely. This could allow local users to overwrite files using a symlink attack.

The updated packages have been patched to prevent this problem.

Updated nfs-utils packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: nfs-utils
Advisory ID: MDKSA-2004:146
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

SGI developers discovered a remote DoS (Denial of Service) condition in the NFS statd server. rpc.statd did not ignore the "SIGPIPE" signal, which would cause it to shut down if a misconfigured or malicious peer terminated the TCP connection prematurely.

The updated packages have been patched to prevent this problem.

Updated rp-pppoe packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: rp-pppoe
Advisory ID: MDKSA-2004:145
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe package. When pppoe is running setuid root, an attacker can overwrite any file on the system. Mandrakelinux does not install pppoe setuid root; however, the packages have been patched to prevent this problem.

Updated lvm1 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: lvm
Advisory ID: MDKSA-2004:144
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The Trustix developers discovered that the lvmcreate_initrd script, part of the lvm1 package, created a temporary directory in an insecure manner. This could allow for a symlink attack to create or overwrite arbitrary files with the privileges of the user running the script.

The updated packages have been patched to prevent this problem.

Updated ImageMagick packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ImageMagick
Advisory ID: MDKSA-2004:143
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A vulnerability was discovered in ImageMagick where, due to a boundary error within the EXIF parsing routine, a specially crafted graphic image could potentially lead to the execution of arbitrary code.

The updated packages have been patched to prevent this problem.

Updated gzip packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: gzip
Advisory ID: MDKSA-2004:142
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

The Trustix developers found some insecure temporary file creation problems in the zdiff, znew, and gzexe supplemental scripts in the gzip package. These flaws could allow local users to overwrite files via a symlink attack.

A similar problem was fixed last year (CAN-2003-0367) in which this same problem was found in znew. At that time, Mandrakesoft also used mktemp to correct the problems in gzexe. This update uses mktemp to handle temporary files in the zdiff script.

Updated dietlibc packages are available for Mandrakelinux 10.0
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: dietlibc
Advisory ID: MDKA-2004:053
Date: December 6th, 2004

Affected versions: 10.0
______________________________________________________________________

Problem Description:

There was a problem with dietlibc in Mandrakelinux 10.0/amd64 where it would not provide proper support for the AMD64 architecture. The updated package fixes this.

Updated drakxtools are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: drakxtools
Advisory ID: MDKA-2004:052
Date: December 6th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

Beginning immediately, all bug reports for stable releases will be handled via Bugzilla at http://qa.mandrakesoft.com/. The drakbug tool has been updated to point users of stable releases to Bugzilla.

Updated libxpm4 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: libxpm4
Advisory ID: MDKSA-2004:137-1
Date: November 29th, 2004
Original Advisory Date: January 22nd, 2004
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The previous libxpm4 update had a linking error that resulted in a missing s_popen symbol error when running applications dependent on the library. In addition, the file path checking in the security updates prevented some applications, like gimp-2.0, from being able to save xpm format images.

Updated packages are patched to correct all these issues.