-
Posts
5611 -
Joined
-
Last visited
-
Days Won
8
Content Type
Profiles
Forums
Events
Posts posted by paul
-
-
A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625 (CVE-2009-3720).
This update fixes this vulnerability.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
-
The a2ps package as provided in Mandriva Linux 2010.0 contains
improvements concerning paper auto-detection, locale recognition and
security issues. The locale recognition prevented the application to
perform correctly, this update fixes the issue.
-
Mandriva 2010 includes k3b 1.68 (alpha3) and the stable release won't
be ready before a long time, this update introduces the Aplha4 version,
with lot's of bugfixes and some new features including:
New features
* Added close buttons on project tabs (159751)
* Added support for new libmpcdec API (214149)
Bugfixes
* Crash at the beginning of burning (204333)
* Crash during DVD ripping (207958)
* Crash right after burn (195436)
* Crash during Audio CD ripping (198015)
* Crash at the beginning of ripping Audio CD with data tracks
(186555)
* Crash at the beginning of burning cue/bin image (190775)
* Fixed various typos in UI (208401, 209512)
* Fixed potential aliasing issues (210890)
* Show only one entry on the task list even when dialog window
is opened (211680)
* Show correct size when project contains invalid links (212609)
* Show correct elapsed time when burning over midnight (211604)
* Added timeout when checking version number and features of
executable (212582)
* Fixed visually endless busy status when opening an empty folder
(113649)
* Burning double-layer DVDs should be possible again (214115)
This bug also fixes an error in the migration process from 2009.0 to
2010.0 (bug #56493)
-
In mandriva 2010.0, KNetattach was using fish for the ssh connections,
this update makes it use the more suported sftp instead.
-
In mandriva 2010.0, Okular was failing to open files from firefox,
if the URL contained spaces or accents.
This update fixes this issue.
-
In mandriva 2010.0, a beta version of digikam was provided.
This update provides the final version of 1.0.0.
-
Nautilus would sometimes crash, caused by corrupted gvfs metadata.
This updates gvfs to the new fixed version.
-
In Konqueror of Mandriva 2010.0 there is a statusbar rendering a bug
when restoring multiple tabs. This Update fixes this issue.
-
Due to a change in glibc on x86_64, pam_tcb incorrectly handles
negative values in /etc/shadow. When password expiration warning
delay is set to -1, a warning would be displayed to the users saying
that their password will expire in 99999 days. This update resolves
this bug.
-
Dansguardian service, when launched with the stop option, would report
errors on lines 51. This update fixes the issue.
-
Mandriva Linux 2008.0 was released with KDE version 3.5.7.
This update upgrades KDE in Mandriva Linux 2008.0 to version 3.5.10,
which brings many bugfixes, overall improvements and many security
fixes.
kdegraphics contains security fixes for
CVE-2009-3603,3604,3605,3606,3608,3609,0146,0147,0165,0166,0799,0800,1179,1180,1181,1182,1183
kdelibs contains security fixes for
CVE-2009-0689,1687,1690,1698,2702,1725,2537
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
-
This update provides the pcsc-lite packages which were needed by
MDVA-2009:264 but not provided.
-
A vulnerability was discovered and corrected in acl:
The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when
running in recursive (-R) mode, follow symbolic links even when the
--physical (aka -P) or -L option is specified, which might allow
local users to modify the ACL for arbitrary files or directories via
a symlink attack (CVE-2009-4411).
This update provides a fix for this vulnerability.
-
Security vulnerabilities has been identified and fixed in University
of Washington IMAP Toolkit:
Multiple stack-based buffer overflows in (1) University of Washington
IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine
2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain
privileges by specifying a long folder extension argument on the
command line to the tmail or dmail program; and (B) remote attackers to
execute arbitrary code by sending e-mail to a destination mailbox name
composed of a username and '+' character followed by a long string,
processed by the tmail or possibly dmail program (CVE-2008-5005).
smtp.c in the c-client library in University of Washington IMAP Toolkit
2007b allows remote SMTP servers to cause a denial of service (NULL
pointer dereference and application crash) by responding to the QUIT
command with a close of the TCP connection instead of the expected
221 response code (CVE-2008-5006).
Off-by-one error in the rfc822_output_char function in the RFC822BUFFER
routines in the University of Washington (UW) c-client library, as
used by the UW IMAP toolkit before imap-2007e and other applications,
allows context-dependent attackers to cause a denial of service (crash)
via an e-mail message that triggers a buffer overflow (CVE-2008-5514).
The updated packages have been patched to prevent this. Note that the
software was renamed to c-client starting from Mandriva Linux 2009.0
and only provides the shared c-client library for the imap functions
in PHP.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
-
A vulnerability has been found and corrected in mod_auth_mysql:
SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql
(aka libapache2-mod-auth-mysql) module for the Apache HTTP Server
2.x allows remote attackers to execute arbitrary SQL commands via
multibyte character encodings for unspecified input (CVE-2008-2384).
This update provides fixes for this vulnerability.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
-
Multiple vulnerabilities was discovered and corrected in perl-DBD-Pg:
Heap-based buffer overflow in the DBD::Pg module for Perl might allow
context-dependent attackers to execute arbitrary code via unspecified
input to an application that uses the getline and pg_getline functions
to read database rows.
Memory leak in the dequote_bytea function in quote.c in the DBD::Pg
(aka DBD-Pg or libdbd-pg-perl) module before 2.0.0 for Perl allows
context-dependent attackers to cause a denial of service (memory
consumption) by fetching data with BYTEA columns (CVE-2009-1341).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
This update provides a fix for these vulnerabilities.
-
A vulnerability was discovered and corrected in xfig:
Xfig in Debian GNU/Linux, possibly 3.2.5, allows local users to
read and write arbitrary files via a symlink attack on the (1)
xfig-eps[PID], (2) xfig-pic[PID].pix, (3) xfig-pic[PID].err,
(4) xfig-pcx[PID].pix, (5) xfig-xfigrc[PID], (6) xfig[PID], (7)
xfig-print[PID], (8) xfig-export[PID].err, (9) xfig-batch[PID], (10)
xfig-exp[PID], or (11) xfig-spell.[PID] temporary files, where [PID]
is a process ID (CVE-2009-1962).
This update provides a solution to this vulnerability.
Update:
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
-
A vulnerability has been found and corrected in acpid:
acpid 1.0.4 sets an unrestrictive umask, which might allow local users
to leverage weak permissions on /var/log/acpid, and obtain sensitive
information by reading this file or cause a denial of service by
overwriting this file, a different vulnerability than CVE-2009-4033
(CVE-2009-4235).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
This update provides a solution to this vulnerability.
-
Multiple vulnerabilities has been found and corrected in acpid:
A certain Red Hat patch for acpid 1.0.4 effectively triggers a call
to the open function with insufficient arguments, which might allow
local users to leverage weak permissions on /var/log/acpid, and obtain
sensitive information by reading this file, cause a denial of service
by overwriting this file, or gain privileges by executing this file
(CVE-2009-4033).
acpid 1.0.4 sets an unrestrictive umask, which might allow local users
to leverage weak permissions on /var/log/acpid, and obtain sensitive
information by reading this file or cause a denial of service by
overwriting this file, a different vulnerability than CVE-2009-4033
(CVE-2009-4235).
This update provides a solution to these vulnerabilities.
-
The firefox extension for the beagle desktop search engine was not
compatible anymore with the latest firefox security update. This
update makes it work with the new firefox.
-
Multiple vulnerabilities has been found and corrected in dstat:
Multiple untrusted search path vulnerabilities in dstat before 0.7.0
allow local users to gain privileges via a Trojan horse Python module
in (1) the current working directory or (2) a certain subdirectory
of the current working directory (CVE-2009-3894, CVE-2009-4081).
This update provides a solution to these vulnerabilities.
-
A vulnerability has been found and corrected in jpgraph:
Multiple cross-site scripting (XSS) vulnerabilities in the
GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
3.0.6 allow remote attackers to inject arbitrary web script or HTML
via a key to csim_in_html_ex1.php, and other unspecified vectors
(CVE-2009-4422).
This update provides a solution to this vulnerability.
-
In Mandriva 2010.0, krdc was not able to connect to RDP servers as
the rdesktop package was not installed, this update fixes this by
adding rdesktop as runtime dependency for krdc.
-
Security issues were identified and fixed in firefox 3.5.x:
liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before
2.0.1 might allow context-dependent attackers to cause a denial of
service (application crash) or execute arbitrary code via unspecified
vectors, related to memory safety issues. (CVE-2009-3388)
Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used
in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1, allows
remote attackers to cause a denial of service (application crash)
or possibly execute arbitrary code via a video with large dimensions
(CVE-2009-3389).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1,
and Thunderbird allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors (CVE-2009-3979).
Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird
allow remote attackers to cause a denial of service (memory corruption
and application crash) or possibly execute arbitrary code via unknown
vectors (CVE-2009-3980).
Multiple unspecified vulnerabilities in the JavaScript engine
in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1,
and Thunderbird allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute arbitrary
code via unknown vectors (CVE-2009-3982).
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to send authenticated requests
to arbitrary applications by replaying the NTLM credentials of a
browser user (CVE-2009-3983).
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to spoof an SSL indicator for
an http URL or a file URL by setting document.location to an https
URL corresponding to a site that responds with a No Content (aka 204)
status code and an empty body (CVE-2009-3984).
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to associate spoofed content
with an invalid URL by setting document.location to this URL, and then
writing arbitrary web script or HTML to the associated blank document,
a related issue to CVE-2009-2654 (CVE-2009-3985).
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
before 2.0.1, allows remote attackers to execute arbitrary JavaScript
with chrome privileges by leveraging a reference to a chrome
window from a content window, related to the window.opener property
(CVE-2009-3986).
The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and
3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different
exception messages depending on whether the referenced COM object
is listed in the registry, which allows remote attackers to obtain
potentially sensitive information about installed software by making
multiple calls that specify the ProgID values of different COM objects
(CVE-2009-3987).
Additionally, some packages which require so, have been rebuilt and
are being provided as updates.
Advisories MDVA-2010:002: rpmstats
in Mandriva Security Advisories
Posted
rpmstats in 2010.0 displays strange characters for some last modified
file names, this is easy noticed on Drakstats.
This updated package fixes this bug (#56176).