Mandrake Linux Security Update Advisory
| Package name: | ethereal |
| Advisory ID: | MDKSA-2003:067 |
| Date: | June 16th, 2003 |
| Affected versions: | 9.1 |
Problem Description:
Several vulnerabilities in ethereal were discovered by Timo
Sirainen. Integer overflows were found in the Mount and PPP
dissectors, as well as one-byte buffer overflows in the AIM, GIOP
Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and
TSP dissectors. These vulnerabilties were corrected in ethereal
0.9.12.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0357
http://www.ethereal.com/appnotes/enpa-sa-00009.html
Updated Packages:
Mandrake Linux 9.1:
d039c495347d612fce4685ee3bec4d87
9.1/RPMS/ethereal-0.9.12-1.2mdk.i586.rpm
5873c050db02b2bf0f914299553d059b
9.1/SRPMS/ethereal-0.9.12-1.2mdk.src.rpm
Mandrake Linux 9.1/PPC:
87bf6388f0299a419726362742499be7
ppc/9.1/RPMS/ethereal-0.9.12-1.2mdk.ppc.rpm
5873c050db02b2bf0f914299553d059b
ppc/9.1/SRPMS/ethereal-0.9.12-1.2mdk.src.rpm
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate. The verification
of md5 checksums and GPG signatures is performed automatically for
you.
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and upgrade with “rpm -Fvh
*.rpm”. A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
command:
rpm –checksig <filename>
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team
from:
https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
| Type | Bits/KeyID | Date | User ID |
| pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>
Mandrake Linux Security Update Advisory
| Package name: | gzip |
| Advisory ID: | MDKSA-2003:068 |
| Date: | June 16th, 2003 |
| Affected versions: | 8.2, 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2 |
Problem Description:
A vulnerability exists in znew, a script included with gzip,
that would create temporary files without taking precautions to
avoid a symlink attack. Patches have been applied to make use of
mktemp to generate unique filenames, and properly make use of
noclobber in the script. Likewise, a fix for gzexe which had been
applied previously was incomplete. It has been fixed to make full
use of mktemp everywhere a temporary file is created.
The znew problem was initially reported by Michal Zalewski and
was again reported more recently to Debian by Paul Szabo.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0367
http://marc.theaimsgroup.com/?l=bugtraq&m=88998519803911&w=2
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193375
Updated Packages:
Corporate Server 2.1:
3e7bff9e74dfacdb5708fdf60b8f18c6
corporate/2.1/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc
corporate/2.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Mandrake Linux 8.2:
e114d1ff62fe8456d945a11d91362855
8.2/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc
8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Mandrake Linux 8.2/PPC:
0d290a3f2a22396bcc5a6fc7c77aaeaa
ppc/8.2/RPMS/gzip-1.2.4a-11.2mdk.ppc.rpm
ddf940b835e0718d80840694b65067bc
ppc/8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Mandrake Linux 9.0:
3e7bff9e74dfacdb5708fdf60b8f18c6
9.0/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc
9.0/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Mandrake Linux 9.1:
fe732815834057c64e3c4e311ee9462d
9.1/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc
9.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Mandrake Linux 9.1/PPC:
c4947b2e7a4de6f2e72c038e953a402f
ppc/9.1/RPMS/gzip-1.2.4a-11.2mdk.ppc.rpm
ddf940b835e0718d80840694b65067bc
ppc/9.1/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Multi Network Firewall 8.2:
e114d1ff62fe8456d945a11d91362855
mnf8.2/RPMS/gzip-1.2.4a-11.2mdk.i586.rpm
ddf940b835e0718d80840694b65067bc
mnf8.2/SRPMS/gzip-1.2.4a-11.2mdk.src.rpm
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate. The verification
of md5 checksums and GPG signatures is performed automatically for
you.
If you want to upgrade manually, download the updated package
from one of our FTP server mirrors and upgrade with “rpm -Fvh
*.rpm”. A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the
integrity of the downloaded package. You can do this with the
command:
rpm –checksig <filename>
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team
from:
https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
| Type | Bits/KeyID | Date | User ID |
| pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>