---

Mandrake Linux Advisories: cvs, screen


Mandrake Linux Security Update Advisory


Package name: cvs
Advisory ID: MDKSA-2003:112
Date: December 8th, 2003
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1

Problem Description:

A vulnerability was discovered in the CVS server < 1.11.10
where a malformed module request could cause the CVS server to
attempt to create directories and possibly files at the root of the
filesystem holding the CVS repository.

Updated packages are available that fix the vulnerability by
providing CVS 1.11.10 on all supported distributions.


References:


http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1


Updated Packages:

Corporate Server 2.1:
3df2e61371a43ace630867b785bdd2c8
corporate/2.1/RPMS/cvs-1.11.10-0.1.C21mdk.i586.rpm
60da7875867b5162d6289124e20f56f3
corporate/2.1/SRPMS/cvs-1.11.10-0.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
2a052c43d454d6b5839c45106ebd78c6
x86_64/corporate/2.1/RPMS/cvs-1.11.10-0.1.C21mdk.x86_64.rpm
60da7875867b5162d6289124e20f56f3
x86_64/corporate/2.1/SRPMS/cvs-1.11.10-0.1.C21mdk.src.rpm

Mandrake Linux 9.0:
5806c1f58d1a4b50071c4e8eabf8ca70
9.0/RPMS/cvs-1.11.10-0.1.90mdk.i586.rpm
34d0619fb9a4b33bc267077ec53c4325
9.0/SRPMS/cvs-1.11.10-0.1.90mdk.src.rpm

Mandrake Linux 9.1:
09a0e4a98785f7c280721f8da9464d56
9.1/RPMS/cvs-1.11.10-0.1.91mdk.i586.rpm
bdc1ec67c325d52513e363a65d4966f4
9.1/SRPMS/cvs-1.11.10-0.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
a98001e93bb247876fb43da2b605bec6
ppc/9.1/RPMS/cvs-1.11.10-0.1.91mdk.ppc.rpm
bdc1ec67c325d52513e363a65d4966f4
ppc/9.1/SRPMS/cvs-1.11.10-0.1.91mdk.src.rpm

Mandrake Linux 9.2:
449dd893fe2f4be99720e6429291bcd9
9.2/RPMS/cvs-1.11.10-0.1.92mdk.i586.rpm
65182f4e05d59d8fc849e638b938cf25
9.2/SRPMS/cvs-1.11.10-0.1.92mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:

gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98

Please be aware that sometimes it takes the mirrors a few hours
to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security
linux-mandrake.com>

Mandrake Linux Security Update Advisory


Package name: screen
Advisory ID: MDKSA-2003:113
Date: December 8th, 2003
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall
8.2

Problem Description:

A vulnerability was discovered and fixed in screen by Timo
Sirainen who found an exploitable buffer overflow that allowed
privilege escalation. This vulnerability also has the potential to
allow attackers to gain control of another user’s screen session.
The ability to exploit is not trivial and requires approximately
2GB of data to be transferred in order to do so.

Updated packages are available that fix the vulnerability.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0972


http://marc.theaimsgroup.com/?l=bugtraq&m=106995837813873&w=2


Updated Packages:

Corporate Server 2.1:
757d420f6d823e26a487eff794490bbe
corporate/2.1/RPMS/screen-3.9.11-4.1.C21mdk.i586.rpm
54336329e042b03ebca3c00ca0a1f0c3
corporate/2.1/SRPMS/screen-3.9.11-4.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
bf60dabe82228d7f879c1fa232df2e20
x86_64/corporate/2.1/RPMS/screen-3.9.11-4.1.C21mdk.x86_64.rpm
54336329e042b03ebca3c00ca0a1f0c3
x86_64/corporate/2.1/SRPMS/screen-3.9.11-4.1.C21mdk.src.rpm

Mandrake Linux 9.0:
2ed29228596116d87146cb2f1eb75ad3
9.0/RPMS/screen-3.9.11-4.1.90mdk.i586.rpm
db59e945ca7dabc7d81df3388566feb9
9.0/SRPMS/screen-3.9.11-4.1.90mdk.src.rpm

Mandrake Linux 9.1:
4d1ce0bb5f0b8335b9f3da4520280fdb
9.1/RPMS/screen-3.9.13-2.1.91mdk.i586.rpm
025da8fcc964f065afb0c51d2716d472
9.1/SRPMS/screen-3.9.13-2.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
b8570b8b63461c8f444dcdbe2c4f6e99
ppc/9.1/RPMS/screen-3.9.13-2.1.91mdk.ppc.rpm
025da8fcc964f065afb0c51d2716d472
ppc/9.1/SRPMS/screen-3.9.13-2.1.91mdk.src.rpm

Mandrake Linux 9.2:
656ca2f3bf4796052972997c214d7909
9.2/RPMS/screen-3.9.15-2.1.92mdk.i586.rpm
4d078d5d3b28c417a51e3a8bfe622f45
9.2/SRPMS/screen-3.9.15-2.1.92mdk.src.rpm

Multi Network Firewall 8.2:
c4b0b5a690692dac14eaeb8590fe2d8f
mnf8.2/RPMS/screen-3.9.11-4.1.M82mdk.i586.rpm
9a363746316958e58a843f4d838b0cf0
mnf8.2/SRPMS/screen-3.9.11-4.1.M82mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:

gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98

Please be aware that sometimes it takes the mirrors a few hours
to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security
linux-mandrake.com>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis