Linux Compatible - Mandriva (Page 13)

Mandrakesoft to liven up the corporate Linux world

Mandriva 1275 Published 2005-01-04 14:33 by Philipp Esselbach 0

Mandrakesoft has just released two new "enterprise" Linux products: Corporate Server and Corporate Desktop. These products have received specific development and testing efforts to make them as fit as possible for use in a business environment.

The new Corporate Server is meant to facilitate deployment through its auto-installation and easy configuration capabilities. It can be used for any kind of server tasks, from LDAP to Web.

Corporate Desktop was designed for the coming wave of Linux on the desktop. The problem of over-abounding, sometimes immature Open Source software has been solved in this product through careful testing and screening of software applications. That makes Corporate Desktop immediately usable.

MDKSA-2004:164 - Updated cups packages

Mandriva 1275 Published 2004-12-30 03:57 by Philipp Esselbach 0

Updated cups packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: cups
Advisory ID: MDKSA-2004:164
Date: December 29th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

iDefense reported a buffer overflow vulnerability, which affects versions of xpdf

MDKSA-2004:166 - Updated tetex packages

Mandriva 1275 Published 2004-12-30 03:56 by Philipp Esselbach 0

Updated tetex packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: tetex
Advisory ID: MDKSA-2004:166
Date: December 29th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code, such as tetex (CAN-2004-0888).

Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs like tetex which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker controlled location which probably could lead to arbitrary code execution.

iDefense also reported a buffer overflow vulnerability, which affects versions of xpdf

MDKSA-2004:165 - Updated koffice packages

Mandriva 1275 Published 2004-12-30 03:55 by Philipp Esselbach 0

Updated koffice packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: koffice
Advisory ID: MDKSA-2004:165
Date: December 29th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also effect software using embedded xpdf code, such as koffice (CAN-2004-0888).

Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs like koffice which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker controlled location which probably could lead to arbitrary code execution.

iDefense also reported a buffer overflow vulnerability, which affects versions of xpdf

MDKSA-2004:162 - Updated gpdf packages

Mandriva 1275 Published 2004-12-30 03:52 by Philipp Esselbach 0

Updated gpdf packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: gpdf
Advisory ID: MDKSA-2004:162
Date: December 29th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

iDefense reported a buffer overflow vulnerability, which affects versions of xpdf

MDKSA-2004:161 - Updated xpdf packages

Mandriva 1275 Published 2004-12-30 03:51 by Philipp Esselbach 0

Updated xpdf packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: xpdf
Advisory ID: MDKSA-2004:161
Date: December 29th, 2004

Affected versions: 10.0, 10.1, Corporate Server 2.1
______________________________________________________________________

Problem Description:

iDefense reported a buffer overflow vulnerability, which affects versions of xpdf

MDKSA-2004:160 - Updated kdelibs packages

Mandriva 1275 Published 2004-12-30 03:50 by Philipp Esselbach 0

Updated kdelibs packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kdelibs
Advisory ID: MDKSA-2004:160
Date: December 29th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

A vulnerability in the Konqueror web browser was discovered that would allow a malicious web site to take advantage of a flaw in kio_ftp to send email messages without user interaction.

The updated packages are patched to correct the problem.

MDKSA-2004:159 - Updated glibc packages

Mandriva 1275 Published 2004-12-30 03:49 by Philipp Esselbach 0

Updated glibc packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: glibc
Advisory ID: MDKSA-2004:159
Date: December 29th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

The Trustix developers discovered that the catchsegv and glibcbug utilities, part of the glibc package, created temporary files in an insecure manner. This could allow for a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the program.

The updated packages have been patched to correct this issue.

MDKA-2004:060 - Updated udev packages

Mandriva 1275 Published 2004-12-30 03:48 by Philipp Esselbach 0

Updated udev packages has been released for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: udev
Advisory ID: MDKA-2004:060
Date: December 29th, 2004

Affected versions: 10.1
______________________________________________________________________

Problem Description:

A problem in udev existed where a user would not be able to use a firewire camera because the required device was never created. This update forces udev to pre-create the device allowing the use of firewire cameras.

Mandrakelinux 10.2 Christmas Cooker Snapshot

Mandriva 1275 Published 2004-12-28 07:24 by Philipp Esselbach 0

An early development snapshot of Mandrakelinux 10.2 is available

MDKSA-2004:158 - Updated samba packages

Mandriva 1275 Published 2004-12-28 04:26 by Philipp Esselbach 0

Updated samba packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: samba
Advisory ID: MDKSA-2004:158
Date: December 27th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.

In order to exploit this vulnerability an attacker must possess credentials that allow access to a share on the Samba server. Unsuccessful exploitation attempts will cause the process serving the request to crash with signal 11, and may leave evidence of an attack in logs.

The updated packages have been patched to correct this issue.

MDKSA-2004:157 - Updated mplayer packages

Mandriva 1275 Published 2004-12-22 18:45 by Philipp Esselbach 0

Updated mplayer packages are avaiable for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: mplayer
Advisory ID: MDKSA-2004:157
Date: December 22nd, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

A number of vulnerabilities were discovered in the MPlayer program by iDEFENSE, Ariel Berkman, and the MPlayer development team. These vulnerabilities include potential heap overflows in Real RTSP and pnm streaming code, stack overflows in MMST streaming code, and multiple buffer overflows in the BMP demuxer and mp3lib code.

The updated packages have been patched to prevent these problems.

MDKSA-2004:155 - Updated logcheck packages

Mandriva 1275 Published 2004-12-22 18:44 by Philipp Esselbach 0

Updated logcheck packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: logcheck
Advisory ID: MDKSA-2004:155
Date: December 22nd, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A vulnerability was discovered in the logcheck program by Christian Jaeger. This could potentially lead to a local attacker overwriting files with root privileges.

The updated packages have been patched to prevent the problem.

MDKSA-2004:154 - Updated kdelibs packages

Mandriva 1275 Published 2004-12-22 18:43 by Philipp Esselbach 0

Updated kdelibs packages has been released for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kdelibs
Advisory ID: MDKSA-2004:154
Date: December 22nd, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

A vulnerability in the Konqueror webbrowser was discovered where an untrusted java applet could escalate privileges (through JavaScript calling into Java code). This includes the reading and writing of files with the privileges of the user running the applet.

The provided packages have been patched to correct this problem.

MDKSA-2004:156 - Updated krb5 packages fix

Mandriva 1275 Published 2004-12-22 18:41 by Philipp Esselbach 0

Updated krb5 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: krb5
Advisory ID: MDKSA-2004:156
Date: December 22nd, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Michael Tautschnig discovered a heap buffer overflow in the history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.

The updated packages have been patched to prevent this problem.

Mandrakesoft to lead 3.4-million-euro research project

Mandriva 1275 Published 2004-12-21 08:06 by Philipp Esselbach 0

Mandrakesoft, through its Edge-IT subsidiary, will lead an international consortium of four universities, two research institutes, and four private sector companies in the three-year EDOS project. Here the press release:

EDOS Project to boost quality and productivity in software development

Paris, France; December 21, 2004. Major European research institutions and Open Source software companies today announced the launch of EDOS, a project dealing with complexity management in the field of Open Source software. The participants will collaborate in the development of theoretical and technical solutions to the management of large-scale, modular software projects. EDOS will receive EUR 2.2 million in European Union funding, in a total budget of EUR 3.4 million.

MDKSA-2004:153 - Updated aspell packages

Mandriva 1275 Published 2004-12-20 17:10 by Philipp Esselbach 0

Updated aspell packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: aspell
Advisory ID: MDKSA-2004:153
Date: December 20th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

A vulnerability was discovered in the aspell word-list-compress utility that can allow an attacker to execute arbitrary code.

The updated packages have been patched to correct this problem.

MDKSA-2004:152 - Updated ethereal packages

Mandriva 1275 Published 2004-12-20 17:09 by Philipp Esselbach 0

Updated ethereal packages are available for Mandrakelinux 10.0 and 10.1
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ethereal
Advisory ID: MDKSA-2004:152
Date: December 20th, 2004

Affected versions: 10.0, 10.1
______________________________________________________________________

Problem Description:

A number of vulnerabilities were discovered in Ethereal:

- Matthew Bing discovered a bug in DICOM dissection that could make Ethereal crash (CAN-2004-1139)
- An invalid RTP timestamp could make Ethereal hang and create a large temporary file, possibly filling available disk space (CAN-2004-1140)
- The HTTP dissector could access previously-freed memory, causing a crash (CAN-2004-1141)
- Brian Caswell discovered that an improperly formatted SMB packet could make Ethereal hang, maximizing CPU utilization (CAN-2004-1142)

Ethereal 0.10.8 was released to correct these problems and is being provided.

MDKSA-2004:151 - Updated php packages

Mandriva 1275 Published 2004-12-18 08:00 by Philipp Esselbach 0

Updated php packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: php
Advisory ID: MDKSA-2004:151
Date: December 17th, 2004

Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A number of vulnerabilities in PHP versions prior to 4.3.10 were discovered by Stefan Esser. Some of these vulnerabilities were not deemed to be severe enough to warrant CVE names, however the packages provided, with the exception of the Corporate Server 2.1 packages, include fixes for all of the vulnerabilities, thanks to the efforts of the OpenPKG team who extracted and backported the fixes.

The vulnerabilities fixed in all provided packages include a fix for a possible information disclosure, double free, and negative reference index array underflow in deserialization code (CAN-2004-1019). As well, the exif_read_data() function suffers from an overflow on a long sectionname; this vulnerability was discovered by Ilia Alshanetsky (CAN-2004-1065).

The other fixes that appear in Mandrakelinux 9.2 and newer packages include a fix for out of bounds memory write access in shmop_write() and integer overflow/underflows in the pack() and unpack() functions. The addslashes() function did not properly escape "\0" correctly. A directory bypass issue existed in safe_mode execution. There is an issue of arbitrary file access through path truncation. Finally, the "magic_quotes_gpc" functionality could lead to one level directory traversal with file uploads.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1065
http://www.php.net/release_4_3_10.php
http://www.hardened-php.net/advisories/012004.txt
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
06b5483f89fd3cf9950299b628adc000 10.0/RPMS/libphp_common432-4.3.4-4.3.100mdk.i586.rpm
475b1f1ccd3cf87eb5c6cea410c6b925 10.0/RPMS/php-cgi-4.3.4-4.3.100mdk.i586.rpm
5f74765dc38dda891ce56fa4b275cce1 10.0/RPMS/php-cli-4.3.4-4.3.100mdk.i586.rpm
0d96970f65d9d53dfbb56bef9c7cf920 10.0/RPMS/php432-devel-4.3.4-4.3.100mdk.i586.rpm
3d9fd1b025b49d8b064c785982d8491f 10.0/SRPMS/php-4.3.4-4.3.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
a4302c774ce5e22e5910b1d1a130de3e amd64/10.0/RPMS/lib64php_common432-4.3.4-4.3.100mdk.amd64.rpm
aced2cc932e30532ca0243aa3bb08d68 amd64/10.0/RPMS/php-cgi-4.3.4-4.3.100mdk.amd64.rpm
49893a1fab6fbcc7a2e315784a1917ed amd64/10.0/RPMS/php-cli-4.3.4-4.3.100mdk.amd64.rpm
3ae39ad55fcc27d41e5c98c49839151d amd64/10.0/RPMS/php432-devel-4.3.4-4.3.100mdk.amd64.rpm
3d9fd1b025b49d8b064c785982d8491f amd64/10.0/SRPMS/php-4.3.4-4.3.100mdk.src.rpm

Mandrakelinux 10.1:
137904a75605f52241c384d2bc3b0c0c 10.1/RPMS/libphp_common432-4.3.8-3.2.101mdk.i586.rpm
1c9ca0459cdd747f528da02d6eca7452 10.1/RPMS/php-cgi-4.3.8-3.2.101mdk.i586.rpm
130d7a25c3a10398d993cef9319b29c8 10.1/RPMS/php-cli-4.3.8-3.2.101mdk.i586.rpm
2e4ba28a72bb6e178d06a5d85cd21948 10.1/RPMS/php432-devel-4.3.8-3.2.101mdk.i586.rpm
db09ea993e41794e44bc843054232794 10.1/SRPMS/php-4.3.8-3.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
a2ecb5c9c811a003a72200fe271ff1b2 x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.2.101mdk.x86_64.rpm
24e125f79016925ef37e7a960482d7ee x86_64/10.1/RPMS/php-cgi-4.3.8-3.2.101mdk.x86_64.rpm
7f34cabe684c335fc8febad447d9973a x86_64/10.1/RPMS/php-cli-4.3.8-3.2.101mdk.x86_64.rpm
ea97f3e1cfe9c56ce277bb59b36c559d x86_64/10.1/RPMS/php432-devel-4.3.8-3.2.101mdk.x86_64.rpm
db09ea993e41794e44bc843054232794 x86_64/10.1/SRPMS/php-4.3.8-3.2.101mdk.src.rpm

Corporate Server 2.1:
bd0081a43d13ab1df8bb0d277172f669 corporate/2.1/RPMS/php-4.2.3-4.3.C21mdk.i586.rpm
399d388aba15e1f848aea9a6e9829a39 corporate/2.1/RPMS/php-common-4.2.3-4.3.C21mdk.i586.rpm
c28686b72864d3fdeace7cbe938dc1cc corporate/2.1/RPMS/php-devel-4.2.3-4.3.C21mdk.i586.rpm
7b65a50eb77e88581c916471d3b6ea1a corporate/2.1/RPMS/php-pear-4.2.3-4.3.C21mdk.i586.rpm
38d6e460a3372044d524cece0c9f426e corporate/2.1/SRPMS/php-4.2.3-4.3.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
3234c6addd5d8d854fda9e6ec415fed7 x86_64/corporate/2.1/RPMS/php-4.2.3-4.3.C21mdk.x86_64.rpm
43001648d6a67bfa204c8a6988572f78 x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.3.C21mdk.x86_64.rpm
fc41173cc7f6007168eacef722239151 x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.3.C21mdk.x86_64.rpm
bd63181af60e3010cfac7ca096cbdff3 x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.3.C21mdk.x86_64.rpm
38d6e460a3372044d524cece0c9f426e x86_64/corporate/2.1/SRPMS/php-4.2.3-4.3.C21mdk.src.rpm

Mandrakelinux 9.2:
a2efac8a1ee14a3dcfa94c6f623a1b4c 9.2/RPMS/libphp_common432-4.3.3-2.3.92mdk.i586.rpm
b85f3c02d2bba76ebbced0b64b369cd0 9.2/RPMS/php-cgi-4.3.3-2.3.92mdk.i586.rpm
0b3fca9527b45ee79ed2b8ba9c90b299 9.2/RPMS/php-cli-4.3.3-2.3.92mdk.i586.rpm
cca3b9b83930e7a96dfe26114b0008a3 9.2/RPMS/php432-devel-4.3.3-2.3.92mdk.i586.rpm
d55f284624ac1223f114c720eb7df18b 9.2/SRPMS/php-4.3.3-2.3.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
0d9742db43fdcf601b2f58e7fbc2cc05 amd64/9.2/RPMS/lib64php_common432-4.3.3-2.3.92mdk.amd64.rpm
05bb8c70036b427d0a52015dafd20c80 amd64/9.2/RPMS/php-cgi-4.3.3-2.3.92mdk.amd64.rpm
8fe4fba4ccbd6a44667d368b0cd064ea amd64/9.2/RPMS/php-cli-4.3.3-2.3.92mdk.amd64.rpm
334c12194b2d22b3a97e2dbfab1acde4 amd64/9.2/RPMS/php432-devel-4.3.3-2.3.92mdk.amd64.rpm
d55f284624ac1223f114c720eb7df18b amd64/9.2/SRPMS/php-4.3.3-2.3.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

MDKA-2004:059-1 - Updated urpmi packages

Mandriva 1275 Published 2004-12-18 07:59 by Philipp Esselbach 0

Updated urpmi packages are available for Mandrakelinux 10.1
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: urpmi
Advisory ID: MDKA-2004:059-1
Date: December 17th, 2004
Original Advisory Date: December 16th, 2004
Affected versions: 10.1
______________________________________________________________________

Problem Description:

A bug in the parallel ssh extension in urpmi would prevent parallel installations using ssh; urpmi would crash. The updated pacakges fix the problem.

Update:

The previous perl-URPM packages for x86 were incorrectly signed. This update bumps the version and provides updated packages for both x86 and x86_64.