
UNIRAS Brief - 727/06 - Five Mandriva Linux Advisories:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 UNIRAS (UK Government CERT) Briefing - 727/06 dated 08.11.06 time 14:15
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)
______________________________________________________________________________

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________

Title
=====


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Five Mandriva Linux Advisories:

1. MDKA-2006:047 - Updated jabber package fix SSL support issue

2. MDKSA-2006:198-1 - Updated imlib2 packages fix several vulnerabilities

3. MDKSA-2006:200 - Updated rpm packages fix vulnerability

4. MDKSA-2006:201 - Updated pam_ldap packages fix PasswordPolicyResponse coding error

5. MDKSA-2006:202 - Updated wv packages fix vulnerabilities

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRVHlmml7oeQsXfKvEQK9RQCeNOBGZ4HlCgCxoVOuEmnrCuD/NVQAoO71
dnxC5i/VineOjSdKLwZErYuG
=rTfq
- -----END PGP SIGNATURE-----

Detail
======

1.  The OpenSSL library was not properly initialized in the jabber SSL
 support code, which prevented SSL support for incoming client
 connections on the jabber server.  This update corrects this issue.

2.  M Joonas Pihlaja discovered several vulnerabilities in the Imlib2
 graphics library.
 The load() function of several of the Imlib2 image loaders does not
 check the width and height of an image before allocating memory. As a
 result, a carefully crafted image file can trigger a segfault when an
 application using Imlib2 attempts to view the image. (CVE-2006-4806)

3.  A heap-based buffer overflow was discovered in librpm when the LANG or
 LC_ALL environment variable is set to ru_RU.UTF-8 (and possibly other
 locales), which could allow for user-assisted attackers to execute
 arbitrary code via crafted RPM packages.

4.  Pam_ldap does not return an error condition when an LDAP directory
 server responds with a PasswordPolicyResponse control response, which
 causes the pam_authenticate function to return a success code even if
 authentication has failed, as originally reported for xscreensaver.
 This might lead to an attacker being able to log in to a suspended
 system account.

5.  Multiple integer overflows in the WV library in wvWare (formerly
 mswordview) before 1.2.3, as used by AbiWord, KWord, and possibly
 other products, allow user-assisted remote attackers to execute
 arbitrary code via a crafted Microsoft Word (DOC) file that produces
 (1) large LFO clfolvl values in the wvGetLFO_records function or (2) a
 large LFO nolfo value in the wvGetLFO_PLF function.




1.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Advisory                                   MDKA-2006:047
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : 
 Date    : November 7, 2006
 Affected: 2007.0
 _______________________________________________________________________
 
 Problem Description:
 
 The OpenSSL library was not properly initialized in the jabber SSL
 support code, which prevented SSL support for incoming client
 connections on the jabber server.  This update corrects this issue.
 _______________________________________________________________________

 Updated Packages:
 
 Mandriva Linux 2007.0:
 1b01cf8eba6b4e994273750fff039f5f  2007.0/i586/jabber-1.4.4-11mdv2007.0.i586.rpm
 ca89fe27743a33838668b3e2c93e51a2  2007.0/i586/jabber-aim-1.4.4-11mdv2007.0.i586.rpm
 1d2423822d1567d6671afcb275f251b6  2007.0/i586/jabber-conference-1.4.4-11mdv2007.0.i586.rpm
 c4da79e0ae444b29f89cb201d0671218  2007.0/i586/jabber-jud-1.4.4-11mdv2007.0.i586.rpm
 6742fc349f2007075d5a3517fad9f09f  2007.0/i586/jabber-msn-1.4.4-11mdv2007.0.i586.rpm
 9ae743de575a9fe4db4894549af8a8ee  2007.0/i586/jabber-yahoo-1.4.4-11mdv2007.0.i586.rpm
 d6c0dbbd5a0f90d57aee35a9fee6e456  2007.0/i586/libjabberd0-1.4.4-11mdv2007.0.i586.rpm
 de2b8428b0a215c2b09e4ddc5d2f72bf  2007.0/i586/libjabberd0-devel-1.4.4-11mdv2007.0.i586.rpm 
 8d2fbd41cdca4f6da009f214a1015e34  2007.0/SRPMS/jabber-1.4.4-11mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 e5ef4a88a4fb1200c2de2cc7e6241aa7  2007.0/x86_64/jabber-1.4.4-11mdv2007.0.x86_64.rpm
 06ada46592f3a972bbd00b90e162ce7a  2007.0/x86_64/jabber-aim-1.4.4-11mdv2007.0.x86_64.rpm
 f6d8fa355a0d33c8a6258a3bf3379cbe  2007.0/x86_64/jabber-conference-1.4.4-11mdv2007.0.x86_64.rpm
 7e57983efaf5a1645f9ce36cb5dde19c  2007.0/x86_64/jabber-jud-1.4.4-11mdv2007.0.x86_64.rpm
 24e34bde838414d3238e289fc9e45ae1  2007.0/x86_64/jabber-msn-1.4.4-11mdv2007.0.x86_64.rpm
 5dacbf2f8f25496e27076da3461fc9b4  2007.0/x86_64/jabber-yahoo-1.4.4-11mdv2007.0.x86_64.rpm
 9f715227f5303fce1fd00fea7d98b8af  2007.0/x86_64/lib64jabberd0-1.4.4-11mdv2007.0.x86_64.rpm
 07a1afb87399a2e2db9a8b8b572ccea3  2007.0/x86_64/lib64jabberd0-devel-1.4.4-11mdv2007.0.x86_64.rpm 
 8d2fbd41cdca4f6da009f214a1015e34  2007.0/SRPMS/jabber-1.4.4-11mdv2007.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD4DBQFFURo0mqjQ0CJFipgRAuluAJiQaxIvUiHV85wePhCqw6bl8WiSAKC8xFYK
RAz3ITd3PIfMMwOuqE9jkQ==
=fI//
- -----END PGP SIGNATURE-----



2.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                       MDKSA-2006:198-1
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : imlib2
 Date    : November 6, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 M Joonas Pihlaja discovered several vulnerabilities in the Imlib2
 graphics library.

 The load() function of several of the Imlib2 image loaders does not
 check the width and height of an image before allocating memory. As a
 result, a carefully crafted image file can trigger a segfault when an
 application using Imlib2 attempts to view the image. (CVE-2006-4806)

 The tga loader fails to bounds check input data to make sure the input
 data doesn't load outside the memory mapped region. (CVE-2006-4807)

 The RLE decoding loops of the load() function in the tga loader do
 not check that the count byte of an RLE packet doesn't cause a heap
 overflow of the pixel buffer. (CVE-2006-4808)

 The load() function of the pnm loader writes arbitrary length user data
 into a fixed size stack allocated buffer buf[] without bounds checking.
 (CVE-2006-4809)  Updated packages have been patched to correct these
 issues.

 Update:

 An error in the previous patchset may affect JPEG image handling for
 certain valid images. This new update corrects this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4806
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4807
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4808
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4809
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 4cd544b96a2bcaed32012a3636628b32  2006.0/i586/imlib2-data-1.2.1-1.3.20060mdk.i586.rpm
 da17344a1e28fdfd4be087e9ec092a0c  2006.0/i586/libimlib2_1-1.2.1-1.3.20060mdk.i586.rpm
 f15225db7b1b03b814d263a42a304aad  2006.0/i586/libimlib2_1-devel-1.2.1-1.3.20060mdk.i586.rpm
 fa7f076f50636badeee3bfb7965675ab  2006.0/i586/libimlib2_1-filters-1.2.1-1.3.20060mdk.i586.rpm
 c0d54a209a44785ae720c5a4426dbd64  2006.0/i586/libimlib2_1-loaders-1.2.1-1.3.20060mdk.i586.rpm 
 6ebb0fd9da5156686618d43f2188c8ef  2006.0/SRPMS/imlib2-1.2.1-1.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 1be1988c5aea7a22770c5d39675a321b  2006.0/x86_64/imlib2-data-1.2.1-1.3.20060mdk.x86_64.rpm
 fb2293ecdf47bda1e4d1ce67c9539442  2006.0/x86_64/lib64imlib2_1-1.2.1-1.3.20060mdk.x86_64.rpm
 4d8beff4cb21b5e6003c46774ce04cd3  2006.0/x86_64/lib64imlib2_1-devel-1.2.1-1.3.20060mdk.x86_64.rpm
 95ec706c26a480effa71ee7458f0523a  2006.0/x86_64/lib64imlib2_1-filters-1.2.1-1.3.20060mdk.x86_64.rpm
 4f412783aef1934e0e8f7b2523b67b19  2006.0/x86_64/lib64imlib2_1-loaders-1.2.1-1.3.20060mdk.x86_64.rpm 
 6ebb0fd9da5156686618d43f2188c8ef  2006.0/SRPMS/imlib2-1.2.1-1.3.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 e5e136bb1d119892a4a2a4c87e9b3903  2007.0/i586/imlib2-data-1.2.2-3.2mdv2007.0.i586.rpm
 f0c1a6296bc04c896a37a432b9d2ee31  2007.0/i586/libimlib2_1-1.2.2-3.2mdv2007.0.i586.rpm
 edb6a88f3e8a9a268ebc2395919f2b78  2007.0/i586/libimlib2_1-devel-1.2.2-3.2mdv2007.0.i586.rpm
 676be1d6f7d78da826dea6be8535c11e  2007.0/i586/libimlib2_1-filters-1.2.2-3.2mdv2007.0.i586.rpm
 0a9bb4cd967f3286c90c65bd20c35e8a  2007.0/i586/libimlib2_1-loaders-1.2.2-3.2mdv2007.0.i586.rpm 
 ce6b02c1d58cc7a6c7be69c0a84fba82  2007.0/SRPMS/imlib2-1.2.2-3.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 26e871cf8a946029fdc8a87d8d8fc16d  2007.0/x86_64/imlib2-data-1.2.2-3.2mdv2007.0.x86_64.rpm
 6bde1a406b60edb87c1b57adbd04b36e  2007.0/x86_64/lib64imlib2_1-1.2.2-3.2mdv2007.0.x86_64.rpm
 c032f45d676b806b57d7b7496b7ba41c  2007.0/x86_64/lib64imlib2_1-devel-1.2.2-3.2mdv2007.0.x86_64.rpm
 e485af5e82b804ffec13ef705a02c2e8  2007.0/x86_64/lib64imlib2_1-filters-1.2.2-3.2mdv2007.0.x86_64.rpm
 4a143c2997b57f00a27bc6c7ecce1e06  2007.0/x86_64/lib64imlib2_1-loaders-1.2.2-3.2mdv2007.0.x86_64.rpm 
 ce6b02c1d58cc7a6c7be69c0a84fba82  2007.0/SRPMS/imlib2-1.2.2-3.2mdv2007.0.src.rpm

 Corporate 3.0:
 ef3cd741c034592c271bfffa31b5fd89  corporate/3.0/i586/libimlib2_1-1.0.6-4.4.C30mdk.i586.rpm
 c808de39609104891a3302b587b2898f  corporate/3.0/i586/libimlib2_1-devel-1.0.6-4.4.C30mdk.i586.rpm
 2cc5b0560275b6917d90fe8f014b466d  corporate/3.0/i586/libimlib2_1-filters-1.0.6-4.4.C30mdk.i586.rpm
 01b3b38db8e92c34167c2fa6ffe647bc  corporate/3.0/i586/libimlib2_1-loaders-1.0.6-4.4.C30mdk.i586.rpm 
 a14e20f0fae8209d5d82d1fb3e28a82d  corporate/3.0/SRPMS/imlib2-1.0.6-4.4.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 a3a3ddac9e0364367134c2981007c96b  corporate/3.0/x86_64/lib64imlib2_1-1.0.6-4.4.C30mdk.x86_64.rpm
 511b57c0bfd6e4e8fcfd1a4f64ce28d4  corporate/3.0/x86_64/lib64imlib2_1-devel-1.0.6-4.4.C30mdk.x86_64.rpm
 1393decfcd932de1e65123d5e76395fb  corporate/3.0/x86_64/lib64imlib2_1-filters-1.0.6-4.4.C30mdk.x86_64.rpm
 b9e803f9ad9c34c1d25e48c9bbf06120  corporate/3.0/x86_64/lib64imlib2_1-loaders-1.0.6-4.4.C30mdk.x86_64.rpm 
 a14e20f0fae8209d5d82d1fb3e28a82d  corporate/3.0/SRPMS/imlib2-1.0.6-4.4.C30mdk.src.rpm

 Corporate 4.0:
 855099dbe15e10e0a9717921a1627976  corporate/4.0/i586/imlib2-data-1.2.1-1.3.20060mlcs4.i586.rpm
 e53b851d8cd7d68193f566c30e71c329  corporate/4.0/i586/libimlib2_1-1.2.1-1.3.20060mlcs4.i586.rpm
 f04d6e820a44f73d97982ff0c191dd74  corporate/4.0/i586/libimlib2_1-devel-1.2.1-1.3.20060mlcs4.i586.rpm
 b978c2cad3d02cd65bdc564992071557  corporate/4.0/i586/libimlib2_1-filters-1.2.1-1.3.20060mlcs4.i586.rpm
 b1eb762b86e4fad4290da6d5ee4573aa  corporate/4.0/i586/libimlib2_1-loaders-1.2.1-1.3.20060mlcs4.i586.rpm 
 7703412328a1508cec0a61661f373c1b  corporate/4.0/SRPMS/imlib2-1.2.1-1.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 ccec9056b57574dd17bb56b4b1423567  corporate/4.0/x86_64/imlib2-data-1.2.1-1.3.20060mlcs4.x86_64.rpm
 884dad892370cdbd3e693cbb0ee6cb2d  corporate/4.0/x86_64/lib64imlib2_1-1.2.1-1.3.20060mlcs4.x86_64.rpm
 6832b40e2e31f6244caff8818ee3d91c  corporate/4.0/x86_64/lib64imlib2_1-devel-1.2.1-1.3.20060mlcs4.x86_64.rpm
 1bce9e9f26e43af8625e83cb15792747  corporate/4.0/x86_64/lib64imlib2_1-filters-1.2.1-1.3.20060mlcs4.x86_64.rpm
 57bf86f98c4595cd269723559de2bb9e  corporate/4.0/x86_64/lib64imlib2_1-loaders-1.2.1-1.3.20060mlcs4.x86_64.rpm 
 7703412328a1508cec0a61661f373c1b  corporate/4.0/SRPMS/imlib2-1.2.1-1.3.20060mlcs4.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFUR6bmqjQ0CJFipgRAtp7AKDF4s3BY9qiPof2ePjFMwheJFCdsgCghARe
V0zoNe+7aaMEQfcN0WFLJ8g=
=1wJ4
- -----END PGP SIGNATURE-----
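
The checks the imlib2 advisory above reports as missing (CVE-2006-4806 to CVE-2006-4808), shown as an added example that is not Imlib2 or Mandriva code: a decoder for TGA-style 32-bit RLE packets that validates the dimensions before allocating and bounds-checks both the input and the pixel buffer. The function names, the MAX_DIM limit and the sample byte strings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 32767u /* assumed per-axis limit for this example */

enum dec_status { DEC_OK, DEC_BAD_DIMS, DEC_NOMEM, DEC_TRUNCATED, DEC_OVERRUN };

/* Constructed sample inputs (not real image files). */
const uint8_t SAMPLE_OK[] = { 0x81, 0xAA, 0xBB, 0xCC, 0xDD,        /* run of 2 */
                              0x01, 1, 0, 0, 0, 2, 0, 0, 0 };      /* 2 raw pixels */
const uint8_t SAMPLE_OVERRUN[] = { 0xFF, 0xAA, 0xBB, 0xCC, 0xDD }; /* run of 128 */
const uint8_t SAMPLE_TRUNC[] = { 0x03, 1, 0, 0, 0 };   /* claims 4 raw, has 1 */

/* Reject zero or oversized dimensions and compute w*h without overflow,
 * before any memory is allocated. */
int pixel_count(uint32_t w, uint32_t h, size_t *n)
{
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM)
        return -1;
    *n = (size_t)w * (size_t)h;              /* below 2^30, cannot wrap */
    if (*n > SIZE_MAX / sizeof(uint32_t))    /* the byte size must fit too */
        return -1;
    return 0;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode RLE packets into a freshly allocated w*h pixel buffer.
 * Header byte: bit 7 set = run packet, low 7 bits + 1 = pixel count. */
enum dec_status rle_decode(const uint8_t *src, size_t len,
                           uint32_t w, uint32_t h, uint32_t **out)
{
    size_t n, in = 0, o = 0;
    enum dec_status st = DEC_OK;

    *out = NULL;
    if (pixel_count(w, h, &n) != 0)
        return DEC_BAD_DIMS;
    uint32_t *px = malloc(n * sizeof *px);
    if (px == NULL)
        return DEC_NOMEM;

    while (o < n) {
        if (in >= len) { st = DEC_TRUNCATED; break; }
        uint8_t hdr = src[in++];
        size_t count = (size_t)(hdr & 0x7f) + 1;
        /* Output bound: the packet must fit in what is left of the buffer. */
        if (count > n - o) { st = DEC_OVERRUN; break; }
        if (hdr & 0x80) {
            /* Input bound: one pixel value must be present. */
            if (len - in < 4) { st = DEC_TRUNCATED; break; }
            uint32_t v = read_le32(src + in);
            in += 4;
            while (count--) px[o++] = v;
        } else {
            /* Input bound: all raw pixels must be present. */
            if ((len - in) / 4 < count) { st = DEC_TRUNCATED; break; }
            while (count--) { px[o++] = read_le32(src + in); in += 4; }
        }
    }
    if (st != DEC_OK) { free(px); return st; }
    *out = px;
    return DEC_OK;
}

/* Decode a sample and return only the status. */
int run_sample(const uint8_t *src, size_t len, uint32_t w, uint32_t h)
{
    uint32_t *px;
    enum dec_status st = rle_decode(src, len, w, h, &px);
    free(px);
    return (int)st;
}

/* Pixel idx of the valid 2x2 sample, or 0 if decoding fails. */
uint32_t sample_pixel(size_t idx)
{
    uint32_t *px, v = 0;
    if (rle_decode(SAMPLE_OK, sizeof SAMPLE_OK, 2, 2, &px) == DEC_OK && idx < 4)
        v = px[idx];
    free(px);
    return v;
}

int main(void)
{
    printf("valid 2x2       -> %d\n", run_sample(SAMPLE_OK, sizeof SAMPLE_OK, 2, 2));
    printf("oversized run   -> %d\n", run_sample(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, 2, 2));
    printf("truncated input -> %d\n", run_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 2, 2));
    printf("65536 x 65536   -> %d\n", run_sample(SAMPLE_OK, sizeof SAMPLE_OK, 65536u, 65536u));
    return 0;
}
```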




3. 




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:200
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : rpm
 Date    : November 7, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A heap-based buffer overflow was discovered in librpm when the LANG or
 LC_ALL environment variable is set to ru_RU.UTF-8 (and possibly other
 locales), which could allow for user-assisted attackers to execute
 arbitrary code via crafted RPM packages.

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5466
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212833
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 b3fe19c583086bcbe6fe1adf8ebd67f9  2006.0/i586/libpopt0-1.10.2-4.1.20060mdk.i586.rpm
 a299990527f43947f04ee849b6ccfe8a  2006.0/i586/libpopt0-devel-1.10.2-4.1.20060mdk.i586.rpm
 530ffd2b719a8a9565ddbd33c73ddc58  2006.0/i586/librpm4.4-4.4.2-4.1.20060mdk.i586.rpm
 52cfd81dc7b1edf2a37a2f473281a456  2006.0/i586/librpm4.4-devel-4.4.2-4.1.20060mdk.i586.rpm
 263429da4f90f2404c7d45f4ed9ab469  2006.0/i586/popt-data-1.10.2-4.1.20060mdk.i586.rpm
 32f2ab6511b34c2483fe08ca510ee185  2006.0/i586/python-rpm-4.4.2-4.1.20060mdk.i586.rpm
 0e1f62683fbc9233fb155e66e50cd405  2006.0/i586/rpm-4.4.2-4.1.20060mdk.i586.rpm
 f8dee8f612d28cdc5a9587289ddbbdd9  2006.0/i586/rpm-build-4.4.2-4.1.20060mdk.i586.rpm 
 5f7eb369ce3e98bf38200249f49ebc51  2006.0/SRPMS/rpm-4.4.2-4.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 bb14640ab8713c5b3f44cd15a6cbfd72  2006.0/x86_64/lib64popt0-1.10.2-4.1.20060mdk.x86_64.rpm
 5d4bd203f9844115a53fee6de190dabd  2006.0/x86_64/lib64popt0-devel-1.10.2-4.1.20060mdk.x86_64.rpm
 f242a162132559012189d600c38e21f3  2006.0/x86_64/lib64rpm4.4-4.4.2-4.1.20060mdk.x86_64.rpm
 4a17a2fd93eb74a639c58138396e8b89  2006.0/x86_64/lib64rpm4.4-devel-4.4.2-4.1.20060mdk.x86_64.rpm
 aac88e00af81aafbda4b0170c87871af  2006.0/x86_64/popt-data-1.10.2-4.1.20060mdk.x86_64.rpm
 3b03bfdd11a0d85fe2a8371b41047672  2006.0/x86_64/python-rpm-4.4.2-4.1.20060mdk.x86_64.rpm
 2f13fe1a05869bbc014872ba94adc651  2006.0/x86_64/rpm-4.4.2-4.1.20060mdk.x86_64.rpm
 ab18d859a504eb187f75c1b4485a2faa  2006.0/x86_64/rpm-build-4.4.2-4.1.20060mdk.x86_64.rpm 
 5f7eb369ce3e98bf38200249f49ebc51  2006.0/SRPMS/rpm-4.4.2-4.1.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 a75aec8f4db96e061788e150c3fbd3f3  2007.0/i586/libpopt0-1.10.6-10.1mdv2007.0.i586.rpm
 54633d6a05bafe5a2c6d94849810ac75  2007.0/i586/libpopt0-devel-1.10.6-10.1mdv2007.0.i586.rpm
 5aa3a3c773dd1524e28af4a45d6d6e5c  2007.0/i586/librpm4.4-4.4.6-10.1mdv2007.0.i586.rpm
 ac7d8b20b6e3054b062b6ffe3b652b9d  2007.0/i586/librpm4.4-devel-4.4.6-10.1mdv2007.0.i586.rpm
 76a3d169fa999f3a2051152e875b0808  2007.0/i586/perl-RPM-0.66-16.1mdv2007.0.i586.rpm
 edce96423e51a56fe6803d9722a764d6  2007.0/i586/popt-data-1.10.6-10.1mdv2007.0.i586.rpm
 7245317fdbb0e3d8773a75e5da71d796  2007.0/i586/python-rpm-4.4.6-10.1mdv2007.0.i586.rpm
 d52b92cd397740be24a610fb44bea279  2007.0/i586/rpm-4.4.6-10.1mdv2007.0.i586.rpm
 b149eab9008351135d615b4e69d88d78  2007.0/i586/rpm-build-4.4.6-10.1mdv2007.0.i586.rpm 
 0104fb281a097447faca48e642821df7  2007.0/SRPMS/rpm-4.4.6-10.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 fff2a71466af9a6e23583a4ea854258c  2007.0/x86_64/lib64popt0-1.10.6-10.1mdv2007.0.x86_64.rpm
 97602d4b17422835e55cafad1883cca5  2007.0/x86_64/lib64popt0-devel-1.10.6-10.1mdv2007.0.x86_64.rpm
 a5d31e5202cee164878500d00134eb3d  2007.0/x86_64/lib64rpm4.4-4.4.6-10.1mdv2007.0.x86_64.rpm
 88c90b1670b128e784fda4290973351d  2007.0/x86_64/lib64rpm4.4-devel-4.4.6-10.1mdv2007.0.x86_64.rpm
 bd74199394643d4ef13829fcd4fb27ab  2007.0/x86_64/perl-RPM-0.66-16.1mdv2007.0.x86_64.rpm
 d73e492a7290a6c12f500aff926c22b2  2007.0/x86_64/popt-data-1.10.6-10.1mdv2007.0.x86_64.rpm
 45dc5f66d45a6f4574f9e59d690e711c  2007.0/x86_64/python-rpm-4.4.6-10.1mdv2007.0.x86_64.rpm
 08b83d32b1eddc88dc39ee095ea15a9b  2007.0/x86_64/rpm-4.4.6-10.1mdv2007.0.x86_64.rpm
 18137bb3a65c0685a013f61f8b8aa173  2007.0/x86_64/rpm-build-4.4.6-10.1mdv2007.0.x86_64.rpm 
 0104fb281a097447faca48e642821df7  2007.0/SRPMS/rpm-4.4.6-10.1mdv2007.0.src.rpm

 Corporate 3.0:
 2f46b029bb818d93841b37d554d98475  corporate/3.0/i586/popt-1.8.2-10.1.C30mdk.i586.rpm
 52b641b4a54c58524fd8f57f01f5423b  corporate/3.0/i586/popt-devel-1.8.2-10.1.C30mdk.i586.rpm
 c78959edbe4de59934f77d41d050823e  corporate/3.0/i586/rpm-4.2.2-10.1.C30mdk.i586.rpm
 5c6e0c9d68bff54ab4ca8bff92c70f72  corporate/3.0/i586/rpm-build-4.2.2-10.1.C30mdk.i586.rpm
 5740c2383e15dc9fe63c9a39a8f886af  corporate/3.0/i586/rpm-devel-4.2.2-10.1.C30mdk.i586.rpm
 2da1896a1365e8397093cc4a4a315a17  corporate/3.0/i586/rpm-python-4.2.2-10.1.C30mdk.i586.rpm 
 0c7c6512006a56dcf99f667eb28fadb0  corporate/3.0/SRPMS/rpm-4.2.2-10.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 c7f732b381ff418753de9ba382f42a38  corporate/3.0/x86_64/popt-1.8.2-10.1.C30mdk.x86_64.rpm
 9f343b17fa43f66baeb93f44ac8bd3d9  corporate/3.0/x86_64/popt-devel-1.8.2-10.1.C30mdk.x86_64.rpm
 71f374527714fc2e0be45609d7c9e956  corporate/3.0/x86_64/rpm-4.2.2-10.1.C30mdk.x86_64.rpm
 9ca03a9feb16989ee767450a2cedfad3  corporate/3.0/x86_64/rpm-build-4.2.2-10.1.C30mdk.x86_64.rpm
 988521e1ba9007e3e88d7271a2bcc574  corporate/3.0/x86_64/rpm-devel-4.2.2-10.1.C30mdk.x86_64.rpm
 d6071284bb55b081419470a199f92f27  corporate/3.0/x86_64/rpm-python-4.2.2-10.1.C30mdk.x86_64.rpm 
 0c7c6512006a56dcf99f667eb28fadb0  corporate/3.0/SRPMS/rpm-4.2.2-10.1.C30mdk.src.rpm

 Corporate 4.0:
 60b65100c5078653e358b29b3a70b151  corporate/4.0/i586/libpopt0-1.10.2-4.1.20060mlcs4.i586.rpm
 ab3e365a2f7b6b42e841f265d5c68df8  corporate/4.0/i586/libpopt0-devel-1.10.2-4.1.20060mlcs4.i586.rpm
 e3c3b28c10ae1f448e4f092d7b77b9e5  corporate/4.0/i586/librpm4.4-4.4.2-4.1.20060mlcs4.i586.rpm
 bd659e36ab98b5c97841a82991e42893  corporate/4.0/i586/librpm4.4-devel-4.4.2-4.1.20060mlcs4.i586.rpm
 8a00b925fd10cda6046cac3816efd244  corporate/4.0/i586/popt-data-1.10.2-4.1.20060mlcs4.i586.rpm
 a5af248a596e144895bc57abab04d3ed  corporate/4.0/i586/python-rpm-4.4.2-4.1.20060mlcs4.i586.rpm
 47fdc7ecf5027824b7964c5f5595947e  corporate/4.0/i586/rpm-4.4.2-4.1.20060mlcs4.i586.rpm
 4d3313d1f7d9f5cd5361d344631179a3  corporate/4.0/i586/rpm-build-4.4.2-4.1.20060mlcs4.i586.rpm 
 1270301a80dba2b81e4a0c320fbfbe1c  corporate/4.0/SRPMS/rpm-4.4.2-4.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 548bfdd47ad60fca2c30ab19d4bab7b1  corporate/4.0/x86_64/lib64popt0-1.10.2-4.1.20060mlcs4.x86_64.rpm
 98306a9c291d77934c03d7e42e33f0b6  corporate/4.0/x86_64/lib64popt0-devel-1.10.2-4.1.20060mlcs4.x86_64.rpm
 e09894f0501d95e5357e09afc3713a93  corporate/4.0/x86_64/lib64rpm4.4-4.4.2-4.1.20060mlcs4.x86_64.rpm
 c6143376c0afc117022e6a5b83ac9e70  corporate/4.0/x86_64/lib64rpm4.4-devel-4.4.2-4.1.20060mlcs4.x86_64.rpm
 d83c5d8652dbf5e53f98fb1513cda7ca  corporate/4.0/x86_64/popt-data-1.10.2-4.1.20060mlcs4.x86_64.rpm
 acf21af1fb2b3604f3b88bd37615bbd4  corporate/4.0/x86_64/python-rpm-4.4.2-4.1.20060mlcs4.x86_64.rpm
 f2d402a53ebff90949a4b6dc94ec0e0b  corporate/4.0/x86_64/rpm-4.4.2-4.1.20060mlcs4.x86_64.rpm
 40c08ef5cd6a733e8db92f483bc8e119  corporate/4.0/x86_64/rpm-build-4.4.2-4.1.20060mlcs4.x86_64.rpm 
 1270301a80dba2b81e4a0c320fbfbe1c  corporate/4.0/SRPMS/rpm-4.4.2-4.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 9e79dfbf56472d3c8dc0ab385484845b  mnf/2.0/i586/popt-1.8.2-7.1.M20mdk.i586.rpm
 54eb886096865de5dde3e16a19107d73  mnf/2.0/i586/popt-devel-1.8.2-7.1.M20mdk.i586.rpm
 9f0096674b5fd8f0d4b31606bb72699a  mnf/2.0/i586/rpm-4.2.2-7.1.M20mdk.i586.rpm
 fa1f75f9f0ba9d54adde6aaa1034cab8  mnf/2.0/i586/rpm-build-4.2.2-7.1.M20mdk.i586.rpm
 f9259895086c858a718611b5c34ae452  mnf/2.0/i586/rpm-devel-4.2.2-7.1.M20mdk.i586.rpm
 f4665775866409e8d1aae83cd9feaf9b  mnf/2.0/i586/rpm-python-4.2.2-7.1.M20mdk.i586.rpm 
 d0314a43421e91d5955d8bca0f3d35e0  mnf/2.0/SRPMS/rpm-4.2.2-7.1.M20mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFUMMrmqjQ0CJFipgRAhcbAKD217NjTUzIQdMQMNuwn+ArN97/2wCgiD8k
zVsJvCAAcp3sDz6y85AH0UA=
=oYei
- -----END PGP SIGNATURE-----




4.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:201
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : pam_ldap
 Date    : November 7, 2006
 Affected: 2006.0, 2007.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 Pam_ldap does not return an error condition when an LDAP directory
 server responds with a PasswordPolicyResponse control response, which
 causes the pam_authenticate function to return a success code even if
 authentication has failed, as originally reported for xscreensaver.
 This might lead to an attacker being able to log in to a suspended
 system account.

 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5170
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 88544f487e0884831e8dca48d9420eca  2006.0/i586/pam_ldap-180-2.1.20060mdk.i586.rpm 
 2873ac0db22512131ad2f4a5d055e035  2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 4cdb139a35c0b877fccb62b344292133  2006.0/x86_64/pam_ldap-180-2.1.20060mdk.x86_64.rpm 
 2873ac0db22512131ad2f4a5d055e035  2006.0/SRPMS/pam_ldap-180-2.1.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 338ecc4e0b69209b99f9ad317d6d2385  2007.0/i586/pam_ldap-180-4.1mdv2007.0.i586.rpm 
 3a747dcc317e95fdc9011c1dfc4254ef  2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 079964ab75deaa3a8d723bc63c4e9be7  2007.0/x86_64/pam_ldap-180-4.1mdv2007.0.x86_64.rpm 
 3a747dcc317e95fdc9011c1dfc4254ef  2007.0/SRPMS/pam_ldap-180-4.1mdv2007.0.src.rpm

 Corporate 4.0:
 8e800885b38df7d3b566cea4934cdb24  corporate/4.0/i586/pam_ldap-180-3.1.20060mlcs4.i586.rpm 
 4abf9cd7b032153e407cf487968bc10a  corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 92a60cc8a2d16e7cb305a7665e39e696  corporate/4.0/x86_64/pam_ldap-180-3.1.20060mlcs4.x86_64.rpm 
 4abf9cd7b032153e407cf487968bc10a  corporate/4.0/SRPMS/pam_ldap-180-3.1.20060mlcs4.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFURi4mqjQ0CJFipgRAv+AAJ9X0lbBUIA1pFc3IbMFw2/ob60zIACfQSN3
HXWy3ifc4tvQC0XYyy4M2f0=
=E4uj
- -----END PGP SIGNATURE-----




5.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:202
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : wv
 Date    : November 7, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Multiple integer overflows in the WV library in wvWare (formerly
 mswordview) before 1.2.3, as used by AbiWord, KWord, and possibly
 other products, allow user-assisted remote attackers to execute
 arbitrary code via a crafted Microsoft Word (DOC) file that produces
 (1) large LFO clfolvl values in the wvGetLFO_records function or (2) a
 large LFO nolfo value in the wvGetLFO_PLF function.

 Updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4513
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 c176882af438f2855ad1ac719ea9fc04  2006.0/i586/libwv-1.0_3-1.0.3-3.1.20060mdk.i586.rpm
 751dc9e1689833876cb1c2a0feaa507e  2006.0/i586/libwv-1.0_3-devel-1.0.3-3.1.20060mdk.i586.rpm
 3e05943cd2ce03ddd3632ea790ad08fa  2006.0/i586/wv-1.0.3-3.1.20060mdk.i586.rpm 
 3da51e07d25e318ce98d027361ca0d38  2006.0/SRPMS/wv-1.0.3-3.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 d66a09a81fdc11a12fe48c1115e247ec  2006.0/x86_64/lib64wv-1.0_3-1.0.3-3.1.20060mdk.x86_64.rpm
 50a02068dcdcbf5238b619d7f22b2490  2006.0/x86_64/lib64wv-1.0_3-devel-1.0.3-3.1.20060mdk.x86_64.rpm
 fba9cbca5c8207417353fd777a1578bf  2006.0/x86_64/wv-1.0.3-3.1.20060mdk.x86_64.rpm 
 3da51e07d25e318ce98d027361ca0d38  2006.0/SRPMS/wv-1.0.3-3.1.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 f99e2be25e5532910e963a46ff34a0f7  2007.0/i586/libwv-1.2_0-1.2.0-6.1mdv2007.0.i586.rpm
 f5ce02431ca181a1d8b4c66fa83fdea2  2007.0/i586/libwv-1.2_0-devel-1.2.0-6.1mdv2007.0.i586.rpm
 eae36b8ab1ffca3528154c9aaf2a1cc0  2007.0/i586/wv-1.2.0-6.1mdv2007.0.i586.rpm 
 605b61cd28794f0e2a1657286e2e9b9f  2007.0/SRPMS/wv-1.2.0-6.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 ffaa9c1620c2219f6729f42098a2f2c7  2007.0/x86_64/lib64wv-1.2_0-1.2.0-6.1mdv2007.0.x86_64.rpm
 218209af9a92f6ff5d061e6cd1004522  2007.0/x86_64/lib64wv-1.2_0-devel-1.2.0-6.1mdv2007.0.x86_64.rpm
 af48a39af76ec32a9c0bda829d3c094e  2007.0/x86_64/wv-1.2.0-6.1mdv2007.0.x86_64.rpm 
 605b61cd28794f0e2a1657286e2e9b9f  2007.0/SRPMS/wv-1.2.0-6.1mdv2007.0.src.rpm

 Corporate 3.0:
 a14668306062c5d70ab19a08cb9c292c  corporate/3.0/i586/libwv-1.0_0-1.0.0-1.3.C30mdk.i586.rpm
 d6ad018517e90969f6dd872610524a7b  corporate/3.0/i586/libwv-1.0_0-devel-1.0.0-1.3.C30mdk.i586.rpm
 c7d9681d497f4f2c48a9f97a997fc142  corporate/3.0/i586/wv-1.0.0-1.3.C30mdk.i586.rpm 
 bcb4a6f8a6795ab806525a788f9aecdb  corporate/3.0/SRPMS/wv-1.0.0-1.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e57570724d3d286c0f218f0be359de19  corporate/3.0/x86_64/lib64wv-1.0_0-1.0.0-1.3.C30mdk.x86_64.rpm
 f4a7a48698062e11872b962cfce782fe  corporate/3.0/x86_64/lib64wv-1.0_0-devel-1.0.0-1.3.C30mdk.x86_64.rpm
 952c83dee6c42a8d03daa063b8dd4b5d  corporate/3.0/x86_64/wv-1.0.0-1.3.C30mdk.x86_64.rpm 
 bcb4a6f8a6795ab806525a788f9aecdb  corporate/3.0/SRPMS/wv-1.0.0-1.3.C30mdk.src.rpm
 _______________________________________________________________________

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFURrbmqjQ0CJFipgRAohgAJ927nOSUzCaQDYqKrnSVJVOZSOYQQCg28w2
ApMg5+iXASxoGwO/hzCQ1kg=
=sCgz
- -----END PGP SIGNATURE-----



____________________________________________________________________________

NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our briefings?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk
by telephone.  You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

UNIRAS wishes to acknowledge the contributions of Mandriva for the
information contained in this briefing.
______________________________________________________________________________

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________

<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRVHlsWl7oeQsXfKvEQK/ZQCgmep0zmXv7AqzNzo9HKXxssnins8AoOb0
DjMBgGMzYV1Wwa2Wwh2eknBW
=Ps4u
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
