January 2006
Nine Mandriva Linux Advisories
ID: 00092
Ref: 91/2006
Date: 27 January 2006 14:16:38
Version: 1
Title: Nine Mandriva Linux Advisories
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva
Title
=====
Nine Mandriva Linux Advisories:
1. MDKA-2006:013 - mdkonline
2. MDKA-2006:014 - dynamic
3. MDKA-2006:015 - gthumb
4. MDKA-2006:016 - libgphoto
5. MDKSA-2006:021 - mozilla-Thunderbird
6. MDKSA-2006:022 - perl-Convert-UUlib
7. MDKSA-2006:023 - perl-Net_SSLeay
8. MDKSA-2006:024 - ImageMagick
9. MDKSA-2006:025 - net-snmp
Detail
======
1. The mdkonline package for MNF2 was incorrectly connecting to
mandrivaonline.net rather than mandrivaonline.com. This update
corrects the problem.
2. Dynamic was not calling scripts correctly when hardware was
plugged or unplugged. Plugging in a digital camera that is not a USB
mass-storage device (such as a Canon camera) did not create an icon on
the Desktop (for GNOME) or in the Devices window (for KDE).
3. A bug was discovered in gthumb where the UI (User Interface) can
get corrupted when importing photos in some non-UTF-8 locales (such
as French). Some text strings (returned from libgphoto) were not
converted into UTF-8 before being used by GTK+.
4. A bug was discovered with libgphoto which was preventing the removal
of icons on the desktop (in GNOME) or in the Devices window (in KDE)
when a digital camera was unplugged.
5. GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6,
and 1.0.7 allows user-complicit attackers to execute arbitrary code via an
attachment with a filename containing a large number of spaces ending with
a dangerous extension that is not displayed by Thunderbird, along with an
inconsistent Content-Type header, which could be used to trick a user into
downloading dangerous content by dragging or saving the attachment.
6. A buffer overflow was discovered in the perl Convert::UUlib module in
versions prior to 1.051, which could allow remote attackers to execute
arbitrary code via a malformed parameter to a read operation.
7. Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay
module used the file /tmp/entropy as a fallback entropy source if a
proper source was not set via the environment variable EGD_PATH. This
could potentially lead to weakened cryptographic operations if an
attacker was able to provide a /tmp/entropy file with known content.
8. The delegate code in ImageMagick 6.2.4.x allows remote attackers to
execute arbitrary commands via shell metacharacters in a filename that
is processed by the display command. (CVE-2005-4601)
9. The fixproc application in Net-SNMP creates temporary files with
predictable file names which could allow a malicious local attacker to
change the contents of the temporary file by exploiting a race
condition, which could possibly lead to the execution of arbitrary
code. As well, a local attacker could create symbolic links in the
/tmp directory that point to a valid file that would then be
overwritten when fixproc is executed (CVE-2005-1740).
1.
_______________________________________________________________________
Mandriva Linux Advisory MDKA-2006:013
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mdkonline
Date : January 26, 2006
Affected: Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
The mdkonline package for MNF2 was incorrectly connecting to
mandrivaonline.net rather than mandrivaonline.com. This update
corrects the problem.
_______________________________________________________________________
Updated Packages:
Multi Network Firewall 2.0:
df46f42dbe161a92450c7f19decbedc5 mnf/2.0/RPMS/mdkonline-1.2-2.1.M20mdk.noarch.rpm
a3d240e96d7580b8bdcdb669959b699d mnf/2.0/SRPMS/mdkonline-1.2-2.1.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
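The "md5 path" lines under "Updated Packages" can be checked by hand as well as by urpmi. The following shell script is an added example, not part of the Mandriva advisory: it parses lines in that format, recomputes each file's MD5 under a download directory and reports missing or mismatching packages; the package tree and list it checks are constructed in a temporary directory, not real Mandriva packages.

```shell
#!/bin/sh
# Added example (not from the Mandriva advisory): verify downloaded
# packages against an "<md5> <relative/path.rpm>" list in the format the
# advisories use. Assumes the packages were downloaded into PKGDIR keeping
# the relative path from the list (e.g. 2006.0/RPMS/...).

# verify_list LISTFILE PKGDIR
# Skips headings such as "Mandriva Linux 2006.0:" (first field is not a
# 32-character hex digest), recomputes the MD5 of every listed file and
# returns 0 only if every file is present and matches.
verify_list() {
    list=$1; pkgdir=$2; bad=0
    while read -r want relpath; do
        case $want in ''|*[!0-9a-f]*) continue ;; esac
        [ ${#want} -eq 32 ] || continue
        [ -n "$relpath" ] || continue
        file="$pkgdir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; bad=1; continue
        fi
        got=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $want, got $got)"; bad=1
        fi
    done < "$list"
    return $bad
}

# demo: build a constructed package tree and a matching list, verify it,
# then corrupt one package and verify again. Returns 0 when the clean tree
# passes and the corrupted one is rejected.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/pkgs/2006.0/RPMS" "$tmp/pkgs/2006.0/SRPMS"
    # constructed stand-ins for the binary and source packages
    printf 'constructed rpm payload A\n' > "$tmp/pkgs/2006.0/RPMS/example-1.0-1mdk.i586.rpm"
    printf 'constructed rpm payload B\n' > "$tmp/pkgs/2006.0/SRPMS/example-1.0-1mdk.src.rpm"
    {
        echo "Mandriva Linux 2006.0:"
        for f in 2006.0/RPMS/example-1.0-1mdk.i586.rpm 2006.0/SRPMS/example-1.0-1mdk.src.rpm; do
            echo "$(md5sum "$tmp/pkgs/$f" | cut -d' ' -f1) $f"
        done
    } > "$tmp/list.txt"
    verify_list "$tmp/list.txt" "$tmp/pkgs" || { rm -rf "$tmp"; return 1; }
    # simulate a corrupted or tampered download of the binary package
    printf 'extra bytes\n' >> "$tmp/pkgs/2006.0/RPMS/example-1.0-1mdk.i586.rpm"
    if verify_list "$tmp/list.txt" "$tmp/pkgs"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# Self-check on the constructed data.
demo && echo "checksum verification behaves as expected"
```

The MD5 list only detects corruption; the GPG signature check the advisory mentions is a separate step (rpm -K on each downloaded package) that this script does not replace.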
2.
_______________________________________________________________________
Mandriva Linux Advisory MDKA-2006:014
http://www.mandriva.com/security/
_______________________________________________________________________
Package : dynamic
Date : January 26, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
Dynamic was not calling scripts correctly when hardware was
plugged or unplugged. Plugging in a digital camera that is not a USB
mass-storage device (such as a Canon camera) did not create an icon on
the Desktop (for GNOME) or in the Devices window (for KDE).
Dynamic was also creating a "pilot" symlink in / (in addition to
/dev/pilot) when a Palm was connected, and this file was not removed
when the Palm was unplugged. This file is no longer created.
If the symlink is already on the user's system, it can safely be
removed manually.
Updated packages have been patched to correct the issue.
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
c9f3e2c3ad649f6e547834062cd51a6f 2006.0/RPMS/dynamic-0.26.2-1.1.20060mdk.noarch.rpm
103cfe8a21bbacf5ea86cab020acc683 2006.0/SRPMS/dynamic-0.26.2-1.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
c1bcf1ddac84a10c17b83d9cb2288b4c x86_64/2006.0/RPMS/dynamic-0.26.2-1.1.20060mdk.noarch.rpm
103cfe8a21bbacf5ea86cab020acc683 x86_64/2006.0/SRPMS/dynamic-0.26.2-1.1.20060mdk.src.rpm
_______________________________________________________________________
3.
_______________________________________________________________________
Mandriva Linux Advisory MDKA-2006:015
http://www.mandriva.com/security/
_______________________________________________________________________
Package : gthumb
Date : January 26, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
A bug was discovered in gthumb where the UI (User Interface) can
get corrupted when importing photos in some non-UTF-8 locales (such
as French). Some text strings (returned from libgphoto) were not
converted into UTF-8 before being used by GTK+.
Updated packages have been patched to correct the issue.
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
ede9fd26ce79936b8e47790106d8d6cf 2006.0/RPMS/gthumb-2.6.6-2.1.20060mdk.i586.rpm
07185dd9759cde08f2e17fd136f98068 2006.0/SRPMS/gthumb-2.6.6-2.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
e3020f6543aba12e30d50451585c2667 x86_64/2006.0/RPMS/gthumb-2.6.6-2.1.20060mdk.x86_64.rpm
07185dd9759cde08f2e17fd136f98068 x86_64/2006.0/SRPMS/gthumb-2.6.6-2.1.20060mdk.src.rpm
_______________________________________________________________________
4.
_______________________________________________________________________
Mandriva Linux Advisory MDKA-2006:016
http://www.mandriva.com/security/
_______________________________________________________________________
Package : libgphoto
Date : January 26, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
A bug was discovered with libgphoto which was preventing the removal
of icons on the desktop (in GNOME) or in the Devices window (in KDE)
when a digital camera was unplugged.
Updated packages have been patched to correct the issue.
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
99c18f0fce7ea77e811c75674fe64316 2006.0/RPMS/libgphoto2-2.1.6-8.3.20060mdk.i586.rpm
14b479dc73bdf7357470d9d3b878dd34 2006.0/RPMS/libgphoto2-devel-2.1.6-8.3.20060mdk.i586.rpm
b6b4c4c58c40da82eb07eb23ad84b0ec 2006.0/RPMS/libgphoto-hotplug-2.1.6-8.3.20060mdk.i586.rpm
2e3ec543157ebf5dbcbb2932372ae6ff 2006.0/SRPMS/libgphoto-2.1.6-8.3.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
4db9b401c6d1d6657a778467744b864d x86_64/2006.0/RPMS/lib64gphoto2-2.1.6-8.3.20060mdk.x86_64.rpm
d644a26a51e82b038c44da3f52adf47b x86_64/2006.0/RPMS/lib64gphoto2-devel-2.1.6-8.3.20060mdk.x86_64.rpm
d7655761984c11a35a7fc85b0e266616 x86_64/2006.0/RPMS/libgphoto-hotplug-2.1.6-8.3.20060mdk.x86_64.rpm
2e3ec543157ebf5dbcbb2932372ae6ff x86_64/2006.0/SRPMS/libgphoto-2.1.6-8.3.20060mdk.src.rpm
_______________________________________________________________________
5.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:021
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : January 25, 2006
Affected: 2006.0
_______________________________________________________________________
Problem Description:
GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6,
and 1.0.7 allows user-complicit attackers to execute arbitrary code via an
attachment with a filename containing a large number of spaces ending with
a dangerous extension that is not displayed by Thunderbird, along with an
inconsistent Content-Type header, which could be used to trick a user into
downloading dangerous content by dragging or saving the attachment.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0236
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
ec5571737dd8a0908f6532d657ccc378 2006.0/RPMS/mozilla-thunderbird-1.0.6-7.3.20060mdk.i586.rpm
6ad6aa5666f6ba499c3e78a9e24f4917 2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.3.20060mdk.i586.rpm
a89fceffe0e0429c634b0b76120ee36a 2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.3.20060mdk.i586.rpm
8babd434a3fe12a7134239ca36658743 2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.3.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
5df5db7c2e45cf30d3d5f0209a7b0cd8 x86_64/2006.0/RPMS/mozilla-thunderbird-1.0.6-7.3.20060mdk.x86_64.rpm
58595fbd0a66345df85e4e586ee2bbd8 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.3.20060mdk.x86_64.rpm
351d08e5ca2c990fd6496f857b2b1fb0 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.3.20060mdk.x86_64.rpm
8babd434a3fe12a7134239ca36658743 x86_64/2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.3.20060mdk.src.rpm
_______________________________________________________________________
6.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:022
http://www.mandriva.com/security/
_______________________________________________________________________
Package : perl-Convert-UUlib
Date : January 26, 2006
Affected: 10.2, Corporate 3.0
_______________________________________________________________________
Problem Description:
A buffer overflow was discovered in the perl Convert::UUlib module in
versions prior to 1.051, which could allow remote attackers to execute
arbitrary code via a malformed parameter to a read operation.
This update provides version 1.051 which is not vulnerable to this
flaw.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.2:
8e567c359c242c406e1a11505c6dc05f 10.2/RPMS/perl-Convert-UUlib-1.051-0.1.102mdk.i586.rpm
077efc401869c15350c816d917bf4341 10.2/SRPMS/perl-Convert-UUlib-1.051-0.1.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
3effe93cf49660d069bbd77040d1108b x86_64/10.2/RPMS/perl-Convert-UUlib-1.051-0.1.102mdk.x86_64.rpm
077efc401869c15350c816d917bf4341 x86_64/10.2/SRPMS/perl-Convert-UUlib-1.051-0.1.102mdk.src.rpm
Corporate 3.0:
e1399f028bbce62afd8db464c5add10e corporate/3.0/RPMS/perl-Convert-UUlib-1.051-0.1.C30mdk.i586.rpm
064f8c621fa2bfb2396ed6fcfa8f1d51 corporate/3.0/SRPMS/perl-Convert-UUlib-1.051-0.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
f2d768502d5a5181b865d8e200373470 x86_64/corporate/3.0/RPMS/perl-Convert-UUlib-1.051-0.1.C30mdk.x86_64.rpm
064f8c621fa2bfb2396ed6fcfa8f1d51 x86_64/corporate/3.0/SRPMS/perl-Convert-UUlib-1.051-0.1.C30mdk.src.rpm
_______________________________________________________________________
7.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:023
http://www.mandriva.com/security/
_______________________________________________________________________
Package : perl-Net_SSLeay
Date : January 26, 2006
Affected: 10.1, 10.2, 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay
module used the file /tmp/entropy as a fallback entropy source if a
proper source was not set via the environment variable EGD_PATH. This
could potentially lead to weakened cryptographic operations if an
attacker was able to provide a /tmp/entropy file with known content.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0106
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.1:
745c88ffafb7cec13b0db84911bd82e1 10.1/RPMS/perl-Net_SSLeay-1.25-4.1.101mdk.i586.rpm
87d1a8df8d27efa75bed071293321bc0 10.1/SRPMS/perl-Net_SSLeay-1.25-4.1.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
1959cfe8f68e744a99f6f8191b4a6093 x86_64/10.1/RPMS/perl-Net_SSLeay-1.25-4.1.101mdk.x86_64.rpm
87d1a8df8d27efa75bed071293321bc0 x86_64/10.1/SRPMS/perl-Net_SSLeay-1.25-4.1.101mdk.src.rpm
Mandriva Linux 10.2:
e1bcdfb33a1010725f67cb64a045c716 10.2/RPMS/perl-Net_SSLeay-1.25-4.1.102mdk.i586.rpm
ac2647e198657a97a7745ebb7f80049e 10.2/SRPMS/perl-Net_SSLeay-1.25-4.1.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
88c10a807674653ce10317ce49614c21 x86_64/10.2/RPMS/perl-Net_SSLeay-1.25-4.1.102mdk.x86_64.rpm
ac2647e198657a97a7745ebb7f80049e x86_64/10.2/SRPMS/perl-Net_SSLeay-1.25-4.1.102mdk.src.rpm
Mandriva Linux 2006.0:
340b4d2ad0d1d77764899221e317dc5e 2006.0/RPMS/perl-Net_SSLeay-1.25-4.1.20060mdk.i586.rpm
c08d4032e9c9d7fb81749ffc7b8f8b7f 2006.0/SRPMS/perl-Net_SSLeay-1.25-4.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
30b18d4d798dc2b9354a2fac2e938802 x86_64/2006.0/RPMS/perl-Net_SSLeay-1.25-4.1.20060mdk.x86_64.rpm
c08d4032e9c9d7fb81749ffc7b8f8b7f x86_64/2006.0/SRPMS/perl-Net_SSLeay-1.25-4.1.20060mdk.src.rpm
Corporate 3.0:
52a48ee590bf9b386af74308f74d1569 corporate/3.0/RPMS/perl-Net_SSLeay-1.25-4.1.C30mdk.i586.rpm
5f10e7c1355d60304f43ae04c896b363 corporate/3.0/SRPMS/perl-Net_SSLeay-1.25-4.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
344dfac9fc97b91fa1b2827e3408a02d x86_64/corporate/3.0/RPMS/perl-Net_SSLeay-1.25-4.1.C30mdk.x86_64.rpm
5f10e7c1355d60304f43ae04c896b363 x86_64/corporate/3.0/SRPMS/perl-Net_SSLeay-1.25-4.1.C30mdk.src.rpm
_______________________________________________________________________
8.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:024
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ImageMagick
Date : January 26, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
The delegate code in ImageMagick 6.2.4.x allows remote attackers to
execute arbitrary commands via shell metacharacters in a filename that
is processed by the display command. (CVE-2005-4601)
A format string vulnerability in the SetImageInfo function in image.c for
ImageMagick 6.2.3, and other versions, allows user-complicit attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via a numeric format string specifier such as %d in the file name,
a variant of CVE-2005-0397, and as demonstrated using the convert program.
(CVE-2006-0082)
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0082
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
c4a8dbb0c78f5a7bf916249963c2b159 2006.0/RPMS/ImageMagick-6.2.4.3-1.1.20060mdk.i586.rpm
b9af05a8427ed951286f51345b98c393 2006.0/RPMS/ImageMagick-doc-6.2.4.3-1.1.20060mdk.i586.rpm
9d0d37ebd857d01a2d06a8bc1dedb852 2006.0/RPMS/libMagick8.4.2-6.2.4.3-1.1.20060mdk.i586.rpm
057983a9ced52fbbfbe3e290ad4035af 2006.0/RPMS/libMagick8.4.2-devel-6.2.4.3-1.1.20060mdk.i586.rpm
e54224a7c3029af1d277018eec729dcb 2006.0/RPMS/perl-Image-Magick-6.2.4.3-1.1.20060mdk.i586.rpm
251689f39a92cdb7aaf8799976d86c92 2006.0/SRPMS/ImageMagick-6.2.4.3-1.1.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
8836b5a35dd4c1c39b671828ba80e6d7 x86_64/2006.0/RPMS/ImageMagick-6.2.4.3-1.1.20060mdk.x86_64.rpm
5b6c180b0a43570eda2a89fc790f2e38 x86_64/2006.0/RPMS/ImageMagick-doc-6.2.4.3-1.1.20060mdk.x86_64.rpm
efd097268b8e3dbd6421988a6f125660 x86_64/2006.0/RPMS/lib64Magick8.4.2-6.2.4.3-1.1.20060mdk.x86_64.rpm
fd8374927f02d1eaa96dcb40485a246d x86_64/2006.0/RPMS/lib64Magick8.4.2-devel-6.2.4.3-1.1.20060mdk.x86_64.rpm
49cc6e373ec62eb10fec9ac21ad5cab7 x86_64/2006.0/RPMS/perl-Image-Magick-6.2.4.3-1.1.20060mdk.x86_64.rpm
251689f39a92cdb7aaf8799976d86c92 x86_64/2006.0/SRPMS/ImageMagick-6.2.4.3-1.1.20060mdk.src.rpm
Corporate 3.0:
021439b9cb4a5c27e6852fcc2af5d531 corporate/3.0/RPMS/ImageMagick-5.5.7.15-6.5.C30mdk.i586.rpm
8dedbc0bed9a4550bff68240e038ed62 corporate/3.0/RPMS/ImageMagick-doc-5.5.7.15-6.5.C30mdk.i586.rpm
8d9164870b6138c13b19f281e3c677db corporate/3.0/RPMS/libMagick5.5.7-5.5.7.15-6.5.C30mdk.i586.rpm
0f16cd8c20c413b243ed15652a5f4f3a corporate/3.0/RPMS/libMagick5.5.7-devel-5.5.7.15-6.5.C30mdk.i586.rpm
76af97eaf355909f11f18fe2794b0052 corporate/3.0/RPMS/perl-Magick-5.5.7.15-6.5.C30mdk.i586.rpm
8ec1dda65d54f92c98538b6fd5a8e359 corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.5.C30mdk.src.rpm
Corporate 3.0/X86_64:
ead9e8f8e105cbfe79d26735e9417e51 x86_64/corporate/3.0/RPMS/ImageMagick-5.5.7.15-6.5.C30mdk.x86_64.rpm
468eb78d6d64082b8749edcb200cf945 x86_64/corporate/3.0/RPMS/ImageMagick-doc-5.5.7.15-6.5.C30mdk.x86_64.rpm
de31d5f60855911e1ebad3b8c2bf8fdf x86_64/corporate/3.0/RPMS/lib64Magick5.5.7-5.5.7.15-6.5.C30mdk.x86_64.rpm
0970d0cb5697dccfbf01ebac4b6b6851 x86_64/corporate/3.0/RPMS/lib64Magick5.5.7-devel-5.5.7.15-6.5.C30mdk.x86_64.rpm
91621062d0940a69eec9abd42e5029d3 x86_64/corporate/3.0/RPMS/perl-Magick-5.5.7.15-6.5.C30mdk.x86_64.rpm
8ec1dda65d54f92c98538b6fd5a8e359 x86_64/corporate/3.0/SRPMS/ImageMagick-5.5.7.15-6.5.C30mdk.src.rpm
_______________________________________________________________________
9.
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:025
http://www.mandriva.com/security/
_______________________________________________________________________
Package : net-snmp
Date : January 26, 2006
Affected: 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
The fixproc application in Net-SNMP creates temporary files with
predictable file names which could allow a malicious local attacker to
change the contents of the temporary file by exploiting a race
condition, which could possibly lead to the execution of arbitrary
code. As well, a local attacker could create symbolic links in the
/tmp directory that point to a valid file that would then be
overwritten when fixproc is executed (CVE-2005-1740).
A remote Denial of Service vulnerability was also discovered in the
SNMP library that could be exploited by a malicious SNMP server to
crash the agent, if the agent uses TCP sockets for communication
(CVE-2005-2177).
The updated packages have been patched to correct these problems.
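To make the fixproc temporary-file problem concrete, here is an added shell example (not Net-SNMP's own fixproc code): it contrasts a fixed, guessable name in a scratch directory where a symlink has been planted ahead of time with a file created by mktemp, and checks which of the two leaves a pre-existing file untouched. Everything runs inside a private directory created with mktemp -d, so nothing touches the real /tmp.

```shell
#!/bin/sh
# Added example (not from the advisory or from Net-SNMP): the predictable
# temp-file pattern CVE-2005-1740 describes, beside the mktemp-based
# replacement a defender would expect. All paths are under a private
# scratch directory created here, never the shared /tmp.

# unsafe_write SCRATCH: fixed, guessable name opened with a plain ">"
# redirection, which follows whatever symlink already sits at that path.
unsafe_write() {
    tmpfile="$1/fixproc.tmp"          # predictable name
    echo "fixproc scratch data" > "$tmpfile"
}

# safe_write SCRATCH: mktemp creates the file itself with a random name,
# mode 0600 and O_EXCL, so a pre-planted symlink can never be followed.
# Prints the path of the file it created.
safe_write() {
    tmpfile=$(mktemp "$1/fixproc.XXXXXX") || return 1
    echo "fixproc scratch data" > "$tmpfile"
    echo "$tmpfile"
}

# demo: returns 0 when the unsafe pattern clobbers the planted target and
# the safe pattern leaves it intact, non-zero otherwise.
demo() {
    scratch=$(mktemp -d) || return 2
    target="$scratch/important.conf"
    echo "original contents" > "$target"
    # A local user who can predict the name places a symlink there first
    # (the situation the advisory describes for /tmp).
    ln -s "$target" "$scratch/fixproc.tmp"

    unsafe_write "$scratch"
    if [ "$(cat "$target")" = "original contents" ]; then
        echo "unexpected: unsafe pattern did not follow the symlink"
        rm -rf "$scratch"; return 1
    fi
    echo "unsafe pattern overwrote $target through the symlink"

    echo "original contents" > "$target"
    safe=$(safe_write "$scratch") || { rm -rf "$scratch"; return 1; }
    case $safe in "$scratch"/fixproc.??????) ;; *) rm -rf "$scratch"; return 1 ;; esac
    if [ -L "$safe" ] || [ "$(cat "$target")" != "original contents" ]; then
        rm -rf "$scratch"; return 1
    fi
    echo "safe pattern wrote to $safe and left $target untouched"
    rm -rf "$scratch"
    return 0
}

# Self-check in a private scratch directory.
demo && echo "temporary-file handling behaves as expected"
```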
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2177
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.1:
5e45d435f1d54d5e3090782b6abba68d 10.1/RPMS/libnet-snmp5-5.1.2-6.1.101mdk.i586.rpm
0bfb669d7aa43f082748130de49566d9 10.1/RPMS/libnet-snmp5-devel-5.1.2-6.1.101mdk.i586.rpm
6c893808aef9ee5bc260097f85f59a8c 10.1/RPMS/libnet-snmp5-static-devel-5.1.2-6.1.101mdk.i586.rpm
9990e6a604e33077001acd83ef992839 10.1/RPMS/net-snmp-5.1.2-6.1.101mdk.i586.rpm
6cde654363177bcbce43e0629c4410df 10.1/RPMS/net-snmp-mibs-5.1.2-6.1.101mdk.i586.rpm
00a8209096eead381f4b92d6c5610d35 10.1/RPMS/net-snmp-trapd-5.1.2-6.1.101mdk.i586.rpm
71f10f045162b00f15574d86a1ac4042 10.1/RPMS/net-snmp-utils-5.1.2-6.1.101mdk.i586.rpm
bafa69a28faf8e3f926e4791eca78afe 10.1/RPMS/perl-NetSNMP-5.1.2-6.1.101mdk.i586.rpm
9336accac13fed9119b8d53e1ce18842 10.1/SRPMS/net-snmp-5.1.2-6.1.101mdk.src.rpm
Mandriva Linux 10.1/X86_64:
fb7f15b0ce19d694d187c8d245b7eb39 x86_64/10.1/RPMS/lib64net-snmp5-5.1.2-6.1.101mdk.x86_64.rpm
2eb7bfbb87d50036f59d40c8f74013af x86_64/10.1/RPMS/lib64net-snmp5-devel-5.1.2-6.1.101mdk.x86_64.rpm
91f01ccb844bfe0fc288d0d2ae0a6b92 x86_64/10.1/RPMS/lib64net-snmp5-static-devel-5.1.2-6.1.101mdk.x86_64.rpm
19727111e192d653497dfd95788d605b x86_64/10.1/RPMS/net-snmp-5.1.2-6.1.101mdk.x86_64.rpm
c8accd70d2ee97c8e96d7621614bab4a x86_64/10.1/RPMS/net-snmp-mibs-5.1.2-6.1.101mdk.x86_64.rpm
67fe7b2332127afe6ca19111c5ac0527 x86_64/10.1/RPMS/net-snmp-trapd-5.1.2-6.1.101mdk.x86_64.rpm
3d36801e15db09a37115c5299f0f8ed2 x86_64/10.1/RPMS/net-snmp-utils-5.1.2-6.1.101mdk.x86_64.rpm
9abc3a1c0109487a99491c0586410b5b x86_64/10.1/RPMS/perl-NetSNMP-5.1.2-6.1.101mdk.x86_64.rpm
9336accac13fed9119b8d53e1ce18842 x86_64/10.1/SRPMS/net-snmp-5.1.2-6.1.101mdk.src.rpm
Mandriva Linux 10.2:
d094f32e704563d30bacb2c4555313bd 10.2/RPMS/libnet-snmp5-5.2.1-3.1.102mdk.i586.rpm
d1f446814f498f188add32de07b119bd 10.2/RPMS/libnet-snmp5-devel-5.2.1-3.1.102mdk.i586.rpm
9b75d6a1d06f29377e4ddb01e9dd77ca 10.2/RPMS/libnet-snmp5-static-devel-5.2.1-3.1.102mdk.i586.rpm
709bbe1ab3ade1d812451a0e95dbc74c 10.2/RPMS/net-snmp-5.2.1-3.1.102mdk.i586.rpm
70ab9c54aad572ef98bc05722b792dfa 10.2/RPMS/net-snmp-mibs-5.2.1-3.1.102mdk.i586.rpm
f63e29921d9a996859803e1bacfa12b1 10.2/RPMS/net-snmp-trapd-5.2.1-3.1.102mdk.i586.rpm
9e7acc9c5e689d52ca713e70ae210fdf 10.2/RPMS/net-snmp-utils-5.2.1-3.1.102mdk.i586.rpm
4ce882e9f770d3b0703758f07de93d33 10.2/RPMS/perl-NetSNMP-5.2.1-3.1.102mdk.i586.rpm
274a211bc0310147425dde0177933b3a 10.2/SRPMS/net-snmp-5.2.1-3.1.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
029c14c17368523ea88d25d62c357e05 x86_64/10.2/RPMS/lib64net-snmp5-5.2.1-3.1.102mdk.x86_64.rpm
5eac46a96bdaf1bd184095931c3fd7dc x86_64/10.2/RPMS/lib64net-snmp5-devel-5.2.1-3.1.102mdk.x86_64.rpm
0081e952f8cdb2cda6f9c5c3bbfcd824 x86_64/10.2/RPMS/lib64net-snmp5-static-devel-5.2.1-3.1.102mdk.x86_64.rpm
5750dfbeb765a8a9cc5edea0367136ef x86_64/10.2/RPMS/net-snmp-5.2.1-3.1.102mdk.x86_64.rpm
0bb727dd060f69e722e2d9119b09c920 x86_64/10.2/RPMS/net-snmp-mibs-5.2.1-3.1.102mdk.x86_64.rpm
bed3ea77aedda99248cf505004cd7ce2 x86_64/10.2/RPMS/net-snmp-trapd-5.2.1-3.1.102mdk.x86_64.rpm
5b15725662b555b200599babd751202e x86_64/10.2/RPMS/net-snmp-utils-5.2.1-3.1.102mdk.x86_64.rpm
c302bf9154a851284ec75845f2d16fbb x86_64/10.2/RPMS/perl-NetSNMP-5.2.1-3.1.102mdk.x86_64.rpm
274a211bc0310147425dde0177933b3a x86_64/10.2/SRPMS/net-snmp-5.2.1-3.1.102mdk.src.rpm
Corporate 3.0:
af2cfb8c941c61e09e90f972e196fc7c corporate/3.0/RPMS/libnet-snmp5-5.1-7.2.C30mdk.i586.rpm
398eb8a624998f3269fd921097e040b8 corporate/3.0/RPMS/libnet-snmp5-devel-5.1-7.2.C30mdk.i586.rpm
0654942277f25a812438356840d69063 corporate/3.0/RPMS/libnet-snmp5-static-devel-5.1-7.2.C30mdk.i586.rpm
b50cee131b9255792bbfe4c785b7869b corporate/3.0/RPMS/net-snmp-5.1-7.2.C30mdk.i586.rpm
dee0feb110fda0312fdcc05db315007a corporate/3.0/RPMS/net-snmp-mibs-5.1-7.2.C30mdk.i586.rpm
e22ca26b96609e60b15459290dd5f37d corporate/3.0/RPMS/net-snmp-trapd-5.1-7.2.C30mdk.i586.rpm
1a35259e34c7f14c4618a712718db361 corporate/3.0/RPMS/net-snmp-utils-5.1-7.2.C30mdk.i586.rpm
8f3c4ead1bd79a6826dae2dfc279b972 corporate/3.0/SRPMS/net-snmp-5.1-7.2.C30mdk.src.rpm
Corporate 3.0/X86_64:
ff618e405dea0563a6e35680993ceb9b x86_64/corporate/3.0/RPMS/lib64net-snmp5-5.1-7.2.C30mdk.x86_64.rpm
aea5952fc98d667280f2cc9595482fde x86_64/corporate/3.0/RPMS/lib64net-snmp5-devel-5.1-7.2.C30mdk.x86_64.rpm
877dd4ca90a79a07f22c3c91e523877c x86_64/corporate/3.0/RPMS/lib64net-snmp5-static-devel-5.1-7.2.C30mdk.x86_64.rpm
f2f83c224b85bbc57d493085baed30d2 x86_64/corporate/3.0/RPMS/net-snmp-5.1-7.2.C30mdk.x86_64.rpm
e6016001da2e93385d9bb33714dc3b5b x86_64/corporate/3.0/RPMS/net-snmp-mibs-5.1-7.2.C30mdk.x86_64.rpm
43a28bf6e34b44616a185d355ba33108 x86_64/corporate/3.0/RPMS/net-snmp-trapd-5.1-7.2.C30mdk.x86_64.rpm
53a861ab75ef7806ba59977f644ecc62 x86_64/corporate/3.0/RPMS/net-snmp-utils-5.1-7.2.C30mdk.x86_64.rpm
8f3c4ead1bd79a6826dae2dfc279b972 x86_64/corporate/3.0/SRPMS/net-snmp-5.1-7.2.C30mdk.src.rpm
Multi Network Firewall 2.0:
283d5163bf181f98318a18575d823d41 mnf/2.0/RPMS/libnet-snmp5-5.1-7.1.M20mdk.i586.rpm
71783daec5bd3a6045d7337330f09ba2 mnf/2.0/SRPMS/net-snmp-5.1-7.1.M20mdk.src.rpm
_______________________________________________________________________