
UNIRAS Brief - 525/05 - Mandriva - Five Update Announcements



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 525/05 dated 12.07.05  Time: 14:45 
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Mandriva - Five Update Announcements:
     1.  Updated drakxtools packages fix various bugs            [MDKA-2005:034]
     2.  Updated clamav packages fix vulnerability               [MDKSA-2005:113]
     3.  Updated leafnode packages fix multiple vulnerabilities  [MDKSA-2005:114]
     4.  Updated mplayer packages fix vulnerabilities            [MDKSA-2005:115]
     5.  Updated cpio packages fix vulnerabilities               [MDKSA-2005:116]


Detail
====== 

Update announcement summaries:

     1.  Three bugs have been corrected in the drakxtools package.

     2.  It has been discovered that a flaw in libmspack's Quantum archive 
         decompressor renders Clam AntiVirus vulnerable to a Denial of Service 
         attack.

     3.  A number of vulnerabilities in the leafnode NNTP server package have
         been found.

     4.  Two heap overflows were discovered in mplayer's code handling the
         RealMedia RTSP and Microsoft Media Services streams over TCP (MMST).
         These vulnerabilities could allow for a malicious server to execute
         arbitrary code on the client computer with the permissions of the
         user running MPlayer.

     5.  A race condition has been found in cpio 2.6 and earlier which allows local 
         users to modify permissions of arbitrary files via a hard link attack on 
         a file while it is being decompressed. A vulnerability has also been 
         discovered in cpio that allows a malicious cpio file to extract to an 
         arbitrary directory of the attacker's choice. 


Update announcement content follows:


1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                     Mandriva Linux Update Advisory
 _______________________________________________________________________

 Package name:           drakxtools
 Advisory ID:            MDKA-2005:034
 Date:                   July 11th, 2005

 Affected versions:	 10.0, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Three bugs have been corrected in the drakxtools package:
 
 drakfirewall: The port range syntax has been corrected for samba. (#16604)
 drakfont:     Uninstalling fonts has been fixed. (#9324)
 drakbackup:   The application has been patched to correctly deal with
               directory names that contain spaces, as well as add more
               restrictive permissions on the backup tarballs. (#12861)
 
 The updated packages correct these issues.
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 37796110219d4630e385cacba14a2ad1  10.0/RPMS/drakxtools-10-34.10.100mdk.i586.rpm
 fb13ab05591d778913e7a4d7a2f419aa  10.0/RPMS/drakxtools-http-10-34.10.100mdk.i586.rpm
 50e784568c523740b70871734b144d3c  10.0/RPMS/drakxtools-newt-10-34.10.100mdk.i586.rpm
 ce9a04da8b9e11ed24b5b627e94fdc16  10.0/RPMS/harddrake-10-34.10.100mdk.i586.rpm
 64a24f233e629d219b6b9d9c21172de2  10.0/RPMS/harddrake-ui-10-34.10.100mdk.i586.rpm
 119dd13a66bbb45f12e1d3788b5b9d05  10.0/RPMS/perl-MDK-Common-1.1.11-3.1.100mdk.i586.rpm
 3b726d8567901d3dceb20cb741ede3fe  10.0/RPMS/perl-MDK-Common-devel-1.1.11-3.1.100mdk.i586.rpm
 2b861a1cf154f37da26e5a78f850adf1  10.0/SRPMS/drakxtools-10-34.10.100mdk.src.rpm
 abc72b322aed89e9b36b9b997409881a  10.0/SRPMS/perl-MDK-Common-1.1.11-3.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 84df12268bc25944d1ad82e9cf369748  amd64/10.0/RPMS/drakxtools-10-34.10.100mdk.amd64.rpm
 f575190629630a2d735a9f6c32807cc5  amd64/10.0/RPMS/drakxtools-http-10-34.10.100mdk.amd64.rpm
 86f22b8dc1cf99c1f9e01e9115d2b5ff  amd64/10.0/RPMS/drakxtools-newt-10-34.10.100mdk.amd64.rpm
 2d1367ded4c4886a6e597c1c88c62170  amd64/10.0/RPMS/harddrake-10-34.10.100mdk.amd64.rpm
 848a50ae5a5b93f1467c0f65bb80137d  amd64/10.0/RPMS/harddrake-ui-10-34.10.100mdk.amd64.rpm
 6751b5a70f8ddf5757a96e86cbcaecf4  amd64/10.0/RPMS/perl-MDK-Common-1.1.11-3.1.100mdk.amd64.rpm
 cf5529fb9607559a05f6af8d2ebd68bf  amd64/10.0/RPMS/perl-MDK-Common-devel-1.1.11-3.1.100mdk.amd64.rpm
 2b861a1cf154f37da26e5a78f850adf1  amd64/10.0/SRPMS/drakxtools-10-34.10.100mdk.src.rpm
 abc72b322aed89e9b36b9b997409881a  amd64/10.0/SRPMS/perl-MDK-Common-1.1.11-3.1.100mdk.src.rpm

 Corporate 3.0:
 3297e8f57f9a6afd719752aa44a642fa  corporate/3.0/RPMS/drakxtools-10-34.10.C30mdk.i586.rpm
 48b6824149e89baf2ddd0a88970f2f31  corporate/3.0/RPMS/drakxtools-http-10-34.10.C30mdk.i586.rpm
 89cf4cdd6822afe954877f8c0f53b691  corporate/3.0/RPMS/drakxtools-newt-10-34.10.C30mdk.i586.rpm
 0a737b8f9a27c6b24a6fb4cb8c79cc09  corporate/3.0/RPMS/harddrake-10-34.10.C30mdk.i586.rpm
 7fa83bdc2ae61cb2da9af1697b92d4fc  corporate/3.0/RPMS/harddrake-ui-10-34.10.C30mdk.i586.rpm
 cc51eb977d90e6cc5a3fa5d0d4baec1b  corporate/3.0/SRPMS/drakxtools-10-34.10.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 4877f7b21fe16416f5f63be6d5201187  x86_64/corporate/3.0/RPMS/drakxtools-10-34.10.C30mdk.x86_64.rpm
 ab331b0e423b1bb8afc7b9d061f3a62e  x86_64/corporate/3.0/RPMS/drakxtools-http-10-34.10.C30mdk.x86_64.rpm
 0f7d14189006e22bb2a7c7b8404cd194  x86_64/corporate/3.0/RPMS/drakxtools-newt-10-34.10.C30mdk.x86_64.rpm
 1e650892860301b34bf719ff8ebd31cf  x86_64/corporate/3.0/RPMS/harddrake-10-34.10.C30mdk.x86_64.rpm
 f1c8fce2ef05495e3fc55342abc1355e  x86_64/corporate/3.0/RPMS/harddrake-ui-10-34.10.C30mdk.x86_64.rpm
 cc51eb977d90e6cc5a3fa5d0d4baec1b  x86_64/corporate/3.0/SRPMS/drakxtools-10-34.10.C30mdk.src.rpm
 _______________________________________________________________________

 Bug IDs fixed (see http://qa.mandriva.com for more information):

  9324 - drakfont does not uninstall fonts
  12861 - drakbackup does not handle directory names with spaces
  16604 - drakfirewall creates incorrect port syntax for samba
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0ygwmqjQ0CJFipgRAgd0AKDXPHaMNqsXM2qdyzjpvw6UxiAoBwCgg5gk
XJcusYu/p8IgSUOiu87+CJg=
=g03E
- -----END PGP SIGNATURE-----




2.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           clamav
 Advisory ID:            MDKSA-2005:113
 Date:                   July 11th, 2005

 Affected versions:	 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Andrew Toller and Stefan Kanthak discovered that a flaw in libmspack's
 Quantum archive decompressor renders Clam AntiVirus vulnerable to a
 Denial of Service attack.
 
 The updated packages have been patched to correct the problem.
 _______________________________________________________________________

 References:

  http://sourceforge.net/project/shownotes.php?release_id=337279
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 d1a61855ca50e53018e5c65ef380d8dd  10.1/RPMS/clamav-0.81-0.3.101mdk.i586.rpm
 4a73d4428b1c8288192e1880882114f1  10.1/RPMS/clamav-db-0.81-0.3.101mdk.i586.rpm
 ead89b02938223716b68ce51047fd193  10.1/RPMS/clamav-milter-0.81-0.3.101mdk.i586.rpm
 69ab5c876524188f382cb7649949ebcf  10.1/RPMS/clamd-0.81-0.3.101mdk.i586.rpm
 f682ad9ceaab4b22deacce071f685dd7  10.1/RPMS/libclamav1-0.81-0.3.101mdk.i586.rpm
 f74afc4b092506d942bc1c33e978143a  10.1/RPMS/libclamav1-devel-0.81-0.3.101mdk.i586.rpm
 5427d070911966721a7a74e43d5115d1  10.1/SRPMS/clamav-0.81-0.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 cef11c2c75f3d931e2fef9018895e410  x86_64/10.1/RPMS/clamav-0.81-0.3.101mdk.x86_64.rpm
 097aa32fc592727a5355872a91f2e53e  x86_64/10.1/RPMS/clamav-db-0.81-0.3.101mdk.x86_64.rpm
 e205ca0a534f2ca20afee6c311c927f2  x86_64/10.1/RPMS/clamav-milter-0.81-0.3.101mdk.x86_64.rpm
 dd5e7b49cc8b442b3ce9285b3b065217  x86_64/10.1/RPMS/clamd-0.81-0.3.101mdk.x86_64.rpm
 1c5d18841912089a2c0788103c81fd47  x86_64/10.1/RPMS/lib64clamav1-0.81-0.3.101mdk.x86_64.rpm
 b4ed80c808515aa78c5b64a90badc208  x86_64/10.1/RPMS/lib64clamav1-devel-0.81-0.3.101mdk.x86_64.rpm
 5427d070911966721a7a74e43d5115d1  x86_64/10.1/SRPMS/clamav-0.81-0.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 40ebaed7490c8c4609d175898a4524a5  10.2/RPMS/clamav-0.83-6.1.102mdk.i586.rpm
 ecba8225d04b3d56b367cd12d1b18041  10.2/RPMS/clamav-db-0.83-6.1.102mdk.i586.rpm
 4c3f83da2c21d5b438fa87c2fc9c2510  10.2/RPMS/clamav-milter-0.83-6.1.102mdk.i586.rpm
 9af96c3025518c85b71382ade35b34c2  10.2/RPMS/clamd-0.83-6.1.102mdk.i586.rpm
 617a8776560de95a5feebdb18beb2f74  10.2/RPMS/libclamav1-0.83-6.1.102mdk.i586.rpm
 bb629f7ef414de49be3bf2fff4fdd949  10.2/RPMS/libclamav1-devel-0.83-6.1.102mdk.i586.rpm
 c1aa9d888990112d8db675a67d65d612  10.2/SRPMS/clamav-0.83-6.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 73b4b991f4b44ff648f4f9730608988c  x86_64/10.2/RPMS/clamav-0.83-6.1.102mdk.x86_64.rpm
 78da41faaaf4a67ecebb2155d20681b8  x86_64/10.2/RPMS/clamav-db-0.83-6.1.102mdk.x86_64.rpm
 104687d7dcd6258e5737e90c6814a0c0  x86_64/10.2/RPMS/clamav-milter-0.83-6.1.102mdk.x86_64.rpm
 afc85c501b6a9aed7f967ed35f2e4540  x86_64/10.2/RPMS/clamd-0.83-6.1.102mdk.x86_64.rpm
 9f831708f8a44ccba75bd0cafc926e0d  x86_64/10.2/RPMS/lib64clamav1-0.83-6.1.102mdk.x86_64.rpm
 f76da72a62e0d94451c5bcfdd4a5ff56  x86_64/10.2/RPMS/lib64clamav1-devel-0.83-6.1.102mdk.x86_64.rpm
 c1aa9d888990112d8db675a67d65d612  x86_64/10.2/SRPMS/clamav-0.83-6.1.102mdk.src.rpm

 Corporate 3.0:
 154457f3913dc4bfcd349e8d7f3d9ed1  corporate/3.0/RPMS/clamav-0.81-0.3.C30mdk.i586.rpm
 aa6d83e73d03464aee591658721017db  corporate/3.0/RPMS/clamav-db-0.81-0.3.C30mdk.i586.rpm
 79ffb7195506c5b0914e10dda8eac35a  corporate/3.0/RPMS/clamav-milter-0.81-0.3.C30mdk.i586.rpm
 1232f43b5272369f1c11ed6c4c173091  corporate/3.0/RPMS/clamd-0.81-0.3.C30mdk.i586.rpm
 05d298da13d32180fcc1c20344b5b8d1  corporate/3.0/RPMS/libclamav1-0.81-0.3.C30mdk.i586.rpm
 f7035cc164562e19743d7be91d6d1a43  corporate/3.0/RPMS/libclamav1-devel-0.81-0.3.C30mdk.i586.rpm
 86bc352ab413fa6232a997d57adf1d1d  corporate/3.0/SRPMS/clamav-0.81-0.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 934b40e521ea1419a9ff4d886feddbf7  x86_64/corporate/3.0/RPMS/clamav-0.81-0.3.C30mdk.x86_64.rpm
 3e133b0bbe1135ef2e3e8092b1a2b499  x86_64/corporate/3.0/RPMS/clamav-db-0.81-0.3.C30mdk.x86_64.rpm
 c8a51fa7450234d845e5b278b13e1eb7  x86_64/corporate/3.0/RPMS/clamav-milter-0.81-0.3.C30mdk.x86_64.rpm
 dc4500f7c4b0bf29d8cb9ca41688965c  x86_64/corporate/3.0/RPMS/clamd-0.81-0.3.C30mdk.x86_64.rpm
 d1e99a1f9accbfc1702c0c3dc1a8dd4c  x86_64/corporate/3.0/RPMS/lib64clamav1-0.81-0.3.C30mdk.x86_64.rpm
 050a0ee0bf1511f62e59b2f42893c580  x86_64/corporate/3.0/RPMS/lib64clamav1-devel-0.81-0.3.C30mdk.x86_64.rpm
 86bc352ab413fa6232a997d57adf1d1d  x86_64/corporate/3.0/SRPMS/clamav-0.81-0.3.C30mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0yj4mqjQ0CJFipgRAsQJAJ48ZmIrft5xWvKAPpTW9s4nQosTdACgxCvo
WE7YDPVHivWiOHBM/N9SI4Q=
=zQDg
- -----END PGP SIGNATURE-----




3.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           leafnode
 Advisory ID:            MDKSA-2005:114
 Date:                   July 11th, 2005

 Affected versions:	 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 A number of vulnerabilities in the leafnode NNTP server package have
 been found:
 
 A vulnerability in the fetchnews program that could under some
 circumstances cause a wait for input that never arrives, which in
 turn would cause fetchnews to hang (CAN-2004-2068).
 
 Two vulnerabilities in the fetchnews program can cause fetchnews to
 crash when the upstream server closes the connection and leafnode is
 receiving an article header or an article body, which prevents leafnode
 from querying other servers that are listed after that particular
 server in the configuration file (CAN-2005-1453).
 
 Finally, another vulnerability in the fetchnews program could also
 cause a wait for input that never arrives, causing fetchnews to
 hang (CAN-2005-1911).
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2068
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1453
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1911
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 0d573481e6ba6335c50c7f2c0008c556  10.1/RPMS/leafnode-1.10.4-1.1.101mdk.i586.rpm
 1598ba602b4d7eae524469a4ffa4f363  10.1/SRPMS/leafnode-1.10.4-1.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 6ea053906fce3f66505594c7a300988c  x86_64/10.1/RPMS/leafnode-1.10.4-1.1.101mdk.x86_64.rpm
 1598ba602b4d7eae524469a4ffa4f363  x86_64/10.1/SRPMS/leafnode-1.10.4-1.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 6e1d77530f56d974603dbe5b5b414877  10.2/RPMS/leafnode-1.10.4-1.1.102mdk.i586.rpm
 df3600d2511ec46c90370598664834df  10.2/SRPMS/leafnode-1.10.4-1.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 a2328b9c5fe8d6f273642955dbb9496f  x86_64/10.2/RPMS/leafnode-1.10.4-1.1.102mdk.x86_64.rpm
 df3600d2511ec46c90370598664834df  x86_64/10.2/SRPMS/leafnode-1.10.4-1.1.102mdk.src.rpm

 Corporate 3.0:
 2e31824248a0b72dcd573cc1ce6fd54b  corporate/3.0/RPMS/leafnode-1.9.46-1.1.C30mdk.i586.rpm
 a1154635606b715011ac5a876be60719  corporate/3.0/SRPMS/leafnode-1.9.46-1.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bbd7bfdc23f029aa8966e1a0b845bc0a  x86_64/corporate/3.0/RPMS/leafnode-1.9.46-1.1.C30mdk.x86_64.rpm
 a1154635606b715011ac5a876be60719  x86_64/corporate/3.0/SRPMS/leafnode-1.9.46-1.1.C30mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0yntmqjQ0CJFipgRAj0wAKCN5OUhgoStc1c5eFZXUJXcdRJnsACgmZep
8Fevo0OnFl7PySpZRiAfqSE=
=PnkK
- -----END PGP SIGNATURE-----




4.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           mplayer
 Advisory ID:            MDKSA-2005:115
 Date:                   July 11th, 2005

 Affected versions:	 10.1, 10.2, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 Two heap overflows were discovered in mplayer's code handling the
 RealMedia RTSP and Microsoft Media Services streams over TCP (MMST).
 These vulnerabilities could allow for a malicious server to execute
 arbitrary code on the client computer with the permissions of the
 user running MPlayer.
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

  http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
  http://www.mplayerhq.hu/homepage/design7/news.html#vuln11
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.1:
 bd10af1b022eab6c708b798b788d8f8f  10.1/RPMS/libdha1.0-1.0-0.pre5.8.1.101mdk.i586.rpm
 0f045ff30c496287bca8ecb70fd3f9d4  10.1/RPMS/libpostproc0-1.0-0.pre5.8.1.101mdk.i586.rpm
 2d6cc0414095376592ca2f31b530e139  10.1/RPMS/libpostproc0-devel-1.0-0.pre5.8.1.101mdk.i586.rpm
 083b1fd4689665cc07477f87d171d614  10.1/RPMS/mencoder-1.0-0.pre5.8.1.101mdk.i586.rpm
 8428f9c5e8216dc20f92ddccbaaa906c  10.1/RPMS/mplayer-1.0-0.pre5.8.1.101mdk.i586.rpm
 596d46dd4d84deda9e5b38910e4d6f78  10.1/RPMS/mplayer-gui-1.0-0.pre5.8.1.101mdk.i586.rpm
 b74e89d4c606c99857a5a5a4314e2cc3  10.1/SRPMS/mplayer-1.0-0.pre5.8.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 bd10af1b022eab6c708b798b788d8f8f  x86_64/10.1/RPMS/libdha1.0-1.0-0.pre5.8.1.101mdk.i586.rpm
 0f045ff30c496287bca8ecb70fd3f9d4  x86_64/10.1/RPMS/libpostproc0-1.0-0.pre5.8.1.101mdk.i586.rpm
 2d6cc0414095376592ca2f31b530e139  x86_64/10.1/RPMS/libpostproc0-devel-1.0-0.pre5.8.1.101mdk.i586.rpm
 083b1fd4689665cc07477f87d171d614  x86_64/10.1/RPMS/mencoder-1.0-0.pre5.8.1.101mdk.i586.rpm
 8428f9c5e8216dc20f92ddccbaaa906c  x86_64/10.1/RPMS/mplayer-1.0-0.pre5.8.1.101mdk.i586.rpm
 596d46dd4d84deda9e5b38910e4d6f78  x86_64/10.1/RPMS/mplayer-gui-1.0-0.pre5.8.1.101mdk.i586.rpm
 b74e89d4c606c99857a5a5a4314e2cc3  x86_64/10.1/SRPMS/mplayer-1.0-0.pre5.8.1.101mdk.src.rpm

 Mandrakelinux 10.2:
 4c177eb3a8868ef01de7f8f645a8df1e  10.2/RPMS/libdha1.0-1.0-0.pre6.8.1.102mdk.i586.rpm
 e1c7dbc6206e73501b30eb57effdac5a  10.2/RPMS/libpostproc0-1.0-0.pre6.8.1.102mdk.i586.rpm
 2d3e70104fdb6d95895a7ee2bde6595d  10.2/RPMS/libpostproc0-devel-1.0-0.pre6.8.1.102mdk.i586.rpm
 99a4599c171c4d497a846ea04ca17f69  10.2/RPMS/mencoder-1.0-0.pre6.8.1.102mdk.i586.rpm
 c227f20edb5d7918baf3c57bb0873821  10.2/RPMS/mplayer-1.0-0.pre6.8.1.102mdk.i586.rpm
 fbd9082c731f6f2c1ffb9e4f8d34b3b9  10.2/RPMS/mplayer-gui-1.0-0.pre6.8.1.102mdk.i586.rpm
 99eae364cc22227fd060a30c04d16ee0  10.2/SRPMS/mplayer-1.0-0.pre6.8.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 4fac156842e3d8128f3db891176cf5bc  x86_64/10.2/RPMS/lib64postproc0-1.0-0.pre6.8.1.102mdk.x86_64.rpm
 4e400c2a8eec069eb48b174dad260630  x86_64/10.2/RPMS/lib64postproc0-devel-1.0-0.pre6.8.1.102mdk.x86_64.rpm
 4b6be0070a94b344a273c58a72887e09  x86_64/10.2/RPMS/mencoder-1.0-0.pre6.8.1.102mdk.x86_64.rpm
 74c034b62e9a521bc1940a055ed85efa  x86_64/10.2/RPMS/mplayer-1.0-0.pre6.8.1.102mdk.x86_64.rpm
 939796a7a34edfd1a28ede74945f6476  x86_64/10.2/RPMS/mplayer-gui-1.0-0.pre6.8.1.102mdk.x86_64.rpm
 99eae364cc22227fd060a30c04d16ee0  x86_64/10.2/SRPMS/mplayer-1.0-0.pre6.8.1.102mdk.src.rpm

 Corporate 3.0:
 d41099adcaa6d11c38e89b576cd29c0e  corporate/3.0/RPMS/libdha0.1-1.0-0.pre3.14.2.C30mdk.i586.rpm
 957d003a9d6a87dcef47000389cf1718  corporate/3.0/RPMS/libpostproc0-1.0-0.pre3.14.2.C30mdk.i586.rpm
 2e03d433c8c85d92fd5f3b55993657a4  corporate/3.0/RPMS/libpostproc0-devel-1.0-0.pre3.14.2.C30mdk.i586.rpm
 c7db9472c5307cf4b2101cf85258374b  corporate/3.0/RPMS/mencoder-1.0-0.pre3.14.2.C30mdk.i586.rpm
 2ff16f611b2e04279d82d334d22e09b2  corporate/3.0/RPMS/mplayer-1.0-0.pre3.14.2.C30mdk.i586.rpm
 c893a7b1127e6a6b882f8a805197f704  corporate/3.0/RPMS/mplayer-gui-1.0-0.pre3.14.2.C30mdk.i586.rpm
 33af37ca45913f9143a14c54cf599ea9  corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 d56e4c1c37fc14c358679c9965a1a631  x86_64/corporate/3.0/RPMS/lib64postproc0-1.0-0.pre3.14.2.C30mdk.x86_64.rpm
 855ab006ca3e953ff0b2e74dc945ec4e  x86_64/corporate/3.0/RPMS/lib64postproc0-devel-1.0-0.pre3.14.2.C30mdk.x86_64.rpm
 735165e505cd65f4c035778e681b4da1  x86_64/corporate/3.0/RPMS/mencoder-1.0-0.pre3.14.2.C30mdk.x86_64.rpm
 0bbec21ba423cdeb16d1d3a86ce48d70  x86_64/corporate/3.0/RPMS/mplayer-1.0-0.pre3.14.2.C30mdk.x86_64.rpm
 314b912d457e48b4a09ca03e94600310  x86_64/corporate/3.0/RPMS/mplayer-gui-1.0-0.pre3.14.2.C30mdk.x86_64.rpm
 33af37ca45913f9143a14c54cf599ea9  x86_64/corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.2.C30mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0ysCmqjQ0CJFipgRAlNDAJ4lZnvklyyUurdn8Kxq3bu3R2d3eQCcDyXh
yppl4sZhLzPezuTB76yx7Lw=
=Vq9x
- -----END PGP SIGNATURE-----




5.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           cpio
 Advisory ID:            MDKSA-2005:116
 Date:                   July 11th, 2005

 Affected versions:	 10.0, 10.1, 10.2, Corporate 3.0,
			 Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A race condition has been found in cpio 2.6 and earlier which allows local 
 users to modify permissions of arbitrary files via a hard link attack on 
 a file while it is being decompressed, whose permissions are changed by 
 cpio after the decompression is complete. (CAN-2005-1111)
 
 A vulnerability has been discovered in cpio that allows a malicious cpio 
 file to extract to an arbitrary directory of the attacker's choice. 
 Cpio will extract to the path specified in the cpio file; this path can be
 absolute. (CAN-2005-1229)
 
 The updated packages have been patched to address both of these issues.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1111
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1229
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 5e09657806ea7779182c7e5a49c22be8  10.0/RPMS/cpio-2.5-4.2.100mdk.i586.rpm
 407b3cef16e5d7153c3af0a685df7109  10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 4a1947f3c7fc27f0b6cc0d9bdf97cfd8  amd64/10.0/RPMS/cpio-2.5-4.2.100mdk.amd64.rpm
 407b3cef16e5d7153c3af0a685df7109  amd64/10.0/SRPMS/cpio-2.5-4.2.100mdk.src.rpm

 Mandrakelinux 10.1:
 c808f5a1689a006e9049e1d8a37ede70  10.1/RPMS/cpio-2.5-4.3.101mdk.i586.rpm
 907e5f404afe7cdd649f8aeaa8444914  10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 71ab78c534f9552ad081c625e92afb45  x86_64/10.1/RPMS/cpio-2.5-4.3.101mdk.x86_64.rpm
 907e5f404afe7cdd649f8aeaa8444914  x86_64/10.1/SRPMS/cpio-2.5-4.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 9db16a5fa7bfc85aa7bb2d199ab5d825  10.2/RPMS/cpio-2.6-3.1.102mdk.i586.rpm
 131667db822df5a4cec71e24cdc51b69  10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 4d5b31e9bdd5d1c81fc61ec3a863f7ff  x86_64/10.2/RPMS/cpio-2.6-3.1.102mdk.x86_64.rpm
 131667db822df5a4cec71e24cdc51b69  x86_64/10.2/SRPMS/cpio-2.6-3.1.102mdk.src.rpm

 Corporate Server 2.1:
 fe2a5bdd208f9ce6fcf87b90a87dbbdf  corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.i586.rpm
 950d0f7e96d109e965fb9d6d8f500813  corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 826500d3531ce8aff99afaf97eb8a8a7  x86_64/corporate/2.1/RPMS/cpio-2.5-4.2.C21mdk.x86_64.rpm
 950d0f7e96d109e965fb9d6d8f500813  x86_64/corporate/2.1/SRPMS/cpio-2.5-4.2.C21mdk.src.rpm

 Corporate 3.0:
 44667c0001e9da72f56c109f9f451c22  corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.i586.rpm
 a7beddf04ef0e065dad9af2387393c22  corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 94803dd8ac6d1a1fc5436c04f097b4a1  x86_64/corporate/3.0/RPMS/cpio-2.5-4.2.C30mdk.x86_64.rpm
 a7beddf04ef0e065dad9af2387393c22  x86_64/corporate/3.0/SRPMS/cpio-2.5-4.2.C30mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC0yyJmqjQ0CJFipgRAoYkAJ9MY1g/YCtZLFFImxllc/04s9t/qgCgjOx0
Nz3fEb5LkdiVSEy+GpgMZIg=
=yysM
- -----END PGP SIGNATURE-----
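
The absolute-path issue described in MDKSA-2005:116 (CAN-2005-1229) can be checked for before an archive is extracted. The following is an added example, not part of the Mandriva advisory or of the cpio code base: a Python reader for the cpio "newc" format that lists member names without writing anything to disk and flags absolute paths; flagging ".." components goes beyond what the advisory states. The function names and the in-memory sample archive are constructed for illustration.

```python
"""Audit a cpio 'newc' archive for unsafe member names without extracting it."""
import io
import sys

NEWC_MAGICS = (b"070701", b"070702")   # newc, and newc with checksum
HEADER_LEN = 110                       # 6-byte magic + 13 fields of 8 hex digits
TRAILER = "TRAILER!!!"                 # name of the end-of-archive entry


def _pad4(n):
    """Bytes of padding needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4


def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated cpio archive")
    return data


def iter_newc_members(stream):
    """Yield (name, mode, size) per member; file data is skipped, never written."""
    while True:
        hdr = _read_exact(stream, HEADER_LEN)
        if hdr[:6] not in NEWC_MAGICS:
            raise ValueError("not a cpio newc header: %r" % hdr[:6])
        # Field order: ino mode uid gid nlink mtime filesize
        #              devmajor devminor rdevmajor rdevminor namesize check
        f = [int(hdr[6 + 8 * i:14 + 8 * i].decode("ascii"), 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        raw = _read_exact(stream, namesize)          # name includes its trailing NUL
        _read_exact(stream, _pad4(HEADER_LEN + namesize))
        name = raw.split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        if name == TRAILER:
            return
        remaining = filesize + _pad4(filesize)
        while remaining:                             # skip data in bounded chunks
            remaining -= len(_read_exact(stream, min(remaining, 65536)))
        yield name, mode, filesize


def unsafe_reason(name):
    """Return why a member name could land outside the target directory, or None."""
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "'..' path component"
    return None


def audit(stream):
    """Return [(name, reason)] for members that should not be extracted as-is."""
    findings = []
    for name, _mode, _size in iter_newc_members(stream):
        reason = unsafe_reason(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_newc(members):
    """Build a small newc archive in memory (constructed sample data only)."""
    out = bytearray()
    for ino, (name, data) in enumerate(list(members) + [(TRAILER, b"")], start=1):
        nm = name.encode() + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + b"".join(b"%08X" % v for v in fields)
        out += nm + b"\0" * _pad4(HEADER_LEN + len(nm))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


# Constructed sample: two ordinary members and two that should be flagged.
SAMPLE = build_newc([
    ("docs/readme.txt", b"hello\n"),
    ("/tmp/absolute.txt", b"x"),
    ("../outside.txt", b"y"),
    ("a/..b/ok.txt", b"z"),          # '..b' is an ordinary name, not a traversal
])

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    with src:
        for member, why in audit(src):
            print("UNSAFE  %-24s %s" % (member, why))
```

Pass an archive path as the first argument to audit a file on disk; with no argument the script audits the constructed sample.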



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Mandriva for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQtPJKYpao72zK539AQG9HgP7BH9lR30LHwzrm09A16vElBKIQujylmGt
7Oh4nbnSZVXSmBI2Vw7saVuS0KcAVdAL30bY3s1bQ5cCAcv2rAvP8IEiTIfHnl4u
LaM0GrUzPZce/XcSZx7UBL7WMi7a5KkCGGuryqkXu67+IzSu+zVrUor0J7SLJlJB
A37h5APww6Q=
=qRtQ
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
