Mandrake Linux Security Update Advisory
| Package name: | kdelibs |
| Advisory ID: | MDKSA-2003:079 |
| Date: | July 31st, 2003 |
| Affected versions: | 9.0, 9.1, Corporate Server 2.1 |
Problem Description:
A vulnerability in Konqueror was discovered where it could
inadvertently send authentication credentials to websites other
than the intended site in clear text via the HTTP-referer header
when authentication credentials are passed as part of a URL in the
form http://user:password@host/.
The provided packages have a patch that corrects this issue.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0459
http://www.kde.org/info/security/advisory-20030729-1.txt
Updated Packages:
Corporate Server 2.1:
b8bc8c31085b3953081b68e84563eafb
corporate/2.1/RPMS/kdelibs-3.0.5a-1.3mdk.i586.rpm
2c202cd237dd49f4f722c5566bd987cc
corporate/2.1/RPMS/kdelibs-devel-3.0.5a-1.3mdk.i586.rpm
fbdd8d3ee582d77450254a7e20c5edf5
corporate/2.1/SRPMS/kdelibs-3.0.5a-1.3mdk.src.rpm
Corporate Server 2.1/x86_64:
a57625bd5ba6e06c4bbd6c0a9a31338e
x86_64/corporate/2.1/RPMS/kdelibs-3.0.5-2.1mdk.x86_64.rpm
05c01ebdeed267aa9a45201880907fb9
x86_64/corporate/2.1/RPMS/kdelibs-devel-3.0.5-2.1mdk.x86_64.rpm
72279bba0e9901ddd8d17d7db35998ef
x86_64/corporate/2.1/SRPMS/kdelibs-3.0.5-2.1mdk.src.rpm
Mandrake Linux 9.0:
b8bc8c31085b3953081b68e84563eafb
9.0/RPMS/kdelibs-3.0.5a-1.3mdk.i586.rpm
2c202cd237dd49f4f722c5566bd987cc
9.0/RPMS/kdelibs-devel-3.0.5a-1.3mdk.i586.rpm
fbdd8d3ee582d77450254a7e20c5edf5
9.0/SRPMS/kdelibs-3.0.5a-1.3mdk.src.rpm
Mandrake Linux 9.1:
407505c85c575715048509488bcf9137
9.1/RPMS/kdelibs-3.1-58.2mdk.i586.rpm
52921509997a7688377a6000d00711b7
9.1/RPMS/kdelibs-common-3.1-58.2mdk.i586.rpm
3ab334a2170fe9bd8fc035327d0ff178
9.1/RPMS/kdelibs-devel-3.1-58.2mdk.i586.rpm
7c5f0501a362ac2c89e3ea8ef882990a
9.1/RPMS/kdelibs-static-devel-3.1-58.2mdk.i586.rpm
ee3757404d902cfe682f0da6e7fbebd0
9.1/SRPMS/kdelibs-3.1-58.2mdk.src.rpm
Mandrake Linux 9.1/PPC:
e7092f9cf6c55fc0a7008e04e01e6d2c
ppc/9.1/RPMS/kdelibs-3.1-58.2mdk.ppc.rpm
3db061e6d33b8f6c52450d81bfdd8350
ppc/9.1/RPMS/kdelibs-common-3.1-58.2mdk.ppc.rpm
310c9f897ec102364c4c3cdcd316489e
ppc/9.1/RPMS/kdelibs-devel-3.1-58.2mdk.ppc.rpm
759658ab119a0f16ea1d159e2e5a1f04
ppc/9.1/RPMS/kdelibs-static-devel-3.1-58.2mdk.ppc.rpm
ee3757404d902cfe682f0da6e7fbebd0
ppc/9.1/SRPMS/kdelibs-3.1-58.2mdk.src.rpm
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:
gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
| Type | Bits/KeyID | Date | User ID |
| pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>
Mandrake Linux Security Update Advisory
| Package name: | wu-ftpd |
| Advisory ID: | MDKSA-2003:080 |
| Date: | July 31st, 2003 |
| Affected versions: | 8.2 |
Problem Description:
A vulnerability was discovered by Janusz Niewiadomski and
Wojciech Purczynski in the wu-ftpd FTP server package. They found
an off-by one bug in the fb_realpath() function which could be used
by a remote attacker to obtain root privileges on the server. This
bug can only be successfully accomplished by using wu-ftpd binaries
compiled on Linux 2.0.x and later 2.4.x kernels because the 2.2.x
and earlier 2.4.x kernels define PATH_MAX to be 4095
characters.
wu-ftpd is no longer shipped with Mandrake Linux, however
Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you
are encouraged to upgrade to these patched packages.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466
Updated Packages:
Mandrake Linux 8.2:
77260fab82a32fd204e29160c11f1e30
8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.i586.rpm
3fd974bd1e718accf048e489dbd52d55
8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
Mandrake Linux 8.2/PPC:
283cf3a7797ca19c8e83ae22c0415fd5
ppc/8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.ppc.rpm
3fd974bd1e718accf048e489dbd52d55
ppc/8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):
To upgrade automatically, use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:
gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98
Please be aware that sometimes it takes the mirrors a few hours
to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
| Type | Bits/KeyID | Date | User ID |
| pub | 1024D/22458A98 | 2000-07-10 | Linux Mandrake Security Team |
<security linux-mandrake.com>