Linux Compatible - Mandriva (Page 12)

MDKSA-2004:151 - Updated php packages

Mandriva 1277 Published 2004-12-18 08:00 by Philipp Esselbach 0

Updated php packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: php
Advisory ID: MDKSA-2004:151
Date: December 17th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A number of vulnerabilities in PHP versions prior to 4.3.10 were discovered by Stefan Esser. Some of these vulnerabilities were not deemed to be severe enough to warrant CVE names, however the packages provided, with the exception of the Corporate Server 2.1 packages, include fixes for all of the vulnerabilities, thanks to the efforts of the OpenPKG team who extracted and backported the fixes.

The vulnerabilities fixed in all provided packages include a fix for a possible information disclosure, double free, and negative reference index array underflow in deserialization code (CAN-2004-1019). As well, the exif_read_data() function suffers from an overflow on a long sectionname; this vulnerability was discovered by Ilia Alshanetsky (CAN-2004-1065).

The other fixes that appear in Mandrakelinux 9.2 and newer packages include a fix for out of bounds memory write access in shmop_write() and integer overflow/underflows in the pack() and unpack() functions. The addslashes() function did not properly escape "\0" correctly. A directory bypass issue existed in safe_mode execution. There is an issue of arbitrary file access through path truncation. Finally, the "magic_quotes_gpc" functionality could lead to one level directory traversal with file uploads.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1065
http://www.php.net/release_4_3_10.php
http://www.hardened-php.net/advisories/012004.txt
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
06b5483f89fd3cf9950299b628adc000 10.0/RPMS/libphp_common432-4.3.4-4.3.100mdk.i586.rpm
475b1f1ccd3cf87eb5c6cea410c6b925 10.0/RPMS/php-cgi-4.3.4-4.3.100mdk.i586.rpm
5f74765dc38dda891ce56fa4b275cce1 10.0/RPMS/php-cli-4.3.4-4.3.100mdk.i586.rpm
0d96970f65d9d53dfbb56bef9c7cf920 10.0/RPMS/php432-devel-4.3.4-4.3.100mdk.i586.rpm
3d9fd1b025b49d8b064c785982d8491f 10.0/SRPMS/php-4.3.4-4.3.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
a4302c774ce5e22e5910b1d1a130de3e amd64/10.0/RPMS/lib64php_common432-4.3.4-4.3.100mdk.amd64.rpm
aced2cc932e30532ca0243aa3bb08d68 amd64/10.0/RPMS/php-cgi-4.3.4-4.3.100mdk.amd64.rpm
49893a1fab6fbcc7a2e315784a1917ed amd64/10.0/RPMS/php-cli-4.3.4-4.3.100mdk.amd64.rpm
3ae39ad55fcc27d41e5c98c49839151d amd64/10.0/RPMS/php432-devel-4.3.4-4.3.100mdk.amd64.rpm
3d9fd1b025b49d8b064c785982d8491f amd64/10.0/SRPMS/php-4.3.4-4.3.100mdk.src.rpm

Mandrakelinux 10.1:
137904a75605f52241c384d2bc3b0c0c 10.1/RPMS/libphp_common432-4.3.8-3.2.101mdk.i586.rpm
1c9ca0459cdd747f528da02d6eca7452 10.1/RPMS/php-cgi-4.3.8-3.2.101mdk.i586.rpm
130d7a25c3a10398d993cef9319b29c8 10.1/RPMS/php-cli-4.3.8-3.2.101mdk.i586.rpm
2e4ba28a72bb6e178d06a5d85cd21948 10.1/RPMS/php432-devel-4.3.8-3.2.101mdk.i586.rpm
db09ea993e41794e44bc843054232794 10.1/SRPMS/php-4.3.8-3.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
a2ecb5c9c811a003a72200fe271ff1b2 x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.2.101mdk.x86_64.rpm
24e125f79016925ef37e7a960482d7ee x86_64/10.1/RPMS/php-cgi-4.3.8-3.2.101mdk.x86_64.rpm
7f34cabe684c335fc8febad447d9973a x86_64/10.1/RPMS/php-cli-4.3.8-3.2.101mdk.x86_64.rpm
ea97f3e1cfe9c56ce277bb59b36c559d x86_64/10.1/RPMS/php432-devel-4.3.8-3.2.101mdk.x86_64.rpm
db09ea993e41794e44bc843054232794 x86_64/10.1/SRPMS/php-4.3.8-3.2.101mdk.src.rpm

Corporate Server 2.1:
bd0081a43d13ab1df8bb0d277172f669 corporate/2.1/RPMS/php-4.2.3-4.3.C21mdk.i586.rpm
399d388aba15e1f848aea9a6e9829a39 corporate/2.1/RPMS/php-common-4.2.3-4.3.C21mdk.i586.rpm
c28686b72864d3fdeace7cbe938dc1cc corporate/2.1/RPMS/php-devel-4.2.3-4.3.C21mdk.i586.rpm
7b65a50eb77e88581c916471d3b6ea1a corporate/2.1/RPMS/php-pear-4.2.3-4.3.C21mdk.i586.rpm
38d6e460a3372044d524cece0c9f426e corporate/2.1/SRPMS/php-4.2.3-4.3.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
3234c6addd5d8d854fda9e6ec415fed7 x86_64/corporate/2.1/RPMS/php-4.2.3-4.3.C21mdk.x86_64.rpm
43001648d6a67bfa204c8a6988572f78 x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.3.C21mdk.x86_64.rpm
fc41173cc7f6007168eacef722239151 x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.3.C21mdk.x86_64.rpm
bd63181af60e3010cfac7ca096cbdff3 x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.3.C21mdk.x86_64.rpm
38d6e460a3372044d524cece0c9f426e x86_64/corporate/2.1/SRPMS/php-4.2.3-4.3.C21mdk.src.rpm

Mandrakelinux 9.2:
a2efac8a1ee14a3dcfa94c6f623a1b4c 9.2/RPMS/libphp_common432-4.3.3-2.3.92mdk.i586.rpm
b85f3c02d2bba76ebbced0b64b369cd0 9.2/RPMS/php-cgi-4.3.3-2.3.92mdk.i586.rpm
0b3fca9527b45ee79ed2b8ba9c90b299 9.2/RPMS/php-cli-4.3.3-2.3.92mdk.i586.rpm
cca3b9b83930e7a96dfe26114b0008a3 9.2/RPMS/php432-devel-4.3.3-2.3.92mdk.i586.rpm
d55f284624ac1223f114c720eb7df18b 9.2/SRPMS/php-4.3.3-2.3.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
0d9742db43fdcf601b2f58e7fbc2cc05 amd64/9.2/RPMS/lib64php_common432-4.3.3-2.3.92mdk.amd64.rpm
05bb8c70036b427d0a52015dafd20c80 amd64/9.2/RPMS/php-cgi-4.3.3-2.3.92mdk.amd64.rpm
8fe4fba4ccbd6a44667d368b0cd064ea amd64/9.2/RPMS/php-cli-4.3.3-2.3.92mdk.amd64.rpm
334c12194b2d22b3a97e2dbfab1acde4 amd64/9.2/RPMS/php432-devel-4.3.3-2.3.92mdk.amd64.rpm
d55f284624ac1223f114c720eb7df18b amd64/9.2/SRPMS/php-4.3.3-2.3.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

MDKA-2004:059-1 - Updated urpmi packages

Mandriva 1277 Published 2004-12-18 07:59 by Philipp Esselbach 0

Updated urpmi packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: urpmi
Advisory ID: MDKA-2004:059-1
Date: December 17th, 2004
Original Advisory Date: December 16th, 2004
Affected versions: 10.1
______________________________________________________________________

Problem Description:

A bug in the parallel ssh extension in urpmi would prevent parallel installations using ssh; urpmi would crash. The updated pacakges fix the problem.

Update:

The previous perl-URPM packages for x86 were incorrectly signed. This update bumps the version and provides updated packages for both x86 and x86_64.

MDKA-2004:059 - Updated urpmi packages

Mandriva 1277 Published 2004-12-17 06:11 by Philipp Esselbach 0

Updated urpmi packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: urpmi
Advisory ID: MDKA-2004:059
Date: December 16th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A bug in the parallel ssh extension in urpmi would prevent parallel installations using ssh; urpmi would crash. The updated packges fix the problem.

MDKA-2004:058 - Updated wget packages

Mandriva 1277 Published 2004-12-17 06:10 by Philipp Esselbach 0

Updated wget packages has been released for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: wget
Advisory ID: MDKA-2004:058
Date: December 16th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A problem in wget prevents it from downloading very large data files. The updated packages are patched to fix the problem.

MDKSA-2004:150 - Updated kdelibs and kdebase

Mandriva 1277 Published 2004-12-15 18:55 by Philipp Esselbach 0

Updated kdelibs and kdebase packages are available for Mandrakelinux 10.0 and 10.1

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kdelibs
Advisory ID: MDKSA-2004:150
Date: December 15th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

Daniel Fabian discovered a potential privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to, browsing SMB (Samba) shares. Upon further investigation, it was found that the SMB protocol handler also unnecessarily exposed authentication credentials (CAN-2004-1171).

Another vulnerability was discovered where a malicious website could abuse Konqueror to load its own content into a window or tab that was opened by a trusted website, or it could trick a trusted website into loading content into an existing window or tab. This could lead to the user being confused as to the origin of a particular webpage and could have the user unknowingly send confidential information intended for a trusted site to the malicious site (CAN-2004-1158).

The updated packages contain a patch from the KDE team to solve this issue.

Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1 contain numerous bugfixes. New qt3 packages are being provided for Mandrakelinux 10.0 that are required to build the kdebase package.

MDKA-2004:057 - Updated kde-related packages

Mandriva 1277 Published 2004-12-15 18:53 by Philipp Esselbach 0

Updated kde-related packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: kde
Advisory ID: MDKA-2004:057
Date: December 15th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A number of KDE-related packages are being released to address a number of bugs in these packages. Updated packages include kdenetwork (which fixes problems in kget, kopete, and krfb), kdepim (which fixes problems in kmail, knode, knotes, and kontact), kwallet (which fixes problems in kwalleditor and kcmlirc), and kdesdk (which fixes a problem in cervisia).

As well, an updated mandrake_desk package is available which fixes a knode menu bug.

MDKSA-2004:149 - Updated postgresql packages

Mandriva 1277 Published 2004-12-14 05:54 by Philipp Esselbach 0

Updated postgresql packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: postgresql
Advisory ID: MDKSA-2004:149
Date: December 13th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The Trustix development team found insecure temporary file creation problems in a script included in the postgresql package. This could allow an attacker to trick a user into overwriting arbitrary files he has access to.

The updated packages have been patched to prevent this problem.

MDKA-2004:054 - Updated libpng packages fix

Mandriva 1277 Published 2004-12-14 05:52 by Philipp Esselbach 0

Updated libpng packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: libpng
Advisory ID: MDKA-2004:054
Date: December 13th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A problem in version 1.2.6 of the libpng library would cause libpng to write an invalid zlib header within the PNG datastream. This can cause some applications to display the images incorrectly.

The updated packages have been patched to fix this problem.

MDKSA-2004:148 - Updated iproute2 packages

Mandriva 1277 Published 2004-12-14 05:51 by Philipp Esselbach 0

Updated iproute2 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: iproute2
Advisory ID: MDKSA-2004:148
Date: December 13th, 2004

Affected versions: 10.0, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Herbert Xu discovered that iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack.

The updated packages have been patched to prevent this problem.

MDKA-2004:055 - Updated mdkonline packages

Mandriva 1277 Published 2004-12-14 05:50 by Philipp Esselbach 0

Updated mdkonline packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: mdkonline
Advisory ID: MDKA-2004:055
Date: December 13th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

This is a major update of mandrakeonline which fixes several issues and adds more features such as a text wizard for servers without Xwindow capabilities, support for server products, corporate and MNF for instance, errors displaying and md5sum file checks.

MDKA-2004:056 - Updated evolution packages

Mandriva 1277 Published 2004-12-14 05:49 by Philipp Esselbach 0

Updated Evolution packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: evolution
Advisory ID: MDKA-2004:056
Date: December 13th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

This update provides Evolution 2.0.3 which fixes a number of bugs found in the previous version of Evolution, including the possibility to lose mail when Evolution sends an email message, that fails to send, but Evolution doesn't realize it has failed.

Mandrakelinux 10.1 Offical: A great selection of software

Mandriva 1277 Published 2004-12-13 05:35 by Philipp Esselbach 0

OSDir.com has posted screenshot slideshows of Mandrakelinux 10.1 Offical and Mandrakelinux Move 2.0 Live CD

MDKSA-2004:147 - Updated openssl packages

Mandriva 1277 Published 2004-12-07 07:02 by Philipp Esselbach 0

Updated openssl packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: openssl
Advisory ID: MDKSA-2004:147
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

The Trustix developers found that the der_chop script, included in the openssl package, created temporary files insecurely. This could allow local users to overwrite files using a symlink attack.

The updated packages have been patched to prevent this problem.

MDKSA-2004:146 - Updated nfs-utils packages

Mandriva 1277 Published 2004-12-07 06:42 by Philipp Esselbach 0

Updated nfs-utils packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: nfs-utils
Advisory ID: MDKSA-2004:146
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

SGI developers discovered a remote DoS (Denial of Service) condition in the NFS statd server. rpc.statd did not ignore the "SIGPIPE" signal which would cause it to shutdown if a misconfigured or malicious peer terminated the TCP connection prematurely.

The updated packages have been patched to prevent this problem.

MDKSA-2004:145 - Updated rp-pppoe packages

Mandriva 1277 Published 2004-12-07 06:41 by Philipp Esselbach 0

Updated rp-pppoe packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: rp-pppoe
Advisory ID: MDKSA-2004:145
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Max Vozeler discovered a vulnerability in pppoe, part of the rp-pppoe package. When pppoe is running setuid root, an attacker can overwrite any file on the system. Mandrakelinux does not install pppoe setuid root, however the packages have been patched to prevent this problem.

MDKSA-2004:144 - Updated lvm1 packages

Mandriva 1277 Published 2004-12-07 06:40 by Philipp Esselbach 0

Updated lvm1 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: lvm
Advisory ID: MDKSA-2004:144
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

The Trustix developers discovered that the lvmcreate_initrd script, part of the lvm1 package, created a temporary directory in an insecure manner. This could allow for a symlink attack to create or overwrite arbitrary files with the privileges of the user running the script.

The updated packages have been patched to prevent this problem.

MDKSA-2004:143 - Updated ImageMagick packages

Mandriva 1277 Published 2004-12-07 06:39 by Philipp Esselbach 0

Updated ImageMagick packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ImageMagick
Advisory ID: MDKSA-2004:143
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A vulnerability was discovered in ImageMagick where, due to a boundary error within the EXIF parsing routine, a specially crafted graphic image could potentially lead to the execution of arbitrary code.

The updated packages have been patched to prevent this problem.

MDKSA-2004:142 - Updated gzip packages fix

Mandriva 1277 Published 2004-12-07 06:38 by Philipp Esselbach 0

Updated gzip package are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: gzip
Advisory ID: MDKSA-2004:142
Date: December 6th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

The Trustix developers found some insecure temporary file creation problems in the zdiff, znew, and gzeze supplemental scripts in the gzip package. These flaws could allow local users to overwrite files via a symlink attack.

A similar problem was fixed last year (CAN-2003-0367) in which this same problem was found in znew. At that time, Mandrakesoft also used mktemp to correct the problems in gzexe. This update uses mktemp to handle temporary files in the zdiff script.

MDKA-2004:053 - Updated dietlibc packages fix

Mandriva 1277 Published 2004-12-07 06:24 by Philipp Esselbach 0

Updated dietlibc packages are available for Mandrakelinux 10.0
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: dietlibc
Advisory ID: MDKA-2004:053
Date: December 6th, 2004

Affected versions: 10.0
______________________________________________________________________

Problem Description:

There was a problem with dietlibc in Mandrakelinux 10.0/amd64 where it would not provide proper support for the AMD64 architecture. The updated package fixes this.

MDKA-2004:052 - Updated drakxtools packages

Mandriva 1277 Published 2004-12-07 06:23 by Philipp Esselbach 0

Updated drakxtools are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: drakxtools
Advisory ID: MDKA-2004:052
Date: December 6th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

Beginning immediately, all bug reports for stable releases will be handled via Bugzilla at http://qa.mandrakesoft.com/. The drakbug tool has been updated to point users of stable releases to Bugzilla.