-
Posts
5611 -
Joined
-
Last visited
-
Days Won
8
Content Type
Profiles
Forums
Events
Posts posted by paul
-
-
Tighten required packages versions on mmc.
-
This updates gdcm to version 20.0.14 and corrects some packaging
issues that rendered the python interface non functional.
-
The Gnome Settings Daemon would crash when the multimedia volume keys
were used when the mouse pointer is on the secondary screen. This
updates gtk+ to a new version that also has fixes for crashes in
empathy, eog and other applications.
-
Multiple vulnerabilities was discovered and fixed in clamav:
The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows
remote attackers to cause a denial of service (crash) via a malformed
PDF file, related to an inconsistency in the calculated stream length
and the real stream length (CVE-2010-1639).
Off-by-one error in the parseicon function in libclamav/pe_icons.c
in ClamAV 0.96 allows remote attackers to cause a denial of service
(crash) via a crafted PE icon that triggers an out-of-bounds read,
related to improper rounding during scaling (CVE-2010-1640).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update provides clamav 0.96.1 which is not vulnerable to these
issues.
-
A vulnerability was discovered and fixed in gtk+2.0:
gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver
before 2.28.1, performs implicit paints on windows of type
GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances
and consequently allows physically proximate attackers to bypass
screen locking and access an unattended workstation by pressing the
Enter key many times (CVE-2010-0732).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update fixes this issue.
-
A vulnerability was discovered and fixed in kolab-horde-framework:
Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab
Server before 2.2.3 allows attackers to have an unspecified impact
via vectors related to an image upload form. (CVE-2009-4824).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update fixes this issue.
-
Multiple vulnerabilities has been found and corrected in mysql:
The server failed to check the table name argument of a COM_FIELD_LIST
command packet for validity and compliance to acceptable table name
standards. This could be exploited to bypass almost all forms of
checks for privileges and table-level grants by providing a specially
crafted table name argument to COM_FIELD_LIST (CVE-2010-1848).
The server could be tricked into reading packets indefinitely if
it received a packet larger than the maximum size of one packet
CVE-2010-1849).
The server was susceptible to a buffer-overflow attack due to a
failure to perform bounds checking on the table name argument of a
COM_FIELD_LIST command packet. By sending long data for the table name,
a buffer is overflown, which could be exploited by an authenticated
user to inject malicious code (CVE-2010-1850).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct these issues.
-
A vulnerability was discovered in aria2 which allows remote attackers
to create arbitrary files via directory traversal sequences in the
name attribute of a file element in a metalink file (CVE-2010-1512).
This update fixes this issue.
Packages for 2009.0 are provided as of the Extended Maintenance
Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
-
This updates provides a new OpenOffice.org version 3.1.1. It holds
security and bug fixes described as follow:
An integer underflow might allow remote attackers to execute arbitrary
code via crafted records in the document table of a Word document,
leading to a heap-based buffer overflow (CVE-2009-0200).
A heap-based buffer overflow might allow remote attackers to execute
arbitrary code via unspecified records in a crafted Word document,
related to table parsing (CVE-2009-0201).
A heap-based buffer overflow allows remote attackers to execute
arbitrary code via a crafted EMF file (CVE-2009-2139).
Multiple heap-based buffer overflows allow remote attackers to execute
arbitrary code via a crafted EMF+ file (CVE-2009-2140).
OpenOffice's xmlsec uses a bundled Libtool which might load .la
file in the current working directory allowing local users to gain
privileges via a Trojan horse file. For enabling such vulnerability
xmlsec has to use --enable-crypto_dl building flag however it does
not, although the fix keeps protected against this threat whenever
that flag had been enabled (CVE-2009-3736).
Addittionaly this update provides following bug fixes:
OpenOffice.org is not properly configure to use the xdg-email
functionality of the FreeDesktop standard (#52195).
Template desktop icons are not properly set up then they are not
presented under the context menu of applications like Dolphin (#56439).
libia_ora-gnome is added as suggest as long as that package is needed
for a better look (#57385#c28).
It is enabled a fallback logic to properly select an OpenOffice.org
style whenever one is set up but that is not installed (#57530#c1,
#53284, #45133, #39043)
It is enabled the Firefox plugin for viewing OpenOffice.org documents
inside browser.
Further packages were provided to supply OpenOffice.org. 3.1.1
dependencies.
-
This updates digikam and all it's dependencies, fixing some bugs,
notably #56078, and introducing functionalities and boosting up
stability.
-
A vulnerability was discovered and corrected in dovecot:
Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows
remote attackers to cause a denial of service (CPU consumption)
via long headers in an e-mail message (CVE-2010-0745).
This update provides dovecot 1.2.11 which is not vulnerable to this
issue and also holds many bugfixes as well.
-
Multiple vulnerabilities was discovered and corrected in postgresql:
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL
8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users
to cause a denial of service (daemon crash) or have unspecified
other impact via vectors involving a negative integer in the third
argument, as demonstrated by a SELECT statement that contains a
call to the substring function for a bit string, related to an
overflow. (CVE-2010-0442).
A flaw was found in the way the PostgreSQL server process
enforced permission checks on scripts written in PL/Perl. A remote,
authenticated user, running a specially-crafted PL/Perl script, could
use this flaw to bypass PL/Perl trusted mode restrictions, allowing
them to obtain sensitive information; execute arbitrary Perl scripts;
or cause a denial of service (remove protected, sensitive data)
(CVE-2010-1169).
The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0
before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before
8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads
Tcl code from the pltcl_modules table regardless of the table's
ownership and permissions, which allows remote authenticated users,
with database-creation privileges, to execute arbitrary Tcl code by
creating this table and inserting a crafted Tcl script (CVE-2010-1170).
PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement
(CVE-2010-1975).
Packages for 2008.0 and 2009.0 are provided as of the Extended
Maintenance Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update provides a solution to these vulnerabilities.
-
mono as shipped with Mandriva 2010.0 was built with wrong compiler
optimizations that made some applications freeze. The updated package
uses safe compiler flags that prevents the freeze.
-
Multiple vulnerabilities has been found and corrected in clamav:
ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file
formats, which allows remote attackers to bypass virus detection via
a crafted archive that is compatible with standard archive utilities
(CVE-2010-0098).
The qtm_decompress function in libclamav/mspack.c in ClamAV before
0.96 allows remote attackers to cause a denial of service (memory
corruption and application crash) via a crafted CAB archive that uses
the Quantum (aka .Q) compression format. NOTE: some of these details
are obtained from third party information (CVE-2010-1311).
This update provides clamav 0.96, which is not vulnerable to these
issues.
Update:
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
-
A vulnerability has been found and corrected in ghostscript:
Stack-based buffer overflow in the parser function in GhostScript 8.70
and 8.64 allows context-dependent attackers to execute arbitrary code
via a crafted PostScript file (CVE-2010-1869).
Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.
The updated packages have been patched to correct this issue.
-
A vulnerability has been found and corrected in mysql:
It was possible for DROP TABLE of one MyISAM table to remove the
data and index files of a different MyISAM table (CVE-2010-1626).
Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.
The updated packages have been patched to correct this issue.
-
A vulnerability has been found and corrected in krb5:
Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library
(CVE-2010-1321).
Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.
The updated packages have been patched to correct this issue.
-
Multiple vulnerabilities has been discovered and fixed in kget
(kdenetwork4):
Directory traversal vulnerability in KGet in KDE SC 4.0.0 through
4.4.3 allows remote attackers to create arbitrary files via directory
traversal sequences in the name attribute of a file element in a
metalink file (CVE-2010-1000).
KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request
download confirmation from the user, which makes it easier for remote
attackers to overwrite arbitrary files via a crafted metalink file
(CVE-2010-1511).
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
The corrected packages solves these problems.
-
Define /etc/sysconfig/libvirtd as a config file to avoid being
overwritten during upgrades.
-
In Mandriva Linux 2010.0 some widgets, such as the Opendesktop ones,
resulted in plasma crashes.
This update fixes this issue.
-
Previous version of openbox were incorrectly started by the login
windows, causing various settings such as autostart.sh to malfunction.
-
This advisory updates wireshark to the latest version(s), fixing
several bugs and one security issue:
The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0
through 1.2.7 allows user-assisted remote attackers to cause a denial
of service (application crash) via a malformed packet trace file
(CVE-2010-1455).
-
A vulnerability has been discovered and fixed in kget (kdenetwork4):
The name attribute of the file element of metalink files is not
properly sanitized before being used to download files. If a user
is tricked into downloading from a specially crafted metalink file,
this can be exploited to download files to directories outside of
the intended download directory via directory traversal attacks
(CVE-2010-1000).
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
The corrected packages solves these problems.
-
The documentation has been updated:
- Monitoring: Cacti configuration added
- Mandriva Directory Server 2.4.0 : Audit Module added
- Mandriva Directory Server 2.4.0 : Password Policy Module added
Advisories MDVA-2010:160: heartbeat
in Mandriva Security Advisories
Posted
The heartbeat package in the 2010.0 release had wrong permissions
and ownership for /usr/bin/cl_status this prevented it from working
correctly. Also when peers were outdated heartbeat didn't failover
gracefully. This update fixes both these issues.