July 2005
Mandriva - Two Security Update Advisories
ID: 00603
Ref: 560/05
Date: 21 July 2005:12:14:44
Version: 1
Title: Mandriva - Two Security Update Advisories
Abstract: 1. Updated kdelibs packages fix vulnerability in kate and kwrite [MDKSA-2005:122], 2. Updated shorewall packages fix vulnerability [MDKSA-2005:123]
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva
Title
=====
Mandriva - Two Security Update Advisories:
1. Updated kdelibs packages fix vulnerability in kate and kwrite [MDKSA-2005:122]
2. Updated shorewall packages fix vulnerability [MDKSA-2005:123]
Detail
======
Security update advisory summaries:
1. The Kate and Kwrite programs create a file backup before saving a
modified file. These backup files are created with default system
permissions, even if the original file had more strict permissions
set.
2. A vulnerability was discovered in all versions of shorewall where a
client accepted by MAC address filtering is able to bypass any other
rule.
Security update advisory content follows:
1.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2005:122
Date: July 20th, 2005
Affected versions: 10.1, 10.2, Corporate 3.0
______________________________________________________________________
Problem Description:
The Kate and Kwrite programs create a file backup before saving a
modified file. These backup files are created with default system
permissions, even if the original file had more strict permissions
set.
The updated packages have been patched to address this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1920
http://www.kde.org/info/security/advisory-20050718-1.txt
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.1:
a0f1efe07bb5841847108cc0daf12217 10.1/RPMS/kdelibs-common-3.2.3-106.2.101mdk.i586.rpm
f7862670574e110f1f1c057e3469fc7a 10.1/RPMS/libkdecore4-3.2.3-106.2.101mdk.i586.rpm
237a0ae8464e3bfd53c92f5c0de55393 10.1/RPMS/libkdecore4-devel-3.2.3-106.2.101mdk.i586.rpm
e8a3cf31cbead94c2cae9b0354b8519b 10.1/SRPMS/kdelibs-3.2.3-106.2.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
58459812a658d852c9e687dc1f9b4330 x86_64/10.1/RPMS/kdelibs-common-3.2.3-106.2.101mdk.x86_64.rpm
5d6bfa6646edbc3ad2eca04ad9fdc327 x86_64/10.1/RPMS/lib64kdecore4-3.2.3-106.2.101mdk.x86_64.rpm
504c65d12c4688b4cd37309e6d989062 x86_64/10.1/RPMS/lib64kdecore4-devel-3.2.3-106.2.101mdk.x86_64.rpm
f7862670574e110f1f1c057e3469fc7a x86_64/10.1/RPMS/libkdecore4-3.2.3-106.2.101mdk.i586.rpm
237a0ae8464e3bfd53c92f5c0de55393 x86_64/10.1/RPMS/libkdecore4-devel-3.2.3-106.2.101mdk.i586.rpm
e8a3cf31cbead94c2cae9b0354b8519b x86_64/10.1/SRPMS/kdelibs-3.2.3-106.2.101mdk.src.rpm
Mandrakelinux 10.2:
b87de63cf909821c607ad96a9fe4d214 10.2/RPMS/kdelibs-common-3.3.2-124.2.102mdk.i586.rpm
afd0981056261c82daf24cd8225b12d6 10.2/RPMS/libkdecore4-3.3.2-124.2.102mdk.i586.rpm
8102a00c4778222972484fa92a3f125e 10.2/RPMS/libkdecore4-devel-3.3.2-124.2.102mdk.i586.rpm
0574a1270ad44837e35afb7c15f7d1c0 10.2/SRPMS/kdelibs-3.3.2-124.2.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
4d55b8d9aa6108bc94a8d1151136d01d x86_64/10.2/RPMS/kdelibs-common-3.3.2-124.2.102mdk.x86_64.rpm
0576c9fe5bc43927f3cea421e7d2301a x86_64/10.2/RPMS/lib64kdecore4-3.3.2-124.2.102mdk.x86_64.rpm
c65120ab7eaab75027d8e39e0f434b65 x86_64/10.2/RPMS/lib64kdecore4-devel-3.3.2-124.2.102mdk.x86_64.rpm
afd0981056261c82daf24cd8225b12d6 x86_64/10.2/RPMS/libkdecore4-3.3.2-124.2.102mdk.i586.rpm
8102a00c4778222972484fa92a3f125e x86_64/10.2/RPMS/libkdecore4-devel-3.3.2-124.2.102mdk.i586.rpm
0574a1270ad44837e35afb7c15f7d1c0 x86_64/10.2/SRPMS/kdelibs-3.3.2-124.2.102mdk.src.rpm
Corporate 3.0:
e45c3989a48dc0ec233aab73bbeeb8b0 corporate/3.0/RPMS/kdelibs-common-3.2-36.14.C30mdk.i586.rpm
c0b72328b43a17d765554c1dddaa7602 corporate/3.0/RPMS/libkdecore4-3.2-36.14.C30mdk.i586.rpm
8f53a7b7cfd1ffd2d16e47f54a8b21e9 corporate/3.0/RPMS/libkdecore4-devel-3.2-36.14.C30mdk.i586.rpm
def69e2c45825276eceae1ad9a3e34cd corporate/3.0/SRPMS/kdelibs-3.2-36.14.C30mdk.src.rpm
Corporate 3.0/X86_64:
5d7c3a0ee26395542ce0560c29c9872d x86_64/corporate/3.0/RPMS/kdelibs-common-3.2-36.14.C30mdk.x86_64.rpm
b37a1651ba33fdb2bb6e8bbd1c15b0be x86_64/corporate/3.0/RPMS/lib64kdecore4-3.2-36.14.C30mdk.x86_64.rpm
32cee9a6d31ff7e57ebad83ab3c292ef x86_64/corporate/3.0/RPMS/lib64kdecore4-devel-3.2-36.14.C30mdk.x86_64.rpm
c0b72328b43a17d765554c1dddaa7602 x86_64/corporate/3.0/RPMS/libkdecore4-3.2-36.14.C30mdk.i586.rpm
def69e2c45825276eceae1ad9a3e34cd x86_64/corporate/3.0/SRPMS/kdelibs-3.2-36.14.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC3t51mqjQ0CJFipgRAi2yAKDrp/EUhavta8Of1140P5zGlKkSEACcDOkS
TtUwKi4VR4Mkht/DA3ZN6io=
=eM7a
-----END PGP SIGNATURE-----
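An added check for the condition MDKSA-2005:122 describes (example code, not part of the advisory): it lists backup files that are more permissive than their originals and can clamp them to the original's mode. It assumes backups are named `<file>~` and that GNU `stat` is available; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumptions: backups are named
# "<file>~", GNU stat is available, file names contain no newlines.

# Print "<backup_mode> <original_mode> <backup>" for every backup under
# directory $1 whose mode grants bits that the original file does not.
find_loose_backups() {
    find "$1" -type f -name '*~' | while IFS= read -r bak; do
        orig=${bak%"~"}
        [ -f "$orig" ] || continue          # no original left to compare with
        bmode=$(stat -c '%a' "$bak")
        omode=$(stat -c '%a' "$orig")
        # Octal arithmetic: bits set on the backup but absent on the original.
        extra=$(( 0$bmode & ~0$omode & 07777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s %s %s\n' "$bmode" "$omode" "$bak"
        fi
    done
}

# Clamp each loose backup to the bits it shares with its original, so the
# backup is never more permissive and no permission is ever added.
tighten_loose_backups() {
    find_loose_backups "$1" | while read -r bmode omode bak; do
        chmod "$(printf '%o' $(( 0$bmode & 0$omode )))" "$bak"
    done
}
```

Run `find_loose_backups "$HOME"` to review findings before calling `tighten_loose_backups` on the same directory.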
2.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: shorewall
Advisory ID: MDKSA-2005:123
Date: July 20th, 2005
Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
______________________________________________________________________
Problem Description:
A vulnerability was discovered in all versions of shorewall where a
client accepted by MAC address filtering is able to bypass any other
rule. If MACLIST_TTL is set to a value greater than 0 or
MACLIST_DISPOSITION is set to ACCEPT in shorewall.conf, and a client
is positively identified through its MAC address, it bypasses all other
policies and rules in place, gaining access to all open services on the
firewall.
Shorewall 2.0.17 is provided which fixes this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2317
http://shorewall.net/News.htm#20050717
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
c79cc264cd137ff9b43453ad118f86d8 10.0/RPMS/shorewall-2.0.17-1.1.100mdk.noarch.rpm
2dc01e35a2f4e9c06978b89a0c500fd7 10.0/RPMS/shorewall-doc-2.0.17-1.1.100mdk.noarch.rpm
ecbadb7b380e1fe28446e42459f8f866 10.0/SRPMS/shorewall-2.0.17-1.1.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
382209c91385b210f98af3757eb57ca0 amd64/10.0/RPMS/shorewall-2.0.17-1.1.100mdk.noarch.rpm
867db86742b343bfe793d90e5ca3bb25 amd64/10.0/RPMS/shorewall-doc-2.0.17-1.1.100mdk.noarch.rpm
ecbadb7b380e1fe28446e42459f8f866 amd64/10.0/SRPMS/shorewall-2.0.17-1.1.100mdk.src.rpm
Mandrakelinux 10.1:
52c9528635ecb77dd2926ff034e3da49 10.1/RPMS/shorewall-2.0.17-1.1.101mdk.noarch.rpm
2bd3af575e109773eb9e4a22b961f14f 10.1/RPMS/shorewall-doc-2.0.17-1.1.101mdk.noarch.rpm
af84aa6c42f562ba53663d9ba5d103d5 10.1/SRPMS/shorewall-2.0.17-1.1.101mdk.src.rpm
Mandrakelinux 10.1/X86_64:
ffe670f9812013f46f7c7ac3c62e7457 x86_64/10.1/RPMS/shorewall-2.0.17-1.1.101mdk.noarch.rpm
26871efc7e8d853d033f02258f849d95 x86_64/10.1/RPMS/shorewall-doc-2.0.17-1.1.101mdk.noarch.rpm
af84aa6c42f562ba53663d9ba5d103d5 x86_64/10.1/SRPMS/shorewall-2.0.17-1.1.101mdk.src.rpm
Mandrakelinux 10.2:
68358bdb82da0346d962639b8e34bd3b 10.2/RPMS/shorewall-2.0.17-1.1.102mdk.noarch.rpm
82cc68acf5f6433a376cd655af383bf5 10.2/RPMS/shorewall-doc-2.0.17-1.1.102mdk.noarch.rpm
616436e7fee5da63d8a23e690c6f4592 10.2/SRPMS/shorewall-2.0.17-1.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
8491649c643b10489a66c00a16e4bbd7 x86_64/10.2/RPMS/shorewall-2.0.17-1.1.102mdk.noarch.rpm
e4c204d6c6d1a8c24ecdf2bdb5a41e56 x86_64/10.2/RPMS/shorewall-doc-2.0.17-1.1.102mdk.noarch.rpm
616436e7fee5da63d8a23e690c6f4592 x86_64/10.2/SRPMS/shorewall-2.0.17-1.1.102mdk.src.rpm
Multi Network Firewall 2.0:
27d2a34beb323bc074793ce1c040c26a mnf/2.0/RPMS/shorewall-2.0.17-1.1.M20mdk.noarch.rpm
6c5984b6bbe0cc07e368a197abfa6a12 mnf/2.0/RPMS/shorewall-doc-2.0.17-1.1.M20mdk.noarch.rpm
1dad701e2f3ef45a082dbca1662af127 mnf/2.0/SRPMS/shorewall-2.0.17-1.1.M20mdk.src.rpm
Corporate 3.0:
d40a41fe04b08d36e56c77586d19f5f0 corporate/3.0/RPMS/shorewall-2.0.17-1.1.C30mdk.noarch.rpm
dea5d0cd79767a5275ab60540b8e1958 corporate/3.0/RPMS/shorewall-doc-2.0.17-1.1.C30mdk.noarch.rpm
60fa0503a50cc1e13e624e1f4b8d0504 corporate/3.0/SRPMS/shorewall-2.0.17-1.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
f851108f517370ff74b13a7837728257 x86_64/corporate/3.0/RPMS/shorewall-2.0.17-1.1.C30mdk.noarch.rpm
611704186851b67d28cdf27c8995d90d x86_64/corporate/3.0/RPMS/shorewall-doc-2.0.17-1.1.C30mdk.noarch.rpm
60fa0503a50cc1e13e624e1f4b8d0504 x86_64/corporate/3.0/SRPMS/shorewall-2.0.17-1.1.C30mdk.src.rpm
_______________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC3t9qmqjQ0CJFipgRAndUAJ9oJdbHk6wMaEGm2//UrVU4Wj2ukACeOMdS
Go9oDYSyAbUKX9CRB/BMkzI=
=jKjn
-----END PGP SIGNATURE-----
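An added configuration check for the two conditions MDKSA-2005:123 names, MACLIST_TTL greater than 0 or MACLIST_DISPOSITION set to ACCEPT (example code, not part of the advisory or of shorewall). It assumes shorewall.conf holds plain KEY=value lines; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. The file is parsed as text and
# never sourced, so nothing inside it is executed.

# Print the last uncommented value assigned to KEY ($1) in FILE ($2),
# with surrounding quotes and any trailing comment removed.
conf_value() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" |
        tail -n 1
}

# Print each setting that matches the advisory's conditions.
# Returns 0 if at least one matched, 1 otherwise.
maclist_exposed() {
    ttl=$(conf_value MACLIST_TTL "$1")
    disp=$(conf_value MACLIST_DISPOSITION "$1")
    hit=1
    case $ttl in
        ''|*[!0-9]*) ;;                 # unset, empty or non-numeric
        *)  if [ "$ttl" -gt 0 ]; then
                echo "MACLIST_TTL=$ttl"
                hit=0
            fi ;;
    esac
    if [ "$disp" = ACCEPT ]; then
        echo "MACLIST_DISPOSITION=ACCEPT"
        hit=0
    fi
    return $hit
}

# Constructed sample, not a real configuration. Try it with:
#   sample_conf > /tmp/sample.conf && maclist_exposed /tmp/sample.conf
sample_conf() {
    cat <<'EOF'
# MAC verification settings
MACLIST_DISPOSITION=REJECT
#MACLIST_TTL=60
MACLIST_TTL="30"   # cache positive matches for 30 seconds
EOF
}
```

A match on a host running a shorewall release older than the fixed 2.0.17 packages means the MAC-accepted clients described in the advisory are not subject to the other rules.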