Updated htdig packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: htdig
Advisory ID: MDKSA-2005:063
Date: March 31st, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A cross-site scripting vulnerability in ht://dig was discovered by Michael Krax. The updated packages have been patched to correct this issue.
Updated libexif packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libexif
Advisory ID: MDKSA-2005:064
Date: March 31st, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
A buffer overflow was discovered in the way libexif parses EXIF tags. An attacker could exploit this by creating a special EXIF image file which could cause image viewers linked against libexif to crash.
The updated packages have been patched to correct these issues.
Updated ipsec-tools packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: ipsec-tools
Advisory ID: MDKSA-2005:062
Date: March 31st, 2005
Affected versions: 10.0, 10.1
______________________________________________________________________
Problem Description:
A bug was discovered in the way that the racoon daemon handled incoming ISAKMP requests. It is possible that an attacker could crash the racoon daemon by sending a specially crafted ISAKMP packet.
The updated packages have been patched to correct these issues.
From Mandrakesoft:
A press release from Mandrakesoft:
Mandrakesoft introduces new Mandrakelinux Clustering HPC Linux solution
Moreno Valley, Ca; Paris, France; March 30th, 2005 -- Following recent major successful deployments of Mandrakelinux Clustering, Mandrakesoft today announces a new version of its intensive calculation solution. Dedicated to research laboratories and other computing-intensive industries, the new Mandrakelinux Clustering provides major updates such as Infiniband support and version 2.6 of the Linux kernel by default. Apart from its performance and affordable cost, Mandrakelinux Clustering provides unrivaled methods and tools for easy installation and administration of the system.
Updated krb5 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: krb5
Advisory ID: MDKSA-2005:061
Date: March 29th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Two buffer overflow issues were discovered in the way telnet clients handle messages from a server. Because of these issues, an attacker may be able to execute arbitrary code on the victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Kerberos package contains a telnet client and is patched to deal with these issues.
Saw over at OSNews that both Mandrakelinux 10.2-RC2 for x86 and 10.2-RC1 for x86-64 are available for download
OSDir has posted a screenshot slideshow of Mandrakelinux 10.2 RC1
Mandrakesoft today announces a partnership with O'Reilly to distribute Mandrakelinux 10.1 Discovery & Powerpack software in the USA through major retailers such as Borders, Barnes & Nobles and Frys.
Two new books empower United States users to go further with Mandrakelinux
Moreno Valley, Ca; Tuesday, March 22nd - Mandrakesoft today announced the release of two new books for beginners and more advanced users of the Mandrakelinux operating system: 'Discovery 10.1 - Your First Linux Desktop' and 'PowerPack 10.1 - The Full Power of Linux Desktop'. These highly informative guides are both bundled with a copy of Mandrakelinux, and include support services. Thanks to an exclusive distribution agreement with O'Reilly, the leading wholesaler of technical books, customers can get the guides at a great number of retail outlets nationwide. Major retailers include Borders, Barnes & Nobles and Frys. Both titles are also available for purchase online at Amazon.com.
Updated MySQL packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: MySQL
Advisory ID: MDKSA-2005:060
Date: March 21st, 2005
Affected versions: 10.0, 10.1, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server:
If an authenticated user had INSERT privileges on the 'mysql' database, the CREATE FUNCTION command allowed that user to use libc functions to execute arbitrary code with the privileges of the user running the database server (mysql) (CAN-2005-0709).
If an authenticated user had INSERT privileges on the 'mysql' database, it was possible to load a library located in an arbitrary directory by using INSERT INTO mysql.func instead of CREATE FUNCTION. This also would allow the user to execute arbitrary code with the privileges of the user running the database server (CAN-2005-0710).
Finally, temporary files belonging to tables created with CREATE TEMPORARY TABLE were handled in an insecure manner, allowing any local user to overwrite arbitrary files with the privileges of the database server (CAN-2005-0711).
The updated packages have been patched to correct these issues.
Updated KDE packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kde
Advisory ID: MDKA-2005:015
Date: March 21st, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
New KDE packages are available to address various bugs. The details are as follows.
Kdebase:
- fix kate kde bug #99171
- fix kate kde bug #82281
- fix kcontrol style kde bug #95925
- fix nsplugins kde bug #99401
- fix kcontrol style regression
- fix konqueror launch by kfmclient
- fix kdeprintfax kde bug #40294
- fix nsplugins crash kde bug #100863
Kdepim:
- fix libical kde bug #94937
- fix knode kde bug #93756
- fix kontact kde bug #91676
- fix kmail kde bug #97274
Mandrakesoft today announces adjustments in the 2005 Mandrakelinux release schedule. All details are available in the press-release below:
Moreno Valley, CA; Paris, France - Mandrakesoft, publisher of the Mandrakelinux operating system, today announces adjustments in the 2005 Mandrakelinux release schedule. Several changes will occur: (1) a new release cycle for retail products, (2) a new naming scheme, (3) the integration of Conectiva's technology into Mandrakelinux, and (4) the immediate availability of a transitional product.
Mandrakelinux 10.2 RC1 has been released
Updated kdelibs packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2005:058
Date: March 16th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
A vulnerability in dcopserver was discovered by Sebastian Krahmer of the SUSE security team. A local user can lock up the dcopserver of other users on the same machine by stalling the DCOP authentication process, causing a local Denial of Service. dcopserver is the KDE Desktop Communication Protocol daemon (CAN-2005-0396).
As well, the IDN (International Domain Names) support in Konqueror is vulnerable to a phishing technique known as a Homograph attack. This attack is made possible due to IDN allowing a website to use a wide range of international characters that have a strong resemblance to other characters. This can be used to trick users into thinking they are on a different trusted site when they are in fact on a site mocked up to look legitimate using these other characters, known as homographs. This can be used to trick users into providing personal information to a site they think is trusted (CAN-2005-0237).
Finally, it was found that the dcopidlng script was vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files of a user when the script is run on behalf of that user. However, this script is only used as part of the build process of KDE itself and may also be used by the build processes of third-party KDE applications (CAN-2005-0365).
The updated packages are patched to deal with these issues and Mandrakesoft encourages all users to upgrade immediately.
Updated evolution packages are available for Mandrakelinux 10.1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: evolution
Advisory ID: MDKSA-2005:059
Date: March 16th, 2005
Affected versions: 10.1
______________________________________________________________________
Problem Description:
It was discovered that certain types of messages could be used to crash the Evolution mail client. Fixes have been applied to correct this behaviour.
Mandrakelinux 10.2 for x86-64 Beta 2 has been released
Updated openslp packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: openslp
Advisory ID: MDKSA-2005:055
Date: March 15th, 2005
Affected versions: 10.0, 10.1, Corporate 3.0
______________________________________________________________________
Problem Description:
An audit by the SUSE Security Team of critical parts of the OpenSLP package revealed various buffer overflow and out of bounds memory access issues. These problems can be triggered by remote attackers by sending malformed SLP packets.
The packages have been patched to prevent these problems.
Updated ethereal packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: ethereal
Advisory ID: MDKSA-2005:053
Date: March 15th, 2005
Affected versions: 10.0, 10.1
______________________________________________________________________
Problem Description:
A number of issues were discovered in Ethereal versions prior to 0.10.10, which is provided by this update. Matevz Pustisek discovered a buffer overflow in the Etheric dissector (CAN-2005-0704); the GPRS-LLC dissector could crash if the "ignore cipher bit" was enabled (CAN-2005-0705); Diego Giago found a buffer overflow in the 3GPP2 A11 dissector (CAN-2005-0699); Leon Juranic found a buffer overflow in the IAPP dissector (CAN-2005-0739); and bugs in the JXTA and sFlow dissectors could make Ethereal crash.
Updated gnupg packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gnupg
Advisory ID: MDKSA-2005:057
Date: March 15th, 2005
Affected versions: 10.0, 10.1, 9.2, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________
Problem Description:
The OpenPGP protocol is vulnerable to a timing attack that can be used to recover plaintext from ciphertext. The timing difference appears as a side effect of the so-called "quick scan" and is only exploitable on systems that accept an arbitrary amount of ciphertext for automatic decryption.
The updated packages have been patched to disable the quick check for all public key-encrypted messages and files.
Updated cyrus-sasl packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: cyrus-sasl
Advisory ID: MDKSA-2005:054
Date: March 15th, 2005
Affected versions: 10.0, Corporate 3.0
______________________________________________________________________
Problem Description:
A buffer overflow was discovered in cyrus-sasl's digestmd5 code. This could lead to a remote attacker executing code in the context of the service using SASL authentication. This vulnerability was fixed upstream in version 2.1.19.
The updated packages are patched to deal with this issue.