Mandrakesoft has released Mandrakelinux 10.1 Alpha 1 for PPC
Download CD #1
Download CD #2
Download CD #3
MD5 checksums
Download CD #1
Download CD #2
Download CD #3
MD5 checksums
Updated krb5 packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: krb5
Advisory ID: MDKSA-2004:088
Date: August 31st, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host. As well, multiple double-free vulnerabilities exist in the krb5 library code, which makes client programs and application servers vulnerable. The MIT Kerberos 5 development team believes that exploitation of these bugs would be difficult and no known vulnerabilities are believed to exist. The vulnerability in krb524d was discovered by Marc Horowitz; the other double-free vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.
Will Fiveash and Nico Williams also found another vulnerability in the ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
The MIT Kerberos 5 team has provided patches which have been applied to the updated software to fix these issues. Mandrakesoft encourages all users to upgrade immediately.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: krb5
Advisory ID: MDKSA-2004:088
Date: August 31st, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host. As well, multiple double-free vulnerabilities exist in the krb5 library code, which makes client programs and application servers vulnerable. The MIT Kerberos 5 development team believes that exploitation of these bugs would be difficult and no known vulnerabilities are believed to exist. The vulnerability in krb524d was discovered by Marc Horowitz; the other double-free vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.
Will Fiveash and Nico Williams also found another vulnerability in the ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
The MIT Kerberos 5 team has provided patches which have been applied to the updated software to fix these issues. Mandrakesoft encourages all users to upgrade immediately.
Updated kernel packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kernel
Advisory ID: MDKSA-2004:087
Date: August 26th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A race condition was discovered in the 64bit file offset handling by Paul Starzetz from iSEC. The file offset pointer (f_pos) is changed during reading, writing, and seeking through a file in order to point to the current position of a file. The value conversion between both the 32bit and 64bit API in the kernel, as well as access to the f_pos pointer, is defective. As a result, a local attacker can abuse this vulnerability to gain access to uninitialized kernel memory, mostly via entries in the /proc filesystem. This kernel memory can possibly contain information like the root password, and other sensitive data.
The updated kernel packages provided are patched to protect against this vulnerability, and all users are encouraged to upgrade immediately.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kernel
Advisory ID: MDKSA-2004:087
Date: August 26th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A race condition was discovered in the 64bit file offset handling by Paul Starzetz from iSEC. The file offset pointer (f_pos) is changed during reading, writing, and seeking through a file in order to point to the current position of a file. The value conversion between both the 32bit and 64bit API in the kernel, as well as access to the f_pos pointer, is defective. As a result, a local attacker can abuse this vulnerability to gain access to uninitialized kernel memory, mostly via entries in the /proc filesystem. This kernel memory can possibly contain information like the root password, and other sensitive data.
The updated kernel packages provided are patched to protect against this vulnerability, and all users are encouraged to upgrade immediately.
Updated mkinitrd packages are available for Mandrakelinux 10.0 _______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: mkinitrd
Advisory ID: MDKA-2004:038
Date: August 26th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
A bug existed in mkinitrd where depmod-24 would generate a modules.dep file containing "\\\n" if there is more than one module listed as a dependency. Because of this, when mkinitrd is called, it will miss the dependencies of certain modules and as a result the modules that need to be loaded first will be loaded last and the kernel will complain about some missing symbols.
This problem only affects systems using the 2.4 kernel with SCSI devices. The updated packages are fixed to correct the problem.
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: mkinitrd
Advisory ID: MDKA-2004:038
Date: August 26th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
A bug existed in mkinitrd where depmod-24 would generate a modules.dep file containing "\\\n" if there is more than one module listed as a dependency. Because of this, when mkinitrd is called, it will miss the dependencies of certain modules and as a result the modules that need to be loaded first will be loaded last and the kernel will complain about some missing symbols.
This problem only affects systems using the 2.4 kernel with SCSI devices. The updated packages are fixed to correct the problem.
A press release from Mandrakesoft:
Mandrakesoft and LaCie introduce GlobeTrotter: a 40GB mobile desktop
Moreno Valley, CA; Paris, France - August, 26th 2004 : GlobeTrotter, a new product by Mandrakesoft based on the LaCie Mobile Hard Drive designed by FA Porsche, is set to change the way users think about mobile computing. GlobeTrotter is a USB mobile hard drive loaded with a specially tuned version of Mandrakesoft's award-winning Mandrakelinux operating system. Combined with the power and unique design of LaCie hardware, GlobeTrotter allows users to turn any computer into their personal Linux desktop - for just 219 dollars (199 euros).
Mandrakesoft and LaCie introduce GlobeTrotter: a 40GB mobile desktop
Moreno Valley, CA; Paris, France - August, 26th 2004 : GlobeTrotter, a new product by Mandrakesoft based on the LaCie Mobile Hard Drive designed by FA Porsche, is set to change the way users think about mobile computing. GlobeTrotter is a USB mobile hard drive loaded with a specially tuned version of Mandrakesoft's award-winning Mandrakelinux operating system. Combined with the power and unique design of LaCie hardware, GlobeTrotter allows users to turn any computer into their personal Linux desktop - for just 219 dollars (199 euros).
Updated kdelibs/kdebase packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs/kdebase
Advisory ID: MDKSA-2004:086
Date: August 20th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A number of vulnerabilities were discovered in KDE that are corrected with these update packages.
The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CAN-2004-0689).
The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CAN-2004-0690). Note that only
KDE 3.2.x is affected by this vulnerability.
The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open. This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CAN-02004-0721).
The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CAN-2004-0746).
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs/kdebase
Advisory ID: MDKSA-2004:086
Date: August 20th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A number of vulnerabilities were discovered in KDE that are corrected with these update packages.
The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CAN-2004-0689).
The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CAN-2004-0690). Note that only
KDE 3.2.x is affected by this vulnerability.
The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open. This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CAN-02004-0721).
The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CAN-2004-0746).
Mandrakelinux 10.0.2 is available for download at Mandrakeclub
Updated qt packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: qt3
Advisory ID: MDKSA-2004:085
Date: August 18th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
Chris Evans discovered a heap-based overflow in the QT library when handling 8-bit RLE encoded BMP files. This vulnerability could allow for the compromise of the account used to view or browse malicious BMP files. On subsequent investigation, it was also found that the handlers for XPM, GIF, and JPEG image types were also faulty.
These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror web browser, and others.
The updated packages have been patched to correct these problems.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: qt3
Advisory ID: MDKSA-2004:085
Date: August 18th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
Chris Evans discovered a heap-based overflow in the QT library when handling 8-bit RLE encoded BMP files. This vulnerability could allow for the compromise of the account used to view or browse malicious BMP files. On subsequent investigation, it was also found that the handlers for XPM, GIF, and JPEG image types were also faulty.
These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror web browser, and others.
The updated packages have been patched to correct these problems.
Updated galeon and epiphany packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: galeon/epiphany
Advisory ID: MDKA-2004:037
Date: August 18th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
Some of the security changes made to Mozilla in MDKSA-2004:082 had an adverse effect on the galeon and epiphany browsers in Mandrakelinux 10.0, and as a result right- and middle-clicks would no longer work properly.
The updated packages are rebuilt against the latest Mozilla from security updates to bring this necessary functionality back.
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: galeon/epiphany
Advisory ID: MDKA-2004:037
Date: August 18th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
Some of the security changes made to Mozilla in MDKSA-2004:082 had an adverse effect on the galeon and epiphany browsers in Mandrakelinux 10.0, and as a result right- and middle-clicks would no longer work properly.
The updated packages are rebuilt against the latest Mozilla from security updates to bring this necessary functionality back.
Updated SpamAssassin packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: spamassassin
Advisory ID: MDKSA-2004:084
Date: August 18th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: spamassassin
Advisory ID: MDKSA-2004:084
Date: August 18th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
Security fix prevents a denial of service attack open to certain malformed messages; this DoS affects all SpamAssassin 2.5x and 2.6x versions to date.
Updated rsync packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: rsync
Advisory ID: MDKSA-2004:083
Date: August 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
An advisory was sent out by the rsync team regarding a security vulnerability in all versions of rsync prior to and including 2.6.2. If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it. This vulnerability allows a remote attacker to possibly read/write to/from files outside of the rsync directory.
The updated packages are patched to prevent this problem.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: rsync
Advisory ID: MDKSA-2004:083
Date: August 17th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
An advisory was sent out by the rsync team regarding a security vulnerability in all versions of rsync prior to and including 2.6.2. If rsync is running in daemon mode, and not in a chrooted environment, it is possible for a remote attacker to trick rsyncd into creating an absolute pathname while sanitizing it. This vulnerability allows a remote attacker to possibly read/write to/from files outside of the rsync directory.
The updated packages are patched to prevent this problem.
Updated gaim packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gaim
Advisory ID: MDKSA-2004:081
Date: August 12th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger. The updated packages are patched to correct the problems.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: gaim
Advisory ID: MDKSA-2004:081
Date: August 12th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
Sebastian Krahmer discovered two remotely exploitable buffer overflow vulnerabilities in the gaim instant messenger. The updated packages are patched to correct the problems.
Updated mozilla packages are available for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: mozilla
Advisory ID: MDKSA-2004:082
Date: August 12th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A number of security vulnerabilities in mozilla are addressed by this update for Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for focus redefinition from another domain, a fix for a SOAP parameter overflow, a fix for text drag on file entry, a fix for certificate DoS, and a fix for lock icon and cert spoofing.
Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to use the system libjpeg and libpng which addresses vulnerabilities discovered in libpng (ref: MDKSA-2004:079).
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: mozilla
Advisory ID: MDKSA-2004:082
Date: August 12th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A number of security vulnerabilities in mozilla are addressed by this update for Mandrakelinux 10.0 users, including a fix for frame spoofing, a fixed popup XPInstall/security dialog bug, a fix for untrusted chrome calls, a fix for SSL certificate spoofing, a fix for stealing secure HTTP Auth passwords via DNS spoofing, a fix for insecure matching of cert names for non-FQDNs, a fix for focus redefinition from another domain, a fix for a SOAP parameter overflow, a fix for text drag on file entry, a fix for certificate DoS, and a fix for lock icon and cert spoofing.
Additionally, mozilla for both Mandrakelinux 9.2 and 10.0 have been rebuilt to use the system libjpeg and libpng which addresses vulnerabilities discovered in libpng (ref: MDKSA-2004:079).
Updated shorewall packages has been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: shorewall
Advisory ID: MDKSA-2004:080
Date: August 9th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system. The updated packages are patched to fix the problem.
As well, for Mandrakelinux 10.0, the updated packages have been fixed to start shorewall after the network, rather than before.
After updating the package, if shorewall was previously running, you may need to issue a "service shorewall restart".
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: shorewall
Advisory ID: MDKSA-2004:080
Date: August 9th, 2004
Affected versions: 10.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
The shorewall package has a vulnerability when creating temporary files and directories, which could allow non-root users to overwrite arbitrary files on the system. The updated packages are patched to fix the problem.
As well, for Mandrakelinux 10.0, the updated packages have been fixed to start shorewall after the network, rather than before.
After updating the package, if shorewall was previously running, you may need to issue a "service shorewall restart".
Updated printer-drivers has been released for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: printer-drivers
Advisory ID: MDKA-2004:036
Date: August 9th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
Updated printer-drivers packages are now available that fix a number of bugs and provide new drivers/functionality for existing drivers, including:
- bug fixes in Foomatic, including a bug which prevented OpenOffice.org versions >1.1.0 from printing correctly.
- higher quality of black text printing on HP DeskJets, Business InkJets, and OfficeJets; also more support models (HPIJS 1.6.1)
- more Epson Inkets printers supported, bug fixes, and better photo quality (Gimp-Print 4.2.7 final)
- update of the PostScript printer PPDs from HP and Kyocera
- PostScript printer PPDs from Okidata
- Epson-Kowa laser printer driver updated to support the newest workgroup and high-volume laser printers from Epson
- many driver updates, including complete support for MicroDry printers (Alps MD-XXXX, Citizen printiva, Okidata DP-xxxx)
- new drivers added, including support for a wide range of laser winprinters: Minolta PagePro 12xxW, 13xxW, magicolor 2300W, Canon LBP-460, LBP-660, Lexmark X74, X75, and some Casio label printers
_______________________________________________________________________
Mandrakelinux Update Advisory
_______________________________________________________________________
Package name: printer-drivers
Advisory ID: MDKA-2004:036
Date: August 9th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
Updated printer-drivers packages are now available that fix a number of bugs and provide new drivers/functionality for existing drivers, including:
- bug fixes in Foomatic, including a bug which prevented OpenOffice.org versions >1.1.0 from printing correctly.
- higher quality of black text printing on HP DeskJets, Business InkJets, and OfficeJets; also more support models (HPIJS 1.6.1)
- more Epson Inkets printers supported, bug fixes, and better photo quality (Gimp-Print 4.2.7 final)
- update of the PostScript printer PPDs from HP and Kyocera
- PostScript printer PPDs from Okidata
- Epson-Kowa laser printer driver updated to support the newest workgroup and high-volume laser printers from Epson
- many driver updates, including complete support for MicroDry printers (Alps MD-XXXX, Citizen printiva, Okidata DP-xxxx)
- new drivers added, including support for a wide range of laser winprinters: Minolta PagePro 12xxW, 13xxW, magicolor 2300W, Canon LBP-460, LBP-660, Lexmark X74, X75, and some Casio label printers
LinuxBeta.com has posted a screenshot slideshow of Mandrakelinux 10.1 beta 1
Updated rpmdrake packages has been released for Mandrakelinux 10.0
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: rpmdrake
Advisory ID: MDKA-2004:034
Date: August 4th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
When rpmdrake would come across a package name containing the string "-h" it would print out the help usage instead of installing or upgrading a package.
The updated packages fix this. It is recommended that all users upgrade immediately.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: rpmdrake
Advisory ID: MDKA-2004:034
Date: August 4th, 2004
Affected versions: 10.0
______________________________________________________________________
Problem Description:
When rpmdrake would come across a package name containing the string "-h" it would print out the help usage instead of installing or upgrading a package.
The updated packages fix this. It is recommended that all users upgrade immediately.
