paul

A security vulnerability has been identified and fixed in pidgin:

Directory traversal vulnerability in slp.c in the MSN protocol

plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows

remote attackers to read arbitrary files via a .. (dot dot) in an

application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,

a related issue to CVE-2004-0122. NOTE: it could be argued that

this is resultant from a vulnerability in which an emoticon download

request is processed even without a preceding text/x-mms-emoticon

message that announced availability of the emoticon (CVE-2010-0013).

This update provides pidgin 2.6.5, which is not vulnerable to this

issue.

A incorrect initialisation in consolekit daemon could prevent automount

of removable media under GNOME or KDE environment. This package update

fixes this issue (it requires restarting the system to take effect).

It was dicovered that the kde4ff theme for firefox 3.5

(firefox-theme-kde4ff) did not work, to address this problem the

kfirefox theme (firefox-theme-kfirefox) is provided as a drop in

replacement.

It was discovered that the beagle extension for firefox

(firefox-ext-beagle) had the wrong release number which prevented it

from being upgraded.

This advisory addresses these problems.

A vulnerability was discovered and corrected in squid:

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7

allows remote attackers to cause a denial of service via a crafted

auth header with certain comma delimiters that trigger an infinite

loop of calls to the strcspn function (CVE-2009-2855).

This update provides a solution to this vulnerability.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

Multiple vulnerabilities has been found and corrected in squidGuard:

Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote

attackers to cause a denial of service (application hang or loss of

blocking functionality) via a long URL with many / (slash) characters,

related to emergency mode. (CVE-2009-3700).

Multiple buffer overflows in squidGuard 1.4 allow remote attackers

to bypass intended URL blocking via a long URL, related to (1)

the relationship between a certain buffer size in squidGuard and a

certain buffer size in Squid and (2) a redirect URL that contains

information about the originally requested URL (CVE-2009-3826).

squidGuard was upgraded to 1.2.1 for MNF2/CS3/CS4 with additional

upstream security and bug fixes patches applied.

This update fixes these vulnerabilities.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

A vulnerability has been found and corrected in freeradius:

The rad_decode function in FreeRADIUS before 1.1.8 allows remote

attackers to cause a denial of service (radiusd crash) via zero-length

Tunnel-Password attributes. NOTE: this is a regression error related

to CVE-2003-0967 (CVE-2009-3111).

This update provides a solution to this vulnerability.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

Security issues were identified and fixed in firefox 3.5.x:

The nsObserverList::FillObserverArray function in

xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows

remote attackers to cause a denial of service (application crash)

via a crafted web site that triggers memory consumption and an

accompanying Low Memory alert dialog, and also triggers attempted

removal of an observer from an empty observers array (CVE-2010-0220).

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

A regression was discovered with 3.0.16 when using NTLM authentication.

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

A bug was discovered in the FH_DATE_PAST_20XX rules that affects

vanilla spamassassin 3.2 installations after the first of January 2010

(aka. the y2k10 rule bug).

This update fixes this issue.

A vulnerability has been found and corrected in expat:

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,

as used in the XML-Twig module for Perl, allows context-dependent

attackers to cause a denial of service (application crash) via an

XML document with malformed UTF-8 sequences that trigger a buffer

over-read, related to the doProlog function in lib/xmlparse.c,

a different vulnerability than CVE-2009-2625 and CVE-2009-3720

(CVE-2009-3560).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

Update:

The previous (MDVSA-2009:316-2) updates provided packages for

2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased

release number which prevented the packages from hitting the mirrors.

A vulnerability has been found and corrected in expat:

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,

as used in the XML-Twig module for Perl, allows context-dependent

attackers to cause a denial of service (application crash) via an

XML document with malformed UTF-8 sequences that trigger a buffer

over-read, related to the doProlog function in lib/xmlparse.c,

a different vulnerability than CVE-2009-2625 and CVE-2009-3720

(CVE-2009-3560).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

Update:

SUSE discovered a regression with the previous patch fixing

CVE-2009-3560. This regression is now being addressed with this update.

In kde4.3 this is not possible to execute a bash script when double

clicking on it.

This update fixes this issue.

In mandriva 2010.0, there was a layout pb in the Kontact Planner

plugin.

In Korganizer, in the TODO Mode, the first line of text wasn't viewable

in non rich text mode.

This update fixes these issues.

A vulnerability has been found and corrected in expat:

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1,

as used in the XML-Twig module for Perl, allows context-dependent

attackers to cause a denial of service (application crash) via an

XML document with malformed UTF-8 sequences that trigger a buffer

over-read, related to the doProlog function in lib/xmlparse.c,

a different vulnerability than CVE-2009-2625 and CVE-2009-3720

(CVE-2009-3560).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update provides a solution to these vulnerabilities.

Update:

This vulnerability was discovered in the bundled expat code in

various softwares besides expat itself. As a precaution the affected

softwares has preemptively been patched to prevent presumptive future

exploitations of this issue.

This is a maintenance and bugfix release of apache-conf that mainly

fixes so that the httpd service is handled more gracefully when

reloading the apache server (#56857).

Other fixes (where appliable):

- fix #53887 (obsolete favicon.ico file in Apache default www pages)

- workaround #47992 (apache does not start occasionally)

- added logic to make it possible to set limits from the init

script in an attempt to address #30849 and similar problems

- added logic to easy debugging with gdb in the initscript

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

-In mandriva 2010.0 under KDE, the scrollbar was too small to be used

in some cases, this update adds a minimum size to 21 for the scrollbar

(bug #56018).

-In mandriva 2010.0 under KDE, Quassel could crash when highlighting

links.

-This update fixes the titlebar colors to make it friendly with ia

ora specs.

A vulnerability was discovered and corrected in apache-conf:

The Apache HTTP Server enables the HTTP TRACE method per default

which allows remote attackers to conduct cross-site scripting (XSS)

attacks via unspecified web client software (CVE-2009-2823).

This update provides a solution to this vulnerability.

Update:

The wrong package was uploaded for 2009.1. This update addresses

that problem.

A vulnerability was discovered and corrected in apache-conf:

The Apache HTTP Server enables the HTTP TRACE method per default

which allows remote attackers to conduct cross-site scripting (XSS)

attacks via unspecified web client software (CVE-2009-2823).

This update provides a solution to this vulnerability.

Update:

Packages for 2008.0 are provided for Corporate Desktop 2008.0

customers.

This update provides a newer version of run-parts as current version

in MES5 is very old and options are missing such as --list required

by logcheck

Fix man pages build for broken man pages.

In mandriva 2010.0 there was some missing translations.

This update fixes this issue.

Updated timezone packages are being provided for older Mandriva Linux

systems that do not contain new Daylight Savings Time information

and Time Zone information for some locations. These updated packages

contain the new information.

This update fixes two issues with msec:

- some error messages could result in msec trowing an exception

instead of logging the corresponding text (bug #56180)

- security report about group-writable files belonging to gdm user

was silenced by default (bug #56064)

This update only reverts two testing patches, fixing some font issues

in the folderview-applet.

In mandriva 2010.0, when listening to a web stream while you lose

your internet connection can make Amarok to crash. This update fixes

this bug.