An updated apache package is available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache
Advisory ID: MDKSA-2004:046
Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Four security vulnerabilities were fixed with the 1.3.31 release of Apache. All of these issues have been backported and applied to the provided packages. Thanks to Ralf Engelschall of OpenPKG for providing the patches.
Apache 1.3 prior to 1.3.30 did not filter terminal escape sequences from its error logs. This could make it easier for attackers to insert those sequences into the terminal emulators of administrators viewing the error logs, where the emulator itself has vulnerabilities related to escape sequence handling (CAN-2003-0020).
mod_digest in Apache 1.3 prior to 1.3.31 did not properly verify the nonce of a client response by using an AuthNonce secret. Apache now verifies the nonce returned in the client response to check whether it was issued by itself, by means of an "AuthDigestRealmSeed" secret exposed as an MD5 checksum (CAN-2004-0987).
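The check described above, a server confirming that a Digest nonce is one it issued itself, can be built from a keyed hash over the realm and issue time. The example below is added here and is not Apache's mod_digest code; it uses HMAC-SHA256 where the page's Apache release uses an MD5 checksum of its seed, and the names REALM_SEED, NONCE_LIFETIME, make_nonce and verify_nonce, as well as the five-minute lifetime, are assumptions for this example.

```python
import hashlib
import hmac
import os
import time

# Assumed server-side secret, the counterpart of Apache's AuthDigestRealmSeed.
# Generated at process start for this example so nothing is hard-coded.
REALM_SEED = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable (assumed policy)


def _tag(realm: str, issued_at: int) -> str:
    """Keyed hash binding the realm and the issue time to this server's seed."""
    msg = ("%s:%d" % (realm, issued_at)).encode()
    return hmac.new(REALM_SEED, msg, hashlib.sha256).hexdigest()


def make_nonce(realm: str, now: int = None) -> str:
    """Nonce handed out in the WWW-Authenticate challenge: "<time>:<tag>"."""
    issued_at = int(time.time()) if now is None else now
    return "%d:%s" % (issued_at, _tag(realm, issued_at))


def verify_nonce(nonce: str, realm: str, now: int = None) -> bool:
    """True only if the nonce carries a tag this server computed for this realm
    and the nonce is still within its lifetime. A forged or foreign nonce, a
    nonce for another realm, or a stale one is rejected."""
    now = int(time.time()) if now is None else now
    try:
        ts_text, tag = nonce.split(":", 1)
        issued_at = int(ts_text)
    except ValueError:
        return False  # malformed: wrong shape or non-numeric timestamp
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _tag(realm, issued_at)):
        return False
    return 0 <= now - issued_at <= NONCE_LIFETIME


if __name__ == "__main__":
    n = make_nonce("protected")
    print(n, verify_nonce(n, "protected"), verify_nonce(n, "other"))
```

Because the tag is recomputed from the seed rather than looked up, the server keeps no per-nonce state, which is the property the Apache fix relies on; the lifetime bound limits how long a captured challenge remains usable.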
mod_access in Apache 1.3 prior to 1.3.30, when running on big-endian 64-bit platforms, did not properly parse Allow/Deny rules using IP addresses without a netmask. This could allow a remote attacker to bypass intended access restrictions (CAN-2003-0993).
Apache 1.3 prior to 1.3.30, when using multiple listening sockets on certain platforms, allows a remote attacker to cause a DoS by blocking new connections via a short-lived connection on a rarely-accessed listening socket (CAN-2004-0174). While this particular vulnerability does not affect Linux, we felt it prudent to include the fix.
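For the error-log issue (CAN-2003-0020 above), the defensive measure is to make control characters visible instead of letting the terminal interpret them, both when writing the log and when reviewing logs written by an unfixed server. The following is an added example, not Apache's ap_escape_logitem code or anything from Mandrakesoft; the three log lines are constructed for the example, and the function names are assumptions.

```python
import re

# Constructed sample error-log lines for this example (not real server output).
# The second line carries ESC-based sequences of the kind a client can plant in
# a request path (clear screen, set window title); the third carries a bare
# carriage return, which can overwrite the start of the line on display.
SAMPLE_LINES = [
    "[Mon May 17 10:00:01 2004] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/html/favicon.ico",
    "[Mon May 17 10:00:02 2004] [error] [client 192.0.2.11] "
    "File does not exist: /var/www/html/\x1b[2J\x1b]0;owned\x07x",
    "[Mon May 17 10:00:03 2004] [error] [client 192.0.2.12] "
    "File does not exist: /var/www/html/a\rb",
]

# Every C0 control byte except TAB, plus DEL. ESC (0x1b) starts terminal
# escape sequences, but CR, BS and BEL can also alter what the viewer sees.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def find_control_chars(line: str) -> list:
    """Return (offset, codepoint) for every control character in the line,
    ignoring the trailing newline that a file reader leaves on each line."""
    return [(m.start(), ord(m.group()))
            for m in CONTROL_CHAR.finditer(line.rstrip("\n"))]


def escape_control_chars(line: str) -> str:
    """Render each control character as a visible \\xHH token so the terminal
    never interprets it; the same idea as the escaping Apache 1.3.31 applies."""
    return CONTROL_CHAR.sub(lambda m: "\\x%02x" % ord(m.group()),
                            line.rstrip("\n"))


def suspicious_lines(lines) -> list:
    """Indices of lines carrying at least one control character: a detection
    pass over an existing, unescaped log before anyone opens it in a terminal."""
    return [i for i, line in enumerate(lines) if find_control_chars(line)]


if __name__ == "__main__":
    for idx in suspicious_lines(SAMPLE_LINES):
        print("line %d: %d control chars"
              % (idx, len(find_control_chars(SAMPLE_LINES[idx]))))
    for line in SAMPLE_LINES:
        print(escape_control_chars(line))
```

Piping a log through escape_control_chars before less or tail is a safe way to review logs from a server that has not yet received the fix; find_control_chars gives the offsets if the flagged lines need to be examined byte by byte.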
Updated libuser packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libuser
Advisory ID: MDKSA-2004:044
Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Steve Grubb discovered a number of problems in the libuser library that can lead to a crash in applications linked to it, or possibly write 4GB of garbage to the disk.
The updated packages provide a patched libuser to correct these problems.
Updated passwd packages have been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: passwd
Advisory ID: MDKSA-2004:045
Date: May 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Steve Grubb found some problems in the passwd program. Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that PAM may not have been sufficiently initialized to ensure safe and proper operation. A few small memory leaks have been fixed as well.
The updated packages are patched to correct these problems.
An updated lsb-release package is available for Mandrakelinux 10.0
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: lsb-release
Advisory ID: MDKA-2004:025
Date: May 17th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
/etc/lsb-release still had data referencing the 9.2 release and the old Mandrakesoft naming.
Updated xmms packages are available for Mandrakelinux 10.0 AMD64
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: xmms
Advisory ID: MDKA-2004:024
Date: May 14th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
XMMS on amd64 was not built against the GTK libraries which can cause some problems with applications such as mencoder. The updated packages correct the problem.
Updated apache2 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: apache2
Advisory ID: MDKSA-2004:043
Date: May 10th, 2004
Affected versions: 10.0, 9.1, 9.2
______________________________________________________________________
Problem Description:
A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server.
The updated packages provide a patched mod_ssl to correct these problems.
Updated rsync packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: rsync
Advisory ID: MDKSA-2004:042
Date: May 10th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.
The updated packages provide a patched rsync to correct this problem.
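The path sanitization a daemon needs when it is not protected by chroot comes down to one check: after normalizing the client-supplied path against the module root, the result must still be the root or something beneath it. The example below is added here and is not rsync's own sanitize_path code; the module root, the request list, and the function names are assumptions for the example, and the rule that a leading slash means "relative to the module root" mirrors how rsync daemon paths are interpreted.

```python
import posixpath

# Assumed module root for this example (no real daemon or filesystem involved).
MODULE_ROOT = "/srv/rsync/docs"

# Constructed client-supplied paths: the first three are legitimate, the rest
# try to climb out of the module in the ways the check has to catch.
SAMPLE_REQUESTS = [
    "readme.txt",
    "manual/./index.html",
    "/manual/index.html",        # leading slash means the module root, not "/"
    "../../../etc/passwd",
    "manual/../../etc/shadow",   # climbs out after first going in
    "..",
    "../docs-backup/secret",     # sibling dir sharing the root's name prefix
]


def resolve_within_module(module_root: str, requested: str) -> str:
    """Map a client path onto the module and raise ValueError unless the
    normalized result is the module root or a descendant of it.

    The check is purely lexical, so it catches ../ tricks whether or not the
    daemon runs chrooted; symlinks inside the module still need a realpath()
    check against the real filesystem, which this offline example does not do.
    """
    root = posixpath.normpath(module_root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # "root + '/'" keeps /srv/rsync/docs-backup from passing as /srv/rsync/docs.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes module: %r" % requested)
    return candidate


def classify_requests(module_root: str, requests) -> dict:
    """For each request, the resolved path, or None when it is refused."""
    result = {}
    for req in requests:
        try:
            result[req] = resolve_within_module(module_root, req)
        except ValueError:
            result[req] = None
    return result


if __name__ == "__main__":
    for req, resolved in classify_requests(MODULE_ROOT, SAMPLE_REQUESTS).items():
        print("%-28s -> %s" % (req, resolved or "REFUSED"))
```

The prefix comparison includes the trailing slash on purpose: comparing against the bare root string would accept a sibling directory whose name merely starts with the root's name, which is a common mistake in hand-written containment checks.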
An updated kdepim package is available for Mandrakelinux 10.0
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: kdepim
Advisory ID: MDKA-2004:023
Date: May 10th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
When kaddressbook is called from kmail, an endless loop would occur if kaddressbook was already open. This update fixes the problem.
An updated Evolution package is available for Mandrakelinux 9.2
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: evolution
Advisory ID: MDKA-2004:022
Date: May 10th, 2004
Affected versions: 9.2
______________________________________________________________________
Problem Description:
A number of bugs have been corrected in updated packages for Evolution:
- Evolution drops hyphens for sequences > 2 in saved drafts.
- Evolution slows when reading messages with attached .jpg files.
- Evolution creates excessive loading on IMAP server with large (>100GB) mail folders.
- Evolution source had a function prototype mismatch that generates an error on startup after initial configuration.
- Evolution has an issue with date display for New Zealand during their daylight savings time period.
- When correcting a word with a quote, the portion of the word preceding the quote is duplicated.
- When starting evolution for the first time, the preferred character set is the empty string, causing Evolution to send mail with "Content-type: text/plain; charset=".
Mandrakelinux 10.0 for AMD64 is now available. Here is the press release:
Altadena, CA; Paris, France - June 4th, 2004 - Mandrakesoft today announced the availability of Mandrakelinux 10.0 Official for the AMD64 platform (Athlon64 and Opteron). Mandrakelinux 10.0 for AMD64 delivers all the features and robustness of Mandrakelinux 10.0 Official to the 64-bit platform from AMD, with an average performance gain of 20% compared to the IA32 version.
Updated ProFTPD packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: proftpd
Advisory ID: MDKSA-2004:041
Date: April 30th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
A portability workaround that was applied in version 1.2.9 of the ProFTPD FTP server caused CIDR based ACL entries in "Allow" and "Deny" directives to act like an "AllowAll" directive. This granted FTP clients access to files and directories that the server configuration may have been explicitly denying.
This problem only exists in version 1.2.9 and has been fixed upstream. A patch has been applied to correct the problem.
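Both this ProFTPD bug and the mod_access bug in the apache advisory above (CAN-2003-0993) are cases where an Allow/Deny rule was parsed in a way that made it match more clients than intended, so a small, testable matcher for the rule forms involved (single host, partial dotted address without netmask, CIDR block, dotted-quad mask) is the natural check to keep alongside a server's access configuration. The example below is added here and is neither Apache's nor ProFTPD's code; the rule list is constructed for the example, and the Order allow,deny semantics (some Allow must match and no Deny may, default deny) is the assumed policy being modelled.

```python
import ipaddress

# Constructed rule set in the Allow/Deny style of Apache 1.3 mod_access and
# ProFTPD: a single host, a partial dotted address with no netmask, a CIDR
# block carved out of the allowed range, and a dotted-quad netmask.
RULES = [
    ("Allow", "192.0.2.7"),                      # single host
    ("Allow", "10.1"),                           # partial address: first two octets
    ("Deny",  "10.1.99.0/24"),                   # CIDR block inside the allowed range
    ("Allow", "198.51.100.0/255.255.255.128"),   # dotted-quad mask, a /25
]


def rule_matches(pattern: str, addr: str) -> bool:
    """Does one Allow/Deny pattern cover the client address?"""
    if pattern == "all":
        return True
    if "/" in pattern:
        # CIDR (a.b.c.d/n) or dotted mask (a.b.c.d/m.m.m.m). strict=False lets
        # an operator write a network with host bits set, as servers allow.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(pattern)
    # Partial address without netmask: compare whole octets only, so that
    # "10.1" covers 10.1.0.0/16 and does not also catch 10.10.x.x.
    return addr.split(".")[:len(octets)] == octets


def is_allowed(rules, addr: str) -> bool:
    """Order allow,deny: at least one Allow must match and no Deny may match;
    anything else is refused, so the default is deny."""
    allowed = any(rule_matches(p, addr) for kind, p in rules if kind == "Allow")
    denied = any(rule_matches(p, addr) for kind, p in rules if kind == "Deny")
    return allowed and not denied


def evaluate(rules, addrs) -> dict:
    """Decision table for a list of client addresses, handy as a regression
    test whenever the server or its ACL parser is upgraded."""
    return {addr: is_allowed(rules, addr) for addr in addrs}


if __name__ == "__main__":
    for addr, ok in evaluate(RULES, ["192.0.2.7", "10.1.5.5", "10.10.5.5",
                                     "10.1.99.20", "198.51.100.200"]).items():
        print("%-16s %s" % (addr, "allow" if ok else "deny"))
```

The value of such a table is that it encodes what the configuration is supposed to mean; running it against the server itself (for instance with a handful of test clients) after an upgrade is how a regression like the ProFTPD 1.2.9 "AllowAll" behaviour gets noticed before it is exploited.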
Updated libpng packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: libpng
Advisory ID: MDKSA-2004:040
Date: April 29th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Steve Grubb discovered that libpng would access memory that is out of bounds when creating an error message. The impact of this bug is not clear, but it could lead to a core dump in a program using libpng, or could result in a DoS (Denial of Service) condition in a daemon that uses libpng to process PNG images.
The updated packages are patched to correct the vulnerability.
Updated mc packages have been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: mc
Advisory ID: MDKSA-2004:039
Date: April 29th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Several vulnerabilities in Midnight Commander were found by Jakub Jelinek. These include several buffer overflows (CAN-2004-0226), a format string issue (CAN-2004-0232), and an issue with temporary file and directory creation (CAN-2004-0231). Most of the included fixes are backports from CVS, done by Andrew V. Samoilov and Pavel Roskin.
The updated packages are patched to correct these problems.
Updated sysklogd packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: sysklogd
Advisory ID: MDKSA-2004:038
Date: April 28th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
Steve Grubb discovered a bug in sysklogd where it allocates an insufficient amount of memory which causes sysklogd to write to unallocated memory. This could allow for a malicious user to crash sysklogd.
The updated packages provide a patched sysklogd, using patches from Openwall, to correct the problem; they also correct the use of an uninitialized variable (a previous use of "count").
Updated qt3 packages are available for Mandrakelinux 10.0
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: qt3
Advisory ID: MDKA-2004:021
Date: April 28th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
Using qprinter with cups was impossible because qprinter was trying to load "libcups.so" rather than "libcups.so.2". The updated packages correct this problem.
Updated shorewall packages have been released for Mandrakelinux 10.0
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: shorewall
Advisory ID: MDKA-2004:020
Date: April 28th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
This new version of shorewall provides updated RFC1918 and bogons files that are needed for proper operation of the firewall.
Mandrakesoft has released updated rpmdrake packages for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: rpmdrake
Advisory ID: MDKA-2004:019
Date: April 28th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
When MandrakeUpdate was unable to retrieve the hdlist or the synthesis file from an update medium, it used to continue without alerting the user. Now MandrakeUpdate will alert the user and indicate to them to retry the operation later or to delete and re-add the medium in case the directory layout has changed.
MandrakeSoft has just released its half-year results ending March.
Updated xchat packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: xchat
Advisory ID: MDKSA-2004:036
Date: April 21st, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A remotely exploitable vulnerability was discovered in the Socks-5 proxy code in XChat. By default, socks5 traversal is disabled, and one would also need to connect to an attacker's own custom proxy server in order for this to be exploited. Successful exploitation could lead to arbitrary code execution as the user running XChat.
The provided packages are patched to prevent this problem.
The first release candidate of Mandrakelinux 10.0 for AMD64 has been released