paul

Multiple vulnerabilities were discovered and corrected in freetype2:

An error within the "Ins_SHZ()" function in src/truetype/ttinterp.c

when handling the "SHZ" bytecode instruction can be exploited to

cause a crash and potentially execute arbitrary code via a specially

crafted font (CVE-2010-3814).

An error exists in the "ft_var_readpackedpoints()" function in

src/truetype/ttgxvar.c when processing TrueType GX fonts and can

be exploited to cause a heap-based buffer overflow via a specially

crafted font (CVE-2010-3855).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in freetype2:

An error exists in the "ft_var_readpackedpoints()" function in

src/truetype/ttgxvar.c when processing TrueType GX fonts and can

be exploited to cause a heap-based buffer overflow via a specially

crafted font (CVE-2010-3855).

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in cups:

Cross-site request forgery (CSRF) vulnerability in the web interface

in CUPS, allows remote attackers to hijack the authentication of

administrators for requests that change settings (CVE-2010-0540).

The _WriteProlog function in texttops.c in texttops in the Text Filter

subsystem in CUPS before 1.4.4 does not check the return values

of certain calloc calls, which allows remote attackers to cause a

denial of service (NULL pointer dereference or heap memory corruption)

or possibly execute arbitrary code via a crafted file (CVE-2010-0542).

The web interface in CUPS, reads uninitialized memory during handling

of form variables, which allows context-dependent attackers to obtain

sensitive information from cupsd process memory via unspecified vectors

(CVE-2010-1748).

The cupsFileOpen function in CUPS before 1.4.4 allows local users,

with lp group membership, to overwrite arbitrary files via a

symlink attack on the (1) /var/cache/cups/remote.cache or (2)

/var/cache/cups/job.cache file (CVE-2010-2431).

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate

memory for attribute values with invalid string data types, which

allows remote attackers to cause a denial of service (use-after-free

and application crash) or possibly execute arbitrary code via a

crafted IPP request (CVE-2010-2941).

The updated packages have been upgraded to cups 1.3.10 and patched

to correct these issues.

Multiple vulnerabilities were discovered and corrected in cups:

Cross-site request forgery (CSRF) vulnerability in the web interface

in CUPS, allows remote attackers to hijack the authentication of

administrators for requests that change settings (CVE-2010-0540).

The _WriteProlog function in texttops.c in texttops in the Text Filter

subsystem in CUPS before 1.4.4 does not check the return values

of certain calloc calls, which allows remote attackers to cause a

denial of service (NULL pointer dereference or heap memory corruption)

or possibly execute arbitrary code via a crafted file (CVE-2010-0542).

The web interface in CUPS, reads uninitialized memory during handling

of form variables, which allows context-dependent attackers to obtain

sensitive information from cupsd process memory via unspecified vectors

(CVE-2010-1748).

The cupsFileOpen function in CUPS before 1.4.4 allows local users,

with lp group membership, to overwrite arbitrary files via a

symlink attack on the (1) /var/cache/cups/remote.cache or (2)

/var/cache/cups/job.cache file (CVE-2010-2431).

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate

memory for attribute values with invalid string data types, which

allows remote attackers to cause a denial of service (use-after-free

and application crash) or possibly execute arbitrary code via a

crafted IPP request (CVE-2010-2941).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in cups:

Cross-site request forgery (CSRF) vulnerability in the web interface

in CUPS, allows remote attackers to hijack the authentication of

administrators for requests that change settings (CVE-2010-0540).

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate

memory for attribute values with invalid string data types, which

allows remote attackers to cause a denial of service (use-after-free

and application crash) or possibly execute arbitrary code via a

crafted IPP request (CVE-2010-2941).

The updated packages have been patched to correct these issues.

This updates fixes one bug:

In file

/usr/lib/perl5/vendor_perl/5.10.0/Ocsinventory/LoggerBackend/Syslog.pm

the third argument ({'USER'}) doesn't respect the

syslog protocol RFC 5424. It should be one listed in

http://perldoc.perl.org/Sys/Syslog.html#Facilities, in our case

LOG_USER.

Multiple vulnerabilities were discovered and corrected in poppler:

The Gfx::getPos function in the PDF parser in poppler, allows

context-dependent attackers to cause a denial of service (crash)

via unknown vectors that trigger an uninitialized pointer dereference

(CVE-2010-3702).

The PostScriptFunction::PostScriptFunction function in

poppler/Function.cc in the PDF parser in poppler, allows

context-dependent attackers to cause a denial of service (crash)

via a PDF file that triggers an uninitialized pointer dereference

(CVE-2010-3703).

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser

in poppler, allows context-dependent attackers to cause a denial

of service (crash) and possibly execute arbitrary code via a PDF

file with a crafted Type1 font that contains a negative array index,

which bypasses input validation and which triggers memory corruption

(CVE-2010-3704).

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in poppler:

The Gfx::getPos function in the PDF parser in poppler, allows

context-dependent attackers to cause a denial of service (crash)

via unknown vectors that trigger an uninitialized pointer dereference

(CVE-2010-3702).

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser

in poppler, allows context-dependent attackers to cause a denial

of service (crash) and possibly execute arbitrary code via a PDF

file with a crafted Type1 font that contains a negative array index,

which bypasses input validation and which triggers memory corruption

(CVE-2010-3704).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in kdegraphics:

The Gfx::getPos function in the PDF parser in kdegraphics, allows

context-dependent attackers to cause a denial of service (crash)

via unknown vectors that trigger an uninitialized pointer dereference

(CVE-2010-3702).

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser

in kdegraphics, allows context-dependent attackers to cause a denial

of service (crash) and possibly execute arbitrary code via a PDF

file with a crafted Type1 font that contains a negative array index,

which bypasses input validation and which triggers memory corruption

(CVE-2010-3704).

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in xpdf:

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5,

allows context-dependent attackers to cause a denial of service (crash)

via unknown vectors that trigger an uninitialized pointer dereference

(CVE-2010-3702).

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser

in xpdf before 3.02pl5, allows context-dependent attackers to cause a

denial of service (crash) and possibly execute arbitrary code via a PDF

file with a crafted Type1 font that contains a negative array index,

which bypasses input validation and which triggers memory corruption

(CVE-2010-3704).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Due to bug in nss_updatedb package old BDB transaction logs were

not removed from /var/lib/misc directory, possibly filling the /var

filesystem. The fixed package corrects this bug, and will also remove

all leftover transaction logs from the system.

Thus is a bug and maintenance release of snort that fixes numerous

of issues such as:

* Fix installer packages to include correct version of sensitive data

preprocessor for linux and Windows

* Eliminate false positives when using fast_pattern:only and having

only one http content in the pattern matcher.

* Address false positives in FTP preprocessor with string format

verification.

This advisory provides snort v2.8.6.1 where these problems has been

resolved.

This updates fixes two major bugs:

- applog subcription/unsubscription needed to get a thread safe usage

of applog were buggy and not thread safe themselves.

- disabling slog usage form printout level > error was not respected.

Multiple vulnerabilities were discovered and corrected in proftpd:

Multiple directory traversal vulnerabilities in the mod_site_misc

module in ProFTPD before 1.3.3c allow remote authenticated users to

create directories, delete directories, create symlinks, and modify

file timestamps via directory traversal sequences in a (1) SITE

MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command

(CVE-2010-3867).

Multiple stack-based buffer overflows in the pr_netio_telnet_gets

function in netio.c in ProFTPD before 1.3.3c allow remote attackers

to execute arbitrary code via vectors involving a TELNET IAC escape

character to a (1) FTP or (2) FTPS server (CVE-2010-4221).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Users who have migrated from gnote to tomboy and use online note

syncing could lose their notes. This update fixes the note parsing

to prevent data loss.

A dependency problem with the postgresql packages was discovered

which under certain circumstances prevented a smooth upgrade. This

advisory addresses this problem.

A vulnerability was discovered and corrected in ISC dhcp:

ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before

4.2.0-P1 allows remote attackers to cause a denial of service (crash)

via a DHCPv6 packet containing a Relay-Forward message without an

address in the Relay-Forward link-address field (CVE-2010-3611).

The updated packages have been upgraded to 4.1.2 which is not

vulnerable to this issue.

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update:

The MDVSA-2010:225 advisory used the wrong patch to address the

problem, however it did fix the issue. This advisory provides the

correct upstream patch.

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update:

The MDVSA-2010:225 advisory used the wrong patch to address the

problem, however it did fix the issue. This advisory provides the

corect upstream patch.

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in mysql:

* During evaluation of arguments to extreme-value functions (such

as LEAST() and GREATEST()), type errors did not propagate properly,

causing the server to crash (CVE-2010-3833).

* The server could crash after materializing a derived table that

required a temporary table for grouping (CVE-2010-3834).

* A user-variable assignment expression that is evaluated in a logical

expression context can be precalculated in a temporary table for GROUP

BY. However, when the expression value is used after creation of the

temporary table, it was re-evaluated, not read from the table and a

server crash resulted (CVE-2010-3835).

* Pre-evaluation of LIKE predicates during view preparation could

cause a server crash (CVE-2010-3836).

* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash

(CVE-2010-3837).

* Queries could cause a server crash if the GREATEST() or LEAST()

function had a mixed list of numeric and LONGBLOB arguments, and

the result of such a function was processed using an intermediate

temporary table (CVE-2010-3838).

* Queries with nested joins could cause an infinite loop in the

server when used from stored procedures and prepared statements

(CVE-2010-3839).

* The PolyFromWKB() function could crash the server when improper

WKB data was passed to the function (CVE-2010-3840).

The updated packages have been patched to correct these issues.

A vulnerability was discovered and corrected in php:

A flaw in ext/xml/xml.c could cause a cross-site scripting (XSS)

vulnerability (CVE-2010-3870).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Multiple vulnerabilities were discovered and corrected in mysql:

* Joins involving a table with with a unique SET column could cause

a server crash (CVE-2010-3677).

* Use of TEMPORARY InnoDB tables with nullable columns could cause

a server crash (CVE-2010-3680).

* The server could crash if there were alternate reads from two

indexes on a table using the HANDLER interface (CVE-2010-3681).

* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY

(SELECT ... WHERE ...) could cause a server crash (CVE-2010-3682).

* During evaluation of arguments to extreme-value functions (such

as LEAST() and GREATEST()), type errors did not propagate properly,

causing the server to crash (CVE-2010-3833).

* The server could crash after materializing a derived table that

required a temporary table for grouping (CVE-2010-3834).

* A user-variable assignment expression that is evaluated in a logical

expression context can be precalculated in a temporary table for GROUP

BY. However, when the expression value is used after creation of the

temporary table, it was re-evaluated, not read from the table and a

server crash resulted (CVE-2010-3835).

* Pre-evaluation of LIKE predicates during view preparation could

cause a server crash (CVE-2010-3836).

* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash

(CVE-2010-3837).

* Queries could cause a server crash if the GREATEST() or LEAST()

function had a mixed list of numeric and LONGBLOB arguments, and

the result of such a function was processed using an intermediate

temporary table (CVE-2010-3838).

* Queries with nested joins could cause an infinite loop in the

server when used from stored procedures and prepared statements

(CVE-2010-3839).

* The PolyFromWKB() function could crash the server when improper

WKB data was passed to the function (CVE-2010-3840).

Additionally the default behaviour of using the mysqlmanager instead

of the mysqld_safe script has been reverted in the SysV init script

because of instability issues with the mysqlmanager.

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to mysql 5.0.91 and patched

to correct these issues.

Multiple vulnerabilities has been found and corrected in mysql:

MySQL before 5.1.48 allows remote authenticated users with alter

database privileges to cause a denial of service (server crash

and database loss) via an ALTER DATABASE command with a #mysql50#

string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or

similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which

causes MySQL to move certain directories to the server data directory

(CVE-2010-2008).

Additionally many security issues noted in the 5.1.49 release notes

has been addressed with this advisory as well, such as:

* LOAD DATA INFILE did not check for SQL errors and sent an OK packet

even when errors were already reported. Also, an assert related to

client-server protocol checking in debug servers sometimes was raised

when it should not have been. (Bug#52512) (CVE-2010-3683)

* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER

BY (SELECT ... WHERE ...) could cause a server crash. (Bug#52711)

(CVE-2010-3682)

* The server could crash if there were alternate reads from two indexes

on a table using the HANDLER interface. (Bug#54007) (CVE-2010-3681)

* A malformed argument to the BINLOG statement could result in Valgrind

warnings or a server crash. (Bug#54393) (CVE-2010-3679)

* Incorrect handling of NULL arguments could lead to a crash for IN()

or CASE operations when NULL arguments were either passed explicitly

as arguments (for IN()) or implicitly generated by the WITH ROLLUP

modifier (for IN() and CASE). (Bug#54477) (CVE-2010-3678)

* Joins involving a table with with a unique SET column could cause

a server crash. (Bug#54575) (CVE-2010-3677)

* Use of TEMPORARY InnoDB tables with nullable columns could cause

a server crash. (Bug#54044) (CVE-2010-3680)

The updated packages have been patched to correct these issues.

Update:

Packages for 2009.1 was not provided with the MDVSA-2010:155

advisory. This advisory provides the missing packages.

Multiple vulnerabilities was discovered and corrected in the

OpenOffice.org:

Integer overflow allows remote attackers to execute arbitrary code

via a crafted XPM file that triggers a heap-based buffer overflow

(CVE-2009-2949).

Heap-based buffer overflow allows remote attackers to cause a denial

of service (application crash) or possibly execute arbitrary code

via a crafted GIF file, related to LZW decompression (CVE-2009-2950).

Integer underflow allows remote attackers to cause a denial of

service (application crash) or possibly execute arbitrary code via

a crafted sprmTDefTable table property modifier in a Word document

(CVE-2009-3301).

boundary error flaw allows remote attackers to cause a denial of

service (application crash) or possibly execute arbitrary code via

a crafted sprmTSetBrc table property modifier in a Word document

(CVE-2009-3302).

Lack of properly enforcing Visual Basic for Applications (VBA) macro

security settings, which allows remote attackers to run arbitrary

macros via a crafted document (CVE-2010-0136).

User-assisted remote attackers are able to bypass Python macro

security restrictions and execute arbitrary Python code via a crafted

OpenDocument Text (ODT) file that triggers code execution when the

macro directory structure is previewed (CVE-2010-0395).

Impress module does not properly handle integer values associated

with dictionary property items, which allows remote attackers to

cause a denial of service (application crash) or possibly execute

arbitrary code via a crafted PowerPoint document that triggers a

heap-based buffer overflow, related to an integer truncation error

(CVE-2010-2935).

Integer overflow in the Impress allows remote attackers to cause a

denial of service (application crash) or possibly execute arbitrary

code via crafted polygons in a PowerPoint document that triggers a

heap-based buffer overflow (CVE-2010-2936).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides OpenOffice.org packages have been patched to

correct these issues and additional dependent packages.