Fedora Update Notification
FEDORA-2005-338
2005-04-22
Product : Fedora Core 3
Name : evolution
Version : 2.0.4
Release : 4
Summary : GNOME’s next-generation groupware suite
Description :
Evolution is the GNOME mailer, calendar, contact manager and
communications tool. The tools which make up Evolution will be
tightly integrated with one another and act as a seamless personal
information-management tool.
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
d1d9f7e91d2dcabe95b96f17dbc6e955
SRPMS/evolution-2.0.4-4.src.rpm
de9c927756f2e3c416c1e90173d64cac
x86_64/evolution-2.0.4-4.x86_64.rpm
056c4eec55e773f143426867c488352c
x86_64/evolution-devel-2.0.4-4.x86_64.rpm
53767f18bfc52fcac846f1b4f6bde00a
x86_64/debug/evolution-debuginfo-2.0.4-4.x86_64.rpm
683dad62220397672ef9449dbb77950a
i386/evolution-2.0.4-4.i386.rpm
49a25ecfc03f69b2b218da9a69dc4adb
i386/evolution-devel-2.0.4-4.i386.rpm
b33c58c7f38880d075352bba8e66e7fc
i386/debug/evolution-debuginfo-2.0.4-4.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.
Gentoo Linux Security Advisory GLSA 200504-21
Severity: Normal
Title: RealPlayer, Helix Player: Buffer overflow vulnerability
Date: April 22, 2005
Bugs: #89862
ID: 200504-21
RealPlayer and Helix Player are vulnerable to a buffer overflow
that could lead to remote execution of arbitrary code.
RealPlayer is a multimedia player capable of handling multiple
multimedia file formats. Helix Player is the Open Source version of
RealPlayer.
Package / Vulnerable / Unaffected
1 media-video/realplayer < 10.0.4 >= 10.0.4
2 media-video/helixplayer < 1.0.4 >= 1.0.4
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
Piotr Bania has discovered a buffer overflow vulnerability in
RealPlayer and Helix Player when processing malicious RAM
files.
By enticing a user to play a specially crafted RAM file an
attacker could execute arbitrary code with the permissions of the
user running the application.
There is no known workaround at this time.
All RealPlayer users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/realplayer-10.0.4"
All Helix Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/helixplayer-1.0.4"
[ 1 ] CAN-2005-0755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0755
[ 2 ] RealNetworks Advisory
http://service.real.com/help/faq/security/050419_player/EN/
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200504-21.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Gentoo Linux Security Advisory GLSA 200504-22
Severity: Normal
Title: KDE kimgio: PCX handling buffer overflow
Date: April 22, 2005
Bugs: #88862
ID: 200504-22
KDE fails to properly validate input when handling PCX images,
potentially resulting in the execution of arbitrary code.
KDE is a feature-rich graphical desktop environment for Linux
and Unix-like Operating Systems. kimgio is the KDE image handler
provided by kdelibs.
Package / Vulnerable / Unaffected
1 kde-base/kdelibs < 3.3.2-r8 *>= 3.2.3-r9
>= 3.3.2-r8
kimgio fails to properly validate input when handling PCX
files.
By enticing a user to load a specially-crafted PCX image in a
KDE application, an attacker could execute arbitrary code.
There is no known workaround at this time.
All kdelibs users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs
[ 1 ] CAN-2005-1046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046
[ 2 ] KDE Security Advisory: kimgio input validation errors
http://www.kde.org/info/security/advisory-20050421-1.txt
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200504-22.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Gentoo Linux Security Advisory GLSA 200504-23
Severity: Normal
Title: Kommander: Insecure remote script execution
Date: April 22, 2005
Bugs: #89092
ID: 200504-23
Kommander executes remote scripts without confirmation,
potentially resulting in the execution of arbitrary code.
KDE is a feature-rich graphical desktop environment for Linux
and Unix-like Operating Systems. Kommander is a visual dialog
editor and interpreter for KDE applications, part of the kdewebdev
package.
Package / Vulnerable / Unaffected
1 kde-base/kdewebdev < 3.3.2-r1 >= 3.3.2-r1
Kommander executes data files from possibly untrusted locations
without user confirmation.
An attacker could exploit this to execute arbitrary code with
the permissions of the user running Kommander.
There is no known workaround at this time.
All kdewebdev users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdewebdev-3.3.2-r1"
[ 1 ] CAN-2005-0754
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0754
[ 2 ] KDE Security Advisory: Kommander untrusted code
execution
http://www.kde.org/info/security/advisory-20050420-1.txt
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200504-23.xml
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Peachtree Linux Security Notice PLSN-0003 April 20, 2005
Remote buffer overflow and possible code execution in
mplayer
http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
http://www.mplayerhq.hu/homepage/design7/news.html#vuln11
The following Peachtree Linux releases are affected:
Peachtree Linux release 1 (“Atlanta”)
Description:
http://www.mplayerhq.hu/homepage/design7/news.html#vuln10:
A buffer overflow vulnerability exists in the RTSP stream module,
which could allow a malicious RealMedia server to execute arbitrary
code.
http://www.mplayerhq.hu/homepage/design7/news.html#vuln11:
A buffer overflow vulnerability exists in the MMST stream module,
which could allow malicious servers of MMS or TCP streams to
execute arbitrary code.
Packages:
alpha
MPlayer did not ship in rel1 for Alpha. Alpha is not affected by
this vulnerability, and therefore no update is provided.
i386
4e71851034e4263a12f9000bdc3c461e mplayer-1.0pre7.i686.dist
ppc
901e0de5cc04cdddf94ff1cad9521776 mplayer-1.0pre7.ppc.dist
Solution:
Download the appropriate package for your release of Peachtree
Linux. Upgrade your system to the new package:
distadd -u packagename
Where package name is the name of the package file from the list
above.
—
Peachtree Linux Security Team
http://peachtree.burdell.org/
[slackware-security] CVS (SSA:2005-111-01)
New CVS packages are available for Slackware 8.1, 9.0, 9.1,
10.0, 10.1, and -current to fix security issues.
More details about this issue may be found in the Common
Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
Here are the details from the Slackware 10.1 ChangeLog:
+————————–+
patches/packages/cvs-1.11.20-i486-1.tgz: Upgraded to
cvs-1.11.20.
From cvshome.org: “This version fixes many minor security issues in
the CVS server executable including a potentially serious buffer
overflow vulnerability with no known exploit. We recommend this
upgrade for all CVS servers!”
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0753
(* Security fix *)
+————————–+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/cvs-1.11.20-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/cvs-1.11.20-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/cvs-1.11.20-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/cvs-1.11.20-i486-1.tgz
Slackware 8.1 package:
c94fb036f87d31bb78cb70f97802ef4a cvs-1.11.20-i386-1.tgz
Slackware 9.0 package:
180fe0ba92cc5ee557f5468823c0e365 cvs-1.11.20-i386-1.tgz
Slackware 9.1 package:
11aec60a9dd42ed9b6cd5bd1e13f7f00 cvs-1.11.20-i486-1.tgz
Slackware 10.0 package:
ae181089d20698948d294facad010cbe cvs-1.11.20-i486-1.tgz
Slackware 10.1 package:
893c9053b6f38c429d386fb70bea19e0 cvs-1.11.20-i486-1.tgz
Slackware -current package:
4f6f74e6fdfe259a2c3f6088ee84d5c8 cvs-1.11.20-i486-1.tgz
First, shut down the cvs server if you are running one.
Upgrade the packages as root:
# upgradepkg cvs-1.11.20-i486-1.tgz
Finally, restart the CVS server.
+—–+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
[slackware-security] Python SimpleXMLRPCServer module
(SSA:2005-111-02)
New Python packages are available for Slackware 8.1, 9.0, 9.1,
10.0, 10.1, and -current to fix a security issue in the
SimpleXMLRPCServer library module.
Here are the details from the Slackware 10.1 ChangeLog:
+————————–+
patches/packages/python-2.4.1-i486-1.tgz: Upgraded to
python-2.4.1.
From the python.org site: “The Python development team has
discovered a flaw in the SimpleXMLRPCServer library module which
can give remote attackers access to internals of the registered
object or its module or possibly other modules. The flaw only
affects Python XML-RPC servers that use the register_instance()
method to register an object without a _dispatch() method. Servers
using only register_function() are not affected.”
For more details, see:
http://python.org/security/PSF-2005-001/
(* Security fix *)
patches/packages/python-demo-2.4.1-noarch-1.tgz: Upgraded to
python-2.4.1 demos.
patches/packages/python-tools-2.4.1-noarch-1.tgz: Upgraded to
python-2.4.1 tools.
+————————–+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/python-2.2.3-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/python-2.2.3-i386-1.tgz
Updated packages for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-demo-2.3.5-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/python-tools-2.3.5-noarch-1.tgz
Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-2.3.5-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/python-demo-2.3.5-noarch-1.tgz
Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/python-demo-2.4.1-noarch-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-2.4.1-i486-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-demo-2.4.1-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/python-tools-2.4.1-noarch-1.tgz
Slackware 8.1 package:
b90d20f1c90a39407fae3346e17befd0 python-2.2.3-i386-1.tgz
Slackware 9.0 package:
fb39a3367b130440b5f8a64c3468eec2 python-2.2.3-i386-1.tgz
Slackware 9.1 packages:
897fe07abe99fc1f1a4095cacecd697f python-2.3.5-i486-1.tgz
34a3cd2b3fe85810964a13fce7c5d9fc python-demo-2.3.5-noarch-1.tgz
c48b074dcf6a76818e181764ce7e41ee
python-tools-2.3.5-noarch-1.tgz
Slackware 10.0 packages:
11c483e44089d7aae954c62eada1108c python-2.3.5-i486-1.tgz
b1dbd8eeca44c048dd83f505b2c69fdb python-demo-2.3.5-noarch-1.tgz
554e9cc2cb5c3f9d02cb57ee07025681
python-tools-2.3.5-noarch-1.tgz
Slackware 10.1 packages:
b78837244ef3c145cb9c354729d2954f python-2.4.1-i486-1.tgz
83b8a735c638a64f0f348a95fd58847a python-demo-2.4.1-noarch-1.tgz
83f0b4a65b44de14e475faa4087e5268
python-tools-2.4.1-noarch-1.tgz
Slackware -current packages:
7b2695497611d592ca756a074084bcbc python-2.4.1-i486-1.tgz
81f77f0063c79aa9cb78c7d03c2a762b python-demo-2.4.1-noarch-1.tgz
4008585cd345feb544de5ffae574a449
python-tools-2.4.1-noarch-1.tgz
Upgrade the packages as root:
# upgradepkg python-2.4.1-i486-1.tgz python-demo-2.4.1-noarch-1.tgz
python-tools-2.4.1-noarch-1.tgz
+—–+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
[slackware-security] gaim (SSA:2005-111-03)
New gaim packages are available for Slackware 9.0, 9.1, 10.0,
10.1, and -current to fix several security issues. Sites that use
GAIM should upgrade to the new version.
Here are the details from the Slackware 10.1 ChangeLog:
+————————–+
patches/packages/gaim-1.2.1-i486-1.tgz: Upgraded to gaim-1.2.1.
According to gaim.sf.net/, this
fixes a few denial-of-service flaws.
(* Security fix *)
+————————–+
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gaim-1.2.1-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/gaim-1.2.1-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-1.2.1-i486-1.tgz
Slackware 9.0 package:
630bced584023b81372126df5eb03eb5 gaim-1.2.1-i386-1.tgz
Slackware 9.1 package:
4c3f57658bf1371230b35e63967800d5 gaim-1.2.1-i486-1.tgz
Slackware 10.0 package:
b8a6585f6e3cd90d8324b49c8399d8dc gaim-1.2.1-i486-1.tgz
Slackware 10.1 package:
1d58b6f3e5b202152b0b7dc968b0c6f5 gaim-1.2.1-i486-1.tgz
Slackware -current package:
d4d07ba8e57b0fe2b45c8eb1109e9fbc gaim-1.2.1-i486-1.tgz
Upgrade the package as root:
# upgradepkg gaim-1.2.1-i486-1.tgz/
+—–+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
[slackware-security] Mozilla/Firefox (SSA:2005-111-04)
New Mozilla packages are available for Slackware 10.0, 10.1, and
-current to fix various security issues and bugs. See the Mozilla
site for a complete list of the issues patched:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Mozilla
Also updated is Firefox in Slackware -current.
New versions of the mozilla-plugins symlink creation package are
also out for Slackware 10.0 and 10.1, and a new version of the
jre-symlink package for Slackware -current.
Here are the details from the Slackware 10.1 ChangeLog:
+————————–+
patches/packages/mozilla-1.7.7-i486-1.tgz: Upgraded to
mozilla-1.7.7. This fixes some security issues. For complete
details, see:
http://www.mozilla.org/projects/security/known-vulnerabilities.html
(* Security fix *)
patches/packages/mozilla-plugins-1.7.7-noarch-1.tgz: Upgraded
Java(TM) symlink for Mozilla.
+————————–+
Updated packages for Slackware 10.0:
ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/mozilla-1.7.7-i486-1.tgz
Updated packages for Slackware 10.1:
ftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/mozilla-1.7.7-i486-1.tgz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/jre-symlink-1.0.3-noarch-1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/mozilla-1.7.7-i486-1.tgz
Slackware 10.0 packages:
ce858e8818a5446f77a65eb3596f169e mozilla-1.7.7-i486-1.tgz
273a55ae2b6549a708d373ce41d22dcc
mozilla-plugins-1.7.7-noarch-1.tgz
Slackware 10.1 packages:
88067d3dd9b05424993eeecf4ec439dd mozilla-1.7.7-i486-1.tgz
f1f2d581553911f219ee985a93b10b62
mozilla-plugins-1.7.7-noarch-1.tgz
Slackware -current packages:
200c44ab49c175cd45366e0faaf0979f jre-symlink-1.0.3-noarch-1.tgz
39b5dd6559802159cc6d8bbf6bdecbdc mozilla-1.7.7-i486-1.tgz
10abe6ae734d8ccaa2c77946df794b21
mozilla-firefox-1.0.3-i686-1.tgz
Upgrade the packages as root:
# upgradepkg mozilla-1.7.7-i486-1.tgz
mozilla-plugins-1.7.7-noarch-1.tgz
+—–+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.
LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.