
Advisories, September 28, 2006

Sep 29, 2006, 03:45

Debian GNU/Linux


Debian Security Advisory DSA 1185-1 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
September 28th, 2006 http://www.debian.org/security/faq


Package : openssl
Vulnerability : denial of service
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-2937

Multiple vulnerabilities have been discovered in the OpenSSL cryptographic software package that could allow an attacker to launch a denial of service attack by exhausting system resources or crashing processes on a victim's computer.

CVE-2006-2937

Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL two denial of service vulnerabilities were discovered. During the parsing of certain invalid ASN1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory. Any code which uses OpenSSL to parse ASN1 data from untrusted sources is affected. This includes SSL servers which enable client authentication and S/MIME applications.

CVE-2006-3738

Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in the SSL_get_shared_ciphers utility function, used by some applications such as exim and mysql. An attacker could send a list of ciphers that would overrun a buffer.

CVE-2006-4343

Tavis Ormandy and Will Drewry of the Google Security Team discovered a possible DoS in the sslv2 client code. Where a client application uses OpenSSL to make a SSLv2 connection to a malicious server that server could cause the client to crash.

CVE-2006-2940

Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL a DoS was discovered. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack.

For the stable distribution (sarge) these problems have been fixed in version 0.9.7e-3sarge3.

For the unstable and testing distributions (sid and etch, respectively), these problems will be fixed in version 0.9.7k-2 of the openssl097 compatibility libraries, and version 0.9.8c-2 of the openssl package.

We recommend that you upgrade your openssl package. Note that services linking against the openssl shared libraries will need to be restarted. Common examples of such services include most Mail Transport Agents, SSH servers, and web servers.
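
A check for the restart requirement above, as an added example that is not part of the Debian advisory: after the upgrade, a process that still maps the old libssl or libcrypto shows the library path marked "(deleted)" in its /proc/<pid>/maps. The function names, the sample PIDs, process names and library paths are constructed for illustration.

```sh
#!/bin/sh
# Added example: list processes that still map a pre-upgrade copy of the
# OpenSSL shared libraries and therefore still run the unpatched code.

# stale_openssl_maps FILE
# Print each distinct libssl/libcrypto path that a /proc/<pid>/maps-style
# file marks as "(deleted)". Exit status 0 if any were found, 1 otherwise.
stale_openssl_maps() {
    awk '
        / \(deleted\)$/ && $6 ~ /\/lib(ssl|crypto)\.so/ {
            if (!seen[$6]++) print $6
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# scan_proc [PROC_ROOT]
# Walk every numeric directory under PROC_ROOT (default /proc) and print
# "PID COMMAND LIBRARY" for each process that needs a restart.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        libs=$(stale_openssl_maps "$dir/maps" 2>/dev/null) || continue
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample: a fake /proc tree with one process started before the
# upgrade (PID 101) and one restarted after it (PID 202).
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo exim4 > "$1/101/comm"
    cat > "$1/101/maps" <<'EOF'
b7d00000-b7d30000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.7 (deleted)
b7d30000-b7d33000 rw-p 00030000 08:01 1234 /usr/lib/libssl.so.0.9.7 (deleted)
b7c00000-b7cf0000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.0.9.7 (deleted)
b7e00000-b7f20000 r-xp 00000000 08:01 2222 /lib/libc-2.3.2.so
EOF
    echo sshd > "$1/202/comm"
    cat > "$1/202/maps" <<'EOF'
b7d00000-b7d30000 r-xp 00000000 08:01 5678 /usr/lib/libssl.so.0.9.7
b7e00000-b7f20000 r-xp 00000000 08:01 2222 /lib/libc-2.3.2.so
EOF
}

# Scan the live system when invoked as: sh thisfile scan
# (run as root so that every process's maps file is readable).
if [ "${1:-}" = scan ]; then
    scan_proc /proc
fi
```

Any process the scan lists should be restarted; an empty result means no running process still holds the old library.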

Upgrade Instructions


wget url

will fetch the file for you

dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database

apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200609-17:02

http://security.gentoo.org/


Severity: Normal
Title: OpenSSH: Denial of Service
Date: September 27, 2006
Updated: September 27, 2006
Bugs: #148228
ID: 200609-17:02


Errata

The Resolution proposed in the original version of this Security Advisory listed a wrong version number.

The corrected section appears below.

Resolution

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r5"

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-17.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-18

http://security.gentoo.org/


Severity: Normal
Title: Opera: RSA signature forgery
Date: September 28, 2006
Bugs: #147838
ID: 200609-18


Synopsis

Opera fails to correctly verify certain signatures.

Background

Opera is a multi-platform web browser.

Affected packages


     Package           /  Vulnerable  /                     Unaffected

  1  www-client/opera       < 9.0.2                           >= 9.0.2

Description

Opera makes use of OpenSSL, which fails to correctly verify PKCS #1 v1.5 RSA signatures signed by a key with exponent 3. Some CAs in Opera's list of trusted signers are using root certificates with exponent 3.

Impact

An attacker could forge certificates which will appear valid and signed by a trusted CA.

Workaround

There is no known workaround at this time.

Resolution

All Opera users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/opera-9.0.2"

References

[ 1 ] Opera Advisory

http://www.opera.com/support/search/supsearch.dml?index=845

[ 2 ] GLSA 200609-05

http://www.gentoo.org/security/en/glsa/glsa-200609-05.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-18.xml



Gentoo Linux Security Advisory GLSA 200609-19

http://security.gentoo.org/


Severity: Normal
Title: Mozilla Firefox: Multiple vulnerabilities
Date: September 28, 2006
Bugs: #147652
ID: 200609-19


Synopsis

The Mozilla Foundation has reported numerous vulnerabilities in Mozilla Firefox, including one that may allow execution of arbitrary code.

Background

Mozilla Firefox is a redesign of the Mozilla Navigator component. The goal is to produce a cross-platform, stand-alone browser application.

Affected packages


     Package                         /  Vulnerable  /       Unaffected

  1  www-client/mozilla-firefox          < 1.5.0.7          >= 1.5.0.7
  2  www-client/mozilla-firefox-bin      < 1.5.0.7          >= 1.5.0.7
     -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

A number of vulnerabilities were found and fixed in Mozilla Firefox. For details please consult the references below.

Impact

The most severe vulnerability involves enticing a user to visit a malicious website, crashing the browser and executing arbitrary code with the rights of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.7"

Users of the binary package should upgrade as well:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.7"

References

[ 1 ] CVE-2006-4253

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4253

[ 2 ] CVE-2006-4340

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340

[ 3 ] CVE-2006-4565

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4565

[ 4 ] CVE-2006-4566

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4566

[ 5 ] CVE-2006-4567

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4567

[ 6 ] CVE-2006-4568

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4568

[ 7 ] CVE-2006-4569

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4569

[ 8 ] CVE-2006-4571

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4571

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-19.xml



Gentoo Linux Security Advisory GLSA 200609-20

http://security.gentoo.org/


Severity: High
Title: DokuWiki: Shell command injection and Denial of Service
Date: September 28, 2006
Bugs: #149266
ID: 200609-20


Synopsis

DokuWiki is vulnerable to shell command injection and Denial of Service attacks when using ImageMagick.

Background

DokuWiki is a wiki targeted at developer teams, workgroups and small companies. It does not use a database backend.

Affected packages


     Package            /   Vulnerable   /                  Unaffected

  1  www-apps/dokuwiki      < 20060309e                   >= 20060309e

Description

Input validation flaws have been discovered in the image handling of fetch.php if ImageMagick is used, which is not the default method.

Impact

A remote attacker could exploit the flaws to execute arbitrary shell commands with the rights of the web server daemon or cause a Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All DokuWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309e"

References

[ 1 ] DokuWiki Announcement

http://www.freelists.org/archives/dokuwiki/09-2006/msg00278.html

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-20.xml


Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:157-1
http://www.mandriva.com/security/


Package : musicbrainz
Date : September 28, 2006
Affected: 2007.0


Problem Description:

Multiple buffer overflows in libmusicbrainz (aka mb_client or MusicBrainz Client Library) 2.1.2 and earlier, and SVN 8406 and earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a long Location header by the HTTP server, which triggers an overflow in the MBHttp::Download function in lib/http.cpp; and (2) a long URL in RDF data, as demonstrated by a URL in an rdf:resource field in an RDF XML document, which triggers overflows in many functions in lib/rdfparse.c.

The updated packages have been patched to correct this issue.

Update:

Packages are now available for Mandriva Linux 2007.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4197


Updated Packages:



To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:170-1
http://www.mandriva.com/security/


Package : webmin
Date : September 27, 2006
Affected: 2007.0


Problem Description:

Webmin before 1.296 and Usermin before 1.226 do not properly handle a URL with a null ("%00") character, which allows remote attackers to conduct cross-site scripting (XSS), read CGI program source code, list directories, and possibly execute programs.

Updated packages have been patched to correct this issue.

Update:

Packages are now available for Mandriva Linux 2007.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4542


Updated Packages:

Mandriva Linux 2007.0:
e47e91c741de0fa6fabb1653784c0400 2007.0/i586/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e 2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
e6042ec6b4e74f560e9a05f8b05fafd5 2007.0/x86_64/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e 2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm




Mandriva Linux Security Advisory MDKSA-2006:171
http://www.mandriva.com/security/


Package : openldap
Date : September 28, 2006
Affected: 2006.0


Problem Description:

slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).

Packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4600


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2006:172
http://www.mandriva.com/security/


Package : openssl
Date : September 28, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0


Problem Description:

Dr S N Henson of the OpenSSL core team and Open Network Security recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test suite was run against OpenSSL two denial of service vulnerabilities were discovered.

During the parsing of certain invalid ASN1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory. (CVE-2006-2937)

Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack. (CVE-2006-2940)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in the SSL_get_shared_ciphers utility function, used by some applications such as exim and mysql. An attacker could send a list of ciphers that would overrun a buffer. (CVE-2006-3738)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a possible DoS in the sslv2 client code. Where a client application uses OpenSSL to make a SSLv2 connection to a malicious server that server could cause the client to crash. (CVE-2006-4343)

Updated packages are patched to address these issues.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2006:173
http://www.mandriva.com/security/


Package : ffmpeg
Date : September 28, 2006
Affected: 2006.0, Corporate 3.0, Corporate 4.0


Problem Description:

Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:

Mandriva Linux 2006.0:
70f951cfb00bd1a976ffd682f71c23ef 2006.0/i586/ffmpeg-0.4.9-0.pre1.5.2.20060mdk.i586.rpm
0de2a4efb5beb153e13a46ef160076b3 2006.0/i586/libffmpeg0-0.4.9-0.pre1.5.2.20060mdk.i586.rpm
80a876fead4c2f1fda335964b84407fd 2006.0/i586/libffmpeg0-devel-0.4.9-0.pre1.5.2.20060mdk.i586.rpm
8a22beb958201500862541f9cc18c399 2006.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
dc1aed466f6b4064765a1a333c7c4710 2006.0/x86_64/ffmpeg-0.4.9-0.pre1.5.2.20060mdk.x86_64.rpm
299a9fcfdce014cc13b906df6fe133f6 2006.0/x86_64/lib64ffmpeg0-0.4.9-0.pre1.5.2.20060mdk.x86_64.rpm
9b2483e5edb8cf196b0df877706c315f 2006.0/x86_64/lib64ffmpeg0-devel-0.4.9-0.pre1.5.2.20060mdk.x86_64.rpm
8a22beb958201500862541f9cc18c399 2006.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.2.20060mdk.src.rpm

Corporate 3.0:
ebebfa31e3817060e6f1862e7bb673a2 corporate/3.0/i586/ffmpeg-0.4.8-7.3.C30mdk.i586.rpm
51e303559d0d07ff86af703906065e19 corporate/3.0/i586/libffmpeg0-0.4.8-7.3.C30mdk.i586.rpm
6375f7c63d7c53d18d5ea16c8d96e9c1 corporate/3.0/i586/libffmpeg0-devel-0.4.8-7.3.C30mdk.i586.rpm
b089b6a12c6390aed83c5dd412e35da7 corporate/3.0/SRPMS/ffmpeg-0.4.8-7.3.C30mdk.src.rpm

Corporate 3.0/X86_64:
85c5aa0a8021680bfa987a652f94cde5 corporate/3.0/x86_64/ffmpeg-0.4.8-7.3.C30mdk.x86_64.rpm
e26a80cc7d31cdcccda6e4d69eb13722 corporate/3.0/x86_64/lib64ffmpeg0-0.4.8-7.3.C30mdk.x86_64.rpm
35194873a8a53e71950d5c042245b03a corporate/3.0/x86_64/lib64ffmpeg0-devel-0.4.8-7.3.C30mdk.x86_64.rpm
b089b6a12c6390aed83c5dd412e35da7 corporate/3.0/SRPMS/ffmpeg-0.4.8-7.3.C30mdk.src.rpm

Corporate 4.0:
064b1663a622879bf77f6f565b83cb96 corporate/4.0/i586/libffmpeg0-0.4.9-0.pre1.5.2.20060mlcs4.i586.rpm
c558365bbaf260429be0a6f51a5f3875 corporate/4.0/i586/libffmpeg0-devel-0.4.9-0.pre1.5.2.20060mlcs4.i586.rpm
91d0e04a3df240ecd67c74b64a48bb62 corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
5563813e75db69e560e32729f872a2a8 corporate/4.0/x86_64/lib64ffmpeg0-0.4.9-0.pre1.5.2.20060mlcs4.x86_64.rpm
7f5c2f384e711027ad1e9fd76f4abe3f corporate/4.0/x86_64/lib64ffmpeg0-devel-0.4.9-0.pre1.5.2.20060mlcs4.x86_64.rpm
91d0e04a3df240ecd67c74b64a48bb62 corporate/4.0/SRPMS/ffmpeg-0.4.9-0.pre1.5.2.20060mlcs4.src.rpm


Mandriva Linux Security Advisory MDKSA-2006:174
http://www.mandriva.com/security/


Package : gstreamer-ffmpeg
Date : September 28, 2006
Affected: 2006.0, 2007.0


Problem Description:

Gstreamer-ffmpeg uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:

Mandriva Linux 2006.0:
c49b397719d1143231cb030f9e9cd003 2006.0/i586/gstreamer-ffmpeg-0.8.6-1.2.20060mdk.i586.rpm
a0afe9ef876a409ca594b4fdb75921ad 2006.0/SRPMS/gstreamer-ffmpeg-0.8.6-1.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
03003e5d2ee3f613a7ccd9552fdc7124 2006.0/x86_64/gstreamer-ffmpeg-0.8.6-1.2.20060mdk.x86_64.rpm
a0afe9ef876a409ca594b4fdb75921ad 2006.0/SRPMS/gstreamer-ffmpeg-0.8.6-1.2.20060mdk.src.rpm

Mandriva Linux 2007.0:
884a134c1ded68502a461754b51dce85 2007.0/i586/gstreamer-ffmpeg-0.8.7-3.1mdv2007.0.i586.rpm
d30f67740f6f6b9769609e613fd44b59 2007.0/SRPMS/gstreamer-ffmpeg-0.8.7-3.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
90b711e579e72a96441b16b5e38bb5ff 2007.0/x86_64/gstreamer-ffmpeg-0.8.7-3.1mdv2007.0.x86_64.rpm
d30f67740f6f6b9769609e613fd44b59 2007.0/SRPMS/gstreamer-ffmpeg-0.8.7-3.1mdv2007.0.src.rpm


Mandriva Linux Security Advisory MDKSA-2006:175
http://www.mandriva.com/security/


Package : mplayer
Date : September 28, 2006
Affected: 2006.0, Corporate 3.0


Problem Description:

Mplayer uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:

Mandriva Linux 2006.0:
ba2fe0a33637c9b56c18b42ddd1f5baa 2006.0/i586/libdha1.0-1.0-1.pre7.12.4.20060mdk.i586.rpm
b0ff5a0592dd789ead011359a14d232c 2006.0/i586/libpostproc0-1.0-1.pre7.12.4.20060mdk.i586.rpm
a9f6f27f005603ad305933a593d52c6c 2006.0/i586/libpostproc0-devel-1.0-1.pre7.12.4.20060mdk.i586.rpm
a327015bb156971a727dc6b08f3c6205 2006.0/i586/mencoder-1.0-1.pre7.12.4.20060mdk.i586.rpm
fbdcb5720e94ebe5d48f9bde3943629c 2006.0/i586/mplayer-1.0-1.pre7.12.4.20060mdk.i586.rpm
e5ade5cfbefe54bb8db5f6ec55c3e703 2006.0/i586/mplayer-gui-1.0-1.pre7.12.4.20060mdk.i586.rpm
15261692bbcc0c8326c99f9404b021be 2006.0/SRPMS/mplayer-1.0-1.pre7.12.4.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
a1b2195873fc74dee070f8f1dd7c7972 2006.0/x86_64/lib64postproc0-1.0-1.pre7.12.4.20060mdk.x86_64.rpm
48630b15e0d33eb51566783a55c29561 2006.0/x86_64/lib64postproc0-devel-1.0-1.pre7.12.4.20060mdk.x86_64.rpm
ba2fe0a33637c9b56c18b42ddd1f5baa 2006.0/x86_64/libdha1.0-1.0-1.pre7.12.4.20060mdk.i586.rpm
b0ff5a0592dd789ead011359a14d232c 2006.0/x86_64/libpostproc0-1.0-1.pre7.12.4.20060mdk.i586.rpm
a9f6f27f005603ad305933a593d52c6c 2006.0/x86_64/libpostproc0-devel-1.0-1.pre7.12.4.20060mdk.i586.rpm
1b1d5655127cb355a650b63fb2ccf786 2006.0/x86_64/mencoder-1.0-1.pre7.12.4.20060mdk.x86_64.rpm
53762878ca52dfad5fece2de9fc29f65 2006.0/x86_64/mplayer-1.0-1.