paul

dd if=/dev/cdrom of=~/my-old-distro.iso

yes works in all of your cases

A vulnerabilitiy has been found and corrected in apache:

mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not

sent after request headers indicate a request body is incoming;

this is not a case of HTTP_INTERNAL_SERVER_ERROR (CVE-2010-0408).

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

The updated packages have been patched to correct this issue.

A vulnerabilitiy has been found and corrected in sudo:

sudo 1.6.x before 1.6.9p21, when the runas_default option is used,

does not properly set group memberships, which allows local users to

gain privileges via a sudo command (CVE-2010-0427).

The updated packages have been patched to correct this issue.

Fix version file and README.urpmi for MES 5.1

Rsnapshot will automatically add --exclude=xxxx to the rsync

options for backups of the filesystem on which the snapshot-root

is located. This will be added to the rsync command-line AFTER the

rsync_short_args and rsync_long_args, but BEFORE any backup-specific

options. This means that the --exclude=xxxx will override whatever

backup-specific excludes are defined. This can be a problem if the

name of your snapshot-root is something which is common in many file

names. This version resolves this problems.

This new release fix several bug in packaging: default rights on

/etc/cacti.conf, removal of temporary file, fix for cacti.conf

configuration, creation of cacti.log file.

A vulnerabilitiy has been found and corrected in mozilla-thunderbird:

Security researcher Alin Rad Pop of Secunia Research reported that

the HTML parser incorrectly freed used memory when insufficient space

was available to process remaining input. Under such circumstances,

memory occupied by in-use objects was freed and could later be filled

with attacker-controlled text. These conditions could result in the

execution or arbitrary code if methods on the freed objects were

subsequently called (CVE-2009-1571).

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

The updated packages have been patched to correct this issue.

This update fixes a bug in irqbalance that makes it to fail to spread

IRQs in a SMP or a muli core machine (#57523)

Dhcp-server package shipped with Mandriva Linux 2009.1 and 2010.0 was

using incorrect SV_LDAP definitions during the build, which resulted

in ldap support being non-functional. This update fixes the issue.

There was a bug in the ATI X1200 driver, making it show very frequent

screen corruption. This update fixes the issue.

Add a loop around SIGCONT to resume all SIGSTOP'ed process to be able

to process SIGTERM. It will not run SIGKILL if there's no process left

and avoid Sending all processes the KILL signal... [FAILED] message.

This release fixes several important issues to help prevent a detection

bypass and denial of service attacks against ModSecurity. Quite a few

small but notable bugs were fixed. The latest Core Ruleset (2.0.5)

is included.

This update provides mod_security 2.5.12, which is not vulnerable to

these issues.

When LDAP authentication is configured using the drakauth application,

it could result in several bogus error messages related to

'/var/lib/misc/group.db: file not found'. This update fixes this issue.

A vulnerabilitiy has been found and corrected in sudo:

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a

pseudo-command is enabled, permits a match between the name of the

pseudo-command and the name of an executable file in an arbitrary

directory, which allows local users to gain privileges via a crafted

executable file, as demonstrated by a file named sudoedit in a user's

home directory (CVE-2010-0426).

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

The updated packages have been patched to correct this issue.

glibc 2.10.1 on Mandriva 2010.0 can't resolve names with some buggy

routers. This update includes upstream fixes post glibc 2.10.1 release

that fixes the issue (Mandriva bug #57698). Other glibc resolver fixes

are included too, which addresses also some other upstream opened bugs.

This update allows msec to properly set special file permissions

when changing security levels (bug #57793). Additionally, this update

configures msec to enable sulogin in single user mode by default on

High security level (bug #51517).

python-qt4 packages released for Mandriva 2009.0 as update are

in a higher version than python-qt4 released in Mandriva 2009

Spring. This breaks the kde-python part on a 2009.0 to 2009 Spring

system upgrade. This fixes it by releasing updated python packages

with a higher release number on Mandriva 2009 Spring.

This update allows msec to properly set special file permissions

(such as SUID bits) when changing security levels (bug #57793).

Roundcube 0.3.1 and earlier does not request that the web browser

avoid DNS prefetching of domain names contained in e-mail messages,

which makes it easier for remote attackers to determine the network

location of the webmail user by logging DNS requests (CVE-2010-0464).

The updated packages have been patched to correct this issue.

Updated timezone packages are being provided for older Mandriva Linux

systems that do not contain new Daylight Savings Time information

and Time Zone information for some locations. These updated packages

contain the new information.

Update:

The MDVA-2010:006 advisory did not provide updated timezone packages

for MNF2, CS4 and 2008.0. This advisory provides the missing packages.

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

MMC web interface allows to create isos for user's homes and

shares. With this update, mkisofs has been added as a requirement of

the package.

Update:

It was discovered the cdrkit-genisoimage package was missing with

the MDVA-2010:050 advisory. This advisory provides the missing

dependancies.

In some cases aria2 would crash with a segmentation fault when

encountering file not found errors. This could particularly happen

when installing updates with urpmi.

The rsh package in 2010.0 has several bugs that prevented it from

working correctly, the updated packages fix all those issues.

A vulnerability has been found in ncpfs which can be exploited by

local users to disclose potentially sensitive information, cause a

DoS (Denial of Service), and potentially gain escalated privileges

(CVE-2009-3297).

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

The updated packages have been patched to correct this issue.

A race condition has been found in fuse that could escalate privileges

for local users and lead to a DoS (Denial of Service) (CVE-2009-3297).

The updated packages have been patched to correct this issue.