Updated lvm2 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: lvm2
Advisory ID: MDKA-2005:014
Date: March 14th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
A bug in the lvm2 packages caused lvm to recurse into symlinked directories indefinitely, which made lvm commands very slow or caused them to time out. A patch has been applied to correct this problem.
The first release candidate of Mandrakelinux 10.2 has been released
NewsForge has posted a review on Mandrake Corporate Desktop
Updated dynamic packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: dynamic
Advisory ID: MDKA-2005:013
Date: March 7th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
Dynamic did not launch kaffeine on insertion of a DVD video when using KDE as the desktop. The updated version now launches kaffeine.
Updated imap packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: imap
Advisory ID: MDKA-2005:012
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The imap package was missing a requires for xinetd, which is required for using the daemon.
Updated packages include this requirement.
Updated kdegraphics packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdegraphics
Advisory ID: MDKSA-2005:052
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888). This also affects applications like kdegraphics that use embedded versions of xpdf (CAN-2005-0206).
In addition, previous libtiff updates overlooked kdegraphics, which contains an embedded libtiff used for kfax. This update includes patches to address: CAN-2004-0803, CAN-2004-0804, CAN-2004-0886, CAN-2004-1183, CAN-2004-1308.
The updated packages are patched to deal with these issues.
Updated gaim packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gaim
Advisory ID: MDKSA-2005:049
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
Gaim versions prior to version 1.1.4 suffer from a few security issues, such as the HTML parser not sufficiently validating its input. This allowed a remote attacker to crash the Gaim client by sending certain malformed HTML messages (CAN-2005-0208 and CAN-2005-0473).
Insufficient input validation was also discovered in the "Oscar" protocol handler, used for ICQ and AIM. By sending specially crafted packets, remote users could trigger an infinite loop in Gaim, causing it to become unresponsive and hang (CAN-2005-0472).
Gaim 1.1.4 is provided and fixes these issues.
Updated cyrus-imapd packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: cyrus-imapd
Advisory ID: MDKSA-2005:051
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
Several overruns have been fixed in the IMAP annote extension as well as in cached header handling, which can be run by an authenticated user. In addition, bounds checking in fetchnews was improved to avoid exploitation by a peer news admin.
Updated gftp packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gftp
Advisory ID: MDKSA-2005:050
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A vulnerability in gftp could allow a malicious FTP server to overwrite files on the local system as the user running gftp due to improper handling of filenames containing slashes.
The updated packages are patched to deal with these issues.
Updated unixODBC packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: unixODBC
Advisory ID: MDKA-2005:011
Date: March 4th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
The unixODBC packages shipped with Mandrakelinux 10.1 had a couple of issues with the GUI config tools:
The gtk interface gODBCConfig does not exit when its window is closed. This results in the application re-opening when resuming a saved window manager session. (Bugzilla 14013)
The qt interface ODBCConfig requires the libraries that are supposed to be in libunixODBC2-qt. Due to a packaging error, libunixODBC2-qt is empty. (Bugzilla 14014)
Updated packages correct these issues.
Updated curl packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: curl
Advisory ID: MDKSA-2005:048
Date: March 4th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
"infamous41md" discovered a buffer overflow vulnerability in libcurl's NTLM authorization base64 decoding. This could allow a remote attacker using a prepared remote server to execute arbitrary code as the user running curl.
The updated packages are patched to deal with these issues.
Mandrakelinux 10.2 for x86-64 Beta 1 has been released
Mandrakesoft today announced an agreement with the French Ministry of Education and Research which allows the distribution of its line of products and services to Higher Education institutions, including universities and research laboratories, throughout France.
Here is the complete press release:
Updated squid packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: squid
Advisory ID: MDKSA-2005:047
Date: February 24th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The squid developers discovered that a remote attacker could cause squid to crash via certain DNS responses.
The updated packages are patched to fix the problem.
Updated uim packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: uim
Advisory ID: MDKSA-2005:046
Date: February 24th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
Takumi ASAKI discovered that uim always trusts environment variables which can allow a local attacker to obtain elevated privileges when libuim is linked against an suid/sgid application. This problem is only exploitable in 'immodule for Qt' enabled Qt applications.
The updated packages are patched to fix the problem.
Mandrakesoft today is announcing a definitive agreement to acquire Conectiva, the South-American Linux leader. All details for this new acquisition are available in the press-release below.
Mandrakelinux 10.2 Beta 3 has been released
Mandrakelinux 10.2 PPC Beta 1 has been released
Updated cups packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: cups
Advisory ID: MDKSA-2005:041
Date: February 17th, 2005
Affected versions: 9.2, 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64-bit platform (formerly CAN-2004-0888). This also affects applications like cups that use embedded versions of xpdf.
The updated packages are patched to deal with these issues.
Updated PostgreSQL packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: postgresql
Advisory ID: MDKSA-2005:040
Date: February 17th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A number of vulnerabilities were found and corrected in the PostgreSQL DBMS:
A flaw in the LOAD command could be abused by a local user to load arbitrary shared libraries and as a result execute arbitrary code with the privileges of the user running the postgresql server (CAN-2005-0227).
A permission checking flaw was found where a local user could bypass the EXECUTE permission check for functions using the CREATE AGGREGATE command (CAN-2005-0244).
Multiple buffer overflows were discovered in PL/PgSQL. A database user with permission to create plpgsql functions could trigger these flaws which could then lead to arbitrary code execution with the privileges of the user running the postgresql server (CAN-2005-0245 and CAN-2005-0247).
Finally, a flaw in the integer aggregator (intagg) contrib module was found. A user could create carefully crafted arrays and crash the server, causing a Denial of Service (CAN-2005-0246).
The updated packages have been patched to correct these problems.