Linux Today: Linux News On Internet Time.

Mandrake Linux Advisories: gdk-pixbuf, mozilla, kdelibs

Mar 10, 2004, 18:29

Mandrakelinux Security Update Advisory


Package name: gdk-pixbuf
Advisory ID: MDKSA-2004:020
Date: March 10th, 2004
Affected versions: Corporate Server 2.1


Problem Description:

A vulnerability in gdk-pixbuf versions before 0.20 exists that could allow a malicious BMP file to crash the Evolution mail client. The updated packages have been patched to use gdk-pixbuf 0.22.0's BMP handling code.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0111


Updated Packages:

Corporate Server 2.1:

Corporate Server 2.1/x86_64:


To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security@linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security@linux-mandrake.com>

Mandrakelinux Security Update Advisory


Package name: mozilla
Advisory ID: MDKSA-2004:021
Date: March 10th, 2004
Affected versions: 9.2


Problem Description:

A number of vulnerabilities were discovered in Mozilla 1.4:

A malicious website could gain access to a user's authentication credentials to a proxy server.

Script.prototype.freeze/thaw could allow an attacker to run arbitrary code on your computer.

A vulnerability was also discovered in the NSS security suite which ships with Mozilla. The S/MIME implementation would allow remote attackers to cause a Denial of Service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, which was demonstrated using the NISCC test suite. NSS version 3.9 corrects these problems and has been included in this update (the package previously shipped NSS 3.8).

Finally, Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:

"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."

A bug affecting Mozilla with Finnish keyboards has also been corrected.

The updated packages are patched to correct these vulnerabilities.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0564
http://www.kb.cert.org/vuls/id/428230
http://bugzilla.mozilla.org/show_bug.cgi?id=220122
http://bugzilla.mozilla.org/show_bug.cgi?id=221526
http://bugzilla.mozilla.org/show_bug.cgi?id=213012
http://www.uniras.gov.uk/vuls/2003/006489/smime.htm


Updated Packages:

Mandrakelinux 9.2:

Mandrakelinux 9.2/AMD64:


Bug IDs fixed (see http://bugs.mandrakelinux.com for more information):

376 - mozilla and finnish keyboard give pipe



Mandrakelinux Security Update Advisory


Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1


Problem Description:

Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:

"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."

This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
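The path-traversal flaw quoted in both the mozilla and kdelibs advisories above comes down to a user agent comparing a cookie's Path attribute against the raw, un-normalized request path. The Python below is an added example, not Mozilla or KDE code: it models the flawed check beside the corrected one, which canonicalizes the request path (percent-decoding and resolving "." and ".." segments) before path-matching. The function names and sample paths are constructed for illustration.

```python
from urllib.parse import unquote


def canonicalize_path(path: str) -> str:
    """Decode percent-encoding and resolve '.' / '..' segments, never
    climbing above '/'. This is the normalization step the vulnerable
    user agents skipped before path-matching."""
    decoded = unquote(path)                # "%2e%2e" becomes ".."
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                       # empty (double slash) or current dir
        if seg == "..":
            if segments:
                segments.pop()             # go up one level, but not past root
            continue
        segments.append(seg)
    canon = "/" + "/".join(segments)
    if decoded.endswith("/") and canon != "/":
        canon += "/"                       # keep directory semantics
    return canon


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Cookie path-match: the request path equals the cookie path or has it
    as a prefix ending on a '/' boundary ('/private' must not match
    '/privateer')."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def send_cookie_vulnerable(cookie_path: str, request_path: str) -> bool:
    # Flawed behaviour described in the advisory: match on the raw path, so
    # "/private/../public/" looks as if it lies under "/private/".
    return path_matches(cookie_path, request_path)


def send_cookie_fixed(cookie_path: str, request_path: str) -> bool:
    # Corrected behaviour: canonicalize first, then match.
    return path_matches(cookie_path, canonicalize_path(request_path))


if __name__ == "__main__":
    # Constructed sample: a cookie scoped to /private/ and a traversal request.
    traversal = "/private/../public/"
    print("vulnerable sends cookie:", send_cookie_vulnerable("/private/", traversal))
    print("fixed sends cookie:     ", send_cookie_fixed("/private/", traversal))
```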


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0592


Updated Packages:

Mandrakelinux 9.1:

Mandrakelinux 9.1/PPC:

