Linux Today: Linux News On Internet Time.







Advisories, April 11, 2006

Apr 12, 2006, 03:45

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:069
http://www.mandriva.com/security/


Package : openvpn
Date : April 10, 2006
Affected: 2006.0, Multi Network Firewall 2.0


Problem Description:

A vulnerability in OpenVPN 2.0 through 2.0.5 allows a malicious server to execute arbitrary code on the client by using setenv with the LD_PRELOAD environment variable.

Updated packages have been patched to correct this issue by removing setenv support.
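
The flaw comes from a client trusting directives supplied by the server. The added example below (not code from the advisory or from OpenVPN) shows a client-side allowlist applied to a pushed option list, so that a pushed setenv is refused. The allowlist contents, the function names and the sample PUSH_REPLY message are assumptions made for illustration.

```python
# Directives this client is willing to take from a server. Illustrative
# allowlist (an assumption); setenv is deliberately absent.
ALLOWED_PUSH = {"route", "ifconfig", "dhcp-option", "ping",
                "ping-restart", "redirect-gateway"}


def split_push_reply(message):
    """Return the option strings carried by a PUSH_REPLY control message."""
    head, _, rest = message.strip().partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    return [opt.strip() for opt in rest.split(",") if opt.strip()]


def filter_pushed_options(message, allowed=ALLOWED_PUSH):
    """Split pushed options into (accepted, rejected) by directive name."""
    accepted, rejected = [], []
    for opt in split_push_reply(message):
        name = opt.split()[0]
        # Default deny: anything not explicitly allowed is dropped and
        # reported, instead of blocklisting individual variable names.
        (accepted if name in allowed else rejected).append(opt)
    return accepted, rejected


# Constructed sample message; the library path is a placeholder.
SAMPLE = ("PUSH_REPLY,route 10.8.0.0 255.255.255.0,"
          "setenv LD_PRELOAD /constructed/lib.so,ping 10")

if __name__ == "__main__":
    ok, refused = filter_pushed_options(SAMPLE)
    print("accepted:", ok)
    print("refused: ", refused)
```

A default-deny list also covers other loader variables and future directives, which a blocklist of LD_PRELOAD alone would not.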


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1629


Updated Packages:

Mandriva Linux 2006.0:
699824d9aa9e42bf579165599268efbb 2006.0/RPMS/openvpn-2.0.1-2.2.20060mdk.i586.rpm
38bb27a8f28546fe9cdf06213a172868 2006.0/SRPMS/openvpn-2.0.1-2.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
4e8a99c3997f8ecd7e41aee1594a02dc x86_64/2006.0/RPMS/openvpn-2.0.1-2.2.20060mdk.x86_64.rpm
38bb27a8f28546fe9cdf06213a172868 x86_64/2006.0/SRPMS/openvpn-2.0.1-2.2.20060mdk.src.rpm

Multi Network Firewall 2.0:
04b0406ea806da8e1f941910b0f19659 mnf/2.0/RPMS/openvpn-2.0.1-0.3.M20mdk.i586.rpm
825a02efe56ddc34fcdc49784c50b1e1 mnf/2.0/SRPMS/openvpn-2.0.1-0.3.M20mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:070
http://www.mandriva.com/security/


Package : sash
Date : April 10, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0


Problem Description:

Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, causing the linked application to dump core (CVE-2005-2096).

Markus Oberhumber discovered additional ways that a specially-crafted compressed stream could trigger an overflow. An attacker could create such a stream that would cause a linked application to crash if opened by a user (CVE-2005-1849).

Both of these issues have previously been fixed in zlib, but sash links statically against zlib and is thus also affected by these issues. New sash packages are available that link against the updated zlib packages.
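
Static linking means that upgrading the shared zlib library leaves such binaries unchanged, so they have to be found and rebuilt. The added example below (not part of the advisory) looks for the version banner that zlib's deflate and inflate code embeds in any executable linked against it statically; the function names are hypothetical, the sample bytes and version numbers are constructed placeholders, and the first fixed zlib version must be supplied from the zlib advisory.

```python
import re
import sys

# deflate.c and inflate.c each carry a copyright banner with the version;
# the string is copied into any executable that links zlib statically.
BANNER = re.compile(
    rb"(?:deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4}")


def version_key(version):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def embedded_zlib_versions(blob):
    """Return the zlib versions whose banners appear in the raw bytes."""
    found = {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}
    return sorted(found, key=version_key)


def needs_rebuild(blob, first_fixed):
    """True if any embedded zlib copy is older than first_fixed."""
    return any(version_key(v) < version_key(first_fixed)
               for v in embedded_zlib_versions(blob))


# Constructed samples: bytes shaped like binaries, placeholder versions.
SAMPLE_STATIC = (
    b"\x7fELF\x00 deflate 0.0.1 Copyright 1995-2000 Jean-loup Gailly \x00"
    b"pad inflate 0.0.1 Copyright 1995-2000 Mark Adler \x00")
SAMPLE_CLEAN = b"\x7fELF\x00no compression code linked here\x00"

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: scan.py FIRST_FIXED_VERSION FILE...")
    for path in sys.argv[2:]:
        with open(path, "rb") as fh:
            data = fh.read()
        versions = embedded_zlib_versions(data)
        state = "REBUILD" if needs_rebuild(data, sys.argv[1]) else "ok"
        print(f"{path}: zlib {versions or 'not embedded'} [{state}]")
```

A packed or compressed executable hides the banner, so a clean result from this scan is not proof that no zlib copy is embedded.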


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096


Updated Packages:

Mandriva Linux 10.2:
290e5d895235afaaa1548d4898c5cde8 10.2/RPMS/sash-3.7-3.1.102mdk.i586.rpm
6cb36fc925f8793ef0f22a1d0adacb24 10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
4088008711f30343c6ddbd45dd4429f0 x86_64/10.2/RPMS/sash-3.7-3.1.102mdk.x86_64.rpm
6cb36fc925f8793ef0f22a1d0adacb24 x86_64/10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm

Mandriva Linux 2006.0:
6a8ef8036ca25661d6e1e18e826b7cf7 2006.0/RPMS/sash-3.7-3.1.20060mdk.i586.rpm
ebfdd661247a673a536d14b57bd1494f 2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
f3ace9f835ba2bcf3358404ec3b35863 x86_64/2006.0/RPMS/sash-3.7-3.1.20060mdk.x86_64.rpm
ebfdd661247a673a536d14b57bd1494f x86_64/2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm

Corporate 3.0:
76d84869521a8231bde684d29c909f77 corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.i586.rpm
5a52429713ca8dabda8fe0462eedbf41 corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
5fdfa411aaa588d14e3f92d877b31e0b x86_64/corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.x86_64.rpm
5a52429713ca8dabda8fe0462eedbf41 x86_64/corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm

Multi Network Firewall 2.0:
b1d67ff8736048c8687708ff614d995b mnf/2.0/RPMS/sash-3.6-5.1.M20mdk.i586.rpm
df79ea5562d8e2d45f98ead903f1b4c7 mnf/2.0/SRPMS/sash-3.6-5.1.M20mdk.src.rpm




Mandriva Linux Security Advisory MDKSA-2006:071
http://www.mandriva.com/security/


Package : xscreensaver
Date : April 11, 2006
Affected: Corporate 3.0


Problem Description:

Rdesktop, with xscreensaver < 4.18, does not release the keyboard focus when xscreensaver starts, which causes the password to be entered into the active window when the user unlocks the screen.

Updated xscreensaver packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2655


Updated Packages:

Corporate 3.0:
7fca69b43dc054e02d1e635558a2871f corporate/3.0/RPMS/xscreensaver-4.14-4.1.C30mdk.i586.rpm
fcf51ed223e82ab32136b0ab40348300 corporate/3.0/RPMS/xscreensaver-extrusion-4.14-4.1.C30mdk.i586.rpm
edfeccdb0f1406af612d97a7e0ee5a62 corporate/3.0/RPMS/xscreensaver-gl-4.14-4.1.C30mdk.i586.rpm
d6c61c9ea67ee99f619c9abaa96ec133 corporate/3.0/SRPMS/xscreensaver-4.14-4.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
a03034b99a097249c616935bc5e9706c x86_64/corporate/3.0/RPMS/xscreensaver-4.14-4.1.C30mdk.x86_64.rpm
ca12d4e28f3db44a9018dbc19b8243e9 x86_64/corporate/3.0/RPMS/xscreensaver-extrusion-4.14-4.1.C30mdk.x86_64.rpm
1d7534873b19a4497e7f577c03585460 x86_64/corporate/3.0/RPMS/xscreensaver-gl-4.14-4.1.C30mdk.x86_64.rpm
d6c61c9ea67ee99f619c9abaa96ec133 x86_64/corporate/3.0/SRPMS/xscreensaver-4.14-4.1.C30mdk.src.rpm



Ubuntu Linux


Ubuntu Security Notice USN-269-1 April 11, 2006
xscreensaver vulnerability
CVE-2004-2655

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

xscreensaver
xscreensaver-gl
xscreensaver-gnome
xscreensaver-nognome

The problem can be corrected by upgrading the affected package to version 4.16-1ubuntu3.1 (for Ubuntu 4.10), or 4.16-1ubuntu11.1 (for Ubuntu 5.04). After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

In some cases, xscreensaver did not properly grab the keyboard when reading the password for unlocking the screen, so that the password was typed into the currently active application window.

The only known vulnerable case was when xscreensaver activated while an rdesktop session was currently active.

Updated packages for Ubuntu 4.10:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu3.1.diff.gz
      Size/MD5: 529361 213c8f135c4571b7a7166f6dd9ad8c23
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu3.1.dsc
      Size/MD5: 826 f0d1078ed40504e6127c7f89eca383ae
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16.orig.tar.gz
      Size/MD5: 4211337 e715ca402fc1218a078d65b7e7922082

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/x/xscreensaver/xscreensaver-gnome_4.16-1ubuntu3.1_all.deb
      Size/MD5: 2206 0b2607875557fe48ede97a5c587d478c
    http://security.ubuntu.com/ubuntu/pool/universe/x/xscreensaver/xscreensaver-nognome_4.16-1ubuntu3.1_all.deb
      Size/MD5: 2210 62f2fc29169656b5bebd7df95dbab5b5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu3.1_amd64.deb
      Size/MD5: 2820564 173539848f930775f01b37c252c5ac97
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu3.1_amd64.deb
      Size/MD5: 3818740 e128aac305d6e3b065fdaabc39324c49

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu3.1_i386.deb
      Size/MD5: 2600412 88a5c98a3522ddcd90cf46fd71dbc617
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu3.1_i386.deb
      Size/MD5: 3363300 c383a848568378155b02444edb23f2f8

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu3.1_powerpc.deb
      Size/MD5: 2915204 0189383bd5605aad6bc992dc8679547a
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu3.1_powerpc.deb
      Size/MD5: 4037264 d287b3216588e52f98adcd48f490e43a

Updated packages for Ubuntu 5.04:

Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu11.1.diff.gz
      Size/MD5: 547000 9989541afef980609228f502b80fe016
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu11.1.dsc
      Size/MD5: 841 da2704fe834001ce529dc43cba5c8745
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16.orig.tar.gz
      Size/MD5: 4211337 e715ca402fc1218a078d65b7e7922082

Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/x/xscreensaver/xscreensaver-gnome_4.16-1ubuntu11.1_all.deb
      Size/MD5: 2208 43dc3e2c1a2b8df84cdabb2c0c3d5d19
    http://security.ubuntu.com/ubuntu/pool/universe/x/xscreensaver/xscreensaver-nognome_4.16-1ubuntu11.1_all.deb
      Size/MD5: 2212 7fa5d0f1e0b071ba304b48ced30f452d

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu11.1_amd64.deb
      Size/MD5: 2833530 f34243177312d26fb3d3e8793c5b62f9
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu11.1_amd64.deb
      Size/MD5: 3489802 3c8ab6178e1e777c299ea05b30c56d83

i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu11.1_i386.deb
      Size/MD5: 2595466 1c88b8e9f4044df306923b6fbf836f15
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu11.1_i386.deb
      Size/MD5: 2997488 0c893d4a7a0458e309029f8d5203dd04

powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver-gl_4.16-1ubuntu11.1_powerpc.deb
      Size/MD5: 2925960 df13450ced11ef1434bdd5b9ae3d8ea5
    http://security.ubuntu.com/ubuntu/pool/main/x/xscreensaver/xscreensaver_4.16-1ubuntu11.1_powerpc.deb
      Size/MD5: 3706970 413be7444c4739c4e17cd2f4d00c741d