Jump to content

aru

Members
 View Profile  See their activity

  • Posts

    2022

  • Joined

  • Last visited

 Content Type 

Everything posted by aru

  1. aru
    Mandriva Advisories MDKSA-2006:055 : gnupg Updated gnupg packages fix signature file verification vulnerability March 13th, 2006 Another vulnerability, different from that fixed in MDKSA-2006:043 (CVE-2006-0455), was discovered in gnupg in the handling of signature files. This vulnerability is corrected in gnupg 1.4.2.2 which is being provided with this update. The released versions of Mandriva GNU/Linux affected are: CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:055 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  2. aru
    Mandriva Advisories MDKSA-2006:035-1 : php Updated php packages fix vulnerability March 9th, 2006 A flaw in the PHP gd extension in versions prior to 4.4.1 could allow a remote attacker to bypass safe_mode and open_basedir restrictions via unknown attack vectors. Update: A regression was introduced with the backported patch from PHP 4.4.1 that would prevent PHP from creating a new file with imagepng(), imagejpeg(), etc.Thanks to Tibor Pittich for bringing this to our attention. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: CS3.0 MNF2.0 10.2 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:035-1 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391 http://bugs.php.net/bug.php?id=35071 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  3. aru
    Mandriva Advisories MDKSA-2006:054 : kdegraphics Updated kdegraphics packages fixes overflow vulnerabilities March 8th, 2006 Marcelo Ricardo Leitner discovered the official published kpdf patches for several previous xpdf vulnerabilities were lacking some hunks published by upstream xpdf. As a result, kpdf is still vulnerable to certain carefully crafted pdf files. Although previous updates captured most of these changes, this new update picks up some of the missing patches. The updated packages have been patched to correct these problems. The released versions of Mandriva GNU/Linux affected are: CS3.0 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:054 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0746 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  4. aru
    Mandriva Advisories MDKSA-2006:053 : freeciv Updated freeciv packages fix DoS vulnerabilities March 7th, 2006 A Denial of Service vulnerability was discovered in the civserver component of the freeciv game on certain incoming packets. The updated packages have been patched to fix this issue. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:053 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0047 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  5. aru
    Mandriva Advisories MDKA-2006:021 : samba Updated samba packages fix bugs March 7th, 2006 Samba provides SMB/CIFS services (such as file and printer sharing) used by clients compatible with Microsoft Windows. This update introduces a new version of Samba for CS3.0 users. Main changes include: - fix for password change when using the LDAP backend problem introduced in the last update (3.0.10); - update to version 3.0.14a - update of the vscan layer to version 0.3.6 - update of smbldap-tools to version 0.8.7 - removal of sql authentication modules Details ======= a) Outdated samba.schema file in the openldap-servers package The samba.schema file from the previous openldap-servers package did not include support for the password history feature samba uses. When using the LDAP backend, this would cause password changes to fail. To fix this, a new openldap-servers package is being provided with the correct samba.schema file. b) Default ACLs in openldap-servers The /etc/openldap/slapd.access.conf file from the openldap-servers package has been updated to deal with the new samba password history attribute. The post-installation procedure of the package will automatically make the necessary adjustments to that file. c) Samba 3.0.14a highlights include: - new privilege model which allows assignment of certain privileges to users and groups so that the administrator account is no longer needed for certain operations. Please see the Samba-HOWTO-Collection for details. - large directory support: samba now can handle large directories with many thousand of files much better. See the Samba-HOWTO-Collection for details. - fixes for compatibility issues between winbind and w2k3-sp1 domain controllers For more detailed changes, please refer to the WHATSNEW.txt file in the samba-doc package. d) smbldap-tools details A missing dependency on perl-IO-Socket-SSL has been added which affects sites using SSL/TLS between smbldap-tools and the LDAP server. Additionally, a new dependency had to be added: perl-Crypt-SmbHash, which is being supplied with this update. Finally, smbldap-tools has been moved into its own package. The upgrade should pull in this new package automatically. e) mount-cifs The mount.cifs utility has been moved to a package of its own called "mount-cifs". Upgrades should automatically pull in this new package if it was being used before. f) SQL modules are deprecated The sql authentication modules (pgsql and mysql) have been removed due to lack of maintenance and several serious issues. Please see https://bugzilla.samba.org/show_bug.cgi?id=3375 for an overview of the problems and the reasons for why its support has been dropped for the time being. Upgrade issues ============== a) smbldap-tools smbldap-tools has been updated to version 0.8.7, which is the version that comes with samba-3.0.14a.This new version has a different configuration layout: now all configuration files are stored under the /etc/smbldap-tools directory. The upgrade process will try to convert any existing configuration to this new format, but at least the following parameters will have to be reviewed in the /etc/smbldap-tools/smbldap.conf file: - ldapTLS may be set to 1 regardless of how ldapSSL was set in the previous configuration; - sambaUnixIdPooldn may still be using the default "example" domain in it After reviewing the /etc/smbldap-tools/smbldap.conf configuration file for any remaining issues, the "smbldap-populate" script has to be rerun in order to add new attributes to the directory server. This will complete the smbldap-tools migration process. If the smbldap-tools configuration file is not converted automatically, please run the script /usr/share/samba/scripts/migrate-smbldap manually and then proceed to the review of the /etc/smbldap-tools-foo configuration file. Known issues ============ Some smbldap-tools configuration directives can not be left empty, even though the configuration file says so. These are: - _userSmbHome - _userHomeDrive - _userProfile This may be fixed in a future update. The released versions of Mandriva GNU/Linux affected are: CS3.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKA-2006:021 Other references: https://bugzilla.samba.org/show_bug.cgi?id=3375 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  6. aru
    Mandriva Advisories MDKA-2006:020 : libaio New libaio packages provide Oracle Express support March 6th, 2006 The libaio package is being made available as an official/main package to provide out-of-the-box support for Oracle Express in Mandriva Linux 2006. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKA-2006:020 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  7. aru
    Mandriva Advisories MDKSA-2006:052 : mozilla-thunderbird Updated mozilla-thunderbird packages fix vulnerability March 2nd, 2006 The WYSIWYG rendering engine in Mozilla Thunderbird 1.0.7 and earlier allows user-complicit attackers to bypass javascript security settings and obtain sensitive information or cause a crash via an e-mail containing a javascript URI in the SRC attribute of an IFRAME tag, which is executed when the user edits the e-mail. Updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:052 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0884 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  8. aru
    Mandriva Advisories MDKSA-2006:051 : gettext Updated gettext packages fix temporary file vulnerabilities February 28th, 2006 The Trustix developers discovered temporary file vulnerabilities in the autopoint and gettextize scripts, part of GNU gettext.These scripts insecurely created temporary files which could allow a malicious user to overwrite another user's files via a symlink attack. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: CS3.0 MNF2.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:051 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0966 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  9. aru
    Mandriva Advisories MDKSA-2006:050 : unzip Updated unzip packages fix vulnerabilities February 27th, 2006 A buffer overflow was foiund in how unzip handles file name arguments. If a user could tricked into processing a specially crafted, excessively long file name with unzip, an attacker could execute arbitrary code with the user's privileges. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:050 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4667 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  10. aru
    Mandriva Advisories MDKSA-2006:048 : mplayer Updated mplayer packages fix integer overflow vulnerabilities February 24th, 2006 Multiple integer overflows in (1) the new_demux_packet function in demuxer.h and (2) the demux_asf_read_packet function in demux_asf.c in MPlayer 1.0pre7try2 and earlier allow remote attackers to execute arbitrary code via an ASF file with a large packet length value. The updated packages have been patched to prevent this problem. The released versions of Mandriva GNU/Linux affected are: CS3.0 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:048 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  11. aru
    Mandriva Advisories MDKSA-2006:049 : squirrelmail Updated squirrelmail packages fix vulnerabilities February 27th, 2006 Webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. (CVE-2006-0188) Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. (CVE-2006-0195) CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection." (CVE-2006-0377) Updated packages are patched to address these issues. The released versions of Mandriva GNU/Linux affected are: CS3.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:049 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  12. aru
    Mandriva Advisories MDKSA-2006:047 : metamail Updated metamail packages fix vulnerability February 22nd, 2006 Ulf Harnhammar discovered a buffer overflow vulnerability in the way that metamail handles certain mail messages.An attacker could create a carefully-crafted message that, when parsed via metamail, could execute arbitrary code with the privileges of the user running metamail. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:047 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0709 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  13. aru
    Mandriva Advisories MDKSA-2006:046 : tar Updated tar packages fix vulnerability February 21st, 2006 Gnu tar versions 1.14 and above have a buffer overflow vulnerability and some other issues including: - Carefully crafted invalid headers can cause buffer overrun. - Invalid header fields go undiagnosed. - Some valid time strings are ignored. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:046 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  14. aru
    Mandriva Advisories MDKSA-2006:045 : MySQL Updated MySQL packages fix temporary file vulnerability February 21st, 2006 Eric Romang discovered a temporary file vulnerability in the mysql_install_db script provided with MySQL.This vulnerability only affects versions of MySQL 4.1.x prior to 4.1.12. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.2 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:045 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1636 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  15. aru
    Mandriva Advisories MDKSA-2006:044 : kernel Updated kernel packages fix multiple vulnerabilities February 21st, 2006 A number of vulnerabilities have been discovered and corrected in the Linux 2.4 kernel: A numeric casting discrepancy in sdla_xfer could allow a local user to read portions of kernel memory via a large len argument (CVE-2004-2607). The traps.c file executes stack segment faults on an exception stack, which could allow a local user to cause an oops and stack fault exception (CVE-2005-1767). The find_target function in ptrace32.c does not properly handle a NULL return value from another function, allowing local users to cause a kernel crash/oops by running a 32-bit ltrace program with the -i option on a 64-bit executable program (CVE-2005-2553). A race condition in ip_vs_conn_flush, when running on SMP systems, could allow a local attacker to cause null dereference DoS by causing a connection timer to expire while the connection table is being flushed before the appropriate lock is acquired (CVE-2005-3274). The NAT code in ip_nat_proto_tcp.c and ip_nat_proto_udp.c incorrectly declares a variable to be static, which could allow a remote attacker to cause a Denial of Service via memory corruption by causing two packets for the same protocol to be NATed at the same time (CVE-2005-3275). The IPv6 flowlabel handling code modified the wrong variable in certain circumstances, which could allow a local user to corrupt kernel memory or cause a Denial of Service (crash) by triggering a free of non- allocated memory (CVE-2005-3806). The wan/sdla.c file does not require CAP_SYS_RAWIO privilege for an SDLA firmware upgrade with unknown impact and local attack vectors (CVE-2006-0096). The provided packages are patched to fix these vulnerabilities.All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate The released versions of Mandriva GNU/Linux affected are: CS2.1 CS3.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:044 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2607 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0096 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  16. aru
    Mandriva Advisories MDKSA-2006:043 : gnupg Updated gnupg packages fix signature file verification vulnerability February 17th, 2006 Tavis Ormandy discovered it is possible to make gpg incorrectly return success when verifying an invalid signature file. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:043 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0455 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  17. aru
    Mandriva Advisories MDKSA-2006:042 : libtiff Updated libtiff packages fix vulnerability February 17th, 2006 Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.Although some of the previous updates appear to already catch this issue, this update adds some additional checks. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:042 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1544 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  18. aru
    Mandriva Advisories MDKSA-2006:041 : bluez-hcidump Updated bluez-hcidump packages fix buffer overflow vulnerability February 17th, 2006 Buffer overflow in l2cap.c in hcidump allows remote attackers to cause a denial of service (crash) through a wireless Bluetooth connection via a malformed Logical Link Control and Adaptation Protocol (L2CAP) packet. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:041 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0670 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  19. aru
    Mandriva Advisories MDKSA-2006:040 : kernel Updated kernel packages fix multiple vulnerabilities February 17th, 2006 A number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The udp_v6_get_port function in udp.c, when running IPv6, allows local users to cause a Denial of Service (infinite loop and crash) (CVE-2005-2973). The mq_open system call in certain situations can decrement a counter twice as a result of multiple calls to the mntput function when the dentry_open function call fails, allowing a local user to cause a DoS (panic) via unspecified attack vectors (CVE-2005-3356). The procfs code allows attackers to read sensitive kernel memory via unspecified vectors in which a signed value is added to an unsigned value (CVE-2005-4605). A buffer overflow in sysctl allows local users to cause a DoS and possibly execute arbitrary code via a long string, which causes sysctl to write a zero byte outside the buffer (CVE-2005-4618). A buffer overflow in the CA-driver for TwinHan DST Frontend/Card allows local users to cause a DoS (crash) and possibly execute arbitrary code by reading more than eight bytes into an eight byte long array (CVE-2005-4639). dm-crypt does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key (CVE-2006-0095). Remote attackers can cause a DoS via unknown attack vectors related to an "extra dst release when ip_options_echo fails" in icmp.c (CVE-2006-0454). In addition to these security fixes, other fixes have been included such as: - support for mptsas - fix for IPv6 with sis190 - a problem with the time progressing twice as fast - a fix for Audigy 2 ZS Video Editor sample rates - a fix for a supermount crash when accessing a supermount-ed CD/DVD drive - a fix for improperly unloading sbp2 module The provided packages are patched to fix these vulnerabilities.All users are encouraged to upgrade to these updated kernels. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:040 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3356 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4618 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4639 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0454 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  20. aru
    Mandriva Advisories MDKA-2006:019 : postgresql Updated postgresql packages fix various bugs February 14th, 2006 Various bugs in the PostgreSQL 8.0.x branch have been corrected with the latest 8.0.7 maintenance release which is being provided for Mandriva Linux 2006 users. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKA-2006:019 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  21. aru
    Mandriva Advisories MDKSA-2006:039 : gnutls Updated gnutls packages fix libtasn1 out-of-bounds access vulnerabilities February 13th, 2006 Evgeny Legerov discovered cases of possible out-of-bounds access in the DER decoding schemes of libtasn1, when provided with invalid input.This library is bundled with gnutls. The provided packages have been patched to correct these issues. The released versions of Mandriva GNU/Linux affected are: 10.1 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:039 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0645 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  22. aru
    Mandriva Advisories MDKA-2006:018 : ghostscript Updated ghostscript packages fix various bugs February 10th, 2006 A number of bugs have been corrected with this latest ghostscript package including a fix when rendering imaged when converting PostScript to PDF with ps2pdf, a crash when generating PDF files with the pdfwrite device, several segfaults, a fix for vertical japanese text, and a number of other fixes. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKA-2006:018 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  23. aru
    Mandriva Advisories MDKSA-2006:038 : groff Updated groff packages fix temporary file vulnerabilities February 8th, 2006 The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package.It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files the privileges of the user invoking groffer. Likewise, similar temporary file issues were fixed in the pic2graph and eqn2graph programs which now use mktemp to create temporary files, as discovered by Javier Fernandez-Sanguino Pena. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:038 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0969 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  24. aru
    Mandriva Advisories MDKSA-2006:037 : mozilla-firefox Updated mozilla-firefox packages to address DoS vulnerability February 7th, 2006 Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. (CVE-2006-0292) The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. (CVE-2006-0296) Updated packages are patched to address these issues. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:037 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
  25. aru
    Mandriva Advisories MDKSA-2006:036 : mozilla Updated mozilla packages to address DoS vulnerability February 7th, 2006 Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. (CVE-2006-0292) The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. (CVE-2006-0296) Updated packages are patched to address these issues. The released versions of Mandriva GNU/Linux affected are: CS3.0 Full information about this advisory, including the updated packages, is available at: wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:036 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0296 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)
×
×
  • Create New...