Search:

September 2005

Mandriva - Four Security Update Advisories

ID: 00815
Ref: 759/05
Date: 21 September 2005:14:18:37
Version: 1

Title: Mandriva - Four Security Update Advisories
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva

Title
=====

Mandriva - Four Security Update Advisories:
1. Updated cups packages fix vulnerability [MDKSA-2005:165]
2. Updated clamav packages fix vulnerabilities [MDKSA-2005:166]
3. Updated util-linux packages fix umount vulnerability [MDKSA-2005:167]
4. Updated masqmail packages fix vulnerabilities [MDKSA-2005:168]

Detail
======

Security update advisory summaries:

1. A vulnerability in CUPS would treat a Location directive in cupsd.conf
as case-sensitive, allowing attackers to bypass intended ACLs via a
printer name containing uppercase or lowercase letters that are
different from that which was specified in the Location directive.
This issue only affects versions of CUPS prior to 1.1.21rc1.

2. A vulnerability was discovered in ClamAV versions prior to 0.87. A
buffer overflow could occur when processing malformed UPX-packed
executables. As well, it could be sent into an infinite loop when
processing specially-crafted FSG-packed executables.

3. David Watson discovered that the umount utility, when using the "-r"
command, could remove some restrictive mount options such as "nosuid".
IF /etc/fstab contained user-mountable removable devices that specified
nosuid, a local attacker could exploit this flaw to execute arbitrary
programs with root privileges by calling "umount -r" on a removable
device.

4. Jens Steube discovered two vulnerabilities in masqmail.

Security update advisory content follows:

1.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: cups
Advisory ID: MDKSA-2005:165
Date: September 15th, 2005

Affected versions: 10.0, Corporate 3.0, Corporate Server 2.1
______________________________________________________________________

Problem Description:

A vulnerability in CUPS would treat a Location directive in cupsd.conf
as case-sensitive, allowing attackers to bypass intended ACLs via a
printer name containing uppercase or lowecase letters that are
different from that which was specified in the Location directive.
This issue only affects versions of CUPS prior to 1.1.21rc1.

The updated packages have been patched to correct this problem.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2154
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
57949999ec0803d9b3950ae663371c2e 10.0/RPMS/cups-1.1.20-5.9.100mdk.i586.rpm
ce7f1071f6c62590a1b6871ab9b17816 10.0/RPMS/cups-common-1.1.20-5.9.100mdk.i586.rpm
f8271f099e17e7fc2a8b8d3707fe4611 10.0/RPMS/cups-serial-1.1.20-5.9.100mdk.i586.rpm
8d0e92e091f01dbfa43c80abc1e5521b 10.0/RPMS/libcups2-1.1.20-5.9.100mdk.i586.rpm
4b7e237ef3ba38546873231937eeaf14 10.0/RPMS/libcups2-devel-1.1.20-5.9.100mdk.i586.rpm
02f0085442de9f53ed52c53372921c54 10.0/SRPMS/cups-1.1.20-5.9.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
c741e915ab4478906c4c0c9975a28199 amd64/10.0/RPMS/cups-1.1.20-5.9.100mdk.amd64.rpm
844f1025e5689bfa1270b46b18092604 amd64/10.0/RPMS/cups-common-1.1.20-5.9.100mdk.amd64.rpm
519d6d527ff35b8589c22a77d01bb89c amd64/10.0/RPMS/cups-serial-1.1.20-5.9.100mdk.amd64.rpm
1409f88c2e6c6b64d2bc98054ba88c56 amd64/10.0/RPMS/lib64cups2-1.1.20-5.9.100mdk.amd64.rpm
49478b1e66b17ed734036f0699a73ace amd64/10.0/RPMS/lib64cups2-devel-1.1.20-5.9.100mdk.amd64.rpm
8d0e92e091f01dbfa43c80abc1e5521b amd64/10.0/RPMS/libcups2-1.1.20-5.9.100mdk.i586.rpm
02f0085442de9f53ed52c53372921c54 amd64/10.0/SRPMS/cups-1.1.20-5.9.100mdk.src.rpm

Corporate Server 2.1:
b382582f3c83bab30c115774033543c6 corporate/2.1/RPMS/cups-1.1.18-2.11.C21mdk.i586.rpm
29c884dd71f8422db48e7d3831eeccb8 corporate/2.1/RPMS/cups-common-1.1.18-2.11.C21mdk.i586.rpm
22b2e3c9e34671ba4c84ec368c0219cb corporate/2.1/RPMS/cups-serial-1.1.18-2.11.C21mdk.i586.rpm
cdc9ca097da2cccf3c67cfe1a7e7d4ec corporate/2.1/RPMS/libcups1-1.1.18-2.11.C21mdk.i586.rpm
7e628218d90f639d24476cb635a64922 corporate/2.1/RPMS/libcups1-devel-1.1.18-2.11.C21mdk.i586.rpm
7be4ece8ab5cba50791771a9065c78ed corporate/2.1/SRPMS/cups-1.1.18-2.11.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
8ebafcbc57a13198165a79082be2a78d x86_64/corporate/2.1/RPMS/cups-1.1.18-2.11.C21mdk.x86_64.rpm
56d85e620b01894f34660eba96d9ee40 x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.11.C21mdk.x86_64.rpm
8a7fa44f47379d778a1657e5497c34b6 x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.11.C21mdk.x86_64.rpm
8e9b8d6c247e091bd8dc38e1733f9c2f x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.11.C21mdk.x86_64.rpm
45cfd7747e040cee340fec0edf37be0d x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.11.C21mdk.x86_64.rpm
7be4ece8ab5cba50791771a9065c78ed x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.11.C21mdk.src.rpm

Corporate 3.0:
c0c6fa6731a99d3941ff0a2538b83d2c corporate/3.0/RPMS/cups-1.1.20-5.9.C30mdk.i586.rpm
ad7e66e80f1336beeaef65678dcd06c1 corporate/3.0/RPMS/cups-common-1.1.20-5.9.C30mdk.i586.rpm
715af6b604429210810cb1fcb2d88b11 corporate/3.0/RPMS/cups-serial-1.1.20-5.9.C30mdk.i586.rpm
36d71921d656bb291dfd129d63a2519a corporate/3.0/RPMS/libcups2-1.1.20-5.9.C30mdk.i586.rpm
a06251d040e615159758b548ee5da785 corporate/3.0/RPMS/libcups2-devel-1.1.20-5.9.C30mdk.i586.rpm
7c02299537a6646f6664fc8253895d03 corporate/3.0/SRPMS/cups-1.1.20-5.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
7fd22a6928fcdce24fda3e8de71cf39a x86_64/corporate/3.0/RPMS/cups-1.1.20-5.9.C30mdk.x86_64.rpm
bb37ebd7097e663304baac02e394292a x86_64/corporate/3.0/RPMS/cups-common-1.1.20-5.9.C30mdk.x86_64.rpm
7c79a96dcbae50e6e0b27eb43fa249eb x86_64/corporate/3.0/RPMS/cups-serial-1.1.20-5.9.C30mdk.x86_64.rpm
d013b48caa5339b855ec33d19bdb21db x86_64/corporate/3.0/RPMS/lib64cups2-1.1.20-5.9.C30mdk.x86_64.rpm
10a98e8e62085460bec857e516b7c577 x86_64/corporate/3.0/RPMS/lib64cups2-devel-1.1.20-5.9.C30mdk.x86_64.rpm
36d71921d656bb291dfd129d63a2519a x86_64/corporate/3.0/RPMS/libcups2-1.1.20-5.9.C30mdk.i586.rpm
7c02299537a6646f6664fc8253895d03 x86_64/corporate/3.0/SRPMS/cups-1.1.20-5.9.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDMDt0mqjQ0CJFipgRAvtJAKC6udC6bEZqfHCT/noECHqUCQ8k/gCfV2jb
Cjs7UW5/MI0n/H3/xewhT58=
=A8ev
- -----END PGP SIGNATURE-----

2.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: clamav
Advisory ID: MDKSA-2005:166
Date: September 20th, 2005

Affected versions: 10.1, 10.2, Corporate 3.0
______________________________________________________________________

Problem Description:

A vulnerability was discovered in ClamAV versions prior to 0.87. A
buffer overflow could occure when processing malformed UPX-packed
executables. As well, it could be sent into an infinite loop when
processing specially-crafted FSG-packed executables.

ClamAV version 0.87 is provided with this update which isn't vulnerable
to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2920
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.1:
9f85320efe6a337ae46db08b53e0eaba 10.1/RPMS/clamav-0.87-0.1.101mdk.i586.rpm
083a4c5972e960c2a47e598c4626506b 10.1/RPMS/clamav-db-0.87-0.1.101mdk.i586.rpm
c3f10bb7176e61dcded0cee084fd2d24 10.1/RPMS/clamav-milter-0.87-0.1.101mdk.i586.rpm
990c343c993bf7bf44046e773faa9f84 10.1/RPMS/clamd-0.87-0.1.101mdk.i586.rpm
6c67cc650a9808ac1bd95fc7a1d4017a 10.1/RPMS/libclamav1-0.87-0.1.101mdk.i586.rpm
213a5145796b74cf65c983a482072455 10.1/RPMS/libclamav1-devel-0.87-0.1.101mdk.i586.rpm
2d75e236b21dbe8000a7c4b1be93217b 10.1/SRPMS/clamav-0.87-0.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
ef22edfa1aa4502f08000e050de5d36f x86_64/10.1/RPMS/clamav-0.87-0.1.101mdk.x86_64.rpm
e33da1b6f6bcd366801a5e80eeb7c723 x86_64/10.1/RPMS/clamav-db-0.87-0.1.101mdk.x86_64.rpm
04c621676e2832c400c0dda74a498d49 x86_64/10.1/RPMS/clamav-milter-0.87-0.1.101mdk.x86_64.rpm
da9cc77846812a4b34cb8250157d50b1 x86_64/10.1/RPMS/clamd-0.87-0.1.101mdk.x86_64.rpm
950f3adbe1fec12c9792f6c947b7cb76 x86_64/10.1/RPMS/lib64clamav1-0.87-0.1.101mdk.x86_64.rpm
6e53ad5c6d61a9ee3356d919b6589026 x86_64/10.1/RPMS/lib64clamav1-devel-0.87-0.1.101mdk.x86_64.rpm
2d75e236b21dbe8000a7c4b1be93217b x86_64/10.1/SRPMS/clamav-0.87-0.1.101mdk.src.rpm

Mandrakelinux 10.2:
bc2e4234b78790c9b0c5a5efcb15ba98 10.2/RPMS/clamav-0.87-0.1.102mdk.i586.rpm
0a99f74d25235e793a6fe05a56d79f7a 10.2/RPMS/clamav-db-0.87-0.1.102mdk.i586.rpm
b7d275ba651524cc4e3ce5cfacb842e3 10.2/RPMS/clamav-milter-0.87-0.1.102mdk.i586.rpm
c6862f992a927151d1c4c511cb874e0a 10.2/RPMS/clamd-0.87-0.1.102mdk.i586.rpm
303aeaa4d2a5de29f3cc5b0cdc539ab3 10.2/RPMS/libclamav1-0.87-0.1.102mdk.i586.rpm
bcef24beead553b0b7af6a0454365384 10.2/RPMS/libclamav1-devel-0.87-0.1.102mdk.i586.rpm
96e1ce9dffda8199bf1b583bc2d51e60 10.2/SRPMS/clamav-0.87-0.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
fc09b5328e536f426f6edaac04453ca2 x86_64/10.2/RPMS/clamav-0.87-0.1.102mdk.x86_64.rpm
f27bc62247ff84975019f8ed3d6ea5b1 x86_64/10.2/RPMS/clamav-db-0.87-0.1.102mdk.x86_64.rpm
c9fb726280f84da9dd32e30542c29fcd x86_64/10.2/RPMS/clamav-milter-0.87-0.1.102mdk.x86_64.rpm
193644891c29c2973931c01a56e68d60 x86_64/10.2/RPMS/clamd-0.87-0.1.102mdk.x86_64.rpm
9568649a618f654600d78b71027174c9 x86_64/10.2/RPMS/lib64clamav1-0.87-0.1.102mdk.x86_64.rpm
6b54a7ac2e8d743e067bfdaa7638d90f x86_64/10.2/RPMS/lib64clamav1-devel-0.87-0.1.102mdk.x86_64.rpm
96e1ce9dffda8199bf1b583bc2d51e60 x86_64/10.2/SRPMS/clamav-0.87-0.1.102mdk.src.rpm

Corporate 3.0:
f86de5b6055236c9cd1ff173bc6c1d98 corporate/3.0/RPMS/clamav-0.87-0.1.C30mdk.i586.rpm
07071df1c078079e4b7d55f5fa13c7c8 corporate/3.0/RPMS/clamav-db-0.87-0.1.C30mdk.i586.rpm
c96f4eb3cfd2ffb9060961e39c109204 corporate/3.0/RPMS/clamav-milter-0.87-0.1.C30mdk.i586.rpm
2445d80ee9c39b337da36554315b9ac1 corporate/3.0/RPMS/clamd-0.87-0.1.C30mdk.i586.rpm
196a1254be8dce937e17d4b731c5ec19 corporate/3.0/RPMS/libclamav1-0.87-0.1.C30mdk.i586.rpm
a40bfe3465fcdceec2c8d9bfd52ba2b0 corporate/3.0/RPMS/libclamav1-devel-0.87-0.1.C30mdk.i586.rpm
3ff54d614c61c446d645f8a5c8458abb corporate/3.0/SRPMS/clamav-0.87-0.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
9d8b35a818da8a63bbbb6e435b9aeca7 x86_64/corporate/3.0/RPMS/clamav-0.87-0.1.C30mdk.x86_64.rpm
b5e2a4dcbce2882b73c8a561574a4d24 x86_64/corporate/3.0/RPMS/clamav-db-0.87-0.1.C30mdk.x86_64.rpm
cd2da84bd6fe14cfc7822acdbbfb51da x86_64/corporate/3.0/RPMS/clamav-milter-0.87-0.1.C30mdk.x86_64.rpm
cf5b819b5c911ece25afa929124bbbcf x86_64/corporate/3.0/RPMS/clamd-0.87-0.1.C30mdk.x86_64.rpm
7ba558d19e757c2a624e495055e0c218 x86_64/corporate/3.0/RPMS/lib64clamav1-0.87-0.1.C30mdk.x86_64.rpm
ba046627c72dbe187eca48e5e1ae188c x86_64/corporate/3.0/RPMS/lib64clamav1-devel-0.87-0.1.C30mdk.x86_64.rpm
3ff54d614c61c446d645f8a5c8458abb x86_64/corporate/3.0/SRPMS/clamav-0.87-0.1.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDMMjFmqjQ0CJFipgRAi4mAKDi+IhpoZJipa7FHsDsjLS7AmbR+QCgivM1
H8i2PXchCVYAqWKnsG4ADSY=
=8Yn2
- -----END PGP SIGNATURE-----

3.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: util-linux
Advisory ID: MDKSA-2005:167
Date: September 20th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1,
Multi Network Firewall 2.0
______________________________________________________________________

Problem Description:

David Watson disovered that the umount utility, when using the "-r"
cpmmand, could remove some restrictive mount options such as "nosuid".
IF /etc/fstab contained user-mountable removable devices that specified
nosuid, a local attacker could exploit this flaw to execute arbitrary
programs with root privileges by calling "umount -r" on a removable
device.

The updated packages have been patched to ensure that "-r" can only
be called by the root user.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2876
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
e28c42b0a18bf906ea339ffeb02d3320 10.0/RPMS/losetup-2.12-2.1.100mdk.i586.rpm
6dd9d97f688ab7b872dba55b9c427935 10.0/RPMS/mount-2.12-2.1.100mdk.i586.rpm
b23bbbec6f75fbe1f2137f1335f782f9 10.0/RPMS/util-linux-2.12-2.1.100mdk.i586.rpm
0c84336fe4e647fe4b35686e6e938a8f 10.0/SRPMS/util-linux-2.12-2.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
1c972124af9eba5acc9691931e5629c8 amd64/10.0/RPMS/losetup-2.12-2.1.100mdk.amd64.rpm
2a0367d603f4c8e893e7f0ec158132e5 amd64/10.0/RPMS/mount-2.12-2.1.100mdk.amd64.rpm
4fe57def6145640a886feb35deb77a6d amd64/10.0/RPMS/util-linux-2.12-2.1.100mdk.amd64.rpm
0c84336fe4e647fe4b35686e6e938a8f amd64/10.0/SRPMS/util-linux-2.12-2.1.100mdk.src.rpm

Mandrakelinux 10.1:
658b5ee36c137e2533397ac71aa86e0e 10.1/RPMS/losetup-2.12a-5.1.101mdk.i586.rpm
b15ae4dbd367fcd46e38d418bb3d1a86 10.1/RPMS/mount-2.12a-5.1.101mdk.i586.rpm
701b35a4588f4ce5879b651724f72a1d 10.1/RPMS/util-linux-2.12a-5.1.101mdk.i586.rpm
f1bbf1462e0f0987ce110388bd2e8d48 10.1/SRPMS/util-linux-2.12a-5.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
fbd4672670283fd495a652d0338467d4 x86_64/10.1/RPMS/losetup-2.12a-5.1.101mdk.x86_64.rpm
b1773a98c38538db35e2c4fd8aa5e100 x86_64/10.1/RPMS/mount-2.12a-5.1.101mdk.x86_64.rpm
8a4e15cdaaa7efe10c7830a9cda27523 x86_64/10.1/RPMS/util-linux-2.12a-5.1.101mdk.x86_64.rpm
f1bbf1462e0f0987ce110388bd2e8d48 x86_64/10.1/SRPMS/util-linux-2.12a-5.1.101mdk.src.rpm

Mandrakelinux 10.2:
8314ea4ec99e8e603fb2da6941aae1d9 10.2/RPMS/losetup-2.12a-12.1.102mdk.i586.rpm
2a8a83e0e36295db943fc51a4aee863f 10.2/RPMS/mount-2.12a-12.1.102mdk.i586.rpm
01a4abab8ec329a29cf2310d8ee006d9 10.2/RPMS/util-linux-2.12a-12.1.102mdk.i586.rpm
2bedcdeed443ed6438f290dff54038b5 10.2/SRPMS/util-linux-2.12a-12.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
73e23481f84309a90b99394468885e20 x86_64/10.2/RPMS/losetup-2.12a-12.1.102mdk.x86_64.rpm
8dc01cc71d8b32fbba41d1936c861534 x86_64/10.2/RPMS/mount-2.12a-12.1.102mdk.x86_64.rpm
441ce68e9e3b07c807bb5486adde1903 x86_64/10.2/RPMS/util-linux-2.12a-12.1.102mdk.x86_64.rpm
2bedcdeed443ed6438f290dff54038b5 x86_64/10.2/SRPMS/util-linux-2.12a-12.1.102mdk.src.rpm

Multi Network Firewall 2.0:
765b0e93637cce9d5b623a81bdc81e6e mnf/2.0/RPMS/losetup-2.12-2.1.M20mdk.i586.rpm
782d8a37c484ab76ae766dddcce2173e mnf/2.0/RPMS/mount-2.12-2.1.M20mdk.i586.rpm
d6f35d4ccdb1cb9dcd21218ca5d6da72 mnf/2.0/RPMS/util-linux-2.12-2.1.M20mdk.i586.rpm
360a0c2f0e8d383b09a7eb44d1e654a2 mnf/2.0/SRPMS/util-linux-2.12-2.1.M20mdk.src.rpm

Corporate Server 2.1:
d560b7038ca8ae848b24414858fac1ef corporate/2.1/RPMS/losetup-2.11u-5.1.C21mdk.i586.rpm
81bf701d8b8129c0809c37205d4fbad0 corporate/2.1/RPMS/mount-2.11u-5.1.C21mdk.i586.rpm
321463758b000a1e7348111f7bea2959 corporate/2.1/RPMS/util-linux-2.11u-5.1.C21mdk.i586.rpm
b1d2f438863cd5c807548ec4209b0179 corporate/2.1/SRPMS/util-linux-2.11u-5.1.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
141b7b38947d1fd2ef4088ba20e093f1 x86_64/corporate/2.1/RPMS/losetup-2.11u-5.1.C21mdk.x86_64.rpm
ddb3ee3ebe56b399ff881806f9cd8832 x86_64/corporate/2.1/RPMS/mount-2.11u-5.1.C21mdk.x86_64.rpm
a61050516b99231bca46507fa94aa5e8 x86_64/corporate/2.1/RPMS/util-linux-2.11u-5.1.C21mdk.x86_64.rpm
b1d2f438863cd5c807548ec4209b0179 x86_64/corporate/2.1/SRPMS/util-linux-2.11u-5.1.C21mdk.src.rpm

Corporate 3.0:
bbcce593f1b51833383997590a13b834 corporate/3.0/RPMS/losetup-2.12-2.1.C30mdk.i586.rpm
bb38ae724541d9c73ac64d382d4839e8 corporate/3.0/RPMS/mount-2.12-2.1.C30mdk.i586.rpm
55420d5f1fa9c7cc7f6e42f61c0428fc corporate/3.0/RPMS/util-linux-2.12-2.1.C30mdk.i586.rpm
28f6b881c65662695c84ac100ea9d012 corporate/3.0/SRPMS/util-linux-2.12-2.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
3d96c512a6eaf548bef73c7fc3db5012 x86_64/corporate/3.0/RPMS/losetup-2.12-2.1.C30mdk.x86_64.rpm
21d37d4ebb7943cf412a3bb423808fc5 x86_64/corporate/3.0/RPMS/mount-2.12-2.1.C30mdk.x86_64.rpm
75fa21eea372a790a6f1c3a8a120cb7e x86_64/corporate/3.0/RPMS/util-linux-2.12-2.1.C30mdk.x86_64.rpm
28f6b881c65662695c84ac100ea9d012 x86_64/corporate/3.0/SRPMS/util-linux-2.12-2.1.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDMMknmqjQ0CJFipgRApl5AJ0V55xXLK1r3ouZPPIUb8A60mkI7wCgtSbn
J05gUpwFuw1ODdAHxOyfYo4=
=smMW
- -----END PGP SIGNATURE-----

4.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: masqmail
Advisory ID: MDKSA-2005:168
Date: September 20th, 2005

Affected versions: Multi Network Firewall 2.0
______________________________________________________________________

Problem Description:

Jens Steube discovered two vulnerabilities in masqmail:

When sending failed mail messages, the address was not properly
sanitized which could allow a local attacker to execute arbitrary
commands as the mail user (CAN-2005-2662).

When opening the log file, masqmail did not relinquish privileges,
which could allow a local attacker to overwrite arbitrary files via a
symlink attack (CAN-2005-2663).

The updated packages have been patched to address these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2663
______________________________________________________________________

Updated Packages:

Multi Network Firewall 2.0:
368d7259f0d1663f24ab0d96ef316520 mnf/2.0/RPMS/masqmail-0.2.18-3.1.M20mdk.i586.rpm
53c6095a108ea52147909091b262517f mnf/2.0/SRPMS/masqmail-0.2.18-3.1.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDMMmGmqjQ0CJFipgRApDXAJwIW99lzHviDg5Obc+gI6a0Me8vCACfUojK
iLPXki02usAIVZJBAVGsJgM=
=4ieO
- -----END PGP SIGNATURE-----