[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 454/05 - Two Mandriva Linux Security Update Advisories:



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 454/05 dated 15.06.05  Time: 14:45  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Two Mandriva Linux Security Update Advisories:

1. MDKSA-2005:099 - gaim
             
2. MDKSA-2005:100 - rsh
             
Detail
====== 

1. More vulnerabilities have been discovered in the gaim IM client.  The
 first is a remote crash with the Yahoo! protocol (CAN-2005-1269) and
 the second is a remote DoS in the MSN protocol (CAN-2005-1934).
 These problems have been corrected in gaim 1.3.1 which is provided with
 this update.

2. A vulnerability in the rcp protocol was discovered that allows a server
 to instruct a client to write arbitrary files outside of the current
 directory, which could potentially be a security concern if a user used
 rcp to copy files from a malicious server.
 The updated packages have been patched to correct this problem



1.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           gaim
 Advisory ID:            MDKSA-2005:099
 Date:                   June 14th, 2005

 Affected versions:	 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 More vulnerabilities have been discovered in the gaim IM client.  The
 first is a remote crash with the Yahoo! protocol (CAN-2005-1269) and
 the second is a remote DoS in the MSN protocol (CAN-2005-1934).
 
 These problems have been corrected in gaim 1.3.1 which is provided with
 this update.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1269
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1934
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 6e4fcf0213cb1239d68dd516527e8243  10.1/RPMS/gaim-1.3.1-0.1.101mdk.i586.rpm
 267ef252ba9947e9b64bde9dddebe21e  10.1/RPMS/gaim-devel-1.3.1-0.1.101mdk.i586.rpm
 31e933f06152ce1c6fa9057f1ead1364  10.1/RPMS/gaim-gevolution-1.3.1-0.1.101mdk.i586.rpm
 e49e26277de52b0a2e4abbf3bceb2742  10.1/RPMS/gaim-perl-1.3.1-0.1.101mdk.i586.rpm
 9c8065be22410ada3a470d95a844d881  10.1/RPMS/gaim-tcl-1.3.1-0.1.101mdk.i586.rpm
 9aa758d669e32efdd1f0584f77f9f55d  10.1/RPMS/libgaim-remote0-1.3.1-0.1.101mdk.i586.rpm
 66f4c7bcee4faf74c2ba012cd7ba289f  10.1/RPMS/libgaim-remote0-devel-1.3.1-0.1.101mdk.i586.rpm
 7fc91e876195bb1257ff5b428e306fdf  10.1/SRPMS/gaim-1.3.1-0.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 9876d97be01fe46772f8f80ce28f5ccf  x86_64/10.1/RPMS/gaim-1.3.1-0.1.101mdk.x86_64.rpm
 49750a6aa86e6e09dc16f2317f7e0062  x86_64/10.1/RPMS/gaim-devel-1.3.1-0.1.101mdk.x86_64.rpm
 3ba1aaa598b1a90d2d7dfea3bd744d9e  x86_64/10.1/RPMS/gaim-gevolution-1.3.1-0.1.101mdk.x86_64.rpm
 cb7ef50532ea094e4cf0ebe707931740  x86_64/10.1/RPMS/gaim-perl-1.3.1-0.1.101mdk.x86_64.rpm
 2110f664d1c4e4c3dfcf84c3696b60d3  x86_64/10.1/RPMS/gaim-tcl-1.3.1-0.1.101mdk.x86_64.rpm
 178bd8ac319f10604b8327790743526f  x86_64/10.1/RPMS/lib64gaim-remote0-1.3.1-0.1.101mdk.x86_64.rpm
 db568bc151eb0b6211344c7608dd6099  x86_64/10.1/RPMS/lib64gaim-remote0-devel-1.3.1-0.1.101mdk.x86_64.rpm
 7fc91e876195bb1257ff5b428e306fdf  x86_64/10.1/SRPMS/gaim-1.3.1-0.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 72bed53f4a863d4bb3e7515d7a30adef  10.2/RPMS/gaim-1.3.1-0.1.102mdk.i586.rpm
 9a5ee47f3921ea57a6d3385c60379186  10.2/RPMS/gaim-devel-1.3.1-0.1.102mdk.i586.rpm
 66ba156f6e65011761ddfca073e6dc94  10.2/RPMS/gaim-gevolution-1.3.1-0.1.102mdk.i586.rpm
 1426070274bafd55bdc3eadea2ebfa3a  10.2/RPMS/gaim-perl-1.3.1-0.1.102mdk.i586.rpm
 3b77402203fa59aa449b046a7c58749d  10.2/RPMS/gaim-silc-1.3.1-0.1.102mdk.i586.rpm
 1115565b2f2ba8505c9012ef472b35b8  10.2/RPMS/gaim-tcl-1.3.1-0.1.102mdk.i586.rpm
 af6689ae3b55c35dbd2823b2a7474016  10.2/RPMS/libgaim-remote0-1.3.1-0.1.102mdk.i586.rpm
 5d9bb26bca7d190dfa4f138621a85edf  10.2/RPMS/libgaim-remote0-devel-1.3.1-0.1.102mdk.i586.rpm
 9f397d2a338771fdf24f9d37ce55fd85  10.2/SRPMS/gaim-1.3.1-0.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 4189d6699c1a05c97b170e81d549f8ea  x86_64/10.2/RPMS/gaim-1.3.1-0.1.102mdk.x86_64.rpm
 0a235252f3509b3c3dc15d71482f39b0  x86_64/10.2/RPMS/gaim-devel-1.3.1-0.1.102mdk.x86_64.rpm
 4ed3e16d23379d1a87474d4712671357  x86_64/10.2/RPMS/gaim-gevolution-1.3.1-0.1.102mdk.x86_64.rpm
 0d604302e4abd887e5bf4b46d4ab19d1  x86_64/10.2/RPMS/gaim-perl-1.3.1-0.1.102mdk.x86_64.rpm
 d115b6f98c2c93658810ed35aa54e108  x86_64/10.2/RPMS/gaim-silc-1.3.1-0.1.102mdk.x86_64.rpm
 88ad11a13f42cc093728061437c7de86  x86_64/10.2/RPMS/gaim-tcl-1.3.1-0.1.102mdk.x86_64.rpm
 21e357632a07cc8e8fbcf280384d3642  x86_64/10.2/RPMS/lib64gaim-remote0-1.3.1-0.1.102mdk.x86_64.rpm
 f0971fdfda8337897dfbfb9e0ee04fdb  x86_64/10.2/RPMS/lib64gaim-remote0-devel-1.3.1-0.1.102mdk.x86_64.rpm
 9f397d2a338771fdf24f9d37ce55fd85  x86_64/10.2/SRPMS/gaim-1.3.1-0.1.102mdk.src.rpm

 Corporate 3.0:
 ad4c433c3a75e8b4b24eb0a66caca44f  corporate/3.0/RPMS/gaim-1.3.1-0.1.C30mdk.i586.rpm
 8e279142cc357b43a8c58a3c73ac9b5e  corporate/3.0/RPMS/gaim-devel-1.3.1-0.1.C30mdk.i586.rpm
 661dea400ea206801c3a4434154405b7  corporate/3.0/RPMS/gaim-perl-1.3.1-0.1.C30mdk.i586.rpm
 93090aa5d4a50e578824af9f3a5d4995  corporate/3.0/RPMS/gaim-tcl-1.3.1-0.1.C30mdk.i586.rpm
 9fff14e865ab7667b6a03c7bb406f32b  corporate/3.0/RPMS/libgaim-remote0-1.3.1-0.1.C30mdk.i586.rpm
 067375646e00fb20ab7a2c9b2e48a951  corporate/3.0/RPMS/libgaim-remote0-devel-1.3.1-0.1.C30mdk.i586.rpm
 92a5283dc08a218a563df01b1c6dbe4a  corporate/3.0/SRPMS/gaim-1.3.1-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bf58aaf15a384a62ccdeeac89316e0b9  x86_64/corporate/3.0/RPMS/gaim-1.3.1-0.1.C30mdk.x86_64.rpm
 6539c1d78d9c17c05d33c44036adc1fe  x86_64/corporate/3.0/RPMS/gaim-devel-1.3.1-0.1.C30mdk.x86_64.rpm
 fa92889caa8ce98b40598f0a5e8d12e9  x86_64/corporate/3.0/RPMS/gaim-perl-1.3.1-0.1.C30mdk.x86_64.rpm
 0114367256677963d91e09bffe9bed2f  x86_64/corporate/3.0/RPMS/gaim-tcl-1.3.1-0.1.C30mdk.x86_64.rpm
 8d66f38ed47ae7e5dc093c2086f414de  x86_64/corporate/3.0/RPMS/lib64gaim-remote0-1.3.1-0.1.C30mdk.x86_64.rpm
 fd52dd04761c70fc9a34bd080f60fa9f  x86_64/corporate/3.0/RPMS/lib64gaim-remote0-devel-1.3.1-0.1.C30mdk.x86_64.rpm
 92a5283dc08a218a563df01b1c6dbe4a  x86_64/corporate/3.0/SRPMS/gaim-1.3.1-0.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCr0nemqjQ0CJFipgRAuVGAKCotXpx0966FGW3GHor6Iv7fEKJSgCdE6Az
YTx/D/FFc0AqwJwS8uW8bdk=
=D05A
- -----END PGP SIGNATURE-----



2.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           rsh
 Advisory ID:            MDKSA-2005:100
 Date:                   June 14th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0,
			 Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A vulnerability in the rcp protocol was discovered that allows a server
 to instruct a client to write arbitrary files outside of the current
 directory, which could potentially be a security concern if a user used
 rcp to copy files from a malicious server.
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0175
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 5e6f513e437cc9a5a619f323509ca58a  10.0/RPMS/rsh-0.17-13.1.100mdk.i586.rpm
 aec49c478c37577b6fd795bd9bb4ba67  10.0/RPMS/rsh-server-0.17-13.1.100mdk.i586.rpm
 259dcd458b33d1de12d172e876366165  10.0/SRPMS/rsh-0.17-13.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 fd2d00b91971f0b137696c0ca256b94a  amd64/10.0/RPMS/rsh-0.17-13.1.100mdk.amd64.rpm
 81fffa62d628599cee1f7b590ae4c38e  amd64/10.0/RPMS/rsh-server-0.17-13.1.100mdk.amd64.rpm
 259dcd458b33d1de12d172e876366165  amd64/10.0/SRPMS/rsh-0.17-13.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 de740985b0e213128f8639e3af831b5e  10.1/RPMS/rsh-0.17-13.1.101mdk.i586.rpm
 ff6873ae461a9a12e6a2aeee30a80aa0  10.1/RPMS/rsh-server-0.17-13.1.101mdk.i586.rpm
 2a5d801cdedfa0b0b588d340b79c9473  10.1/SRPMS/rsh-0.17-13.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 716ae1dc777924d462d9c502238bda9e  x86_64/10.1/RPMS/rsh-0.17-13.1.101mdk.x86_64.rpm
 23ea2409d82a32918e5e132d8e1fff90  x86_64/10.1/RPMS/rsh-server-0.17-13.1.101mdk.x86_64.rpm
 2a5d801cdedfa0b0b588d340b79c9473  x86_64/10.1/SRPMS/rsh-0.17-13.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 381a2b0e1418a14b618030f27ac445ea  10.2/RPMS/rsh-0.17-13.1.102mdk.i586.rpm
 d750e7ffcf28e7530e19a294ca9d6bc7  10.2/RPMS/rsh-server-0.17-13.1.102mdk.i586.rpm
 1b576319abe603cfaa12d8ee3e314b0d  10.2/SRPMS/rsh-0.17-13.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 7d9fd388f7fefa1e454b9d938befcfdc  x86_64/10.2/RPMS/rsh-0.17-13.1.102mdk.x86_64.rpm
 decb83a56d54b9d6310f4e1f2aefe555  x86_64/10.2/RPMS/rsh-server-0.17-13.1.102mdk.x86_64.rpm
 1b576319abe603cfaa12d8ee3e314b0d  x86_64/10.2/SRPMS/rsh-0.17-13.1.102mdk.src.rpm

 Corporate Server 2.1:
 a63459af04b29923eff1606742eb9ce4  corporate/2.1/RPMS/rsh-0.17-9.1.C21mdk.i586.rpm
 b655300455ec6bd0fb8c782cfbcbe281  corporate/2.1/RPMS/rsh-server-0.17-9.1.C21mdk.i586.rpm
 c828642735f509a405e4582b9f6f3a29  corporate/2.1/SRPMS/rsh-0.17-9.1.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 14219e4f9ada6336f7b26a86881942e2  x86_64/corporate/2.1/RPMS/rsh-0.17-9.1.C21mdk.x86_64.rpm
 c32ccf5751017c29817fdd485c489f4b  x86_64/corporate/2.1/RPMS/rsh-server-0.17-9.1.C21mdk.x86_64.rpm
 c828642735f509a405e4582b9f6f3a29  x86_64/corporate/2.1/SRPMS/rsh-0.17-9.1.C21mdk.src.rpm

 Corporate 3.0:
 b20aa1eb70c7bfc006c0c946601c9596  corporate/3.0/RPMS/rsh-0.17-13.1.C30mdk.i586.rpm
 7ae577ac25ff29385f99516abd79baaf  corporate/3.0/RPMS/rsh-server-0.17-13.1.C30mdk.i586.rpm
 c6fac5847bb6c80b8c92a22750d1c438  corporate/3.0/SRPMS/rsh-0.17-13.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 37a7576122ea4001257e11d034100c28  x86_64/corporate/3.0/RPMS/rsh-0.17-13.1.C30mdk.x86_64.rpm
 f7e9c14163f5a56b29fc2b17ae172bfb  x86_64/corporate/3.0/RPMS/rsh-server-0.17-13.1.C30mdk.x86_64.rpm
 c6fac5847bb6c80b8c92a22750d1c438  x86_64/corporate/3.0/SRPMS/rsh-0.17-13.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCr0rEmqjQ0CJFipgRAstZAJ9nc3Feivcc7Sf8IK5iKJPb2B8WNgCgsBFc
D0N2xFQ36ZmCMiw2OQZqCvE=
=4e3/
- -----END PGP SIGNATURE-----





- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Mandriva for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQrAwrYpao72zK539AQFq0AP/Ro5Q7CB34FQ/QktQWfWnrOreGc8yj11e
UG4GYF4N3BSo+tP0+vXs+/YnPL/zerH8yovldm2wPXvJbVI8xxFCWun155zk//Ti
hEwmKgBeBdwYaxzVd86pE7+GXQP+OsbXfzKsMBMGHy5suGL35/s0W0RTXs0B1dCW
xAPf8xD6am4=
=KKZ0
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________