Advisories, September 28, 2006

Debian GNU/Linux


Debian Security Advisory DSA 1185-1                     security@debian.org
http://www.debian.org/security/                              Noah Meyerhans
September 28th, 2006                    http://www.debian.org/security/faq


Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-2937

Multiple vulnerabilities have been discovered in the OpenSSL
cryptographic software package that could allow an attacker to
launch a denial of service attack by exhausting system resources or
crashing processes on a victim’s computer.

CVE-2006-2937

Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test
suite was run against OpenSSL two denial of service vulnerabilities
were discovered. During the parsing of certain invalid ASN1
structures an error condition is mishandled. This can result in an
infinite loop which consumes system memory. Any code which uses
OpenSSL to parse ASN1 data from untrusted sources is affected. This
includes SSL servers which enable client authentication and S/MIME
applications.

CVE-2006-3738

Tavis Ormandy and Will Drewry of the Google Security Team
discovered a buffer overflow in the SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql. An
attacker could send a list of ciphers that would overrun a
buffer.

CVE-2006-4343

Tavis Ormandy and Will Drewry of the Google Security Team
discovered a possible DoS in the SSLv2 client code. Where a client
application uses OpenSSL to make an SSLv2 connection to a malicious
server, that server could cause the client to crash.

CVE-2006-2940

Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test
suite was run against OpenSSL a DoS was discovered. Certain types
of public key can take disproportionate amounts of time to process.
This could be used by an attacker in a denial of service
attack.

For the stable distribution (sarge) these problems have been
fixed in version 0.9.7e-3sarge3.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-2 of
the openssl097 compatibility libraries, and version 0.9.8c-2 of the
openssl package.

We recommend that you upgrade your openssl package. Note that
services linking against the openssl shared libraries will need to
be restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge


Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc
      Size/MD5 checksum:      639 fbf460591348b14103a3819d23164aee
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.diff.gz
      Size/MD5 checksum:    29882 25e5c57ee6c86d1e4cc335937040f251
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
      Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474

Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:  3341810 73ef8e1cafbfd142a903bd93535a2428
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:  2448006 b42d228cd1cb48024b25f5bd7c6724b8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:   930188 b0b9a46a47a1992ed455f993b6007450

AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:  2693668 7a6d9f9ad43192bcfe9ed22bd4c227cb
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:   703308 239e07d0029b78d339da49ea8dacb554
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:   903744 de3413bf58707040d19a606311548ec7

ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:  2556374 4f3d5a82ab27e46f6174616dd2f0818c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:   690118 80812ffefacc7d9800ce5286909aa815
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:   894114 053579483c0d83c11a4b15ade5e09d3b

HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:  2695876 bee86edc3db3ac76a32efb84b1a1cfab
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:   791316 5dfd66672700232356a26258a76bcffa
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:   914574 bc996d3cd86b18090ee4c2f3f31dbdbc

Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:  2553694 ceea98c69ca44649ee2c98cff0364e4b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:  2264996 111668559caa8ea95ad3100af67e163e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:   902750 39b743a6a47517245c3fba9289c86ddf

Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:  3396192 54868b4f5c27f5dc0a65b82594aa8bb0
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:  1038386 7fcec764f3b3d3ee53588791f7588ad9
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:   975118 18239f1932f399df0396e81a1e57e5e3

Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:  2317346 cf221d4a25c8913c1183078f1974b46b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:   661672 1a1e72d032cbd37400a65ef7ddf9af6d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:   889874 6eaaf9b7b9651b37437b78d7a95a562a

Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:  2779474 383cc3f4bd2c75515e415c48fc6c66eb
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:   706660 aaa773471c553fd971b3158e35ceb675
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:   896780 21c648b8e817ce098d9d85f311163e34

Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:  2767338 bc2e40477ad28b1eedb69e6542b1ab08
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:   694486 8c31bcea415ae3d725844e45a733d7fe
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:   895860 8af869dc9a903f8a226d33cdcffc7eab

PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:  2775400 91f923d2f4f3938ef8a786b291865f0a
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:   779452 3b094894ca6d75b7c86684c7cd62f5bf
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:   908316 b93dffc572d91d9e4154b73c57b41e88

IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:  2717840 a96fb19009ddc10b1901f34e232109ae
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:   813968 1cf6dbddb023dfe8c55d30d19bc0ff57
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:   918504 73d2f71ec2c8ebd4cc3f481096202664

Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:  2630560 059abd03c994e3d6851f38f6f7dd5446
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:  1886038 4900a7af6cbef9e37c902a3c14ac33ac
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:   924472 27f194ff2250fc91d0375c02d6686272

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
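The manual wget / dpkg -i route in the upgrade instructions above bypasses the checks apt-get performs, so the Size/MD5 values listed for each file are the only thing tying a downloaded .deb to this advisory. The following is an added example, not part of DSA 1185-1 or of any Debian tool: it parses the advisory's "Size/MD5 checksum:" entries (including the layout on this page, where the hash has wrapped onto the line after the size) and checks a downloaded file's size and MD5 against them. The function names, the sample file contents and the download directory are assumptions of the example; the one advisory entry embedded as sample text is the .dsc line from the advisory itself.

```python
import hashlib
import re
from pathlib import Path

# One advisory entry: the download URL followed by its "Size/MD5 checksum:"
# line. \s+ also spans a line break, so the layout where the hash has
# wrapped onto the next line parses as well as the original one-line form.
ENTRY_RE = re.compile(
    r"(https?://\S+)\s+Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})"
)


def parse_advisory_entries(text):
    """Return [(url, size, md5_hex), ...] for every entry in the advisory text."""
    return [(url, int(size), md5.lower()) for url, size, md5 in ENTRY_RE.findall(text)]


def verify_bytes(data, expected_size, expected_md5):
    """Check file contents against the advisory's size and MD5.

    Returns (ok, reason). The size is compared first because a truncated or
    padded download is the cheapest thing to rule out; the digest is then
    compared case-insensitively.
    """
    if len(data) != expected_size:
        return False, f"size mismatch: got {len(data)}, expected {expected_size}"
    actual = hashlib.md5(data).hexdigest()
    if actual != expected_md5.lower():
        return False, f"md5 mismatch: got {actual}, expected {expected_md5}"
    return True, "ok"


def verify_file(path, expected_size, expected_md5):
    return verify_bytes(Path(path).read_bytes(), expected_size, expected_md5)


def verify_downloads(advisory_text, download_dir):
    """Map each advisory entry to the file of the same name in download_dir
    and verify it. Files that were never downloaded are reported as missing
    rather than silently skipped, so the result covers every listed file."""
    results = {}
    for url, size, md5 in parse_advisory_entries(advisory_text):
        name = url.rsplit("/", 1)[-1]
        local = Path(download_dir) / name
        if not local.is_file():
            results[name] = (False, "missing")
        else:
            results[name] = verify_file(local, size, md5)
    return results


# Constructed sample text in this page's layout; the entry itself is the
# .dsc line of DSA 1185-1, with the hash wrapped onto its own line.
SAMPLE_ADVISORY = """
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc

      Size/MD5 checksum: 639
fbf460591348b14103a3819d23164aee
"""

if __name__ == "__main__":
    for url, size, md5 in parse_advisory_entries(SAMPLE_ADVISORY):
        print(url.rsplit("/", 1)[-1], size, md5)
    # Constructed file contents with a well-known digest (echo hello | md5sum).
    print(verify_bytes(b"hello\n", 6, "b1946ac92492d2347c6235b4d2611184"))
    print(verify_bytes(b"hello\n", 7, "b1946ac92492d2347c6235b4d2611184"))
```

A matching digest only shows the file is the one the advisory lists; MD5 is no longer collision-resistant, so the check is worth doing only when the advisory text itself arrived over a trusted channel (the signed mailing-list post), and any mismatch means the package is not installed, whatever the cause.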

Gentoo Linux


Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200609-17:02


http://security.gentoo.org/


Severity: Normal
Title: OpenSSH: Denial of Service
Date: September 27, 2006
Updated: September 27, 2006
Bugs: #148228
ID: 200609-17:02


Errata

The Resolution proposed in the original version of this Security
Advisory listed a wrong version number.

The corrected section appears below.

Resolution

All OpenSSH users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/openssh-4.3_p2-r5"

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-17.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-18


http://security.gentoo.org/


Severity: Normal
Title: Opera: RSA signature forgery
Date: September 28, 2006
Bugs: #147838
ID: 200609-18


Synopsis

Opera fails to correctly verify certain signatures.

Background

Opera is a multi-platform web browser.

Affected packages


     Package           /  Vulnerable  /                     Unaffected

  1  www-client/opera       < 9.0.2                           >= 9.0.2

Description

Opera makes use of OpenSSL, which fails to correctly verify PKCS
#1 v1.5 RSA signatures signed by a key with exponent 3. Some CAs in
Opera’s list of trusted signers are using root certificates with
exponent 3.

Impact

An attacker could forge certificates which will appear valid and
signed by a trusted CA.
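The flaw behind this GLSA (and GLSA 200609-05 in the references) lies in how the decrypted signature block is parsed. A PKCS #1 v1.5 encoded message is 00 01 FF..FF 00 followed by DigestInfo || hash; a verifier that finds the DigestInfo and stops there, without requiring it to fill the rest of the block, accepts blocks with arbitrary trailing bytes, and with a small public exponent such as 3 that slack is what makes forged signatures possible. The following is an added example, not Opera's or OpenSSL's code: a simplified model of the lax check beside the strict re-encode-and-compare check, both applied to the encoded message (the step after s^e mod n) with SHA-1 as the hash. The function names and the constructed malformed block are assumptions of the example.

```python
import hashlib

# DER prefix of DigestInfo for SHA-1, i.e. everything up to the digest
# octets themselves (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(message, em_len):
    """EMSA-PKCS1-v1_5: 00 01 || PS (0xFF bytes) || 00 || DigestInfo || H(m).

    PS is sized so the block is filled exactly, which is why T must always
    be the final bytes of a well-formed encoded message.
    """
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_verify(em, message):
    """Model of the flawed check: validate header and padding, then look for
    DigestInfo || H(m) right after the 0x00 separator and ignore whatever
    follows. Trailing bytes are silently accepted."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = em[i + 1:]
    expected = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return t[: len(expected)] == expected  # flaw: t[len(expected):] is never examined


def strict_verify(em, message):
    """Correct check: re-encode the message and require byte-for-byte equality,
    so the padding must reach the end of the block and nothing may trail T."""
    try:
        return em == emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False


def trailing_garbage_em(message, em_len):
    """Constructed malformed block: the minimal 8-byte padding, a correct
    DigestInfo || H(m), and the remainder of the block filled with zeros.
    This is the shape of block the lax parser wrongly accepts."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (em_len - len(head))


if __name__ == "__main__":
    msg = b"example message"
    good = emsa_pkcs1_v15_encode(msg, 128)  # what a conforming signer produces
    bad = trailing_garbage_em(msg, 128)     # malformed block
    print("well-formed    lax:", lax_verify(good, msg), "strict:", strict_verify(good, msg))
    print("trailing bytes lax:", lax_verify(bad, msg), "strict:", strict_verify(bad, msg))
```

The strict form is what RFC 3447 section 8.2.2 specifies: recompute EM from the message and compare the whole block, which enforces both the padding length and the absence of trailing bytes without parsing any ASN.1 from untrusted data.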

Workaround

There is no known workaround at this time.

Resolution

All Opera users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/opera-9.0.2"

References

[ 1 ] Opera Advisory

http://www.opera.com/support/search/supsearch.dml?index=845

[ 2 ] GLSA 200609-05

http://www.gentoo.org/security/en/glsa/glsa-200609-05.xml

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-18.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-19


http://security.gentoo.org/


Severity: Normal
Title: Mozilla Firefox: Multiple vulnerabilities
Date: September 28, 2006
Bugs: #147652
ID: 200609-19


Synopsis

The Mozilla Foundation has reported numerous vulnerabilities in
Mozilla Firefox, including one that may allow execution of
arbitrary code.

Background

Mozilla Firefox is a redesign of the Mozilla Navigator
component. The goal is to produce a cross-platform, stand-alone
browser application.

Affected packages


     Package                         /  Vulnerable  /       Unaffected
     -------------------------------------------------------------------
  1  www-client/mozilla-firefox           < 1.5.0.7              >= 1.5.0.7
  2  www-client/mozilla-firefox-bin       < 1.5.0.7              >= 1.5.0.7
     -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

A number of vulnerabilities were found and fixed in Mozilla
Firefox. For details please consult the references below.

Impact

The most severe vulnerability involves enticing a user to visit
a malicious website, crashing the browser and executing arbitrary
code with the rights of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.7"

Users of the binary package should upgrade as well:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.7"

References

[ 1 ] CVE-2006-4253

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4253

[ 2 ] CVE-2006-4340

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340

[ 3 ] CVE-2006-4565

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4565

[ 4 ] CVE-2006-4566

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4566

[ 5 ] CVE-2006-4567

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4567

[ 6 ] CVE-2006-4568

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4568

[ 7 ] CVE-2006-4569

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4569

[ 8 ] CVE-2006-4571

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4571

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-19.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Gentoo Linux Security Advisory GLSA 200609-20


http://security.gentoo.org/


Severity: High
Title: DokuWiki: Shell command injection and Denial of Service
Date: September 28, 2006
Bugs: #149266
ID: 200609-20


Synopsis

DokuWiki is vulnerable to shell command injection and Denial of
Service attacks when using ImageMagick.

Background

DokuWiki is a wiki targeted at developer teams, workgroups and
small companies. It does not use a database backend.

Affected packages


     Package            /   Vulnerable   /                  Unaffected

  1  www-apps/dokuwiki      < 20060309e                   >= 20060309e

Description

Input validation flaws have been discovered in the image
handling of fetch.php if ImageMagick is used, which is not the
default method.

Impact

A remote attacker could exploit the flaws to execute arbitrary
shell commands with the rights of the web server daemon or cause a
Denial of Service.

Workaround

There is no known workaround at this time.

Resolution

All DokuWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/dokuwiki-20060309e"

References

[ 1 ] DokuWiki Announcement

http://www.freelists.org/archives/dokuwiki/09-2006/msg00278.html

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200609-20.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Mandriva Linux


Mandriva Linux Security Advisory MDKSA-2006:157-1
http://www.mandriva.com/security/


Package : musicbrainz
Date : September 28, 2006
Affected: 2007.0


Problem Description:

Multiple buffer overflows in libmusicbrainz (aka mb_client or
MusicBrainz Client Library) 2.1.2 and earlier, and SVN 8406 and
earlier, allow remote attackers to cause a denial of service
(crash) or execute arbitrary code via (1) a long Location header by
the HTTP server, which triggers an overflow in the MBHttp::Download
function in lib/http.cpp; and (2) a long URL in RDF data, as
demonstrated by a URL in an rdf:resource field in an RDF XML
document, which triggers overflows in many functions in
lib/rdfparse.c.

The updated packages have been patched to correct this
issue.

Update:

Packages are now available for Mandriva Linux 2007.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4197


Updated Packages:

Mandriva Linux 2007.0:
73a88b181ad4f3f3dbfc68c2b66b3ed8  2007.0/i586/libmusicbrainz4-2.1.3-1.1mdv2007.0.i586.rpm
3cba7290aac1c3f04f0e77e96f791a1f  2007.0/i586/libmusicbrainz4-devel-2.1.3-1.1mdv2007.0.i586.rpm
4ec74f67c8d272f163c7f1be738a7da7  2007.0/i586/python-musicbrainz-2.1.3-1.1mdv2007.0.i586.rpm
afa5cb48e3700cade99e436ed34c0949  2007.0/SRPMS/musicbrainz-2.1.3-1.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
db2a146cdfe148918466821ebf4b91df  2007.0/x86_64/lib64musicbrainz4-2.1.3-1.1mdv2007.0.x86_64.rpm
e0fc3bd55e63e77ead8c163aa3c8ca50  2007.0/x86_64/lib64musicbrainz4-devel-2.1.3-1.1mdv2007.0.x86_64.rpm
e85b97f1b561d7699cf918e005b0f7a0  2007.0/x86_64/python-musicbrainz-2.1.3-1.1mdv2007.0.x86_64.rpm
afa5cb48e3700cade99e436ed34c0949  2007.0/SRPMS/musicbrainz-2.1.3-1.1mdv2007.0.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:170-1
http://www.mandriva.com/security/


Package : webmin
Date : September 27, 2006
Affected: 2007.0


Problem Description:

Webmin before 1.296 and Usermin before 1.226 do not properly
handle a URL with a null ("%00") character, which allows remote
attackers to conduct cross-site scripting (XSS), read CGI program
source code, list directories, and possibly execute programs.

Updated packages have been patched to correct this issue.

Update:

Packages are now available for Mandriva Linux 2007.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4542


Updated Packages:

Mandriva Linux 2007.0:
e47e91c741de0fa6fabb1653784c0400  2007.0/i586/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e  2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
e6042ec6b4e74f560e9a05f8b05fafd5  2007.0/x86_64/webmin-1.290-4.1mdv2007.0.noarch.rpm
5796c775e71e3aef04bd6fd356ea049e  2007.0/SRPMS/webmin-1.290-4.1mdv2007.0.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:171
http://www.mandriva.com/security/


Package : openldap
Date : September 28, 2006
Affected: 2006.0


Problem Description:

slapd in OpenLDAP before 2.3.25 allows remote authenticated
users with selfwrite Access Control List (ACL) privileges to modify
arbitrary Distinguished Names (DN).

Packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4600


Updated Packages:

Mandriva Linux 2006.0:
c706d14413946af2519c7c6d94a01abf  2006.0/i586/libldap2.3_0-2.3.6-4.2.20060mdk.i586.rpm
3965f77fd18143cfc633c1c99df5bf1a  2006.0/i586/libldap2.3_0-devel-2.3.6-4.2.20060mdk.i586.rpm
113f7420a055bd5ca3a96831a9cc9278  2006.0/i586/libldap2.3_0-static-devel-2.3.6-4.2.20060mdk.i586.rpm
5f5faaba51ab019a3c9f63f2f8a8f744  2006.0/i586/openldap-2.3.6-4.2.20060mdk.i586.rpm
2ad7ac18504abec70360d98eb16ee6c7  2006.0/i586/openldap-clients-2.3.6-4.2.20060mdk.i586.rpm
627931509c00600752d92f8aaa05f885  2006.0/i586/openldap-doc-2.3.6-4.2.20060mdk.i586.rpm
294b5514bfcedbcffb4bf5f9836049d6  2006.0/i586/openldap-servers-2.3.6-4.2.20060mdk.i586.rpm
52f284965fe7f122a7bcf096a047bcbc  2006.0/SRPMS/openldap-2.3.6-4.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
f4edce61b93bf08c449a1b5a4daa7a43  2006.0/x86_64/lib64ldap2.3_0-2.3.6-4.2.20060mdk.x86_64.rpm
b3c6032b3e9158f6a18fd6bd80fe0622  2006.0/x86_64/lib64ldap2.3_0-devel-2.3.6-4.2.20060mdk.x86_64.rpm
8e9d02346e203604002b2412629b91d8  2006.0/x86_64/lib64ldap2.3_0-static-devel-2.3.6-4.2.20060mdk.x86_64.rpm
c706d14413946af2519c7c6d94a01abf  2006.0/x86_64/libldap2.3_0-2.3.6-4.2.20060mdk.i586.rpm
3965f77fd18143cfc633c1c99df5bf1a  2006.0/x86_64/libldap2.3_0-devel-2.3.6-4.2.20060mdk.i586.rpm
113f7420a055bd5ca3a96831a9cc9278  2006.0/x86_64/libldap2.3_0-static-devel-2.3.6-4.2.20060mdk.i586.rpm
60f55f26379d16ebe85f91fb7a003e6f  2006.0/x86_64/openldap-2.3.6-4.2.20060mdk.x86_64.rpm
cb4b4754e31b2a719fc12d560756bda7  2006.0/x86_64/openldap-clients-2.3.6-4.2.20060mdk.x86_64.rpm
0e91c088d674caf27ac83608d634e266  2006.0/x86_64/openldap-doc-2.3.6-4.2.20060mdk.x86_64.rpm
ef405896401993b3fc7a866deaccfb02  2006.0/x86_64/openldap-servers-2.3.6-4.2.20060mdk.x86_64.rpm
52f284965fe7f122a7bcf096a047bcbc  2006.0/SRPMS/openldap-2.3.6-4.2.20060mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:172
http://www.mandriva.com/security/


Package : openssl
Date : September 28, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0


Problem Description:

Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk). When the test
suite was run against OpenSSL two denial of service vulnerabilities
were discovered.

During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)

Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack. (CVE-2006-2940)

Tavis Ormandy and Will Drewry of the Google Security Team
discovered a buffer overflow in the SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql. An
attacker could send a list of ciphers that would overrun a buffer.
(CVE-2006-3738)

Tavis Ormandy and Will Drewry of the Google Security Team
discovered a possible DoS in the SSLv2 client code. Where a client
application uses OpenSSL to make an SSLv2 connection to a malicious
server, that server could cause the client to crash.
(CVE-2006-4343)

Updated packages are patched to address these issues.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343


Updated Packages:

Mandriva Linux 2006.0:
17e2d82c3f6c0afbf48eccbfbcc17b55  2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm
8c3f89e1900f069d4a4ad3162a9f7d78  2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm
3a68c653ba0339ba99162459385c72e2  2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm
8291bde3bd9aa95533aabc07280203b8  2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm
52b3fbfc1389bcd73e406d6ff741e9dc  2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
b2ce6e6bb7e3114663d3a074d0cc7da5  2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm
f7c8dbc2eda0c90547d43661454d1068  2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm
7c9ebd9f9179f4e93627dcf0f3442335  2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm
17e2d82c3f6c0afbf48eccbfbcc17b55  2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm
8c3f89e1900f069d4a4ad3162a9f7d78  2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm
3a68c653ba0339ba99162459385c72e2  2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm
6ce5832a59b8b67425cb7026ea9dc876  2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm
52b3fbfc1389bcd73e406d6ff741e9dc  2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm

Mandriva Linux 2007.0:
1bfeff47c8d2f6c020c459881be68207  2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm
1e1a4db54ddfaedb08a6d847422099ff  2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm
59c80405f33b2e61ffd3cef025635e21  2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm
3a6657970a2e7661bd869d221a69c8da  2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm
aad29e57ddceb66105af5d6434de9a62  2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
af679c647d97214244a8423dc1a766b7  2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm
d7b1ed07df4115b3bcc3907e00d25a89  2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm
5bd3ece2c0ec7a3201c29fa84e25a75a  2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm
9b028020dba009eddbf06eeb8607b87f  2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm
aad29e57ddceb66105af5d6434de9a62  2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm

Corporate 3.0:
c99ea58f6f4959a4c36398cc6b2b4ee2  corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm
98a925c5ba2ecc9d704b1e730035755e  corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm
151493a50693e3b9cc67bfafadb9ce42  corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm
82b4709bdbb9128746887013a724356a  corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm
a5bdbe6afa52005a734dc18aa951677d  corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm

Corporate 3.0/X86_64:
01a922d80d6fc9d1b36dde15ee27747e  corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm
30268f0b70862d1f5998694ac8b4addc  corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm
e0388ff1efa34ea55d033e95b4e9bb63  corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm
c99ea58f6f4959a4c36398cc6b2b4ee2  corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm
83759622f0cc8ea9c0f6d32671283354  corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm
a5bdbe6afa52005a734dc18aa951677d  corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm

Corporate 4.0:
6d71d2358738be9967b2dfe19d3642f1  corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm
22890554d3096ce596eeec7393ee3fcf  corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
679fe740859fa35b2bb77b19c4a0e787  corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
d8477333b67ec3a36ba46c50e6183993  corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm
b65dbbd9fb3d74d302478640476a2cd2  corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
746e5e916d1e05379373138a5db20923  corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm
a2b1d750075a32fe8badbdf1f7febafe  corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm
47c464cf890a004f772c1db3e839fa12  corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm
6d71d2358738be9967b2dfe19d3642f1  corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm
22890554d3096ce596eeec7393ee3fcf  corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
679fe740859fa35b2bb77b19c4a0e787  corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
1030a6124a9fa4fd5a41bdff077301bf  corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm
b65dbbd9fb3d74d302478640476a2cd2  corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
19055eda58e1f75814e594ce7709a710  mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm
abfe548617969f619aec5b0e807f1f67  mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm
92e7515c9125367a79fdb490f5b39cd4  mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm
847eecb1d07e4cab3d1de1452103c3a0  mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm
b6b67fa82d7119cde7ab7816aed17059  mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>


Mandriva Linux Security Advisory MDKSA-2006:173
http://www.mandriva.com/security/


Package : ffmpeg
Date : September 28, 2006
Affected: 2006.0, Corporate 3.0, Corporate 4.0


Problem Description:

Multiple buffer overflows in libavcodec in ffmpeg before
0.4.9_p20060530 allow remote attackers to cause a denial of service
or possibly execute arbitrary code via multiple unspecified vectors
in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5)
smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c,
(10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE:
it is likely that this is a different vulnerability than
CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2006:174
http://www.mandriva.com/security/


Package : gstreamer-ffmpeg
Date : September 28, 2006
Affected: 2006.0, 2007.0


Problem Description:

Gstreamer-ffmpeg uses an embedded copy of ffmpeg and as such has
been updated to address the following issue: Multiple buffer
overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow
remote attackers to cause a denial of service or possibly execute
arbitrary code via multiple unspecified vectors in (1) dtsdec.c,
(2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c,
(7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c,
(12) snow.c, and (13) tta.c. NOTE: it is likely that this is a
different vulnerability than CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:





Mandriva Linux Security Advisory MDKSA-2006:175
http://www.mandriva.com/security/


Package : mplayer
Date : September 28, 2006
Affected: 2006.0, Corporate 3.0


Problem Description:

Mplayer uses an embedded copy of ffmpeg and as such has been
updated to address the following issue: Multiple buffer overflows
in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote
attackers to cause a denial of service or possibly execute
arbitrary code via multiple unspecified vectors in (1) dtsdec.c,
(2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c,
(7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c,
(12) snow.c, and (13) tta.c. NOTE: it is likely that this is a
different vulnerability than CVE-2005-4048 and CVE-2006-2802.

Updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4800


Updated Packages:

