A press release from Mandrakesoft:
Mandrakelinux Corporate Server 3.0 receives LSB 2.0 certification
Moreno Valley, Ca; Paris, France - February 7th, 2005 - Mandrakesoft today announced that its newly released Mandrakelinux Corporate Server 3.0 server solution has received LSB 2.0 certification, following its longstanding tradition of support for open standards.
Updated vim packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: vim
Advisory ID: MDKSA-2005:029
Date: February 2nd, 2005
Affected versions: 10.0, 10.1, Corporate Server 2.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
Javier Fernandez-Sanguino Pena discovered two vulnerabilities in scripts included with the vim editor. The two scripts, "tcltags" and "vimspell.sh", created temporary files in an insecure manner, which could allow a malicious user to execute a symbolic link attack or to create, or overwrite, arbitrary files with the privileges of the user invoking the scripts.
The updated packages are patched to prevent this problem.
Updated chbg packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: chbg
Advisory ID: MDKSA-2005:027
Date: February 1st, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A vulnerability in chbg was discovered by Danny Lungstrom. A maliciously-crafted configuration/scenario file could overflow a buffer leading to the potential execution of arbitrary code.
The updated packages are patched to prevent the problem.
Updated imap packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: imap
Advisory ID: MDKSA-2005:026
Date: February 1st, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup.
The updated packages have been patched to prevent these problems.
Updated KDE packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdebase
Advisory ID: MDKA-2005:005-1
Date: January 31st, 2005
Original Advisory Date: January 27th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A problem with the previous update prevented users from updating kdebase due to a missing file and incomplete rpm header information. The updated kdebase packages fix this problem.
Updated clamav packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: clamav
Advisory ID: MDKSA-2005:025
Date: January 31st, 2005
Affected versions: 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
Two problems were discovered in versions of clamav prior to 0.81. An attacker could evade virus scanning by sending a base64-encoded image file in a URL. Also, by sending a specially-crafted ZIP file, an attacker could cause a DoS (Denial of Service) by crashing the clamd daemon.
An updated Clamav package has been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: clamav
Advisory ID: MDKA-2005:008-1
Date: January 28th, 2005
Original Advisory Date: January 27th, 2005
Affected versions: 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
The clamav databases for clamav version 0.80 no longer update, but rather return an error that the user needs to upgrade immediately.
This update provides clamav 0.81 which allows for the databases to be updated.
Update:
A problem in the initscript prevented clamd from starting properly. These new packages fix that problem.
An updated mdkonline package has been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: mdkonline
Advisory ID: MDKA-2005:006
Date: January 27th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A permissions flaw was found on /etc/sysconfig/mdkonline which prevented users from reading the file. This has been fixed in the updated packages. Better x86_64 support has also been added, as well as other minor fixes.
Updated evolution packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: evolution
Advisory ID: MDKSA-2005:024
Date: January 27th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
Max Vozeler discovered an integer overflow in the camel-lock-helper application. This application is installed setgid mail by default. A local attacker could exploit this to execute malicious code with the privileges of the "mail" group; likewise, a remote attacker could set up a malicious POP server to execute arbitrary code when an Evolution user connects to it.
The updated packages have been patched to prevent this problem.
An updated nut package has been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: nut
Advisory ID: MDKA-2005:007
Date: January 27th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A bug exists in the upsd initscript used by nut: it starts the upsd/powerdown script earlier in the halt/shutdown process to ensure it still has access to USB. However, this was done too early, while the root partition was still mounted in read/write mode. Due to this delay, it was possible that the UPS would run out of power before a clean halt. The updated packages are fixed to remove the delay that could cause the problem.
It is important that users make sure their UPS has at least a 15 second delay before shutting down; most UPS units have this feature by default, but not all. Users can also manage the shutdown delay in the nut configuration file if their nut driver supports it.
Updated KDE packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kde
Advisory ID: MDKA-2005:005
Date: January 27th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
New KDE packages are available to address various bugs. The details are as follows.
Kdebase:
- Fix kicker kde bug #86489/#88940/#81438/#96768
- Fix menu-method to create ~/tmp when it doesn't exist (potential bug)
- Fix some errors in kde menu methods
- Fix kdmrc: force VT7
Kdelibs:
- Fix kabc kde bug #96263/#97335
- Fix khtml kde bug #89356
- Fix dom_string crash
- Fix khtml kde bug #97185
- Fix: don't add tmp file into recent documents
- Fix kate kde bug #97373
- Fix kdeprint kde bug #40635, #58381 and #80825
Kdepim:
- Fix libkcal kde bug #94310/#96903.
- Fix kaddressbook kde bug #96792.
- Fix kalarm spinbox + plastik style.
- Fix kontact dialog size.
- Fix kmail forward, forward attachment.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: bind
Advisory ID: MDKSA-2005:023
Date: January 26th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A vulnerability was discovered in BIND version 9.3.0 where a remote attacker may be able to cause named to exit prematurely, causing a Denial of Service due to an incorrect assumption in the validator function authvalidated().
The updated packages have been patched to prevent this problem.
OSDir has posted a screenshot slideshow of Mandrakelinux 10.2 Beta 1
Updated kernel packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kernel
Advisory ID: MDKSA-2005:022
Date: January 25th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1, Corporate Server 3.0, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A number of vulnerabilities are fixed in the 2.4 and 2.6 kernels with this advisory:
- Multiple race conditions in the terminal layer of 2.4 and 2.6 kernels (prior to 2.6.9) can allow a local attacker to obtain portions of kernel data or allow remote attackers to cause a kernel panic by switching from console to PPP line discipline, then quickly sending data that is received during the switch (CAN-2004-0814)
Updated kdegraphics packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdegraphics
Advisory ID: MDKSA-2005:020
Date: January 25th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the xpdf PDF code, which could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. Kdegraphics uses xpdf code and is susceptible to the same vulnerability.
10.1 packages also include a fix for ksvg kde bug #74457.
The updated packages have been patched to prevent these problems.
Updated koffice packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: koffice
Advisory ID: MDKSA-2005:019
Date: January 25th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the xpdf PDF code, which could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. Koffice uses xpdf code and is susceptible to the same vulnerability.
The updated packages have been patched to prevent these problems.
Updated gpdf packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gpdf
Advisory ID: MDKSA-2005:016
Date: January 25th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the xpdf PDF code, which could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. Gpdf uses xpdf code and is susceptible to the same vulnerability.
The updated packages have been patched to prevent these problems.
Updated tetex packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: tetex
Advisory ID: MDKSA-2005:021
Date: January 25th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the xpdf PDF code, which could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. Tetex uses xpdf code and is susceptible to the same vulnerability.
The updated packages have been patched to prevent these problems.
Updated CUPS packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: cups
Advisory ID: MDKSA-2005:018
Date: January 25th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1, Corporate Server 3.0
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered in the xpdf PDF code, which could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. Cups uses xpdf code and is susceptible to the same vulnerability.
The updated packages have been patched to prevent these problems.