Date: Wed, 20 Jun 2001 14:18:29 -0600
From: Linux Mandrake Security Team <security@linux-mandrake.com>
Subject: MDKSA-2001:060 - rxvt

______________________________________________________________________

Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name: rxvt
Date: June 20th, 2001
Advisory ID: MDKSA-2001:060
Affected versions: None
______________________________________________________________________

Problem Description:

Samuel Dralet recently discovered a vulnerability in the rxvt terminal emulator: a buffer overflow in the command.c file. This overflow can be exploited to gain elevated privileges on the system if rxvt is installed setgid. Because rxvt has never been installed setgid on any Mandrake Linux system, Mandrake Linux is not vulnerable to the problem.
______________________________________________________________________

References:

http://securityportal.com/list-archive/bugtraq/2001/Jun/0217.html
______________________________________________________________________

You can view other security advisories for Mandrake Linux at:

http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

security@linux-mandrake.com
______________________________________________________________________

Mandrake Linux has two security-related mailing list services that anyone can subscribe to:

security-announce@linux-mandrake.com

Mandrake Linux's security announcements mailing list. Only announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

Mandrake Linux's security discussion mailing list. This list is open to anyone to discuss Mandrake Linux security specifically and Linux security in general.

To subscribe to either list, send a message to sympa@linux-mandrake.com with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to sympa@linux-mandrake.com with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to sympa@linux-mandrake.com with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe from either list:

http://www.linux-mandrake.com/en/flists.php3#security
Date: Wed, 20 Jun 2001 14:17:26 -0600
From: Linux Mandrake Security Team <security@linux-mandrake.com>
Subject: MDKSA-2001:059 - webmin update

______________________________________________________________________

Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name: webmin
Date: June 20th, 2001
Advisory ID: MDKSA-2001:059
Affected versions: 7.1, 7.2, 8.0, Corporate Server 1.0.1, Single Network Firewall 7.2
______________________________________________________________________

Problem Description:

Caldera recently found that when webmin starts a system daemon from the web frontend, it does not clear its environment variables. Since these variables carry the administrator's authorization, any daemon started this way receives them as well.
______________________________________________________________________

References:
______________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

rpm --checksig package.rpm

You can get the GPG public key of the Mandrake Linux Security Team at

http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS

If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
Linux-Mandrake 7.1:
d1eb47d556e908c49e37bed18c3003be  7.1/RPMS/webmin-0.84-7.3mdk.noarch.rpm
ad2ece83eed3a87a3f68e9d86ce0414f  7.1/SRPMS/webmin-0.84-7.3mdk.src.rpm

Linux-Mandrake 7.2:
960986def47f99d2c4704c1e4158ac7d  7.2/RPMS/webmin-0.84-7.2mdk.noarch.rpm
f186b70383aef81502b8c61a0beb5525  7.2/SRPMS/webmin-0.84-7.2mdk.src.rpm

Mandrake Linux 8.0:
6034d9ba36ac1908842a2629f196cdff  8.0/RPMS/webmin-0.84-7.1mdk.noarch.rpm
863c8287bc70247012c2b140a75f9552  8.0/SRPMS/webmin-0.84-7.1mdk.src.rpm

Corporate Server 1.0.1:
d1eb47d556e908c49e37bed18c3003be  1.0.1/RPMS/webmin-0.84-7.3mdk.noarch.rpm
ad2ece83eed3a87a3f68e9d86ce0414f  1.0.1/SRPMS/webmin-0.84-7.3mdk.src.rpm

Single Network Firewall 7.2:
960986def47f99d2c4704c1e4158ac7d  snf7.2/RPMS/webmin-0.84-7.2mdk.noarch.rpm
f186b70383aef81502b8c61a0beb5525  snf7.2/SRPMS/webmin-0.84-7.2mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________

To upgrade automatically, use MandrakeUpdate. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites listed at:

http://www.linux-mandrake.com/en/ftp.php3

Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.

Please be aware that sometimes it takes the mirrors a few hours to update.
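The webmin defect above is a process-spawning hygiene problem: every daemon the frontend launches inherits the frontend's whole environment, credentials included. As an added example (not webmin's own code, which is Perl), a C spawn helper that hands a child only an allowlisted environment; the allowlist names and the constructed secret variable are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical allowlist: the only variables a spawned daemon may inherit.
 * Anything else, including whatever carries the administrator's
 * authorization, is dropped instead of being passed through. */
static const char *const ALLOWED[] = { "PATH", "HOME", "LANG", "TZ", NULL };

/* Copy the allowlisted entries of envp_in into out (NULL-terminated).
 * Returns the number kept, or -1 if out cannot hold them plus the NULL. */
int filter_env(char *const envp_in[], char *out[], size_t out_max)
{
    size_t n = 0;
    for (size_t i = 0; envp_in[i] != NULL; i++) {
        const char *eq = strchr(envp_in[i], '=');
        if (eq == NULL) continue;            /* malformed entry: drop it */
        size_t name_len = (size_t)(eq - envp_in[i]);
        for (size_t a = 0; ALLOWED[a] != NULL; a++) {
            if (strlen(ALLOWED[a]) != name_len ||
                strncmp(ALLOWED[a], envp_in[i], name_len) != 0)
                continue;
            if (n + 1 >= out_max) return -1; /* keep room for the terminator */
            out[n++] = envp_in[i];
            break;
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Start a program the way the frontend should start a daemon: with the
 * filtered environment only. Returns the child's exit status, or -1. */
int run_with_clean_env(const char *path, char *const argv[], char *const envp_in[])
{
    char *clean[64];
    if (filter_env(envp_in, clean, 64) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, clean);           /* child never sees the secret */
        _exit(127);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```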
Date: Wed, 20 Jun 2001 14:16:34 -0600
From: Linux Mandrake Security Team <security@linux-mandrake.com>
Subject: MDKSA-2001:058 - ispell update

______________________________________________________________________

Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name: ispell
Date: June 20th, 2001
Advisory ID: MDKSA-2001:058
Affected versions: 7.1, 7.2, 8.0, Corporate Server 1.0.1
______________________________________________________________________

Problem Description:

The ispell program uses mktemp() to open temporary files, which makes it vulnerable to symlink attacks. A patch from OpenBSD has now been applied that uses mkstemp() instead and switches gets() to fgets() when handling user input.
______________________________________________________________________

References:
______________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

rpm --checksig package.rpm

You can get the GPG public key of the Mandrake Linux Security Team at

http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS

If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
Linux-Mandrake 7.1:
7e0259681eecfea26914f2177aed1622  7.1/RPMS/ispell-3.1.20-10.1mdk.i586.rpm
0c4404521d7490e5c30651d25bf47a96  7.1/RPMS/ispell-de-3.1.20-10.1mdk.i586.rpm
27d507aabb0a76fba7d46359d5490e9e  7.1/RPMS/ispell-en-3.1.20-10.1mdk.i586.rpm
2ecc2af3a167bef1f49180fa8a1cac60  7.1/SRPMS/ispell-3.1.20-10.1mdk.src.rpm

Linux-Mandrake 7.2:
3e234ec53b20accf87784622b43aa5df  7.2/RPMS/ispell-3.1.20-13.1mdk.i586.rpm
3f3fe8ec98b34a78c0488c9eefd1f434  7.2/RPMS/ispell-en-3.1.20-13.1mdk.i586.rpm
27131000e3ece80247ecd4d4ac7768c5  7.2/SRPMS/ispell-3.1.20-13.1mdk.src.rpm

Mandrake Linux 8.0:
dea62fd582831557c0c5bb860e1fdaee  8.0/RPMS/ispell-3.1.20-15.1mdk.i586.rpm
145b269dd5d9b678732f370e99f5b92f  8.0/RPMS/ispell-en-3.1.20-15.1mdk.i586.rpm
a6bf8ad149902347b5a7703474e02def  8.0/SRPMS/ispell-3.1.20-15.1mdk.src.rpm

Corporate Server 1.0.1:
7e0259681eecfea26914f2177aed1622  1.0.1/RPMS/ispell-3.1.20-10.1mdk.i586.rpm
0c4404521d7490e5c30651d25bf47a96  1.0.1/RPMS/ispell-de-3.1.20-10.1mdk.i586.rpm
27d507aabb0a76fba7d46359d5490e9e  1.0.1/RPMS/ispell-en-3.1.20-10.1mdk.i586.rpm
2ecc2af3a167bef1f49180fa8a1cac60  1.0.1/SRPMS/ispell-3.1.20-10.1mdk.src.rpm
______________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
______________________________________________________________________

To upgrade automatically, use MandrakeUpdate. If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites listed at:

http://www.linux-mandrake.com/en/ftp.php3

Updated packages are available in the "updates/[ver]/RPMS/" directory. For example, if you are looking for an updated RPM package for Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source RPMs are available as well, but you generally do not need to download them.

Please be aware that sometimes it takes the mirrors a few hours to update.
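Both halves of the OpenBSD fix described in the ispell advisory, as an added example rather than ispell's patched source: a bounded-template mkstemp() wrapper standing in for the mktemp()-then-open pattern, and an fgets()-based line reader standing in for gets() that refuses to run past its buffer. The directory, prefix and buffer sizes are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* mktemp() only predicts a name, leaving a window in which a symlink can be
 * planted at that name before the program opens it. mkstemp() picks the name
 * and opens it atomically with O_CREAT|O_EXCL, so a planted link is never
 * followed. The template is built in a bounded buffer and, on success,
 * path_out holds the real file name. Returns an open descriptor or -1. */
int make_temp_file(const char *dir, const char *prefix, char *path_out, size_t path_len)
{
    int n = snprintf(path_out, path_len, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= path_len)
        return -1;                          /* would not fit: refuse, do not truncate */
    return mkstemp(path_out);               /* atomic create-and-open, mode 0600 */
}

/* gets() replacement: read one line into buf (size len) with fgets(), strip the
 * newline, and discard the remainder of an over-long line rather than letting
 * it run past the buffer. Returns the bytes stored, or -1 at end of input;
 * *truncated is set when input bytes had to be dropped. */
int read_line(FILE *in, char *buf, size_t len, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)len, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else if (!feof(in)) {
        /* No newline and not at EOF: the rest of the line is still pending. */
        int c = fgetc(in);
        while (c != EOF && c != '\n') {
            *truncated = 1;                 /* a real input byte was dropped */
            c = fgetc(in);
        }
    }
    return (int)n;
}
```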
Date: Wed, 20 Jun 2001 14:15:52 -0600
From: Linux Mandrake Security Team <security@linux-mandrake.com>
Subject: MDKSA-2001:057 - proftpd

______________________________________________________________________

Mandrake Linux Security Update Advisory
______________________________________________________________________

Package name: proftpd
Date: June 20th, 2001
Advisory ID: MDKSA-2001:057
Affected versions: None
______________________________________________________________________

Problem Description:

CERT released an advisory regarding the incorrect management of buffers in various FTP servers, which can allow a remote intruder to execute arbitrary code on the FTP server. The incorrect buffer management stems from the value returned by the glob() function. ProFTPD on Linux is not affected by this vulnerability, both because of the platform and because it uses the GNU glob() implementation, which is not vulnerable. The minimum version of ProFTPD recommended by the ProFTPD team is 1.2.0rc3, due to security problems in older versions.
______________________________________________________________________

References:

www.cert.org/advisories/CA-2001-07.html
______________________________________________________________________