paul

November 11, 2010

A dependency problem with the postgresql packages was discovered

which under certain circumstances prevented a smooth upgrade. This

advisory addresses this problem.

November 10, 2010

A vulnerability was discovered and corrected in ISC dhcp:

ISC DHCP server 4.0 before 4.0.2, 4.1 before 4.1.2, and 4.2 before

4.2.0-P1 allows remote attackers to cause a denial of service (crash)

via a DHCPv6 packet containing a Relay-Forward message without an

address in the Relay-Forward link-address field (CVE-2010-3611).

The updated packages have been upgraded to 4.1.2 which is not

vulnerable to this issue.

November 10, 2010

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update:

The MDVSA-2010:225 advisory used the wrong patch to address the

problem, however it did fix the issue. This advisory provides the

correct upstream patch.

November 10, 2010

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

Update:

The MDVSA-2010:225 advisory used the wrong patch to address the

problem, however it did fix the issue. This advisory provides the

corect upstream patch.

November 9, 2010

A vulnerability was discovered and corrected in libmbfl (php):

* Fix bug #53273 (mb_strcut() returns garbage with the excessive

length parameter) (CVE-2010-4156).

The updated packages have been patched to correct these issues.

November 9, 2010

A vulnerability was discovered and corrected in php:

A flaw in ext/xml/xml.c could cause a cross-site scripting (XSS)

vulnerability (CVE-2010-3870).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

November 9, 2010

Multiple vulnerabilities were discovered and corrected in mysql:

* During evaluation of arguments to extreme-value functions (such

as LEAST() and GREATEST()), type errors did not propagate properly,

causing the server to crash (CVE-2010-3833).

* The server could crash after materializing a derived table that

required a temporary table for grouping (CVE-2010-3834).

* A user-variable assignment expression that is evaluated in a logical

expression context can be precalculated in a temporary table for GROUP

BY. However, when the expression value is used after creation of the

temporary table, it was re-evaluated, not read from the table and a

server crash resulted (CVE-2010-3835).

* Pre-evaluation of LIKE predicates during view preparation could

cause a server crash (CVE-2010-3836).

* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash

(CVE-2010-3837).

* Queries could cause a server crash if the GREATEST() or LEAST()

function had a mixed list of numeric and LONGBLOB arguments, and

the result of such a function was processed using an intermediate

temporary table (CVE-2010-3838).

* Queries with nested joins could cause an infinite loop in the

server when used from stored procedures and prepared statements

(CVE-2010-3839).

* The PolyFromWKB() function could crash the server when improper

WKB data was passed to the function (CVE-2010-3840).

The updated packages have been patched to correct these issues.

November 9, 2010

Multiple vulnerabilities were discovered and corrected in mysql:

* Joins involving a table with with a unique SET column could cause

a server crash (CVE-2010-3677).

* Use of TEMPORARY InnoDB tables with nullable columns could cause

a server crash (CVE-2010-3680).

* The server could crash if there were alternate reads from two

indexes on a table using the HANDLER interface (CVE-2010-3681).

* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY

(SELECT ... WHERE ...) could cause a server crash (CVE-2010-3682).

* During evaluation of arguments to extreme-value functions (such

as LEAST() and GREATEST()), type errors did not propagate properly,

causing the server to crash (CVE-2010-3833).

* The server could crash after materializing a derived table that

required a temporary table for grouping (CVE-2010-3834).

* A user-variable assignment expression that is evaluated in a logical

expression context can be precalculated in a temporary table for GROUP

BY. However, when the expression value is used after creation of the

temporary table, it was re-evaluated, not read from the table and a

server crash resulted (CVE-2010-3835).

* Pre-evaluation of LIKE predicates during view preparation could

cause a server crash (CVE-2010-3836).

* GROUP_CONCAT() and WITH ROLLUP together could cause a server crash

(CVE-2010-3837).

* Queries could cause a server crash if the GREATEST() or LEAST()

function had a mixed list of numeric and LONGBLOB arguments, and

the result of such a function was processed using an intermediate

temporary table (CVE-2010-3838).

* Queries with nested joins could cause an infinite loop in the

server when used from stored procedures and prepared statements

(CVE-2010-3839).

* The PolyFromWKB() function could crash the server when improper

WKB data was passed to the function (CVE-2010-3840).

Additionally the default behaviour of using the mysqlmanager instead

of the mysqld_safe script has been reverted in the SysV init script

because of instability issues with the mysqlmanager.

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been upgraded to mysql 5.0.91 and patched

to correct these issues.

November 8, 2010

Multiple vulnerabilities has been found and corrected in mysql:

MySQL before 5.1.48 allows remote authenticated users with alter

database privileges to cause a denial of service (server crash

and database loss) via an ALTER DATABASE command with a #mysql50#

string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or

similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which

causes MySQL to move certain directories to the server data directory

(CVE-2010-2008).

Additionally many security issues noted in the 5.1.49 release notes

has been addressed with this advisory as well, such as:

* LOAD DATA INFILE did not check for SQL errors and sent an OK packet

even when errors were already reported. Also, an assert related to

client-server protocol checking in debug servers sometimes was raised

when it should not have been. (Bug#52512) (CVE-2010-3683)

* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER

BY (SELECT ... WHERE ...) could cause a server crash. (Bug#52711)

(CVE-2010-3682)

* The server could crash if there were alternate reads from two indexes

on a table using the HANDLER interface. (Bug#54007) (CVE-2010-3681)

* A malformed argument to the BINLOG statement could result in Valgrind

warnings or a server crash. (Bug#54393) (CVE-2010-3679)

* Incorrect handling of NULL arguments could lead to a crash for IN()

or CASE operations when NULL arguments were either passed explicitly

as arguments (for IN()) or implicitly generated by the WITH ROLLUP

modifier (for IN() and CASE). (Bug#54477) (CVE-2010-3678)

* Joins involving a table with with a unique SET column could cause

a server crash. (Bug#54575) (CVE-2010-3677)

* Use of TEMPORARY InnoDB tables with nullable columns could cause

a server crash. (Bug#54044) (CVE-2010-3680)

The updated packages have been patched to correct these issues.

Update:

Packages for 2009.1 was not provided with the MDVSA-2010:155

advisory. This advisory provides the missing packages.

November 5, 2010

Multiple vulnerabilities was discovered and corrected in the

OpenOffice.org:

Integer overflow allows remote attackers to execute arbitrary code

via a crafted XPM file that triggers a heap-based buffer overflow

(CVE-2009-2949).

Heap-based buffer overflow allows remote attackers to cause a denial

of service (application crash) or possibly execute arbitrary code

via a crafted GIF file, related to LZW decompression (CVE-2009-2950).

Integer underflow allows remote attackers to cause a denial of

service (application crash) or possibly execute arbitrary code via

a crafted sprmTDefTable table property modifier in a Word document

(CVE-2009-3301).

boundary error flaw allows remote attackers to cause a denial of

service (application crash) or possibly execute arbitrary code via

a crafted sprmTSetBrc table property modifier in a Word document

(CVE-2009-3302).

Lack of properly enforcing Visual Basic for Applications (VBA) macro

security settings, which allows remote attackers to run arbitrary

macros via a crafted document (CVE-2010-0136).

User-assisted remote attackers are able to bypass Python macro

security restrictions and execute arbitrary Python code via a crafted

OpenDocument Text (ODT) file that triggers code execution when the

macro directory structure is previewed (CVE-2010-0395).

Impress module does not properly handle integer values associated

with dictionary property items, which allows remote attackers to

cause a denial of service (application crash) or possibly execute

arbitrary code via a crafted PowerPoint document that triggers a

heap-based buffer overflow, related to an integer truncation error

(CVE-2010-2935).

Integer overflow in the Impress allows remote attackers to cause a

denial of service (application crash) or possibly execute arbitrary

code via crafted polygons in a PowerPoint document that triggers a

heap-based buffer overflow (CVE-2010-2936).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides OpenOffice.org packages have been patched to

correct these issues and additional dependent packages.

November 5, 2010

It was discovered the kipi-plugins packages were not rebuilt (relinked)

against the libkdcraw.so.8 and libkexiv2.so.8 libraries provided by

kdegraphics4-4.3.5-0.7mdv2010.0. This advisory addresses this problem.

November 5, 2010

It was discovered the kdeplasma-addons packages were not rebuilt

(relinked) against the libkdcraw.so.8 and libkexiv2.so.8 libraries

provided by kdegraphics4-4.3.5-0.7mdv2010.0. This advisory addresses

this problem.

November 4, 2010

This is a maintenance and bugfix release of sudo which upgrades sudo

to the latest 1.7.4p4 version.

November 4, 2010

Multiple vulnerabilities were discovered and corrected in pam:

The pam_xauth module did not verify the return values of the setuid()

and setgid() system calls. A local, unprivileged user could use this

flaw to execute the xauth command with root privileges and make it

read an arbitrary input file (CVE-2010-3316).

The pam_mail module used root privileges while accessing users'

files. In certain configurations, a local, unprivileged user could

use this flaw to obtain limited information about files or directories

that they do not have access to (CVE-2010-3435).

The pam_namespace module executed the external script namespace.init

with an unchanged environment inherited from an application calling

PAM. In cases where such an environment was untrusted (for example,

when pam_namespace was configured for setuid applications such as su

or sudo), a local, unprivileged user could possibly use this flaw to

escalate their privileges (CVE-2010-3853).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

November 2, 2010

A vulnerability was discovered and corrected in krb5:

The merge_authdata function in kdc_authdata.c in the Key Distribution

Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does

not properly manage an index into an authorization-data list, which

allows remote attackers to cause a denial of service (daemon crash),

or possibly obtain sensitive information, spoof authorization,

or execute arbitrary code, via a TGS request, as demonstrated by a

request from a Windows Active Directory client (CVE-2010-1322).

The updated packages have been patched to correct this issue.

Update:

Update packages for MES5 were missing with the MDVSA-2010:202

advisory. This advisory provides the update packages.

November 2, 2010

the only real way to tell is to download (from a trusted location) chkrootkit and run it

Do not trust an already existing chkrootkit installation.

let chkrootkit report to you, then post the results here.

November 1, 2010

A security issue was identified and fixed in mozilla-thunderbird:

Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14

and 3.6.x through 3.6.11, when JavaScript is enabled, allows remote

attackers to execute arbitrary code via unknown vectors, as exploited

in the wild in October 2010 by the Belmoo malware (CVE-2010-3765).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

Additionally, some packages which require so, have been rebuilt and

are being provided as updates.

October 31, 2010

Multiple vulnerabilities were discovered and corrected in php:

Stack consumption vulnerability in the filter_var function in PHP 5.2.x

through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL

mode is used, allows remote attackers to cause a denial of service

(memory consumption and application crash) via a long e-mail address

string (CVE-2010-3710).

A NULL pointer dereference was discovered in

ZipArchive::getArchiveComment (CVE-2010-3709).

A possible flaw was discovered in open_basedir (CVE-2010-3436).

Packages for 2009.0 are provided as of the Extended Maintenance

Program. Please visit this link to learn more:

http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

October 30, 2010

Multiple vulnerabilities was discovered and corrected in dovecot:

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin

permission to the owner of each mailbox in a non-public namespace,

which might allow remote authenticated users to bypass intended access

restrictions by changing the ACL of a mailbox, as demonstrated by a

symlinked shared mailbox (CVE-2010-3779).

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to

cause a denial of service (master process outage) by simultaneously

disconnecting many (1) IMAP or (2) POP3 sessions (CVE-2010-3780).

The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to

newly created mailboxes in certain configurations, which might allow

remote attackers to read mailboxes that have unintended weak ACLs

(CVE-2010-3304).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15

and 2.0.x before 2.0.5 interprets an ACL entry as a directive to

add to the permissions granted by another ACL entry, instead of a

directive to replace the permissions granted by another ACL entry,

in certain circumstances involving the private namespace of a user,

which allows remote authenticated users to bypass intended access

restrictions via a request to read or modify a mailbox (CVE-2010-3706).

plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and

2.0.x before 2.0.5 interprets an ACL entry as a directive to add to

the permissions granted by another ACL entry, instead of a directive

to replace the permissions granted by another ACL entry, in certain

circumstances involving more specific entries that occur after less

specific entries, which allows remote authenticated users to bypass

intended access restrictions via a request to read or modify a mailbox

(CVE-2010-3707).

This advisory provides dovecot 1.2.15 which is not vulnerable to

these issues

October 30, 2010

Multiple vulnerabilities was discovered and corrected in python:

The asyncore module in Python before 3.2 does not properly handle

unsuccessful calls to the accept function, and does not have

accompanying documentation describing how daemon applications should

handle unsuccessful calls to the accept function, which makes it

easier for remote attackers to conduct denial of service attacks that

terminate these applications via network connections (CVE-2010-3492).

Multiple race conditions in smtpd.py in the smtpd module in Python 2.6,

2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of

service (daemon outage) by establishing and then immediately closing

a TCP connection, leading to the accept function having an unexpected

return value of None, an unexpected value of None for the address,

or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername

function having an ENOTCONN error, a related issue to CVE-2010-3492

(CVE-2010-3493).

The updated packages have been patched to correct these issues.

October 30, 2010

Multiple vulnerabilities was discovered and corrected in python:

Buffer underflow in the rgbimg module in Python 2.5 allows remote

attackers to cause a denial of service (application crash) via a large

ZSIZE value in a black-and-white (aka B/W) RGB image that triggers

an invalid pointer dereference (CVE-2009-4134).

Integer overflow in rgbimgmodule.c in the rgbimg module in Python

2.5 allows remote attackers to have an unspecified impact via a large

image that triggers a buffer overflow. NOTE: this vulnerability exists

because of an incomplete fix for CVE-2008-3143.12 (CVE-2010-1449).

Multiple buffer overflows in the RLE decoder in the rgbimg module in

Python 2.5 allow remote attackers to have an unspecified impact via an

image file containing crafted data that triggers improper processing

within the (1) longimagedata or (2) expandrow function (CVE-2010-1450).