Jump to content

paul

Admin
  • Content Count

    5598
  • Joined

  • Last visited

  • Days Won

    6

Posts posted by paul


  1.  

    Hi Paul

    Good news, at least we have our new server, we don't need to bother you anymore :)

    thanks for your help !

    so we just need to install on this new server phpbb3 !

    i will do that during the night, we did not have any post for the moment so no need to save the db.

    do you want to be admin of this forum ?

    Raphaël

     

    oh well that was fun for a week .. looks like they don't want our help, or our 20,000 users .. they would prefer doing it them selves


  2. my last email

    but they don't seem to be listening. they seem to want control.

    The discussion I had with Anne lead me to believeforum.mageia.org will not offer support to "end users" as it competeswith the very community that is supposed to supporting the project.

     

    If Mageia offers its' own support then why shouldcommunity leaders (such as myself) bother?

     

    This is the same problem mandriva had.

     

    If this forum is for developers, and the support is offeredthrough the community, then this "competition" does not happen.

     

    In any case, the dns has changed over the last 24 hours.Forum.mageia.org does not resolve

     

    Paul Willard.


  3. Multiple vulnerabilities has been found and corrected in pcsc-lite:

     

    The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart

    Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow

    local users to cause a denial of service (daemon crash) via crafted

    SCARD_SET_ATTRIB message data, which is improperly demarshalled

    and triggers a buffer over-read, a related issue to CVE-2010-0407

    (CVE-2009-4901).

     

    Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c

    in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4

    and earlier might allow local users to gain privileges via crafted

    SCARD_CONTROL message data, which is improperly demarshalled. NOTE:

    this vulnerability exists because of an incorrect fix for CVE-2010-0407

    (CVE-2009-4902).

     

    Multiple buffer overflows in the MSGFunctionDemarshall function in

    winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE

    PCSC-Lite before 1.5.4 allow local users to gain privileges via

    crafted message data, which is improperly demarshalled (CVE-2010-0407).

     

    Packages for 2008.0 and 2009.0 are provided as of the Extended

    Maintenance Program. Please visit this link to learn more:

    http://store.mandriva.com/product_info.php?cPath=149&products_id=490

     

    The updated packages have been patched to correct these issues.

     

    Update:

     

    The previous MDVSA-2010:189 advisory was missing the packages for CS4,

    this advisory corrects the problem.


  4. Multiple vulnerabilities has been found and corrected in pcsc-lite:

     

    The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart

    Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow

    local users to cause a denial of service (daemon crash) via crafted

    SCARD_SET_ATTRIB message data, which is improperly demarshalled

    and triggers a buffer over-read, a related issue to CVE-2010-0407

    (CVE-2009-4901).

     

    Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c

    in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4

    and earlier might allow local users to gain privileges via crafted

    SCARD_CONTROL message data, which is improperly demarshalled. NOTE:

    this vulnerability exists because of an incorrect fix for CVE-2010-0407

    (CVE-2009-4902).

     

    Multiple buffer overflows in the MSGFunctionDemarshall function in

    winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE

    PCSC-Lite before 1.5.4 allow local users to gain privileges via

    crafted message data, which is improperly demarshalled (CVE-2010-0407).

     

    Packages for 2008.0 and 2009.0 are provided as of the Extended

    Maintenance Program. Please visit this link to learn more:

    http://store.mandriva.com/product_info.php?cPath=149&products_id=490

     

    The updated packages have been patched to correct these issues.


  5. Some vulnerabilities were discovered and corrected in the Linux

    2.6 kernel:

     

    fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always

    follow NFS automount symlinks, which allows attackers to have an

    unknown impact, related to LOOKUP_FOLLOW. (CVE-2010-1088)

     

    The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem

    in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9

    does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure

    members, which might allow local users to obtain sensitive information

    from kernel memory via unspecified vectors. (CVE-2009-3228)

     

    The do_pages_move function in mm/migrate.c in the Linux kernel before

    2.6.33-rc7 does not validate node values, which allows local users

    to read arbitrary kernel memory locations, cause a denial of service

    (OOPS), and possibly have unspecified other impact by specifying a

    node that is not part of the kernel node set. (CVE-2010-0415)

     

    The ATI Rage 128 (aka r128) driver in the Linux kernel before

    2.6.31-git11 does not properly verify Concurrent Command Engine (CCE)

    state initialization, which allows local users to cause a denial of

    service (NULL pointer dereference and system crash) or possibly gain

    privileges via unspecified ioctl calls. (CVE-2009-3620)

     

    The wake_futex_pi function in kernel/futex.c in the Linux kernel

    before 2.6.33-rc7 does not properly handle certain unlock operations

    for a Priority Inheritance (PI) futex, which allows local users to

    cause a denial of service (OOPS) and possibly have unspecified other

    impact via vectors involving modification of the futex value from

    user space. (CVE-2010-0622)

     

    The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel

    2.6 before 2.6.30, when running on x86 systems, does not validate

    the page table root in a KVM_SET_SREGS call, which allows local

    users to cause a denial of service (crash or hang) via a crafted cr3

    value, which triggers a NULL pointer dereference in the gfn_to_rmap

    function. (CVE-2009-2287)

     

    The handle_dr function in arch/x86/kvm/vmx.c in the KVM subsystem

    in the Linux kernel before 2.6.31.1 does not properly verify the

    Current Privilege Level (CPL) before accessing a debug register,

    which allows guest OS users to cause a denial of service (trap)

    on the host OS via a crafted application. (CVE-2009-3722)

     

    The ext4_decode_error function in fs/ext4/super.c in the ext4

    filesystem in the Linux kernel before 2.6.32 allows user-assisted

    remote attackers to cause a denial of service (NULL pointer

    dereference), and possibly have unspecified other impact, via a

    crafted read-only filesystem that lacks a journal. (CVE-2009-4308)

     

    The eisa_eeprom_read function in the parisc isa-eeprom component

    (drivers/parisc/eisa_eeprom.c) in the Linux kernel before 2.6.31-rc6

    allows local users to access restricted memory via a negative ppos

    argument, which bypasses a check that assumes that ppos is positive

    and causes an out-of-bounds read in the readb function. (CVE-2009-2846)

     

    Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the

    XDR implementation in the NFS server in the Linux kernel before

    2.6.34-rc6 allow remote attackers to cause a denial of service (panic)

    or possibly execute arbitrary code via a crafted NFSv4 compound

    WRITE request, related to the read_buf and nfsd4_decode_compound

    functions. (CVE-2010-2521)

     

    mm/shmem.c in the Linux kernel before 2.6.28-rc8, when strict

    overcommit is enabled and CONFIG_SECURITY is disabled, does not

    properly handle the export of shmemfs objects by knfsd, which allows

    attackers to cause a denial of service (NULL pointer dereference and

    knfsd crash) or possibly have unspecified other impact via unknown

    vectors. NOTE: this vulnerability exists because of an incomplete

    fix for CVE-2010-1643. (CVE-2008-7256)

     

    The release_one_tty function in drivers/char/tty_io.c in the

    Linux kernel before 2.6.34-rc4 omits certain required calls to the

    put_pid function, which has unspecified impact and local attack

    vectors. (CVE-2010-1162)

     

    mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict

    overcommit is enabled, does not properly handle the export of shmemfs

    objects by knfsd, which allows attackers to cause a denial of service

    (NULL pointer dereference and knfsd crash) or possibly have unspecified

    other impact via unknown vectors. (CVE-2010-1643)

     

    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c

    in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled,

    allows remote attackers to cause a denial of service (system crash)

    via an SCTPChunkInit packet containing multiple invalid parameters

    that require a large amount of error data. (CVE-2010-1173)

     

    The Transparent Inter-Process Communication (TIPC) functionality in

    Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions,

    allows local users to cause a denial of service (kernel OOPS) by

    sending datagrams through AF_TIPC before entering network mode,

    which triggers a NULL pointer dereference. (CVE-2010-1187)

     

    The sctp_process_unk_param function in net/sctp/sm_make_chunk.c

    in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled,

    allows remote attackers to cause a denial of service (system crash)

    via an SCTPChunkInit packet containing multiple invalid parameters

    that require a large amount of error data. (CVE-2010-1173)

     

    fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel

    before 2.6.34-rc4 allows remote attackers to cause a denial of service

    (panic) via an SMB response packet with an invalid CountHigh value,

    as demonstrated by a response from an OS/2 server, related to the

    CIFSSMBWrite and CIFSSMBWrite2 functions. (CVE-2010-2248)

     

    Buffer overflow in the ecryptfs_uid_hash macro in

    fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux

    kernel before 2.6.35 might allow local users to gain privileges

    or cause a denial of service (system crash) via unspecified

    vectors. (CVE-2010-2492)

     

    The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel

    before 2.6.35 does not properly check the file descriptors passed

    to the SWAPEXT ioctl, which allows local users to leverage write

    access and obtain read access by swapping one file into another

    file. (CVE-2010-2226)

     

    The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux

    kernel before 2.6.35 uses an incorrect size value in calculations

    associated with sentinel directory entries, which allows local

    users to cause a denial of service (NULL pointer dereference and

    panic) and possibly have unspecified other impact by renaming a

    file in a GFS2 filesystem, related to the gfs2_rename function in

    fs/gfs2/ops_inode.c. (CVE-2010-2798)

     

    The do_anonymous_page function in mm/memory.c in the Linux kernel

    before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4,

    and 2.6.35.x before 2.6.35.2 does not properly separate the stack

    and the heap, which allows context-dependent attackers to execute

    arbitrary code by writing to the bottom page of a shared memory

    segment, as demonstrated by a memory-exhaustion attack against the

    X.Org X server. (CVE-2010-2240)

     

    The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct

    Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53,

    2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x

    before 2.6.35.4 allows local users to obtain potentially sensitive

    information from kernel memory by requesting a large memory-allocation

    amount. (CVE-2010-2803)

     

    Integer overflow in net/can/bcm.c in the Controller Area Network (CAN)

    implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before

    2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4

    allows attackers to execute arbitrary code or cause a denial of service

    (system crash) via crafted CAN traffic. (CVE-2010-2959)

     

    Double free vulnerability in the snd_seq_oss_open function

    in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before

    2.6.36-rc4 might allow local users to cause a denial of service or

    possibly have unspecified other impact via an unsuccessful attempt

    to open the /dev/sequencer device. (CVE-2010-3080)

     

    A vulnerability in Linux kernel caused by insecure allocation of user

    space memory when translating system call inputs to 64-bit. A stack

    pointer underflow can occur when using the compat_alloc_user_space

    method with an arbitrary length input. (CVE-2010-3081)

     

    The IA32 system call emulation functionality in

    arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2

    on the x86_64 platform does not zero extend the %eax register after

    the 32-bit entry path to ptrace is used, which allows local users to

    gain privileges by triggering an out-of-bounds access to the system

    call table using the %rax register. NOTE: this vulnerability exists

    because of a CVE-2007-4573 regression. (CVE-2010-3301)

     

    To update your kernel, please follow the directions located at:

     

    http://www.mandriva.com/en/security/kernelupdate


  6. A vulnerability has been found and corrected in squid:

     

    The string-comparison functions in String.cci in Squid 3.x before

    3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a

    denial of service (NULL pointer dereference and daemon crash) via a

    crafted request (CVE-2010-3072).

     

    Packages for 2008.0 and 2009.0 are provided as of the Extended

    Maintenance Program. Please visit this link to learn more:

    http://store.mandriva.com/product_info.php?cPath=149&products_id=490

     

    The updated packages have been patched to correct this issue.


  7. one step forward, two steps back ... who knows what's going on.

     

    If somebody wants to represent us in IRC whilst I sleep (timezone differences) let me know.

     

    Tux99 has been doing well in IRC :)


  8. so the word from on high is mageia would prefer to start "afresh" with zero registered users, rather than leverage on the existing mandrivausers.org community

     

    I'll report back as I discover info


  9. An integer overflow has been found and corrected in bzip2 which could

    be exploited by using a specially crafted bz2 file and cause a denial

    of service attack (CVE-2010-0405).

     

    Additionally clamav has been upgraded to 0.96.2 and has been patched

    for this issue. perl-Compress-Bzip2 in MES5 has been linked against

    the system bzip2 library to resolv this issue.

     

    Packages for 2008.0 and 2009.0 are provided as of the Extended

    Maintenance Program. Please visit this link to learn more:

    http://store.mandriva.com/product_info.php?cPath=149&products_id=490

     

    The updated packages have been patched to correct this issue.


  10. This is a maintenance release of mozilla firefox and thunderbird that

    upgrades firefox to 3.6.10 and thunderbird to 3.0.8.

     

    Packages for 2008.0 and 2009.0 are provided as of the Extended

    Maintenance Program. Please visit this link to learn more:

    http://store.mandriva.com/product_info.php?cPath=149&products_id=490

     

    Additionally, some packages which require so, have been rebuilt and

    are being provided as updates.


  11. A vulnerability has been found and corrected in samba:

     

    Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse

    functions in Samba before 3.5.5 allows remote attackers to cause a

    denial of service (crash) and possibly execute arbitrary code via a

    crafted Windows Security ID (SID) on a file share (CVE-2010-3069).

     

    The updated packages have been patched to correct this issue.


  12. This from the MUGS mailing list

    This is a message from LuismaGo, from Blogdrake.net:

     

    "I think we are going through the hardest part in the life of Mandriva, even harder than when Mandrake broke and the Club had to be brought up. At least, there was no desktop distribution that could meet Mandrake during that crisis, and the Community (yes, with upper "C") responded in the right way: supporting Mandrake economically when the Club was created as a financing method.

     

    Now there is no possibility of economic recovery, if we consider the rumors coming from the company itself. Mandriva company has made several moves all over the place: the purchase of Conectiva, using a weird name to the distro, buying Lycoris, changing the names of the releases, switching to an annual release, firing Gaël Duval, switching back to two releases by year, believing that Spring happens at the same time in France and in the rest of the world, dissolution of the Club, giving diversity of versions of the same distribution that confuse users (One, Free, Powerpack), major restructuring changes like the one that made Adam Williamson leave, many CEO changes, payments suspensions, company bankruptcy and main developers fleeing the company.

     

    The current situation is that the distro is abandoned by the company until the next board meeting decides what should be done about it. But even if the decision is made to move forward with the distro there is one problem: the developers have left.

     

    I think that none of those that belong to the communities have now the same knowledge of how developments that were done by them work, and although this can be fixed (the source code is there to be studied) it takes time, and it may take a long time. We need them if we want to create the Community fork of Mandriva, so here are the two possibilities that can co-exist:

     

    1.- Mandriva-company creates a foundation, just like Fedora, and gives the Community certain tools to enable the development of a base that they can later polish and then use it for their servers distributions.

     

    2.- The community continues on its own and creates a distribution, following the CentOS model, identical (or almost) with the Mandriva-company one but with another name. This would be the fork, strictly speaking.

     

    Although the first option seems easier due to the support in infrastructure received by the company, we have to bear in mind that without the current developers, who obviously won't cooperate with the company that kicked them off, the base distribution will be very poor and can take a long time to go back to the level of the current distro, and the level could even get worse instead of improving.

     

    The second option is more feasible but only if the current developers have a job that allows them to cooperate as part of the community and open the path so that the community gets involved as fast as possible.

     

    Anyway, both options need the Community to get involved in the development. The first thing to do is to change the concept of Community. It should not be a simple "alliance" between MUGs or separated groups. The Community should be all of us, the users of the current Mandriva-distro, some more active than others, but not separated in independent groups. We all know that not everybody can, want or know how to cooperate, but that level of involvement is not necessary. All that's necessary is a critical mass that will be involved in development, translation, tests and bugs hunting or just propaganda.

     

    We have to forget about MIB, MUD or BDK-packagers. Now we can't go on our own. Now all the participants of these projects have to stop being a complement to the packages that Mandriva provides, but they will have to provide the packages that Mandriva provided, and not separately but as a single one homogeneous Community. Therefore a key aspect is to count on the help of the current developers who left. Their leadership and their knowledge is what that can unify all this. And, of course, there is still a lot to discuss about how to finance all this.

     

    I finish with a third option: the current developers of Mandriva end up working for another distro and they integrate the MCC and all the Drakes in it. I think that the solution here is pretty clear for all of us."

     

    We are interested in the views of all of you to act accordingly.

×
×
  • Create New...