Mandriva 1275 Published by Philipp Esselbach 0

An updated autofs package is available for Mandrake Corporate Server 2.1

_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: autofs
Advisory ID: MDKA-2004:032
Date: July 2nd, 2004

Affected versions: Corporate Server 2.1
______________________________________________________________________

Problem Description:

The version of autofs as shipped with Corporate Server 2.1/x86_64 had a problem where it would stall when attempting to connect to NFS servers. This problem has been corrected with this update.

A press release from Mandrakesoft:

Moreno Valley, CA; Paris, France; July, 1st 2004 - Mandrakesoft, publisher of the Mandrakelinux distribution, and Edge IT, a provider of support and services in the Linux market, reached a definitive agreement by which Mandrakesoft will acquire all outstanding shares of Edge-IT.

Founded in 2003 by some of the key employees of Open Care, the first European Linux support company, Edge-IT focuses on the delivery of services and support to the corporate market in France. It has 6 employees and counts among its customers OECD, the world economic organization, Fondation Nationale des Sciences Politiques, an elite French Political Science School, and Prisma Presse, one of the top press groups in France.

Updated Apache2 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: apache2
Advisory ID: MDKSA-2004:064
Date: June 29th, 2004

Affected versions: 10.0, 9.1, 9.2
______________________________________________________________________

Problem Description:

A Denial of Service (DoS) condition was discovered in Apache 2.x by George Guninski. Exploiting this can lead to httpd consuming an arbitrary amount of memory. On 64-bit systems with more than 4GB of virtual memory, this may also lead to a heap-based overflow.

The updated packages contain a patch from the ASF to correct the problem.

It is recommended that you stop Apache prior to updating and then restart it again once the update is complete ("service httpd stop" and "service httpd start" respectively).

Updated libpng packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: libpng
Advisory ID: MDKSA-2004:063
Date: June 29th, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A buffer overflow vulnerability was discovered in libpng due to a wrong calculation of some loop offset values. This buffer overflow can lead to Denial of Service or even remote compromise.

This vulnerability was initially patched in January of 2003, but it has since been noted that fixes were required in two additional places that had not been corrected with the earlier patch. This update uses an updated patch to fix all known issues.

After the upgrade, all applications that use libpng should be restarted. Many applications are linked to libpng, so if you are unsure of what applications to restart, you may wish to reboot the system. Mandrakesoft encourages all users to upgrade immediately.

Updated Apache packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: apache
Advisory ID: MDKSA-2004:065
Date: June 29th, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A buffer overflow vulnerability was found by George Guninski in Apache's mod_proxy module, which can be exploited by a remote user to potentially execute arbitrary code with the privileges of an httpd child process (user apache). This can only be exploited, however, if mod_proxy is actually in use.

It is recommended that you stop Apache prior to updating and then restart it again once the update is complete ("service httpd stop" and "service httpd start" respectively).

An initscripts update is available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: initscripts
Advisory ID: MDKA-2004:031
Date: June 25th, 2004

Affected versions: 10.0
______________________________________________________________________

Problem Description:

A number of bugs have been corrected in this updated initscripts package: A bug in the lang.sh and lang.csh files would overwrite locales every time they were launched; the ifdown-aliases script did not work properly; translated keys were not used during fsck question at boot; usb was not being fully loaded if certain usb devices were pre-loaded prior to calling the usb initscript; a bug in checking the loopback filesystems has also been addressed.

The updated packages fix these problems.

From Mandrakesoft:

Mandrakelinux Club Silver Members and above can now download Mandrakelinux 10.0 Official for Athlon(TM)64 and Opteron(TM).

This is the Mandrakelinux 10.0 Official system ported to the AMD64 architecture, and is one of the very few full-featured operating systems currently available for this platform.

In addition to a powerful desktop system, this innovative new release offers high-end features such as world-class server capabilities and comprehensive development tools. Mandrakelinux 10.0 Official for AMD64 is an ideal solution for data-intensive tasks such as high-performance databases, video/audio/3D processing, and for applications that require mathematical precision and accuracy.

Details about Mandrakelinux 10.0 for AMD64 are available online at:
http://www.mandrakesoft.com/products/10/amd64

The 4-CD set ISO images can be downloaded right now through Bittorrent on:
http://www.mandrakeclub.com.

Not yet a Club Member? Subscribe now at:
http://www.mandrakelinux.com/en/club/

Updated kernel packages are available for Mandrakelinux

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kernel
Advisory ID: MDKSA-2004:062
Date: June 23rd, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

A vulnerability in the e1000 driver for the Linux kernel 2.4.26 and earlier was discovered by Chris Wright. The e1000 driver does not properly reset memory or restrict the maximum length of a data structure, which can allow a local user to read portions of kernel memory (CAN-2004-0535).

A vulnerability was also discovered in the kernel where a certain C program would trigger a floating point exception that would crash the kernel. This vulnerability can only be triggered locally by users with shell access (CAN-2004-0554).

Updated dhcp packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: dhcp
Advisory ID: MDKSA-2004:061
Date: June 22nd, 2004

Affected versions: 10.0, 9.2
______________________________________________________________________

Problem Description:

A vulnerability in how ISC's DHCPD handles syslog messages can allow a malicious attacker with the ability to send special packets to the DHCPD listening port to crash the daemon, causing a Denial of Service. It is also possible that they may be able to execute arbitrary code on the vulnerable server with the permissions of the user running DHCPD, which is usually root.

A similar vulnerability also exists in the way ISC's DHCPD makes use of the vsnprintf() function on systems that do not support vsnprintf(). This vulnerability could also be used to execute arbitrary code and/or perform a DoS attack. The vsnprintf() statements that have this problem are defined after the vulnerable code noted above, which would trigger the previous problem rather than this one.

Mandrakesoft sent a press release about "rentalinux", a new Nexedi+Mandrakesoft development:

June, 15th 2004 - Nexedi and Mandrakesoft announce a revolution in Linux Desktop: rentalinux Desktop Linux Server. For the first time, organisations can benefit from the power of Mandrakelinux Desktop with no investment, no software installation and no changes to existing hardware or network. "rentalinux Desktop Linux Server" is a full featured turnkey solution which provides the power of 500+ Mandrakelinux Desktop applications to legacy PCs, Macintosh, Unix Workstations or to thin clients. Nexedi rentalinux Desktop Linux Server solution combines server hardware rental, software setup, custom configuration, support and maintenance service in a single package which makes it the easiest, least intrusive and most effective way to provide Linux Desktop applications for small to medium-sized networks. rentalinux service is available immediately in the European Union for a flat rate of 95 EUR / month and is expected to become available in the United States and Japan by the end of 2004.

Updated ksymoops packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: ksymoops
Advisory ID: MDKSA-2004:060
Date: June 10th, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Geoffrey Lee discovered a problem with the ksymoops-gznm script distributed with Mandrakelinux. The script fails to do proper checking when copying a file to the /tmp directory. Because of this, a local attacker can set up a symlink to point to a file that they do not have permission to remove. The problem is difficult to exploit because someone with root privileges needs to run ksymoops on a particular module for which a symlink for the same filename already exists.

Updated squid packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: squid
Advisory ID: MDKSA-2004:059
Date: June 9th, 2004

Affected versions: 10.0, 9.1, 9.2
______________________________________________________________________

Problem Description:

A vulnerability exists in squid's NTLM authentication helper. This buffer overflow can be exploited by a remote attacker by sending an overly long password, thus overflowing the buffer and granting the ability to execute arbitrary code. This can only be exploited, however, if NTLM authentication is used. NTLM authentication is built by default in Mandrakelinux packages, but is not enabled in the default configuration.

The vulnerability exists in 2.5.*-STABLE and 3.*-PRE. The provided packages are patched to fix this problem.

Updated cvs packages are available for Mandrakelinux

_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: cvs
Advisory ID: MDKSA-2004:058
Date: June 9th, 2004

Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________

Problem Description:

Another vulnerability was discovered related to "Entry" lines in cvs, by the development team (CAN-2004-0414).

As well, Stefan Esser and Sebastian Krahmer performed an audit on the cvs source code and discovered a number of other problems, including:

A double-free condition in the server code is exploitable (CAN-2004-0416).

By sending a large number of arguments to the CVS server, it is possible to cause it to allocate a huge amount of memory which does not fit into the address space, causing an error (CAN-2004-0417).

It was found that the serve_notify() function would write data out of bounds (CAN-2004-0418).

The provided packages update cvs to 1.11.16 and include patches to correct all of these problems.

Updated krb5 packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: krb5
Advisory ID: MDKSA-2004:056-1
Date: June 9th, 2004
Original Advisory Date: June 3rd, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________

Problem Description:

Multiple buffer overflows exist in the krb5_aname_to_localname() library function that if exploited could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration.

Mandrakesoft encourages all users to upgrade to these patched krb5 packages.

Update:

The original patch provided contained a bug where rule-based entries on systems without HAVE_REGCOMP would not work. These updated packages provide the second patch provided by Kerberos development team which fixes that behaviour.

Updated mdkonline packages are available for Mandrakelinux
______________________________________________________________________

Mandrakelinux Update Advisory
_______________________________________________________________________

Package name: mdkonline
Advisory ID: MDKA-2004:029-1
Date: June 9th, 2004
Original Advisory Date: June 1st, 2004
Affected versions: 10.0
______________________________________________________________________

Problem Description:

Mdkonline as shipped in 10.0 has some issues comparing squid release versions. This package is a mandatory upgrade to get fully functional Mandrake Online services.

Update:

The previous update did not parse noarch packages, and new archs have been added (ia64, amd64, x86_64, ppc64) as well. As well, the mdkapplet now forces a restart when changes to itself have occurred.

A press release from Mandrakesoft:

O'Reilly and Mandrakesoft Enter Strategic Reselling Agreement

Sebastopol, CA--O'Reilly Media is now a U.S. and Canadian reseller for Mandrakesoft, creators of Mandrakelinux.

A user-friendly Linux distribution, Mandrakelinux is ideal for the growing legions of first-time Linux users. Linux's share of the desktop PC market is increasing, a trend being accelerated by the recent rise in the number of companies buying new computers. Major computer companies--including HP and IBM--have begun installing Linux instead of Windows on some of the models they build.