%package tar Update: Mon Oct 15 16:07:08 2007 Importance: security ID: MDKSA-2007:197 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:197 %pre A buffer overflow in GNU tar has unspecified attack vectors and impact, resulting in a crashing stack. Updated packages fix this issue. %description The GNU tar program saves many files together into one archive and can restore individual files (or all of the files) from the archive. Tar can also be used to add supplemental files to an archive and to update or list files in the archive. Tar includes multivolume support, automatic archive compression/ decompression, the ability to perform remote archives and the ability to perform incremental and full backups. If you want to use Tar for remote backups, you'll also need to install the rmt package. You should install the tar package, because you'll find its compression and decompression utilities essential for working with files. %package util-linux-ng Update: Mon Oct 15 16:15:13 2007 Importance: security ID: MDKSA-2007:198 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:198 %pre The mount and umount programs in util-linux called the setuid() and setgid() functions in the wrong order and did not check the return values, which could allow attackers to grain privileges via helper applications such as mount.nfs. Updated packages have been patched to fix this issue. %description The util-linux-ng package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. %package libtk-devel libtk8.5 tk Update: Thu Oct 18 12:56:05 2007 Importance: security ID: MDKSA-2007:200 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:200 %pre A vulnerablity in Tk was found that could be used to overrun a buffer when loading certain GIF images. If a user were tricked into opening a specially crafted GIF file, it could lead to a denial of service condition or possibly the execution of arbitrary code with the user's privileges. Updated packages have been patched to prevent this issue. %description Tk is a X Windows widget set designed to work closely with the tcl scripting language. It allows you to write simple programs with full featured GUI's in only a little more time then it takes to write a text based interface. Tcl/Tk applications can also be run on Windows and Macintosh platforms. %package hplip hplip-doc hplip-hpijs hplip-hpijs-ppds hplip-model-data libhpip0 libhpip0-devel libsane-hpaio1 Update: Mon Oct 22 16:48:33 2007 Importance: security ID: MDKSA-2007:201 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:201 %pre A vulnerability in the hpssd tool was discovered where it did not correctly handle shell meta-characters. A local attacker could use this flaw to execute arbitrary commands as the hplip user. As well, this update fixes a problem with some HP scanners on Mandriva Linux 2007.1, particularly HP PSC 1315, which wouldn't be detected and also fixes a problem with HP 1220 and possibly other models when scanning via the OpenOffice.org suite. Updated packages have been patched to prevent these issues. %description This is the HP driver package to supply Linux support for most Hewlett-Packard DeskJet, LaserJet, PSC, OfficeJet, and PhotoSmart printers and all-in-one peripherals (also known as Multi-Function Peripherals or MFPs), which can print, scan, copy, fax, and/or access flash memory cards. It is work in progress, but printing, scanning, memory card access, ink/toner/battery/consumable level checking, and inkjet printer maintenance are supported on most models, when either connected to the USB or LAN (built-in interfaces or selected HP JetDirect models) on a Linux workstation with CUPS printing system. For status and consumable checking and also for inkjet maintenance there is the graphical tool "hp-toolbox" available (Menu: "System"/"Monitoring"/"HP Printer Toolbox"). %package devhelp devhelp-plugins epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1-devel libdevhelp-1_0 libmozilla-firefox2.0.0.8 libmozilla-firefox2.0.0.8-devel libtotem-plparser-devel libtotem-plparser7 mozilla-firefox mozilla-firefox-ar mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gnome-support mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ko mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk_UA mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Tue Oct 23 08:59:08 2007 Importance: security ID: MDKSA-2007:202 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:202 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.8. This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.8 for older products. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package irssi irssi-debug irssi-devel irssi-perl Update: Wed Oct 24 10:39:44 2007 Importance: bugfix ID: MDKA-2007:095 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:095 %pre The irssi IRC client provided with Mandriva 2007.1 and 2008.0 did not contain SSL support. This update enables that support. %description Irssi is a modular and flexible IRC client for UNIX that has only a text mode user interface (but as 80-90% of the code isn't text mode specific, other UIs could be created pretty easily). Also, Irssi isn't really even IRC specific anymore, there are already working SILC and ICB modules available. Support for other protocols like ICQ and Jabber could be created some day too. Irssi is one of the most popular IRC clients at the moment. %package shared-mime-info shared-mime-info-debug Update: Wed Oct 24 11:03:41 2007 Importance: bugfix ID: MDKA-2007:097 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:097 %pre The freedesktop.org MIME type database contains a wrong MIME type for HTML documents. This information is used by GNOME and other desktop environments to identify files and could cause trouble with the beagle desktop search and other applications. This update corrects this issue. %description This is the freedesktop.org shared MIME info database. Many programs and desktops use the MIME system to represent the types of files. Frequently, it is necessary to work out the correct MIME type for a file. This is generally done by examining the file's name or contents, and looking up the correct MIME type in a database. For interoperability, it is useful for different programs to use the same database so that different programs agree on the type of a file, and new rules for determining the type apply to all programs. This specification attempts to unify the type-guessing systems currently in use by GNOME, KDE and ROX. Only the name-to-type and contents-to-type mappings are covered by this spec; other MIME type information, such as the default handler for a particular type, or the icon to use to display it in a file manager, are not covered since these are a matter of style. In addition, freedesktop.org provides a shared database in this format to avoid inconsistencies between desktops. This database has been created by converting the existing KDE and GNOME databases to the new format and merging them together. %package openoffice.org openoffice.org-devel openoffice.org-devel-doc openoffice.org-galleries openoffice.org-gnome openoffice.org-kde openoffice.org-l10n-af openoffice.org-l10n-ar openoffice.org-l10n-bg openoffice.org-l10n-br openoffice.org-l10n-bs openoffice.org-l10n-ca openoffice.org-l10n-cs openoffice.org-l10n-cy openoffice.org-l10n-da openoffice.org-l10n-de openoffice.org-l10n-el openoffice.org-l10n-en_GB openoffice.org-l10n-es openoffice.org-l10n-et openoffice.org-l10n-eu openoffice.org-l10n-fi openoffice.org-l10n-fr openoffice.org-l10n-he openoffice.org-l10n-hi openoffice.org-l10n-hu openoffice.org-l10n-it openoffice.org-l10n-ja openoffice.org-l10n-ko openoffice.org-l10n-mk openoffice.org-l10n-nb openoffice.org-l10n-nl openoffice.org-l10n-nn openoffice.org-l10n-pl openoffice.org-l10n-pt openoffice.org-l10n-pt_BR openoffice.org-l10n-ru openoffice.org-l10n-sk openoffice.org-l10n-sl openoffice.org-l10n-sv openoffice.org-l10n-ta openoffice.org-l10n-tr openoffice.org-l10n-zh_CN openoffice.org-l10n-zh_TW openoffice.org-l10n-zu openoffice.org-mono openoffice.org-ooqstart Update: Mon Oct 29 15:27:31 2007 Importance: bugfix ID: MDKA-2007:098 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:098 %pre OpenOffice.org packages shipped with 2008.0 contain a serious syntax error in /etc/profile.d/openoffice.org.csh which prevents csh users to even login on the system. This update corrects this issue. %description OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editing and drawing program, with a user interface and feature set similar to other office suites. Sophisticated and flexible, OpenOffice.org also works transparently with a variety of file formats, including Microsoft Office. %package python-imaging python-imaging-devel Update: Mon Oct 29 16:02:36 2007 Importance: bugfix ID: MDKA-2007:099 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:099 %pre The python-imaging package didn't include the Tk extension, this update fixes the package build and readds the _imagingtk module. %description Python Imaging Library version 1.1.6 The Python Imaging Library (PIL) adds image processing capabilities to your Python interpreter. This library provides extensive file format support, an efficient internal representation, and powerful image processing capabilities. %package gtk+2.0 libgdk_pixbuf2.0_0 libgdk_pixbuf2.0_0-devel libgtk+-x11-2.0_0 libgtk+2.0_0 libgtk+2.0_0-devel Update: Tue Oct 30 09:22:19 2007 Importance: bugfix ID: MDKA-2007:100 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:100 %pre A bug in gtk+ toolkit was causing a crash in Firefox web browser, when using Print Preview. The updated package fixes this problem and includes other stability fixes and translation updates. %description The gtk+ package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. GTK+ was originally written for the GIMP (GNU Image Manipulation Program) image processing program, but is now used by several other programs as well. If you are planning on using the GIMP or another program that uses GTK+, you'll need to have the gtk+ package installed. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Thu Nov 01 11:30:17 2007 Importance: security ID: MDKSA-2007:204 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:204 %pre Alin Rad Pop of Secunia Research discovered a vulnerability in CUPS that can be exploited by malicious individuals to execute arbitrary code. This flaw is due to a boundary error when processing IPP (Internet Printing Protocol) tags. Updated packages have been patched to prevent these issues. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package libpwlib1 libpwlib1-devel libpwlib1-plugins libpwlib1-plugins-avc libpwlib1-plugins-dc Update: Fri Nov 02 13:12:10 2007 Importance: security ID: MDKSA-2007:206 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:206 %pre A memory management flaw was discovered in PWLib, that an attacker could use to crash an application linked with it, such as Ekiga. Updated packages have been patched to prevent these issues. %description PWLib is a moderately large class library that has its genesis many years ago asa method to product applications to run on both Microsoft Windows and Unix X-Window systems. It also was to have a Macintosh port as well but this never eventeated. Unfortunately this package contains no GUI code. %package drakfirsttime drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Fri Nov 02 14:41:45 2007 Importance: bugfix ID: MDKA-2007:102 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:102 %pre The drakxtools and drakfirsttime packages in the 2008.0 mirror tree were older than those packages provided in the release media. This update syncs the packages with the official versions from the CD/DVD media. %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. - drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options managment / msec frontend - draksplash: bootsplash themes creation %package libcairo-devel libcairo-static-devel libcairo2 Update: Mon Nov 05 07:22:03 2007 Importance: bugfix ID: MDKA-2007:103 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:103 %pre Cairo library could not render correctly some PDF files with evince, causing text to be displayed with white color (freedesktop.org bug #8399). Update package fixes this issue. %description Cairo provides anti-aliased vector-based rendering for X. Paths consist of line segments and cubic splines and can be rendered at any width with various join and cap styles. All colors may be specified with optional translucence (opacity/alpha) and combined using the extended Porter/Duff compositing algebra as found in the X Render Extension. Cairo exports a stateful rendering API similar in spirit to the path construction, text, and painting operators of PostScript, (with the significant addition of translucence in the imaging model). When complete, the API is intended to support the complete imaging model of PDF 1.4. Cairo relies on the Xc library for backend rendering. Xc provides an abstract interface for rendering to multiple target types. As of this writing, Xc allows Cairo to target X drawables as well as generic image buffers. Future backends such as PostScript, PDF, and perhaps OpenGL are currently being planned. %package mandriva-doc-DVD-Booklet-en mandriva-doc-DVD-Booklet-fr mandriva-doc-DVD-Booklet-pt_br mandriva-doc-Drakxtools-Guide-de mandriva-doc-Drakxtools-Guide-en mandriva-doc-Drakxtools-Guide-es mandriva-doc-Drakxtools-Guide-fr mandriva-doc-Drakxtools-Guide-it mandriva-doc-Drakxtools-Guide-pt_br mandriva-doc-Starter-de mandriva-doc-Starter-en mandriva-doc-Starter-es mandriva-doc-Starter-fr mandriva-doc-Starter-it mandriva-doc-common mandriva-doc-installer-help Update: Mon Nov 05 09:31:02 2007 Importance: normal ID: MDKA-2007:104 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:104 %pre The Mandriva documentation as shipped in Mandriva Linux 2008.0 did not contain the full pt_BR translation. This update provides it and some other minor documentation fixes. %description This package contains some useful documentation for Mandriva Linux systems. This documentation is directly accessible through the menus. %package mdk-menu-messages Update: Mon Nov 05 09:56:16 2007 Importance: bugfix ID: MDKA-2007:105 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:105 %pre The spanish translation was not up-to-date which resulted in the More sections not being translated in the es_ES locale. A bug in the menu-messages Makefile led to translations of contrib overriding those of main. The updated packages solve these problems and also contains some updated translations from translators. %description This package includes that translations of the main menu used by the different desktops and window managers of the distribution; as well as translations used by specifically added features. %package perl perl-base perl-devel perl-doc perl-suid Update: Mon Nov 05 19:28:17 2007 Importance: security ID: MDKSA-2007:207 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:207 %pre Tavis Ormandy and Will Drewry discovered a flaw in Perl's regular expression engine. Specially crafted input to a regular expression can cause Perl to improperly allocate memory, resulting in the possible execution of arbitrary code with the permissions of the user running Perl. Updated packages have been patched to prevent these issues. %description Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications (and what it excels at) are probably system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. You need perl-base to have a full perl. %package ghostscript ghostscript-X ghostscript-common ghostscript-doc ghostscript-dvipdf ghostscript-module-X libgs8 libgs8-devel libijs1 libijs1-devel Update: Mon Nov 05 19:36:41 2007 Importance: security ID: MDKSA-2007:208 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:208 %pre A function in the JasPer JPEG-2000 library before 1.900 could allow a remote user-assisted attack to cause a crash and possibly corrupt the heap via malformed image files. Newer versions of ghostscript contain an embedded copy of libjasper and as such is vulnerable to this issue. Updated packages have been patched to prevent this issue. %description Ghostscript is a set of software tools that provide a PostScript(TM) interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. Ghostscript translates PostScript code into many common, bitmapped and vector formats, like those understood by your printer or screen. Ghostscript is normally used to display PostScript files and to print PostScript files to non-PostScript printers. You should install ghostscript if you need to display PostScript or PDF files, or if you have a non-PostScript printer. %package libnetpbm-devel libnetpbm-static-devel libnetpbm10 netpbm Update: Mon Nov 05 19:37:41 2007 Importance: security ID: MDKSA-2007:209 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:209 %pre A function in the JasPer JPEG-2000 library before 1.900 could allow a remote user-assisted attack to cause a crash and possibly corrupt the heap via malformed image files. netpbm contains an embedded copy of libjasper and as such is vulnerable to this issue. Updated packages have been patched to prevent this issue. %description The netpbm package contains a library of functions which support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. %package autofs Update: Tue Nov 06 09:59:06 2007 Importance: bugfix ID: MDKA-2007:106 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:106 %pre The autofs init script was missing a dependency on ypbind, preventing a correct initialisation order in parallel mode, when storing autofs configuration in NIS (bug #34559). The updated package fixes this issue. %description autofs is a daemon which automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth. %package flac libflac++-devel libflac++6 libflac-devel libflac8 Update: Thu Nov 08 14:08:31 2007 Importance: security ID: MDKSA-2007:214 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:214 %pre A security vulnerability was discovered in how flac processed audio data. An attacker could create a carefully crafted FLAC audio file that could cause an application linked against the flac libraries to crash or execute arbitrary code when opened. Updated packages have been patched to prevent this issue. %description FLAC is an Open Source lossless audio codec developed by Josh Coalson. FLAC is comprised of 1) `libFLAC', a library which implements reference encoders and decoders, licensed under the GNU Lesser General Public License (LGPL); 2) `flac', a command-line program for encoding and decoding files, licensed under the GNU General public License (GPL); 3) `metaflac', a command-line program for editing FLAC metadata, licensed under the GPL; 4) player plugins for XMMS and Winamp, licensed under the GPL; and 5) documentation, licensed under the GNU Free Documentation License. %package libldap2.3_0 libldap2.3_0-devel libldap2.3_0-static-devel openldap openldap-clients openldap-doc openldap-servers openldap-testprogs openldap-tests Update: Thu Nov 08 18:19:34 2007 Importance: security ID: MDKSA-2007:215 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:215 %pre A flaw in the way OpenLDAP's slapd daemon handled malformed objectClasses LDAP attributes was discovered. A local or remote attacker could create an LDAP request that could cause a denial of service by crashing slapd. Updated packages have been patched to prevent this issue. %description OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The suite includes a stand-alone LDAP server (slapd) and stand-alone LDAP replication server (slurpd) which are in the -servers package, libraries for implementing the LDAP protocol (in the lib packages), and utilities, tools, and sample clients (in the -clients package). The openldap binary package includes configuration files used by the libraries. Install openldap if you need LDAP applications and tools. %package timezone Update: Fri Nov 09 15:11:57 2007 Importance: normal ID: MDKA-2007:107 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:107 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package kdetoys kdetoys-kweather libkdetoys1-devel libkdetoys1-kweather Update: Fri Nov 09 15:57:42 2007 Importance: bugfix ID: MDKA-2007:108 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:108 %pre The kdetoys package, as released with Mandriva Linux 2008.0, missed some binaries required by the KWeather Kicker applet, preventing KWeather to be used. This update package fixes the issue by installing the missing binaries. %description Toys for the K Desktop Environment. Software included in this package are: - amor: Amusing Misuse Of Resources put's comic figures above your windows - eyesapplet: a kicker applet similar to XEyes - fifteenapplet: kicker applet, order 15 pieces in a 4x4 square by moving them - kmoon: system tray applet showing the moon phase - kodo: mouse movement meter - kscore: kicker applet with a sports ticker - kteatime: system tray applet that makes sure your tea doesn't get too strong - ktux: Tux-in-a-Spaceship screen saver - kweather: kicker applet that will display the current weather outside - kworldwatch: application and kicker applet showing daylight area on the world globe %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Mon Nov 12 11:49:18 2007 Importance: security ID: MDKSA-2007:204-1 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:204-1 %pre Alin Rad Pop of Secunia Research discovered a vulnerability in CUPS that can be exploited by malicious individuals to execute arbitrary code. This flaw is due to a boundary error when processing IPP (Internet Printing Protocol) tags. Update: Due to incorrect build requirements/conflicts, the cups-config in Mandriva Linux 2008.0 was displaying the full CFLAGS and libs instead of just the libraries when 'cups-config --libs' was invoked. This update corrects the cups-config behaviour. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package autofs Update: Mon Nov 12 15:57:41 2007 Importance: bugfix ID: MDKA-2007:106 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:106 %pre The autofs init script was missing a dependency on ypbind, preventing a correct initialisation order in parallel mode, when storing autofs configuration in NIS (bug #34559). Update: The previous update shipped with an incorrect LDAP lookup module that would prevent the automount daemon from starting. This update corrects that problem. %description autofs is a daemon which automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth. %package beagle beagle-crawl-system beagle-epiphany beagle-evolution beagle-gui libbeagle-devel libbeagle0 python-beagle Update: Tue Nov 13 09:31:09 2007 Importance: bugfix ID: MDKA-2007:109 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:109 %pre A missing path in the beagle command line tools made beagle-info crash. This update corrects the problem. %description Beagle is an indexing sub-system and search aggregator built on top of Lucene.Net. It can index your files, mailboxes, your web browsing behaviour and other things. %package libpng-devel libpng-source libpng-static-devel libpng3 Update: Tue Nov 13 10:45:07 2007 Importance: security ID: MDKSA-2007:217 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:217 %pre Multiple vulnerabilities were discovered in libpng: An off-by-one error when handling ICC profile chunks in the png_set_iCCP() function (CVE-2007-5266; only affects Mandriva Linux 2008.0). George Cook and Jeff Phillips reported several errors in pngrtran.c, such as the use of logical instead of bitwise functions and incorrect comparisons (CVE-2007-5268; only affects Mandriva Linux 2008.0). Tavis Ormandy reported out-of-bounds read errors in several PNG chunk handling functions (CVE-2007-5269). Updated packages have been patched to correct these issues. For Mandriva Linux 2008.0, libpng 1.2.22 is being provided which corrects all three issues. %description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. PNG is a bit-mapped graphics format similar to the GIF format. PNG was created to replace the GIF format, since GIF uses a patented data compression algorithm. Libpng should be installed if you need to manipulate PNG format image files. %package jay libmono-devel libmono0 mono mono-bytefx-data-mysql mono-data mono-data-firebird mono-data-oracle mono-data-postgresql mono-data-sqlite mono-data-sybase mono-doc mono-extras mono-ibm-data-db2 mono-jscript mono-locale-extras mono-nunit mono-web mono-winforms Update: Wed Nov 14 07:24:11 2007 Importance: security ID: MDKSA-2007:218 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:218 %pre IOActive Inc. found a buffer overflow in Mono.Math.BigInteger class in Mono 1.2.5.1 and previous versions, which allows arbitrary code execution by context-dependent attackers. Updated packages fix this issue. %description Mono is an implementation of the ECMA Common Language Infrastructure, it contains both a just-in-time compiler for maximum performance, and an interpeter. It can also be used to run programs from the .NET Framework. This package contains the core of the Mono runtime including its Virtual Machine, Just-in-time compiler, C# compiler, security tools and libraries (corlib, XML, System.Security, System.Drawing, ZipLib, I18N, Cairo and Mono.*). %package kdebase kdebase-common kdebase-devel-doc kdebase-kate kdebase-kdeprintfax kdebase-kdm kdebase-kmenuedit kdebase-konsole kdebase-ksysguard kdebase-nsplugins kdebase-progs kdebase-session-plugins libkdebase4 libkdebase4-devel libkdebase4-kate libkdebase4-kmenuedit libkdebase4-konsole Update: Wed Nov 14 13:51:40 2007 Importance: bugfix ID: MDKA-2007:110 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:110 %pre KDM users were unable to login remotelly using XDMCP, because of a bug in the consolekit support. This update package fixes the issue. %description Core applications for the K Desktop Environment. Here is an overview of the directories: - drkonqi: if ever an app crashes (heaven forbid!) then Dr.Konqi will be so kind and make a stack trace. This is a great help for the developers to fix the bug. - kappfinder: searches your hard disk for non-KDE applications, e.g. Acrobat Reader (tm) and installs those apps under the K start button - kate: a fast and advanced text editor with nice plugins - kcheckpass: small program to enter and check passwords, only to be used by other programs - kcontrol: the KDE Control Center allows you to tweak the KDE settings - kdcop: GUI app to browse for DCOP interfaces, can also execute them - kdebugdialog: allows you to specify which debug messages you want to see - kdeprint: the KDE printing system - kdesktop: you guessed it: the desktop above the panel - kdesu: a graphical front end to "su" - kdm: replacement for XDM, for those people that like graphical logins - kfind: find files - khelpcenter: the app to read all great documentation about KDE - khotkeys: intercepts keys and can call applications - kicker: the panel at the botton with the K start button and the taskbar etc - kioslave: infrastructure that helps make every application internet enabled e.g. to directly save a file to ftp://place.org/dir/file.txt - klipper: enhances and extenses the X clipboard - kmenuedit: edit for the menu below the K start button - konqueror: the file manager and web browser you get easily used to - kpager: applet to show the contents of the virtual desktops - kpersonalizer: the customization wizard you get when you first start KDE - kreadconfig: a tool for shell scripts to get info from KDE's config files - kscreensaver: the KDE screensaver environment and lot's of savers - ksmserver: the KDE session manager (saves program status on login, restarts those program at the next login) - ksplash: the screen displayed while KDE starts - kstart: to launch applications with special window properties such as iconified etc - ksysguard: task manager and system monitor, even for remote systems - ksystraycmd: allows to run any application in the system tray - ktip: gives you tips how to use KDE - kwin: the KDE window manager - kxkb: a keyboard map tool - legacyimport: odd name for a cute program to load GTK themes - libkonq: some libraries needed by Konqueror - nsplugins: together with OSF/Motif or Lesstif allows you to use Netscape (tm) plugins in Konqueror %package xpdf xpdf-common xpdf-tools Update: Thu Nov 15 10:06:15 2007 Importance: security ID: MDKSA-2007:219 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:219 %pre Alin Rad Pop found several flaws in how PDF files are handled in xpdf. An attacker could create a malicious PDF file that would cause xpdf to crash or potentially execute arbitrary code when opened. The updated packages have been patched to correct this issue. %description Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. PDF files are sometimes called Acrobat files, after Adobe Acrobat (Adobe's PDF viewer). Xpdf is a small and efficient program which uses standard X fonts. %package kdegraphics kdegraphics-common kdegraphics-kcolorchooser kdegraphics-kcoloredit kdegraphics-kdvi kdegraphics-kfax kdegraphics-kghostview kdegraphics-kiconedit kdegraphics-kolourpaint kdegraphics-kooka kdegraphics-kpdf kdegraphics-kpovmodeler kdegraphics-kruler kdegraphics-ksnapshot kdegraphics-ksvg kdegraphics-kuickshow kdegraphics-kview kdegraphics-mrmlsearch libkdegraphics0-common libkdegraphics0-common-devel libkdegraphics0-kghostview libkdegraphics0-kghostview-devel libkdegraphics0-kooka libkdegraphics0-kooka-devel libkdegraphics0-kpovmodeler libkdegraphics0-kpovmodeler-devel libkdegraphics0-ksvg libkdegraphics0-ksvg-devel libkdegraphics0-kview libkdegraphics0-kview-devel Update: Thu Nov 15 18:00:51 2007 Importance: security ID: MDKSA-2007:221 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:221 %pre Alin Rad Pop found several flaws in how PDF files are handled in kpdf. An attacker could create a malicious PDF file that would cause kpdf to crash or potentially execute arbitrary code when opened. The updated packages have been patched to correct this issue. %description Graphical tools for the K Desktop Environment. kdegraphics is a collection of graphic oriented applications: - kamera: digital camera io_slave for Konqueror. Together gPhoto this allows you to access your camera's picture with the URL kamera:/ - kcoloredit: contains two programs: a color value editor and also a color picker - kdvi: program (and embeddable KPart) to display *.DVI files from TeX - kfax: a program to display raw and tiffed fax images (g3, g3-2d, g4) - kfaxview: an embeddable KPart to display tiffed fax images - kfile-plugins: provide meta information for graphic files - kghostview: program (and embeddable KPart) to display *.PDF and *.PS - kiconedit: an icon editor - kooka: a raster image scan program, based on SANE and libkscan - kruler: a ruler in inch, centimeter and pixel to check distances on the screen - ksnapshot: make snapshots of the screen contents - kuickshow: fast and comfortable imageviewer - kview: picture viewer, provided as standalone program and embeddable KPart - kviewshell: generic framework for viewer applications %package koffice koffice-karbon koffice-kexi koffice-kformula koffice-kivio koffice-koshell koffice-kplato koffice-kpresenter koffice-krita koffice-kspread koffice-kugar koffice-kword koffice-progs libkoffice2-karbon libkoffice2-karbon-devel libkoffice2-kexi libkoffice2-kexi-devel libkoffice2-kformula libkoffice2-kformula-devel libkoffice2-kivio libkoffice2-kivio-devel libkoffice2-koshell libkoffice2-kplato libkoffice2-kpresenter libkoffice2-kpresenter-devel libkoffice2-krita libkoffice2-krita-devel libkoffice2-kspread libkoffice2-kspread-devel libkoffice2-kugar libkoffice2-kugar-devel libkoffice2-kword libkoffice2-kword-devel libkoffice2-progs libkoffice2-progs-devel Update: Sat Nov 17 09:55:38 2007 Importance: security ID: MDKSA-2007:222 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:222 %pre Alin Rad Pop found several flaws in how PDF files are handled in koffice. An attacker could create a malicious PDF file that would cause koffice to crash or potentially execute arbitrary code when opened. The updated packages have been patched to correct this issue. %description Office applications for the K Desktop Environment. KOffice contains: * KWord: word processor * KSpread: spreadsheet * KPresenter: presentations * KChart: diagram generator * Kugar: A tool for generating business quality reports. * Kivio: A Visio(r)-style flowcharting application. * Kexi: an integrated environment for managing data * Some filters (Excel 97, Winword 97/2000, etc.) * karbon: the scalable vector drawing application for KDE. * kformula: a formula editor for KOffice. * krita: painting and image editing application. * koshell * kplato: a project management. %package libsmbclient0 libsmbclient0-devel libsmbclient0-static-devel mount-cifs nss_wins samba-client samba-common samba-doc samba-server samba-smbldap-tools samba-swat samba-vscan-clamav samba-vscan-icap samba-winbind Update: Sat Nov 17 10:59:02 2007 Importance: security ID: MDKSA-2007:224 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:224 %pre The samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). The updated packages have been patched to correct these issues. %description Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba also provides some SMB clients, which complement the built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Samba-3.0 features working NT Domain Control capability and includes the SWAT (Samba Web Administration Tool) that allows samba's smb.conf file to be remotely managed using your favourite web browser. For the time being this is being enabled on TCP port 901 via xinetd. SWAT is now included in it's own subpackage, samba-swat. Please refer to the WHATSNEW.txt document for fixup information. This binary release includes encrypted password support. Please read the smb.conf file and ENCRYPTION.txt in the docs directory for implementation details. %package kernel-2.6.22.9-2mdv kernel-desktop-2.6.22.9-2mdv kernel-desktop-devel-2.6.22.9-2mdv kernel-desktop-devel-latest kernel-desktop-latest kernel-desktop586-2.6.22.9-2mdv kernel-desktop586-devel-2.6.22.9-2mdv kernel-desktop586-devel-latest kernel-desktop586-latest kernel-doc kernel-laptop-2.6.22.9-2mdv kernel-laptop-devel-2.6.22.9-2mdv kernel-laptop-devel-latest kernel-laptop-latest kernel-server-2.6.22.9-2mdv kernel-server-devel-2.6.22.9-2mdv kernel-server-devel-latest kernel-server-latest kernel-source-2.6.22.9-2mdv kernel-source-latest Update: Mon Nov 19 13:40:42 2007 Importance: security ID: MDKSA-2007:226 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:226 %pre Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The minix filesystem code allows local users to cause a denial of service (hang) via a malformed minix file stream (CVE-2006-6058). An integer underflow in the Linux kernel prior to 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set (CVE-2007-4997). To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description %package libpoppler-devel libpoppler-glib-devel libpoppler-glib2 libpoppler-qt-devel libpoppler-qt2 libpoppler-qt4-2 libpoppler-qt4-devel libpoppler2 poppler Update: Mon Nov 19 16:09:27 2007 Importance: security ID: MDKSA-2007:227 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:227 %pre Alin Rad Pop found several flaws in how PDF files are handled in poppler. An attacker could create a malicious PDF file that would cause poppler to crash or potentially execute arbitrary code when opened. The updated packages have been patched to correct this issue. %description Poppler is a PDF rendering library based on the xpdf-3.0 code base. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Mon Nov 19 16:16:19 2007 Importance: security ID: MDKSA-2007:228 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:228 %pre Alin Rad Pop found several flaws in how PDF files are handled in cups. An attacker could create a malicious PDF file that would cause cups to crash or potentially execute arbitrary code when opened. The updated packages have been patched to correct this issue. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package jadetex tetex tetex-afm tetex-context tetex-devel tetex-doc tetex-dvilj tetex-dvipdfm tetex-dvips tetex-latex tetex-mfwin tetex-texi2html tetex-usrlocal tetex-xdvi xmltex Update: Tue Nov 20 15:14:26 2007 Importance: security ID: MDKSA-2007:230 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:230 %pre A flaw in the t1lib library where an attacker could create a malicious file that would cause tetex to crash or possibly execute arbitrary code when opened (CVE-2007-4033). Alin Rad Pop found several flaws in how PDF files are handled in tetex. An attacker could create a malicious PDF file that would cause tetex to crash or potentially execute arbitrary code when opened (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393). A stack-based buffer overflow in dvips in tetex allows for user-assisted attackers to execute arbitrary code via a DVI file with a long href tag (CVE-2007-5935). A vulnerability in dvips in tetex allows local users to obtain sensitive information and modify certain data by creating certain temporary files before they are processed by dviljk, which can then be read or modified in place (CVE-2007-5936). Multiple buffer overflows in dviljk in tetext may allow users-assisted attackers to execute arbitrary code via a crafted DVI input file (CVE-2007-5937). The updated packages have been patched to correct this issue. %description teTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter independent .dvi (DeVice Independent) file as output. Usually, TeX is used in conjunction with a higher level formatting package like LaTeX or PlainTeX, since TeX by itself is not very user-friendly. Install teTeX if you want to use the TeX text formatting system. If you are installing teTeX, you will also need to install tetex-afm (a PostScript(TM) font converter for TeX), tetex-dvilj (for converting .dvi files to HP PCL format for printing on HP and HP compatible printers), tetex-dvips (for converting .dvi files to PostScript format for printing on PostScript printers), tetex-latex (a higher level formatting package which provides an easier-to-use interface for TeX) and tetex-xdvi (for previewing .dvi files in X). Unless you're an expert at using TeX, you'll also want to install the tetex-doc package, which includes the documentation for TeX. %package glibc glibc-devel glibc-doc glibc-doc-pdf glibc-i18ndata glibc-profile glibc-static-devel glibc-utils nscd Update: Wed Nov 21 12:17:35 2007 Importance: bugfix ID: MDKA-2007:111 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:111 %pre Two issues were discovered in the glibc package, after Mandriva Linux 2008.0 release. First is a bug, reported in glibc-utils package, that cause the memusage and xtrace utilities to not run correctly. The second is a minor problem with file integrity check when using rpm -V, that gives a false positive entry for one packaged file. This update package fixes these issues. %description The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. The glibc package also contains national language (locale) support. This package now also provides ldconfig which was package seperately in the past. Ldconfig is a basic system program which determines run-time link bindings between ld.so and shared libraries. Ldconfig scans a running system and sets up the symbolic links that are used to load shared libraries properly. It also creates a cache (/etc/ld.so.cache) which speeds the loading of programs which use shared libraries. %package libsmbclient0 libsmbclient0-devel libsmbclient0-static-devel mount-cifs nss_wins samba-client samba-common samba-doc samba-server samba-smbldap-tools samba-swat samba-vscan-clamav samba-vscan-icap samba-winbind Update: Wed Nov 21 14:31:00 2007 Importance: security ID: MDKSA-2007:224-1 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:224-1 %pre The samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). Update: The patch that fixed CVE-2007-4572 introduced a regression that would prevent shares from being mounted properly and would cause the remote (patched) smbd to crash. This update contains another fix from upstream to correct the problem. %description Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba also provides some SMB clients, which complement the built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Samba-3.0 features working NT Domain Control capability and includes the SWAT (Samba Web Administration Tool) that allows samba's smb.conf file to be remotely managed using your favourite web browser. For the time being this is being enabled on TCP port 901 via xinetd. SWAT is now included in it's own subpackage, samba-swat. Please refer to the WHATSNEW.txt document for fixup information. This binary release includes encrypted password support. Please read the smb.conf file and ENCRYPTION.txt in the docs directory for implementation details. %package python-reportlab Update: Wed Nov 21 15:50:52 2007 Importance: bugfix ID: MDKA-2007:112 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:112 %pre The python-reportlab package shipped in Mandriva 2008.0 caused xend to crash on each call to the xm tool, for invalid pointer usage in the python interpretter. This update provides version 2.1 and corrects this issue. %description ReportLab is a library that lets you directly create documents in Adobe's Portable Document Format (PDF) using the Python programming language. ReportLab library creates PDF based on graphics commands without intervening steps. It's therefore extremely fast, and flexible (since you're using a full-blown programming language). Sample use cases are: * Dynamic PDF generation on the web * High-volume corporate reporting and database publishing * As embeddable print engine for other applications, including a 'report language' so that users can customize their own reports. * As 'build system' for complex documents with charts, tables and text such as management accounts, statistical reports and scientific papers * from XML to PDF in one step %package dosfstools Update: Wed Nov 21 15:51:23 2007 Importance: bugfix ID: MDKA-2007:113 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:113 %pre The program mkdosfs was compiled without large file support and as a result couldn't check for bad blocks on filesystems greater than 2GB in size. This update rebuilds the program with the right flags. %description Inside of this package there are two utilities to create and to check MS-DOS FAT filesystems on either harddisks or floppies under Linux. This version uses the enhanced boot sector/superblock format of DOS 3.3+ as well as provides a default dummy boot sector code. %package eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp libswt3-gtk2 Update: Wed Nov 21 21:48:14 2007 Importance: bugfix ID: MDKA-2007:114 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:114 %pre The Eclipse IDE provided with 2008.0 does not run, instead outputting a glibc error or JVM termination error. This update fixes that, and some other bugs in the package. %description The Eclipse Platform is designed for building integrated development environments (IDEs) that can be used to create applications as diverse as web sites, embedded Java(tm) programs, C++ programs, and Enterprise JavaBeans(tm). %package sound-juicer Update: Thu Nov 22 09:53:41 2007 Importance: bugfix ID: MDKA-2007:115 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:115 %pre A bug in sound-juicer could lead to locking the CD drive, preventing erasing or rewriting rewritable medias in it. This package fixes this bug and includes other stability fixes and translation updates. %description This is Sound Juicer, a CD ripping tool using GTK+ and GStreamer. %package gdm gdm-Xnest Update: Thu Nov 22 11:01:24 2007 Importance: bugfix ID: MDKA-2007:116 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:116 %pre A bug in IPv6 handling prevented gdm from connecting properly to IPv4 XDMCP server (Mdv bug #35522). Default language list in gdm was not using UTF-8 as default encoding (#35133). gdmsetup program was always outputing debug information (Mdv bug #34304). Tab key could not be used as Enter when typing username (Mdv bug #31589). The update package fixes those issues, and provides additional translations. %description Gdm (the GNOME Display Manager) is a highly configurable reimplementation of xdm, the X Display Manager. Gdm allows you to log into your system with the X Window System running and supports running several different X sessions on your local machine at the same time. %package xman Update: Thu Nov 22 12:54:57 2007 Importance: bugfix ID: MDKA-2007:117 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:117 %pre The xman program was looking for the man pages in the wrong location, and did not support LZMA compression format. This update package fixes both issues. %description Xman is a manual page display program for the X Window System. %package libgphoto-common libgphoto-devel libgphoto-hotplug libgphoto2 Update: Thu Nov 22 14:24:34 2007 Importance: bugfix ID: MDKA-2007:112 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:112 %pre Communication with some Canon digital cameras could not be established reliably, preventing photo import in various software such as DigiKam or F-Spot. This update package fixes this issue. %description The gPhoto2 project is a universal, free application and library framework that lets you download images from several different digital camera models, including the newer models with USB connections. Note that a) for some older camera models you must use the old "gphoto" package. b) for USB mass storage models you must use the driver in the kernel This package contains the library that digital camera applications can use. Frontends (GUI and command line) are available separately. %package kbd Update: Fri Nov 23 07:50:26 2007 Importance: bugfix ID: MDKA-2007:119 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:119 %pre On a Mandriva Linux 2008 text console, for some locales with unicode enabled, in some cases the typed characters were not displayed correctly. This update to kbd package fixes the problem. %description This package contains utilities to load console fonts and keyboard maps. It also includes a number of different fonts and keyboard maps. %package util-linux-ng Update: Fri Nov 23 08:31:14 2007 Importance: bugfix ID: MDKA-2007:120 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:120 %pre The mount program failed to mount Samba mountpoints if the path of the Samba share existed on the local system. When calling mount -t smbfs //foo/bar /mnt/foo, mount.smbfs would be called with /foo/bar if /foo/bar existed locally, and would display its usage. This update package fixes the issue. %description The util-linux-ng package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. %package cups-drivers-foo2zjs Update: Fri Nov 23 12:00:16 2007 Importance: bugfix ID: MDKA-2007:121 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:121 %pre Due to a change of URLs on foo2zjs project, the firmware download for some common printers was failing, when configuring such printers with printerdrake. This update packages fix the issue by updating those URLs. %description foo2zjs is an open source printer driver for printers that use the Zenographics ZjStream wire protocol for their print data, such as the Minolta/QMS magicolor 2300 DL. These printers are often erroneously referred to as winprinters or GDI printers. foo2zjs: a linux printer driver for ZjStream protocol e.g. Minolta magicolor 2200/2300/2430 DL, HP LaserJet 1018/1020/1022 This package provides foomatic and cups drivers for the following printers: o Generic OAKT Printer o Generic ZjStream Printer o HP Color LaserJet 1500 o HP Color LaserJet 1600 o HP Color LaserJet 2600n o HP LaserJet 1000 o HP LaserJet 1005 o HP LaserJet 1018 o HP LaserJet 1020 o HP LaserJet 1022 o HP LaserJet M1005 MFP o KonicaMinolta magicolor 2480 MF o KonicaMinolta magicolor 2490 MF o KonicaMinolta magicolor 2530 DL o Minolta Color PageWorks/Pro L o Minolta magicolor 2200 DL o Minolta magicolor 2300 DL o Minolta magicolor 2430 DL o Samsung CLP-300 o Samsung CLP-600 o Samsung CLX-3160 o Xerox Phaser 6110 o Xerox Phaser 6115MFP %package kernel-2.6.22.12-1mdv kernel-desktop-2.6.22.12-1mdv kernel-desktop-devel-2.6.22.12-1mdv kernel-desktop-devel-latest kernel-desktop-latest kernel-desktop586-2.6.22.12-1mdv kernel-desktop586-devel-2.6.22.12-1mdv kernel-desktop586-devel-latest kernel-desktop586-latest kernel-doc kernel-laptop-2.6.22.12-1mdv kernel-laptop-devel-2.6.22.12-1mdv kernel-laptop-devel-latest kernel-laptop-latest kernel-server-2.6.22.12-1mdv kernel-server-devel-2.6.22.12-1mdv kernel-server-devel-latest kernel-server-latest kernel-source-2.6.22.12-1mdv kernel-source-latest Update: Wed Nov 28 10:45:46 2007 Importance: security ID: MDKSA-2007:232 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:232 %pre Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: The minix filesystem code allows local users to cause a denial of service (hang) via a malformed minix file stream (CVE-2006-6058). An integer underflow in the Linux kernel prior to 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set (CVE-2007-4997). To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description The kernel package contains the Linux kernel (vmlinuz), the core of your Mandriva Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. For instructions for update, see: http://www.mandriva.com/security/kernelupdate %package cpio Update: Wed Nov 28 12:34:51 2007 Importance: security ID: MDKSA-2007:233 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:233 %pre %description GNU cpio copies files into or out of a cpio or tar archive. Archives are files which contain a collection of other files plus information about them, such as their file name, owner, timestamps, and access permissions. The archive can be another file on the disk, a magnetic tape, or a pipe. GNU cpio supports the following archive formats: binary, old ASCII, new ASCII, crc, HPUX binary, HPUX old ASCII, old tar and POSIX.1 tar. By default, cpio creates binary format archives, so that they are compatible with older cpio programs. When it is extracting files from archives, cpio automatically recognizes which kind of archive it is reading and can read archives created on machines with a different byte-order. Install cpio if you need a program to manage file archives. archives %package gurpmi urpmi urpmi-ldap urpmi-parallel-ka-run urpmi-parallel-ssh urpmi-recover Update: Thu Nov 29 08:15:26 2007 Importance: bugfix ID: MDKA-2007:123 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:123 %pre The package included with Mandriva Linux 2008 for urpmi, the Mandriva package management tool, has regressions in the behaviour of the --src and --install-src parameters. The --install-src parameter fails to work at all. The --src parameter does not download and install the actual .src.rpm as it did in previous releases, it only installs the necessary build dependencies. This update fixes these issues. %description urpmi is Mandriva Linux's console-based software installation tool. You can use it to install software from the console in the same way as you use the graphical Install Software tool (rpmdrake) to install software from the desktop. urpmi will follow package dependencies -- in other words, it will install all the other software required by the software you ask it to install -- and it's capable of obtaining packages from a variety of media, including the Mandriva Linux installation CD-ROMs, your local hard disk, and remote sources such as web or FTP sites. %package libsmbclient0 libsmbclient0-devel libsmbclient0-static-devel mount-cifs nss_wins samba-client samba-common samba-doc samba-server samba-smbldap-tools samba-swat samba-vscan-clamav samba-vscan-icap samba-winbind Update: Thu Nov 29 18:56:47 2007 Importance: security ID: MDKSA-2007:224-3 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:224-3 %pre The samba developers discovered that nmbd could be made to overrun a buffer during the processing of GETDC logon server requests. If samba is configured as a Primary or Backup Domain Controller, this could be used by a remote attacker to send malicious logon requests and possibly cause a denial of service (CVE-2007-4572). As well, Alin Rad Pop of Secunia Research found that nmbd did not properly check the length of netbios packets. If samba is configured as a WINS server, this could be used by a remote attacker able to send multiple crafted requests to nmbd, resulting in the execution of arbitrary code with root privileges (CVE-2007-5398). Update: This update corrects all known regressions with previous Samba updates due to the security fixes to correct CVE-2007-4572. %description Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba also provides some SMB clients, which complement the built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Samba-3.0 features working NT Domain Control capability and includes the SWAT (Samba Web Administration Tool) that allows samba's smb.conf file to be remotely managed using your favourite web browser. For the time being this is being enabled on TCP port 901 via xinetd. SWAT is now included in it's own subpackage, samba-swat. Please refer to the WHATSNEW.txt document for fixup information. This binary release includes encrypted password support. Please read the smb.conf file and ENCRYPTION.txt in the docs directory for implementation details. %package dkms-libafs libopenafs1 libopenafs1-devel openafs openafs-client openafs-doc openafs-server Update: Fri Nov 30 11:40:03 2007 Importance: bugfix ID: MDKA-2007:124 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:124 %pre This update addresses the following bugs in the openafs package: The openafs kernel module does not work on the x86_64 platform, triggering a kernel oops as soon as it is loaded. The openafs package was compiled with wrong gcc 4.2 compiler optimisations which prevented it from listing directory contents. This update fixes these issues. %description AFS is a distributed filesystem allowing cross-platform sharing of files among multiple computers. Facilities are provided for access control, authentication, backup and administrative management. This package provides common files shared across all the various OpenAFS packages but are not necessarily tied to a client or server. %package ia_ora-gnome libia_ora-gnome Update: Mon Dec 03 09:31:33 2007 Importance: bugfix ID: MDKA-2007:125 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:125 %pre An invalid memory disallocation in the Ia_Ora GTK theme could cause a crash in the GIMP when using the GIMP Small theme. This updated package corrects the issue. %description Mandriva Ia Ora GNOME theme %package vixie-cron Update: Mon Dec 03 13:30:42 2007 Importance: security ID: MDKSA-2007:234 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:234 %pre Raphael Marichez discovered a denial of service bug in how vixie-cron verifies crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab could prevent vixie-cron from executing certain system cron jobs. The updated packages have been patched to correct this issue. %description The vixie-cron package contains the Vixie version of cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. Vixie cron adds better security and more powerful configuration options to the standard version of cron. %package f-spot Update: Tue Dec 04 06:13:29 2007 Importance: bugfix ID: MDKA-2007:126 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:126 %pre Several bugs in f-spot prevented the photo import in case of an upgrade from an older distribution release. This update fixes them. %description F-Spot is a full-featured personal photo management application for the GNOME desktop. Features: * Simple user interface * Photo editor * Color adjustments * Tag icon editor * Create photo cd * Export to web %package libopenssl0.9.8 libopenssl0.9.8-devel libopenssl0.9.8-static-devel openssl Update: Tue Dec 04 17:21:59 2007 Importance: security ID: MDKSA-2007:237 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:237 %pre A buffer overflow in the DTLS implementation of OpenSSL 0.9.8 could be exploited by attackers to potentially execute arbitrary code. It is questionable as to whether the DTLS support even worked or is used in any applications; as a result this flaw most likely does not affect most Mandriva users. The updated packages have been patched to correct these issue. %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). %package tomcat5 tomcat5-admin-webapps tomcat5-common-lib tomcat5-jasper tomcat5-jasper-javadoc tomcat5-jsp-2.0-api tomcat5-jsp-2.0-api-javadoc tomcat5-server-lib tomcat5-servlet-2.4-api tomcat5-servlet-2.4-api-javadoc tomcat5-webapps Update: Mon Dec 10 13:17:00 2007 Importance: security ID: MDKSA-2007:241 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:241 %pre A number of vulnerabilities were found in Tomcat: A directory traversal vulnerability, when using certain proxy modules, allows a remote attacker to read arbitrary files via a .. (dot dot) sequence with various slash, backslash, or url-encoded backslash characters (CVE-2007-0450; affects Mandriva Linux 2007.1 only). Multiple cross-site scripting vulnerabilities in certain JSP files allow remote attackers to inject arbitrary web script or HTML (CVE-2007-2449). Multiple cross-site scripting vulnerabilities in the Manager and Host Manager web applications allow remote authenticated users to inject arbitrary web script or HTML (CVE-2007-2450). Tomcat treated single quotes as delimiters in cookies, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3382). Tomcat did not properly handle the " character sequence in a cookie value, which could cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks (CVE-2007-3385). A cross-site scripting vulnerability in the Host Manager servlet allowed remote attackers to inject arbitrary HTML and web script via crafted attacks (CVE-2007-3386). Finally, an absolute path traversal vulnerability, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag (CVE-2007-5461). The updated packages have been patched to correct these issues. %description Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here. %package e2fsprogs libext2fs-devel libext2fs2 Update: Mon Dec 10 14:54:49 2007 Importance: security ID: MDKSA-2007:242 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:242 %pre Rafal Wojtczuk of McAfee AVERT Research found that e2fsprogs contained multiple integer overflows in memory allocations, based on sizes taken directly from filesystem information. These flaws could result in heap-based overflows potentially allowing for the execution of arbitrary code. The updated packages have been patched to correct these issues. %description The e2fsprogs package contains a number of utilities for creating, checking, modifying and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters) and most of the other core ext2fs filesystem utilities. You should install the e2fsprogs package if you need to manage the performance of an ext2 filesystem. %package libmysql-devel libmysql-static-devel libmysql15 mysql mysql-bench mysql-client mysql-common mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Mon Dec 10 15:12:45 2007 Importance: security ID: MDKSA-2007:243 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:243 %pre A vulnerability in MySQL prior to 5.0.45 did not require priveliges such as SELECT for the source table in a CREATE TABLE LIKE statement, allowing remote authenticated users to obtain sensitive information such as the table structure (CVE-2007-3781). A vulnerability in the InnoDB engine in MySQL allowed remote authenticated users to cause a denial of service (database crash) via certain CONTAINS operations on an indexed column, which triggered an assertion error (CVE-2007-5925). Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options could be used to overwrite system table information by replacing the file to which a symlink pointed to (CVE-2007-5969). The updated packages have been patched to correct these issues. %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from MySQL AB if you do not wish to be bound by the terms of the GPL. See the chapter "Licensing and Support" in the manual for further info. The MySQL web site (http://www.mysql.com/) provides the latest news and information about the MySQL software. Also please see the documentation and the manual for more information. %package openssh-askpass-qt Update: Tue Dec 11 12:46:27 2007 Importance: bugfix ID: MDKA-2007:127 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:127 %pre The QT openssh password asking dialog, provided by openssh-askpass-qt package, would always exit with successful status (0), even when the user did not press the Ok button. This would, at least, make the openssh client always allow sharing a connection when ControlMaster option was set to ask. This update fixes the issue. %description Qt version of ssh auth agent for keychain %package libsmbclient0 libsmbclient0-devel libsmbclient0-static-devel mount-cifs nss_wins samba-client samba-common samba-doc samba-server samba-smbldap-tools samba-swat samba-vscan-clamav samba-vscan-icap samba-winbind Update: Tue Dec 11 16:06:57 2007 Importance: security ID: MDKSA-2007:244 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:244 %pre Alin Rad Pop of Secunia Research discovered a stack buffer overflow in how Samba authenticates remote users. A remote unauthenticated user could trigger this flaw to cause the Samba server to crash, or possibly execute arbitrary code with the permissions of the Samba server. The updated packages have been patched to correct these issues. %description Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba also provides some SMB clients, which complement the built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Samba-3.0 features working NT Domain Control capability and includes the SWAT (Samba Web Administration Tool) that allows samba's smb.conf file to be remotely managed using your favourite web browser. For the time being this is being enabled on TCP port 901 via xinetd. SWAT is now included in it's own subpackage, samba-swat. Please refer to the WHATSNEW.txt document for fixup information. This binary release includes encrypted password support. Please read the smb.conf file and ENCRYPTION.txt in the docs directory for implementation details. %package wpa_gui wpa_supplicant Update: Thu Dec 13 11:19:09 2007 Importance: security ID: MDKSA-2007:245 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:245 %pre Stack-based buffer overflow in driver_wext.c in wpa_supplicant 0.6.0 allows remote attackers to cause a denial of service (crash) via crafted TSF data. Updated package fixes this issue. %description wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver. wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wireless connection. wpa_supplicant supports separate frontend programs and an example text-based frontend, wpa_cli, is included with wpa_supplicant. Supported WPA/IEEE 802.11i features: * WPA-PSK ("WPA-Personal") * WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise") * key management for CCMP, TKIP, WEP104, WEP40 * WPA and full IEEE 802.11i/RSN/WPA2 * RSN: PMKSA caching, pre-authentication See the project web site or the eap_testing.txt file for a complete list of supported EAP methods (IEEE 802.1X Supplicant), supported drivers and interoperability testing. %package draklive Update: Thu Dec 13 17:21:29 2007 Importance: normal ID: MDKA-2007:128 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:128 %pre This update provides the version of the draklive tool that was used to build the 2008.0 live CDs. The original package in the 2008.0 repositories contained an obsolete version of the tool. %description This tool lets you generate Mandriva live systems. %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1-devel libdevhelp-1_0 libmozilla-firefox-devel libmozilla-firefox2.0.0.11 libswt3-gtk2 libtotem-plparser-devel libtotem-plparser7 mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gnome-support mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Thu Dec 13 20:28:00 2007 Importance: security ID: MDKSA-2007:246 URL: http://www.mandriva.com/security/advisories?name=MDKSA-2007:246 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.11. This update provides the latest Firefox to correct these issues. As well, it provides Firefox 2.0.0.11 for older products. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package acpid Update: Mon Dec 17 11:38:29 2007 Importance: bugfix ID: MDKA-2007:129 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:129 %pre The acpid daemon wrote a lot of information about ACPI events in the system logs, making harddisks too busy on laptops. This update package suppresses these events logs in the default setup, and enables them in debug mode only. %description The ACPI specification defines power and system management functions for each computer, in a generic manner. The ACPI daemon coordinates the management of power and system functions when ACPI kernel support is enabled (kernel 2.3.x or later). %package evolution-data-server libcamel-provider10 libcamel10 libebook9 libecal7 libedata-book2 libedata-cal6 libedataserver-devel libedataserver9 libedataserverui8 libegroupwise13 libexchange-storage3 Update: Mon Dec 17 12:58:23 2007 Importance: bugfix ID: MDKA-2007:130 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:130 %pre A reference leak prevented evolution-data-server to correctly shutdown when terminating a GNOME session. This prevented some programs to start correctly when login back after a logout. Updated package fixes this issue, and include stability fixes for Evolution mail client (GNOME bugs #271777, #488351, #461125) and translations updates. %description Evolution Data Server provides a central location for your addressbook and calendar in the gnome desktop. %package evolution-data-server libcamel-provider10 libcamel10 libebook9 libecal7 libedata-book2 libedata-cal6 libedataserver-devel libedataserver9 libedataserverui8 libegroupwise13 libexchange-storage3 Update: Mon Dec 17 13:26:42 2007 Importance: bugfix ID: MDKA-2007:130 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:130 %pre A reference leak prevented evolution-data-server to correctly shutdown when terminating a GNOME session. This prevented some programs to start correctly when login back after a logout. Updated package fixes this issue, and include stability fixes for Evolution mail client (GNOME bugs #271777, #488351, #461125) and translations updates. %description Evolution Data Server provides a central location for your addressbook and calendar in the gnome desktop. %package procps procps-devel Update: Tue Dec 18 08:41:42 2007 Importance: bugfix ID: MDKA-2007:131 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:131 %pre A bug in the program 'top' prevented the saving of user's preferences. The updated package fixes this issue. %description The procps package contains a set of system utilities which provide system information. Procps includes ps, free, skill, snice, tload, top, uptime, vmstat, w and watch. * The ps command displays a snapshot of running processes. * The top command provides a repetitive update of the statuses of running processes. * The free command displays the amounts of free and used memory on your system. * The skill command sends a terminate command (or another specified signal) to a specified set of processes. * The snice command is used to change the scheduling priority of specified processes. * The tload command prints a graph of the current system load average to a specified tty. * The uptime command displays the current time, how long the system has been running, how many users are logged on and system load averages for the past one, five and fifteen minutes. * The w command displays a list of the users who are currently logged on and what they're running. * The watch program watches a running program. * The vmstat command displays virtual memory statistics about processes, memory, paging, block I/O, traps and CPU activity. %package libtotem-plparser-devel libtotem-plparser7 totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer Update: Tue Dec 18 11:13:13 2007 Importance: bugfix ID: MDKA-2007:132 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:132 %pre Totem volume control could not be displayed properly when running in fullscreen mode. The update package fixes this issue and and include stability fixes as well. %description Totem is simple movie player for the GNOME desktop. It features a simple playlist, a full-screen mode, seek and volume controls, as well as a pretty complete keyboard navigation. This version is based on the xine backend. %package timezone timezone-java Update: Tue Dec 18 13:44:43 2007 Importance: normal ID: MDKA-2007:133 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:133 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package initscripts Update: Mon Dec 31 10:01:25 2007 Importance: bugfix ID: MDKA-2007:134 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:134 %pre This update for initscripts on Mandriva Linux 2008.0 fixes a bug in the setup of the mode of the text console when UTF-8 mode is disabled for the configured locale of the system. %description The initscripts package contains the basic system scripts used to boot your Mandriva Linux system, change run levels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. %package kdetoys kdetoys-kweather libkdetoys1-devel libkdetoys1-kweather Update: Mon Dec 31 10:02:00 2007 Importance: bugfix ID: MDKA-2007:135 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:135 %pre The kweather applet would be available in the applets viewer of the KDE kicker, despite the kweather application not being installed. This update corrects the issue. %description Toys for the K Desktop Environment. Software included in this package are: - amor: Amusing Misuse Of Resources put's comic figures above your windows - eyesapplet: a kicker applet similar to XEyes - fifteenapplet: kicker applet, order 15 pieces in a 4x4 square by moving them - kmoon: system tray applet showing the moon phase - kodo: mouse movement meter - kscore: kicker applet with a sports ticker - kteatime: system tray applet that makes sure your tea doesn't get too strong - ktux: Tux-in-a-Spaceship screen saver - kweather: kicker applet that will display the current weather outside - kworldwatch: application and kicker applet showing daylight area on the world globe %package ez-ipupdate Update: Mon Dec 31 10:35:17 2007 Importance: bugfix ID: MDKA-2007:136 URL: http://www.mandriva.com/security/advisories?name=MDKA-2007:136 %pre A 64-bit type error in ez-ipupdate would cause it to creash on x86_64 systems. This update corrects the problem. %description ez-ipupdate is a small utility for updating your host name for any of the dynamic DNS service offered at: * http://www.ez-ip.net * http://www.justlinux.com * http://www.dhs.org * http://www.dyndns.org * http://www.ods.org * http://gnudip.cheapnet.net (GNUDip) * http://www.dyn.ca (GNUDip) * http://www.tzo.com * http://www.easydns.com * http://www.dyns.cx * http://www.hn.org * http://www.zoneedit.com it is pure C and works on Linux, *BSD and Solaris. Don't forget to create your own config file ( in /etc/ez-ipupdate.conf ) You can find some example in /usr/share/doc/ez-ipupdate-3.0.11b8 %package gurpmi urpmi urpmi-ldap urpmi-parallel-ka-run urpmi-parallel-ssh urpmi-recover Update: Wed Jan 02 11:46:39 2008 Importance: bugfix ID: MDVA-2008:1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:1 %pre urpmi --auto-update was strangely broken in some uncertain cases (see bug #36134). urpmi --limit-rate had a regression introduced in version 4.9.12. The updated package fixes these issues. %description urpmi is Mandriva Linux's console-based software installation tool. You can use it to install software from the console in the same way as you use the graphical Install Software tool (rpmdrake) to install software from the desktop. urpmi will follow package dependencies -- in other words, it will install all the other software required by the software you ask it to install -- and it's capable of obtaining packages from a variety of media, including the Mandriva Linux installation CD-ROMs, your local hard disk, and remote sources such as web or FTP sites. %package libsmi-devel libsmi-mibs-ext libsmi-mibs-std libsmi2 libwireshark-devel libwireshark0 smi-tools tshark wireshark wireshark-tools Update: Wed Jan 02 13:26:42 2008 Importance: security ID: MDVSA-2008:1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:1 %pre A number of vulnerabilities in the Wireshark program were found that could cause crashes, excessive looping, or arbitrary code execution. This update rovides Wireshark 0.99.7 which is not vulnerable to these issues. An updated version of libsmi is also being provided, not because of security issues, but because this version of wireshark uses it instead of net-snmp for SNMP support. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package drakx-net drakx-net-text libdrakx-net Update: Thu Jan 03 07:41:53 2008 Importance: bugfix ID: MDVA-2008:002 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:002 %pre The VPN connection wizard failed to setup OpenVPN connections with username and password, because of a missing requirement in the package. This update package adds the perl-Net-Telnet dependency to solve the issue. %description This package contains the Mandriva network tools. net_applet: applet to check network connection net_monitor: connection monitoring %package dosfstools Update: Thu Jan 03 10:52:25 2008 Importance: bugfix ID: MDVA-2008:003 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:003 %pre The previous update introduced a bug into the dosfsck program that made it crash. This update fixes it. %description Inside of this package there are two utilities to create and to check MS-DOS FAT filesystems on either harddisks or floppies under Linux. This version uses the enhanced boot sector/superblock format of DOS 3.3+ as well as provides a default dummy boot sector code. %package squid squid-cachemgr Update: Fri Jan 04 13:36:51 2008 Importance: security ID: MDVSA-2008:002 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:002 %pre The cache update reply processing functionality in Squid 2.x before 2.6.STABLE17, and Squid 3.0, allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers. The updated package fixes this issue. %description Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. Install squid if you need a proxy caching server. This package defaults to a maximum of 1024 filedescriptors. You can change this value at build time by using for example: --define 'maxfiles 4096' The package was built to support a maximum of 1024 filedescriptors. %package timezone timezone-java Update: Fri Jan 04 22:53:06 2008 Importance: normal ID: MDVA-2008:004 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:004 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package libwireshark-devel libwireshark0 tshark wireshark wireshark-tools Update: Mon Jan 07 19:56:17 2008 Importance: security ID: MDVSA-2008:001-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:001-1 %pre A number of vulnerabilities in the Wireshark program were found that could cause crashes, excessive looping, or arbitrary code execution. This update provides Wireshark 0.99.7 which is not vulnerable to these issues. An updated version of libsmi is also being provided, not because of security issues, but because this version of wireshark uses it instead of net-snmp for SNMP support. Update: This update is being reissued without libcap (kernel capabilities) support, as that is not required by the original released packages, and thus gave trouble for a number of users. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package clamav clamav-db clamav-milter clamd clamdmon klamav libclamav-devel libclamav3 Update: Tue Jan 08 21:12:12 2008 Importance: security ID: MDVSA-2008:003 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:003 %pre An integer overflow vulnerability was reported by iDefense with clamav when parsing Portable Executable (PE) files packed in he MEW format. This could be exploited to cause a heap-based buffer overflow (CVE-2007-6335). Toeroek Edwin reported an off-by-one error when decompressing MS-ZIP compressed CAB files (CVE-2007-6336). As well, an unspecified vulnerability related to the bzip2 decompression algorithm was also discovered (CVE-2007-6337). Other bugs have also been corrected in 0.92 which is being provided with this update. Because this new version has increased the major of the libclamav library, updated dependent packages are also being provided. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package libecpg-devel libecpg5 libpq-devel libpq5 postgresql postgresql-devel postgresql8.2 postgresql8.2-contrib postgresql8.2-devel postgresql8.2-docs postgresql8.2-pl postgresql8.2-plperl postgresql8.2-plpgsql postgresql8.2-plpython postgresql8.2-pltcl postgresql8.2-server postgresql8.2-test Update: Tue Jan 08 21:52:52 2008 Importance: security ID: MDVSA-2008:004 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:004 %pre Index Functions Privilege Escalation (CVE-2007-6600): as a unique feature, PostgreSQL allows users to create indexes on the results of user-defined functions, known as expression indexes. This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067, CVE-2007-4769): three separate issues in the regular expression libraries used by PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend. DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle (see CVE-2007-3278), but that patch failed to close all forms of the loophole. Updated packages fix these issues by upgrading to the latest maintenance versions of PostgreSQL. %description PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server. These PostgreSQL client programs are programs that directly manipulate the internal structure of PostgreSQL databases on a PostgreSQL server. These client programs can be located on the same machine with the PostgreSQL server, or may be on a remote machine which accesses a PostgreSQL server over a network connection. This package contains the client libraries for C and C++, as well as command-line utilities for managing PostgreSQL databases on a PostgreSQL server. If you want to manipulate a PostgreSQL database on a remote PostgreSQL server, you need this package. You also need to install this package if you're installing the postgresql-server package. %package libexif-devel libexif12 Update: Wed Jan 09 12:50:20 2008 Importance: security ID: MDVSA-2008:005 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:005 %pre An infinite recursion flaw was found in the way that libexif parses Exif image tags. A carefully crafted Exif image file opened by an application linked against libexif could cause the application to crash (CVE-2007-6351). An integer overflow flaw was also found in how libexif parses Exif image tags. A carefully crafted Exif image file opened by an application linked against libexif could cause the application to crash or execute arbitrary code with the privileges of the user executing the application (CVE-2007-6352). The updated packages have been patched to correct these issues. %description Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags. %package exiv2 libexiv2 libexiv2-devel Update: Thu Jan 10 10:05:11 2008 Importance: security ID: MDVSA-2008:006 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:006 %pre An integer overflow in the Exiv2 library allows context-dependent attackers to execute arbitrary code via a crafted EXIF file that triggers a heap-based buffer overflow. The updated packages have been patched to correct these issues. %description Exiv2 is a command line utility to access image metadata. Exiv2 is free software. The Exiv2 library provides * full read and write access to the Exif and IPTC metadata of an image through Exiv2 keys and standard C++ iterators (Example1, Example2, Example3, Example4) * a smart IPTC implementation that does not affect data that programs like Photoshop store in the same image segment * Exif MakerNote support: o MakerNote tags can be accessed just like any other Exif metadata o a sophisticated write algorithm avoids corrupting the MakerNote: 1) the MakerNote is not re-located if possible at all, and 2) MakerNote Ifd offsets are re-calculated if the MakerNote needs to be moved (for known Ifd MakerNotes) * extract and delete methods for Exif thumbnails (both, JPEG and TIFF thumbnails) * set methods for Exif thumbnails (JPEG only, TIFF thumbnails can be set from individual tags) * complete API documentation (by Doxygen) Exiv2 is a command line utility to * print the Exif metadata of JPEG, TIFF and several RAW image formats as summary info, interpreted values, or the plain data for each tag (a sample is here) * print the IPTC metadata of JPEG images * print, set and delete the JPEG comment of JPEG images * set, add and delete Exif and IPTC metadata of JPEG images * adjust the Exif timestamp (that's how it all started...) * rename Exif image files according to the Exif timestamp * extract, insert and delete Exif metadata, IPTC metadata and JPEG comments * extract, insert and delete the thumbnail image embedded in the Exif metadata * fix the Exif ISO setting of picture taken with Nikon cameras %package dkms-libafs libopenafs1 libopenafs1-devel openafs openafs-client openafs-doc openafs-server Update: Thu Jan 10 11:30:17 2008 Importance: bugfix ID: MDVA-2008:006 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:006 %pre The previous openafs update (MDKA-2007:124) was released to correct gcc compiler optimisations, however it only corrected the problem on 32bit platforms. This update fixes it for both 32bit and 64bit architectures. %description AFS is a distributed filesystem allowing cross-platform sharing of files among multiple computers. Facilities are provided for access control, authentication, backup and administrative management. This package provides common files shared across all the various OpenAFS packages but are not necessarily tied to a client or server. %package e2fsprogs libext2fs-devel libext2fs2 Update: Thu Jan 10 19:03:38 2008 Importance: bugfix ID: MDVA-2008:007 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:007 %pre An incorrect Requires was added to the e2fsprogs package that prevented it from being installed properly on a system with both 32bit and 64bit update media configured. This update corrects the Requires, allowing the package to be installed properly. %description The e2fsprogs package contains a number of utilities for creating, checking, modifying and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters) and most of the other core ext2fs filesystem utilities. You should install the e2fsprogs package if you need to manage the performance of an ext2 filesystem. %package madwifi-source wpa_gui wpa_supplicant Update: Thu Jan 10 19:43:00 2008 Importance: security ID: MDVSA-2008:007 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:007 %pre MadWifi prior to 0.9.3.3 allowed remote attackers to cause a denial of service (panic) via a beacon frame with a large length value in the extended supported rates (xrates) element, which would trigger an assertion error. Updated packages have been updated to 0.9.3.3 to correct this issue. Wpa_supplicant is built using madwifi-source and has been rebuilt using 0.9.3.3 source. %description wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver. wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wireless connection. wpa_supplicant supports separate frontend programs and an example text-based frontend, wpa_cli, is included with wpa_supplicant. Supported WPA/IEEE 802.11i features: * WPA-PSK ("WPA-Personal") * WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise") * key management for CCMP, TKIP, WEP104, WEP40 * WPA and full IEEE 802.11i/RSN/WPA2 * RSN: PMKSA caching, pre-authentication See the project web site or the eap_testing.txt file for a complete list of supported EAP methods (IEEE 802.1X Supplicant), supported drivers and interoperability testing. %package e2fsprogs libext2fs-devel libext2fs2 Update: Fri Jan 11 10:27:27 2008 Importance: bugfix ID: MDVA-2008:007-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:007-1 %pre An incorrect Requires was added to the e2fsprogs package that prevented it from being installed properly on a system with both 32bit and 64bit update media configured. This update corrects the Requires, allowing the package to be installed properly. Update: The Requires that was used on the previous update was not explicit enough. This update corrects that. %description The e2fsprogs package contains a number of utilities for creating, checking, modifying and correcting any inconsistencies in second extended (ext2) filesystems. E2fsprogs contains e2fsck (used to repair filesystem inconsistencies after an unclean shutdown), mke2fs (used to initialize a partition to contain an empty ext2 filesystem), debugfs (used to examine the internal structure of a filesystem, to manually repair a corrupted filesystem or to create test cases for e2fsck), tune2fs (used to modify filesystem parameters) and most of the other core ext2fs filesystem utilities. You should install the e2fsprogs package if you need to manage the performance of an ext2 filesystem. %package autofs Update: Fri Jan 11 12:58:14 2008 Importance: security ID: MDVSA-2008:009 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:009 %pre The default behaviour of autofs 5 for the hosts map did not specify the nosuid and nodev mount options. This could allow a local user with control of a remote NFS server to create a setuid root executable on the exported filesystem of the remote NFS server. If this filesystem was mounted with the default hosts map, it would allow the user to obtain root privileges (CVE-2007-5964). Likewise, the same scenario would be available for local users able to create device files on the exported filesystem which could allow the user to gain access to important system devices (CVE-2007-6285). Because the default behaviour of autofs was to mount -hosts map entries with the dev and suid options enabled by default, autofs has been altered to always use nodev and nosuid by default. In order to have the old behaviour, the configuration must now explicitly set the dev and/or suid options. This change only affects the -hosts map which corresponds to the /net entry in the default configuration. %description autofs is a daemon which automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth. %package libxml2-devel libxml2-python libxml2-utils libxml2_2 Update: Fri Jan 11 14:59:33 2008 Importance: security ID: MDVSA-2008:010 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:010 %pre A denial of service flaw was discovered by the Google Security Team in the way libxml2 processes malformed XML content. This flaw could cause the application to stop responding. The updated packages have been patched to correct this issue. %description This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM-like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to a URI library. %package rsync Update: Fri Jan 11 15:13:44 2008 Importance: security ID: MDVSA-2008:011 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:011 %pre rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy. (CVE-2007-6199) Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options. (CVE-2007-6200) This update fixes these issues. It is recommended users (specially system and network administrators) read the manpage about the introduced munge symlinks feature. This update also upgrades rsync to version 2.6.9 for all Mandriva Linux versions earlier than 2008.0. %description Rsync uses a quick and reliable algorithm to very quickly bring remote and host files into sync. Rsync is fast because it just sends the differences in the files over the network (instead of sending the complete files). Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package. Install rsync if you need a powerful mirroring program. This rpm has these patches applied from rsync tree: - acl: allow to mirror acl Rebuild the source rpm with `--without patches' if you don't want these patches %package autofs Update: Sat Jan 12 12:05:08 2008 Importance: security ID: MDVSA-2008:009 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:009 %pre The default behaviour of autofs 5 for the hosts map did not specify the nosuid and nodev mount options. This could allow a local user with control of a remote NFS server to create a setuid root executable on the exported filesystem of the remote NFS server. If this filesystem was mounted with the default hosts map, it would allow the user to obtain root privileges (CVE-2007-5964). Likewise, the same scenario would be available for local users able to create device files on the exported filesystem which could allow the user to gain access to important system devices (CVE-2007-6285). Because the default behaviour of autofs was to mount -hosts map entries with the dev and suid options enabled by default, autofs has been altered to always use nodev and nosuid by default. In order to have the old behaviour, the configuration must now explicitly set the dev and/or suid options. This change only affects the -hosts map which corresponds to the /net entry in the default configuration. Update: The previous update shipped with an incorrect LDAP lookup module that would prevent the automount daemon from starting. This update corrects that problem. %description autofs is a daemon which automatically mounts filesystems when you use them, and unmounts them later when you are not using them. This can include network filesystems, CD-ROMs, floppies, and so forth. %package kdetoys kdetoys-kweather libkdetoys1-devel libkdetoys1-kweather Update: Mon Jan 14 10:53:01 2008 Importance: bugfix ID: MDVA-2008:008 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:008 %pre The kweather applet would be available in the applets viewer of the KDE kicker, despite the kweather application not being installed. Also, the previous update of kdetoys wouldn't install because of a typo in the package specification. This update corrects the issues. %description Toys for the K Desktop Environment. Software included in this package are: - amor: Amusing Misuse Of Resources put's comic figures above your windows - eyesapplet: a kicker applet similar to XEyes - fifteenapplet: kicker applet, order 15 pieces in a 4x4 square by moving them - kmoon: system tray applet showing the moon phase - kodo: mouse movement meter - kscore: kicker applet with a sports ticker - kteatime: system tray applet that makes sure your tea doesn't get too strong - ktux: Tux-in-a-Spaceship screen saver - kweather: kicker applet that will display the current weather outside - kworldwatch: application and kicker applet showing daylight area on the world globe %package libpython2.5 libpython2.5-devel python python-base python-docs tkinter tkinter-apps Update: Mon Jan 14 12:49:33 2008 Importance: security ID: MDVSA-2008:013 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:013 %pre Multiple integer overflows were found in python's imageop module. If an application written in python used the imageop module to process untrusted images, it could cause the application to crash, enter an infinite loop, or possibly execute arbitrary code with the privileges of the python interpreter. The updated packages have been patched to correct this issue. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. %package apache-base apache-devel apache-htcacheclean apache-mod_authn_dbd apache-mod_cache apache-mod_dav apache-mod_dbd apache-mod_deflate apache-mod_disk_cache apache-mod_file_cache apache-mod_ldap apache-mod_mem_cache apache-mod_proxy apache-mod_proxy_ajp apache-mod_ssl apache-mod_userdir apache-modules apache-mpm-event apache-mpm-itk apache-mpm-prefork apache-mpm-worker apache-source Update: Wed Jan 16 13:25:46 2008 Importance: security ID: MDVSA-2008:016 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:016 %pre A number of vulnerabilities were found and fixed in the Apache 2.2.x packages: A flaw found in the mod_imagemap module could lead to a cross-site scripting attack on sites where mod_imagemap was enabled and an imagemap file was publically available (CVE-2007-5000). A flaw found in the mod_status module could lead to a cross-site scripting attack on sites where mod_status was enabled and the status pages were publically available (CVE-2007-6388). A flaw found in the mod_proxy_balancer module could lead to a cross-site scripting attack against an authorized user on sites where mod_proxy_balancer was enabled (CVE-2007-6421). Another flaw in the mod_proxy_balancer module was found where, on sites with the module enabled, an authorized user could send a carefully crafted request that would cause the apache child process handling the request to crash, which could lead to a denial of service if using a threaded MPM (CVE-2007-6422). A flaw found in the mod_proxy_ftp module could lead to a cross-site scripting attack against web browsers which do not correctly derive the response character set following the rules in RFC 2616, on sites where the mod_proxy_ftp module was enabled (CVE-2008-0005). The updated packages have been patched to correct these issues. %description This package contains the main binary of apache, a powerful, full-featured, efficient and freely-available Web server. Apache is also the most popular Web server on the Internet. This version of apache is fully modular, and many modules are available in pre-compiled formats, like PHP and mod_auth_external. Check for available Apache modules for Mandriva Linux at: http://nux.se/apache/ (most of them can be installed from the contribs repository) %package park-rpmdrake rpmdrake Update: Wed Jan 16 14:35:56 2008 Importance: bugfix ID: MDVA-2008:009 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:009 %pre When listing updates to install MandrivaUpdate performs a consistency check of the package set to install. At this stage, MandrivaUpdate was automatically selecting updated packages from non update media, as shown in the confirmation dialog. This behaviour was wrong especially due to the backports media. This update corrects the issues. %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package vorbis-tools Update: Wed Jan 16 16:00:54 2008 Importance: bugfix ID: MDVA-2008:010 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:010 %pre The oggenc program incorrectly wrote special characters in tags; they were incorrectly replaced with sharp characters. This update makes oggenc properly handle special characters in tags. %description This package contains oggenc (encoder), oggdec, ogg123 (command line player) vorbiscomment (metadata editor) and vcut (cut tool). Find some free Ogg Vorbis music here: http://www.vorbis.com/music/ %package kdelibs-common kdelibs-devel-doc libkdecore4 libkdecore4-devel Update: Wed Jan 16 19:15:55 2008 Importance: bugfix ID: MDVA-2008:011 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:011 %pre Due to bad encoding, accented letters appeared on the KDE menu and kicker as strange symbols rather than the actual letters. This update fixes the issue and properly displays those letters. %description Libraries for the K Desktop Environment. %package dkms-lzma liblzma0 liblzma0-devel lzma Update: Thu Jan 17 11:23:40 2008 Importance: bugfix ID: MDVA-2008:012 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:012 %pre The lzma program did not properly check that the closing of output succeeded, which could lead to rare, but possible, data loss. Another issue with liblzmadec was also discovered where programs could crash if decoding of a stream was not properly initialized. This update ensures that output is properly closed so as to avoid silent data loss, and adds consistency checks to liblzmadec so that programs will no longer crash if a stream isn't properly initialized. %description LZMA provides very high compression ratio and fast decompression. The core of the LZMA utils is Igor Pavlov's LZMA SDK containing the actual LZMA encoder/decoder. LZMA utils add a few scripts which provide gzip-like command line interface and a couple of other LZMA related tools. Also provides: - Average compression ratio 30% better than that of gzip and 15% better than that of bzip2. - Decompression speed is only little slower than that of gzip, being two to five times faster than bzip2. - In fast mode, compresses faster than bzip2 with a comparable compression ratio. - Achieving the best compression ratios takes four to even twelve times longer than with bzip2. However. this doesn't affect decompressing speed. - Very similar command line interface than what gzip and bzip2 have. %package libmysql-devel libmysql-static-devel libmysql15 mysql mysql-bench mysql-client mysql-common mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Sat Jan 19 16:42:02 2008 Importance: security ID: MDVSA-2008:017 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:017 %pre MySQL 5.0.x did not update the DEFINER value of a view when the view is altered, which allows remote authenticated users to gain privileges via a sequence of statements including a CREATE SQL SECURITY DEFINER VIEW statement and an ALTER VIEW statement (CVE-2007-6303). The federated engine in MySQL 5.0.x, when performing a certain SHOW TABLE STATUS query, did not properly handle a response with a small number of columns, which could allow a remote MySQL server to cause a denial of service (federated handler crash and daemon crash) via a response that lacks the minimum required number of columns (CVE-2007-6304). The updated packages have been patched to correct these issues. %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from MySQL AB if you do not wish to be bound by the terms of the GPL. See the chapter "Licensing and Support" in the manual for further info. The MySQL web site (http://www.mysql.com/) provides the latest news and information about the MySQL software. Also please see the documentation and the manual for more information. %package libcairo-devel libcairo-static-devel libcairo2 Update: Mon Jan 21 20:15:33 2008 Importance: security ID: MDVSA-2008:019 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:019 %pre Peter Valchev discovered that Cairo did not correctly decode PNG image data. By tricking a user or automated system into processing a specially crafted PNG with Cairo, a remote attacker could execute arbitrary code with the privileges of the user opening the file. The updated packages have been patched to correct this issue. %description Cairo provides anti-aliased vector-based rendering for X. Paths consist of line segments and cubic splines and can be rendered at any width with various join and cap styles. All colors may be specified with optional translucence (opacity/alpha) and combined using the extended Porter/Duff compositing algebra as found in the X Render Extension. Cairo exports a stateful rendering API similar in spirit to the path construction, text, and painting operators of PostScript, (with the significant addition of translucence in the imaging model). When complete, the API is intended to support the complete imaging model of PDF 1.4. Cairo relies on the Xc library for backend rendering. Xc provides an abstract interface for rendering to multiple target types. As of this writing, Xc allows Cairo to target X drawables as well as generic image buffers. Future backends such as PostScript, PDF, and perhaps OpenGL are currently being planned. %package isdn4k-utils isdn4k-utils-doc isdn4k-utils-eurofile isdn4k-utils-isdnlog isdn4k-utils-vbox isdn4k-utils-xtools libisdn4k-utils2 libisdn4k-utils2-devel Update: Tue Jan 22 08:43:18 2008 Importance: bugfix ID: MDVA-2008:014 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:014 %pre The capi4linux initscript from the isdn4k-utils package in Mandriva Linux 2008.0 had incorrect permissions, which prevented it from being used. The updated package fixes the permissions of the initscript. %description isdn4k-utils is a collection of various ISDN related utilities. This package contains configuration tools for all ISDN adapters, supported by Linux. Furthermore, several status-monitors are provided as well as some ISDN-based applications. Namely ipppd, a PPP daemon for synchronous PPP over ISDN; vbox, an answering-machine and (for use with AVM-B1 only) capifax, a faxmachine. %package kdelibs-common kdelibs-devel-doc libkdecore4 libkdecore4-devel Update: Tue Jan 22 13:01:40 2008 Importance: bugfix ID: MDVA-2008:015 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:015 %pre Kpdf applet crashed when trying to create a new server, if avahi wasn't running. LZMA compressed man pages bigger than 8KB were not readable using the man:/ kioslave of KDE. The updated packages fix these issues. %description Libraries for the K Desktop Environment. %package libxine-devel libxine1 xine-aa xine-caca xine-dxr3 xine-esd xine-flac xine-gnomevfs xine-image xine-jack xine-plugins xine-pulse xine-sdl xine-smb Update: Tue Jan 22 14:08:43 2008 Importance: security ID: MDVSA-2008:020 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:020 %pre Two vulnerabilities discovered in xine-lib allow remote execution of arbitrary code: Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. (CVE-2008-0225) Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. (CVE-2008-0238) Besides those security issues, the xine-lib provided in Mandriva Linux 2008.0 and 2007.1 did not automatically use Real binary codecs, when the user had them installed in /usr/lib64/real on x86_64 architecture. Also, xine-lib of Mandriva Linux 2007.1 did not automatically use the Real codecs from /usr/lib/RealPlayer10GOLD/codecs, which is provided by RealPlayer package of Mandriva Powerpack editions. The updated packages fix these issues. %description xine is a free gpl-licensed video player for unix-like systems. %package x11-server x11-server-common x11-server-devel x11-server-xati x11-server-xchips x11-server-xdmx x11-server-xephyr x11-server-xepson x11-server-xfake x11-server-xfbdev x11-server-xi810 x11-server-xmach64 x11-server-xmga x11-server-xneomagic x11-server-xnest x11-server-xnvidia x11-server-xorg x11-server-xpm2 x11-server-xr128 x11-server-xsdl x11-server-xsmi x11-server-xvesa x11-server-xvfb x11-server-xvia x11-server-xvnc Update: Wed Jan 23 18:20:43 2008 Importance: security ID: MDVSA-2008:023 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:023 %pre An input validation flaw was found in the X.org server's XFree86-Misc extension that could allow a malicious authorized client to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.org server (CVE-2007-5760). A flaw was found in the X.org server's XC-SECURITY extension that could allow a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user (CVE-2007-5958). A memory corruption flaw was found in the X.org server's XInput extension that could allow a malicious authorized client to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server (CVE-2007-6427). An information disclosure flaw was found in the X.org server's TOG-CUP extension that could allow a malicious authorized client to cause a denial of service (crash) or potentially view arbitrary memory content within the X.org server's address space (CVE-2007-6428). Two integer overflow flaws were found in the X.org server's EVI and MIT-SHM modules that could allow a malicious authorized client to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server (CVE-2007-6429). The updated packages have been patched to correct these issues. %description X11 servers %package libxfont1 libxfont1-devel libxfont1-static-devel Update: Wed Jan 23 18:22:10 2008 Importance: security ID: MDVSA-2008:024 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:024 %pre A heap-based buffer overflow flaw was found in how the X.org server handled malformed font files that could allow a malicious local user to potentially execute arbitrary code with the privileges of the X.org server (CVE-2008-0006). The updated packages have been patched to correct this issue. %description X font Library %package x11-server-xgl Update: Wed Jan 23 20:43:54 2008 Importance: security ID: MDVSA-2008:025 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:025 %pre An input validation flaw was found in the X.org server's XFree86-Misc extension that could allow a malicious authorized client to cause a denial of service (crash), or potentially execute arbitrary code with root privileges on the X.org server (CVE-2007-5760). A flaw was found in the X.org server's XC-SECURITY extension that could allow a local user to verify the existence of an arbitrary file, even in directories that are not normally accessible to that user (CVE-2007-5958). A memory corruption flaw was found in the X.org server's XInput extension that could allow a malicious authorized client to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server (CVE-2007-6427). An information disclosure flaw was found in the X.org server's TOG-CUP extension that could allow a malicious authorized client to cause a denial of service (crash) or potentially view arbitrary memory content within the X.org server's address space (CVE-2007-6428). Two integer overflow flaws were found in the X.org server's EVI and MIT-SHM modules that could allow a malicious authorized client to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the X.org server (CVE-2007-6429). The updated packages have been patched to correct these issues. %description Xgl is an Xserver that uses OpenGL for its drawing operations. Some operations like antialiased font rendering is noticably faster with this technology, and future graphics hardware might only have support for 3D operations and no 2D core any more. Note that this is highly experimental code, it has been tested only on few hardware platforms, and depending on driver state it may even crash your computer. %package kdebase kdebase-common kdebase-devel-doc kdebase-kate kdebase-kdeprintfax kdebase-kdm kdebase-kmenuedit kdebase-konsole kdebase-ksysguard kdebase-nsplugins kdebase-progs kdebase-session-plugins libkdebase4 libkdebase4-devel libkdebase4-kate libkdebase4-kmenuedit libkdebase4-konsole Update: Thu Jan 24 20:40:27 2008 Importance: bugfix ID: MDVA-2008:016 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:016 %pre On kdebase as released in Mandriva Linux 2008.0, Khelpcenter could not build an index for the KDE applications manuals, because a required package, htdig, is not in the main repositories. Htdig is now added as suggested package. Also, the Add a network wizard did not show up when browsing the remote:/ kioslave in konqueror. And finally, the icon for Home in the pager applet would appear as a blank page and did not work (malformed URL). The updated package fixes these issues. %description Core applications for the K Desktop Environment. Here is an overview of the directories: - drkonqi: if ever an app crashes (heaven forbid!) then Dr.Konqi will be so kind and make a stack trace. This is a great help for the developers to fix the bug. - kappfinder: searches your hard disk for non-KDE applications, e.g. Acrobat Reader (tm) and installs those apps under the K start button - kate: a fast and advanced text editor with nice plugins - kcheckpass: small program to enter and check passwords, only to be used by other programs - kcontrol: the KDE Control Center allows you to tweak the KDE settings - kdcop: GUI app to browse for DCOP interfaces, can also execute them - kdebugdialog: allows you to specify which debug messages you want to see - kdeprint: the KDE printing system - kdesktop: you guessed it: the desktop above the panel - kdesu: a graphical front end to "su" - kdm: replacement for XDM, for those people that like graphical logins - kfind: find files - khelpcenter: the app to read all great documentation about KDE - khotkeys: intercepts keys and can call applications - kicker: the panel at the botton with the K start button and the taskbar etc - kioslave: infrastructure that helps make every application internet enabled e.g. to directly save a file to ftp://place.org/dir/file.txt - klipper: enhances and extenses the X clipboard - kmenuedit: edit for the menu below the K start button - konqueror: the file manager and web browser you get easily used to - kpager: applet to show the contents of the virtual desktops - kpersonalizer: the customization wizard you get when you first start KDE - kreadconfig: a tool for shell scripts to get info from KDE's config files - kscreensaver: the KDE screensaver environment and lot's of savers - ksmserver: the KDE session manager (saves program status on login, restarts those program at the next login) - ksplash: the screen displayed while KDE starts - kstart: to launch applications with special window properties such as iconified etc - ksysguard: task manager and system monitor, even for remote systems - ksystraycmd: allows to run any application in the system tray - ktip: gives you tips how to use KDE - kwin: the KDE window manager - kxkb: a keyboard map tool - legacyimport: odd name for a cute program to load GTK themes - libkonq: some libraries needed by Konqueror - nsplugins: together with OSF/Motif or Lesstif allows you to use Netscape (tm) plugins in Konqueror %package icu icu-doc libicu-devel libicu36 Update: Fri Jan 25 10:26:48 2008 Importance: security ID: MDVSA-2008:026 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:026 %pre Will Drewry reported multiple flaws in how libicu processed certain malformed regular expressions. If an application linked against libicu, such as OpenOffice.org, processed a carefully-crafted regular expression, it could potentially cause the execution of arbitrary code with the privileges of the user running the application. The updated packages have been patched to correct these issues. %description The International Components for Unicode (ICU) libraries provide robust and full-featured Unicode services on a wide variety of platforms. ICU supports the most current version of the Unicode standard, and they provide support for supplementary Unicode characters (needed for GB 18030 repertoire support). As computing environments become more heterogeneous, software portability becomes more important. ICU lets you produce the same results across all the various platforms you support, without sacrificing performance. It offers great flexibility to extend and customize the supplied services, which include: * Text: Unicode text handling, full character properties and character set conversions (500+ codepages) * Analysis: Unicode regular expressions; full Unicode sets; character, word and line boundaries * Comparison: Language sensitive collation and searching * Transformations: normalization, upper/lowercase, script transliterations (50+ pairs) * Locales: Comprehensive locale data (230+) and resource bundle architecture * Complex Text Layout: Arabic, Hebrew, Indic and Thai * Time: Multi-calendar and time zone * Formatting and Parsing: dates, times, numbers, currencies, messages and rule based %package php-timezonedb Update: Fri Jan 25 11:04:45 2008 Importance: normal ID: MDVA-2008:017 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:017 %pre Updated PHP timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2007 and later for certain time zones. In Mandriva Linux 2007.1 and newer, package php-timezonedb provides the PHP timezone database. These updated packages contain the new information. %description This extension is a drop-in replacement for the builtin timezone database that comes with PHP. You should only install this extension in case you need to get a later version of the timezone database than the one that ships with PHP. The data that this extension uses comes from the "Olson" database, which is located at ftp://elsie.nci.nih.gov/pub/. %package libpulseaudio0 libpulseaudio0-devel libpulsecore3 pulseaudio Update: Fri Jan 25 14:11:38 2008 Importance: security ID: MDVSA-2008:027 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:027 %pre A programming flaw was found in Pulseaudio versions older than 0.9.9, by which a local user can gain root access, if pulseaudio is installed as a setuid to root binary, which is the recommended configuration. The updated packages fix this issue. %description pulseaudio is a sound server for Linux and other Unix like operating systems. It is intended to be an improved drop-in replacement for the Enlightened Sound Daemon (ESOUND). In addition to the features ESOUND provides pulseaudio has: * Extensible plugin architecture (by loading dynamic loadable modules with dlopen()) * Support for more than one sink/source * Better low latency behaviour * Embedabble into other software (the core is available as C library) * Completely asynchronous C API * Simple command line interface for reconfiguring the daemon while running * Flexible, implicit sample type conversion and resampling * "Zero-Copy" architecture * Module autoloading * Very accurate latency measurement for playback and recording. * May be used to combine multiple sound cards to one (with sample rate adjustment) * Client side latency interpolation %package libmysql-devel libmysql-static-devel libmysql15 mysql mysql-bench mysql-client mysql-common mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Tue Jan 29 17:34:38 2008 Importance: bugfix ID: MDVA-2008:018 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:018 %pre Updated MySQL packages are being made available that fix a number of upstream bugs, as well as some minor packaging bugs. %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from MySQL AB if you do not wish to be bound by the terms of the GPL. See the chapter "Licensing and Support" in the manual for further info. The MySQL web site (http://www.mysql.com/) provides the latest news and information about the MySQL software. Also please see the documentation and the manual for more information. %package drakbt Update: Wed Jan 30 15:47:57 2008 Importance: bugfix ID: MDVA-2008:020 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:020 %pre A minor bug in drakbt was causing it to crash when opening some dialogs such as the help. This update corrects the bug. %description Drakbt reports status information for a given torrent file or URL. It can connect automatically to Mandriva Linux websites to grab and display available torrents. You should provide login and password if you want to connect to club member restricted torrents. After all checks are done, you can trigger the download process from drakbt. Information displayed are : - current number of complete copies (seeds) - incomplete copies (leeches) currently active. - Bittorrent port reachability - Hash info .... %package ruby ruby-devel ruby-doc ruby-tk Update: Wed Jan 30 21:39:31 2008 Importance: security ID: MDVSA-2008:029 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:029 %pre Ruby network libraries Net::HTTP, Net::IMAP, Net::FTPTLS, Net::Telnet, Net::POP3, and Net::SMTP, up to Ruby version 1.8.6 are affected by a possible man-in-the-middle attack, when using SSL, due to a missing check of the CN (common name) attribute in SSL certificates against the server's hostname. The updated packages have been patched to prevent the issue. %description Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. %package xdg-utils Update: Thu Jan 31 23:52:38 2008 Importance: security ID: MDVSA-2008:031 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:031 %pre A vulnerability was found in xdg-open and xdg-email commands, which allows remote attackers to execute arbitrary commands if the user is tricked into trying to open a maliciously crafted URL. The updated packages have been patched to prevent the issue. %description This version of xdg-utils contains the following commands: xdg-desktop-menu: command line tool for (un)installing desktop menu items xdg-desktop-icon: command line tool for (un)installing icons to the desktop xdg-mime: command line tool for querying information about file type handling and adding descriptions for new file types xdg-icon-resource: command line tool for (un)installing icon resources xdg-open: opens a file or URL in the user's preferred application xdg-email: command line tool for sending mail using the user's preferred e-mail composer xdg-su: run a program as root after prompting for the root password xdg-screensaver: command line tool for controlling the screensaver Testsuite for xdg-utils is available from http://portland.freedesktop.org/wiki/TestSuite %package libboost1 libboost1-devel libboost1-examples libboost1-static-devel Update: Fri Feb 01 12:32:15 2008 Importance: security ID: MDVSA-2008:032 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:032 %pre Tavis Ormandy and Will Drewry found that the bost library did not properly perform input validation on regular expressions. An attacker could exploit this by sening a specially crafted regular expression to an application linked against boost and cause a denial of service via an application crash. The updated packages have been patched to correct this issue. %description Boost is a collection of free peer-reviewed portable C++ source libraries. The emphasis is on libraries which work well with the C++ Standard Library. This package contains only the shared libraries needed for running programs using Boost. %package ruby-atk ruby-gconf2 ruby-gdkpixbuf2 ruby-glib2 ruby-gnome2 ruby-gnome2-devel ruby-gnomecanvas2 ruby-gnomeprint2 ruby-gnomeprintui2 ruby-gnomevfs2 ruby-gtk2 ruby-gtkglext ruby-gtkhtml2 ruby-gtkmozembed ruby-gtksourceview ruby-libart2 ruby-libglade2 ruby-panelapplet2 ruby-pango ruby-poppler ruby-rsvg2 ruby-vte Update: Fri Feb 01 13:20:38 2008 Importance: security ID: MDVSA-2008:033 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:033 %pre A format string vulnerability in Ruby-GNOME 2 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter. The updated packages have been patched to prevent this issue. %description set of Ruby language bindings for the GNOME 2.0 development environment. This is the next generation of Ruby-GNOME. %package emacs emacs-common emacs-doc emacs-el emacs-gtk emacs-leim emacs-nox Update: Mon Feb 04 19:42:03 2008 Importance: security ID: MDVSA-2008:034 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:034 %pre The hack-local-variable function in Emacs 22 prior to version 22.2, when enable-local-variables is set to ':safe', did not properly search lists of unsafe or risky variables, which could allow user-assisted attackers to bypass intended restrictions and modify critical program variables via a file containing a Local variables declaration (CVE-2007-5795; only affects Mandriva Linux 2008.0). A stack-based buffer overflow in emacs could allow user-assisted attackers to cause an application crash or possibly have other unspecified impacts via a large precision value in an integer format string specifier to the format function (CVE-2007-6109). The updated packages have been patched to correct these issues. %description Emacs-X11 includes the Emacs text editor program for use with the X Window System (it provides support for the mouse and other GUI elements). Emacs-X11 will also run Emacs outside of X, but it has a larger memory footprint than the 'non-X' Emacs package (emacs-nox). Install emacs if you are going to use Emacs with the X Window System. You should also install emacs if you're going to run Emacs both with and without X (it will work fine both ways). You'll also need to install the emacs-common package in order to run Emacs. %package imagemagick imagemagick-desktop imagemagick-doc libmagick10.7.0 libmagick10.7.0-devel perl-Image-Magick Update: Tue Feb 05 11:01:17 2008 Importance: security ID: MDVSA-2008:035 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:035 %pre Multiple vulnerabilities were discovered in the image decoders of ImageMagick. If a user or automated system were tricked into processing malicious DCM, DIB, XBM, XCF, or XWD images, a remote attacker could execute arbitrary code with user privileges. The updated packages have been patched to correct these issues. %description ImageMagick is a powerful image display, conversion and manipulation tool. It runs in an X session. With this tool, you can view, edit and display a variety of image formats. Build Options: --with plf Build for PLF (fpx support) --with modules Compile all supported image types as modules --with jasper Enable JPEG2000 support (enabled) --with graphviz Enable Graphviz support (enabled) %package gcc gcc-c++ gcc-cpp gcc-doc gcc-doc-pdf gcc-gfortran gcc-gnat gcc-java gcc-objc++ gcc-objc gcj-tools libffi-devel libffi4 libgcc1 libgcj-devel libgcj-static-devel libgcj8 libgcj8-base libgcj8-src libgfortran2 libgnat1 libgomp-devel libgomp1 libmudflap-devel libmudflap0 libobjc2 libstdc++-devel libstdc++-static-devel libstdc++6 Update: Wed Feb 06 08:56:39 2008 Importance: bugfix ID: MDVA-2008:021 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:021 %pre libstdc++ released in Mandriva Linux 2008.0 has a small binary incompatibility, which does not affect any packages released with it, but makes it fail LSB tests. The updated package fixes this issue. %description A compiler aimed at integrating all the optimizations and features necessary for a high-performance and stable development environment. This package is required for all other GCC compilers, namely C++, Fortran 95, Objective C, Java and Ada 95. If you have multiple versions of GCC installed on your system, it is preferred to type "gcc-$(gcc4.2-version)" (without double quotes) in order to use the GNU C compiler version 4.2.2. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Wed Feb 06 10:40:33 2008 Importance: security ID: MDVSA-2008:036 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:036 %pre Wei Wang found that the SNMP discovery backend in CUPS did not correctly calculate the length of strings. If a user could be tricked into scanning for printers, a remote attacker could send a specially crafted packet and possibly execute arbitrary code (CVE-2007-5849). As well, the fix for CVE-2007-0720 in MDKSA-2007:086 caused another denial of service regression within SSL handling (CVE-2007-4045). The updated packages have been patched to correct these issues. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package x11-data-xkbdata Update: Thu Feb 07 09:07:52 2008 Importance: bugfix ID: MDVA-2008:022 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:022 %pre The x11-data-xkbdata package distributed with Mandriva Linux 2008 had a different configuration for french keyboards, which prevented the generation of the 'oe' symbol through altgr-o, and a few others. This update fixes the problem. %description Xkeyboard-config provides consistent, well-structured, frequently released of X keyboard configuration data (XKB) for various X Window System implementations. %package libcdio++0 libcdio-apps libcdio-devel libcdio-static-devel libcdio7 libcdio_cdda0 libiso9660_5 Update: Thu Feb 07 10:28:59 2008 Importance: security ID: MDVSA-2008:037 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:037 %pre A stack-based buffer overflow was discovered in libcdio that allowed context-dependent attackers to cause a denial of service (core dump) and possibly execute arbitrary code via a disk or image file that contains a long joliet file name. In addition, a fix for failed UTF-8 conversions that would cause a segfault on certain ISOs was also fixed. The updated packages have been patched to correct this issue. %description This library is to encapsulate CD-ROM reading and control. Applications wishing to be oblivious of the OS- and device-dependent properties of a CD-ROM can use this library. Some support for disk image types like BIN/CUE and NRG is available, so applications that use this library also have the ability to read disc images as though they were CD's. %package libSDL_image1.2 libSDL_image1.2-devel libSDL_image1.2-test Update: Thu Feb 07 16:43:22 2008 Importance: security ID: MDVSA-2008:040 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:040 %pre The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code. The updated packages have been patched to correct this issue. %description This is a simple library to load images of various formats as SDL surfaces. This library currently supports BMP, PPM, PCX, GIF, JPEG, and PNG formats. This package contains the binary `sdlshow' to test the library. %package libtk-devel libtk8.5 tk Update: Thu Feb 07 16:44:48 2008 Importance: security ID: MDVSA-2008:041 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:041 %pre The ReadImage() function in Tk did not check codeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact. The updated packages have been patched to correct this issue. %description Tk is a X Windows widget set designed to work closely with the tcl scripting language. It allows you to write simple programs with full featured GUI's in only a little more time then it takes to write a text based interface. Tcl/Tk applications can also be run on Windows and Macintosh platforms. %package libqassistant1 libqt3support4 libqt4-devel libqtcore4 libqtdbus4 libqtdesigner1 libqtgui4 libqtnetwork4 libqtopengl4 libqtscript4 libqtsql4 libqtsvg4 libqttest4 libqtuitools4 libqtxml4 qt4-accessibility-plugin-lib qt4-assistant qt4-codecs-plugin-lib qt4-common qt4-database-plugin-mysql-lib qt4-database-plugin-odbc-lib qt4-database-plugin-pgsql-lib qt4-database-plugin-sqlite-lib qt4-designer qt4-doc qt4-examples qt4-linguist qt4-qtdbus qt4-qvfb qt4-tutorial Update: Thu Feb 07 19:39:10 2008 Importance: security ID: MDVSA-2008:042 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:042 %pre A potential vulnerability was discovered in Qt4 version 4.3.0 through 4.3.2 which may cause a certificate verification in SSL connections not to be performed. As a result, code that uses QSslSocket could be tricked into thinking that the certificate was verified correctly when it actually failed in one or more criteria. The updated packages have been patched to correct this issue. %description Qt is a GUI software toolkit which simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. Qt is written in C++ and is fully object-oriented. This package contains the shared library needed to run Qt applications, as well as the README files for Qt. %package park-rpmdrake rpmdrake Update: Fri Feb 08 08:54:16 2008 Importance: bugfix ID: MDVA-2008:024 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:024 %pre This update fixes a crash when reading packages with an empty backport media (#36720). This is a rare bug since DVD media did not include backport media, and network media provides a non-empty backport media. It also makes sure that a wait dialog always got destroyed (#36921). Due to a bug, in some error cases, the dialog was not destroyed, thus blocking the GUI until rpmdrake was closed. Last but not least, it makes MandrivaUpdate ignore backport media tagged as update (#36654). %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Fri Feb 08 12:17:20 2008 Importance: bugfix ID: MDVA-2008:025 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:025 %pre This drakxtools update package fixes issues with the hardrake tool to make sure that USB keys are not auto-configured by the service at boot (#34568), and adds back the Run Config tool button in the harddrake interface (#34794). An issue where bootloader-config would use vmlinuz-desktop or initrd-desktop.img instead of vmlinuz or initrd.img was corrected (#35721). A crash in drakfont where it would crash on names with meta characters was also fixed (#36482). It also contains other fixes for the bootloader-config, drakclock, draksec, and localdrake tools. %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. - drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options managment / msec frontend - draksplash: bootsplash themes creation %package kernel-2.6.22.18-1mdv kernel-desktop-2.6.22.18-1mdv kernel-desktop-devel-2.6.22.18-1mdv kernel-desktop-devel-latest kernel-desktop-latest kernel-desktop586-2.6.22.18-1mdv kernel-desktop586-devel-2.6.22.18-1mdv kernel-desktop586-devel-latest kernel-desktop586-latest kernel-doc kernel-laptop-2.6.22.18-1mdv kernel-laptop-devel-2.6.22.18-1mdv kernel-laptop-devel-latest kernel-laptop-latest kernel-server-2.6.22.18-1mdv kernel-server-devel-2.6.22.18-1mdv kernel-server-devel-latest kernel-server-latest kernel-source-2.6.22.18-1mdv kernel-source-latest Update: Mon Feb 11 23:36:21 2008 Importance: security ID: MDVSA-2008:044 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:044 %pre The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. NOTE: some of these details are obtained from third party information. (CVE-2007-5500) The tcp_sacktag_write_queue function in the Linux kernel 2.6.21 through 2.6.23.7 allowed remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference (CVE-2007-5501). The do_corefump function in fs/exec.c in the Linux kernel prior to 2.6.24-rc3 did not change the UID of a core dump file if it exists before a root process creates a core dump in the same location, which could possibly allow local users to obtain sensitive information (CVE-2007-6206). VFS in the Linux kernel before 2.6.22.16 performed tests of access mode by using the flag variable instead of the acc_mode variable, which could possibly allow local users to bypass intended permissions and remove directories (CVE-2008-0001). The Linux kernel prior to 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allowed local users to access kernel memory via an out-of-range offset (CVE-2008-0007). A flaw in the vmsplice system call did not properly verify address arguments passed by user-space processes, which allowed local attackers to overwrite arbitrary kernel memory and gain root privileges (CVE-2008-0600). Mandriva urges all users to upgrade to these new kernels immediately as the CVE-2008-0600 flaw is being actively exploited. This issue only affects 2.6.17 and newer Linux kernels, so neither Corporate 3.0 nor Corporate 4.0 are affected. Additionally, this kernel updates the version from 2.6.22.12 to 2.6.22.18 and fixes numerous other bugs, including: - fix freeze when ejecting a cm40x0 PCMCIA card - fix crash on unloading netrom - fixes alsa-related sound issues on Dell XPS M1210 and M1330 models - the HZ value was increased on the laptop kernel to increase interactivity and reduce latency - netfilter ipset, psd, and ifwlog support was re-enabled - unionfs was reverted to a working 1.4 branch that is less buggy To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description The kernel package contains the Linux kernel (vmlinuz), the core of your Mandriva Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc. For instructions for update, see: http://www.mandriva.com/en/security/kernelupdate %package desktop-common-data Update: Wed Feb 13 08:48:07 2008 Importance: bugfix ID: MDVA-2008:026 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:026 %pre In Mandriva Linux 2008.0 some utilities were not correctly displayed in Tools menu (such as Yakuake), and settings:// was not working properly in KDE konqueror. This update fixes the problems. %description This package contains useful icons, menu structure and others goodies for the Mandriva Linux desktop. %package free-kde-config mandriva-kde-config-common mandriva-kdm-config one-kde-config powerpack-kde-config Update: Wed Feb 13 08:53:32 2008 Importance: bugfix ID: MDVA-2008:027 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:027 %pre The KDE panel has a clock applet which includes de hability to change its appearance and behavior. Because of a configuration problem, this applet was not properly saving these changes were not properly saved, being lost at every user login. This update fixes the problem. %description This package regroups all specific Mandriva config file for KDE. (kicker config etc.) %package libdha1.0 mencoder mplayer mplayer-doc mplayer-gui Update: Thu Feb 14 13:45:37 2008 Importance: security ID: MDVSA-2008:045 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:045 %pre Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0225) Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0238) Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag. (CVE-2008-0485) Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. (CVE-2008-0486) Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r25824 allows remote user-assisted attackers to execute arbitrary code via a CDDB database entry containing a long album title. (CVE-2008-0629) Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code. (CVE-2008-0630) The updated packages have been patched to prevent these issues. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package libxine-devel libxine1 xine-aa xine-caca xine-dxr3 xine-esd xine-flac xine-gnomevfs xine-image xine-jack xine-plugins xine-pulse xine-sdl xine-smb Update: Fri Feb 15 12:24:52 2008 Importance: security ID: MDVSA-2008:046 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:046 %pre An array index vulnerability found in the FLAC audio demuxer might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. Although originally an MPlayer issue, it also affects xine-lib due to code similarity. The updated packages have been patched to prevent this issue. %description xine is a free gpl-licensed video player for unix-like systems. %package perl-IPTables-ChainMgr perl-IPTables-Parse psad Update: Fri Feb 15 13:13:54 2008 Importance: bugfix ID: MDVA-2008:028 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:028 %pre The package included with Mandriva Linux 2008 for psad had two problems. Firstly, it did not depend on perl-IPTables-ChainMgr, which in fact it does require to work. Secondly, the /etc/psad/ip_options file was incorrectly omitted from the package, making psad fail to start. This updated package fixes both issues. %description Port Scan Attack Detector (psad) is a collection of four lightweight system daemons written in Perl and C that are designed to work with Linux firewalling code (iptables in the 2.4.x kernels, and ipchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP, UDP, and ICMP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via nmap. Psad also uses packet TTL, IP id, TOS, and TCP window sizes to passively fingerprint the remote operating system from which scans originate. %package mozilla-thunderbird mozilla-thunderbird-be mozilla-thunderbird-bg mozilla-thunderbird-ca mozilla-thunderbird-cs mozilla-thunderbird-da mozilla-thunderbird-de mozilla-thunderbird-devel mozilla-thunderbird-el mozilla-thunderbird-en_GB mozilla-thunderbird-enigmail mozilla-thunderbird-enigmail-ca mozilla-thunderbird-enigmail-cs mozilla-thunderbird-enigmail-de mozilla-thunderbird-enigmail-el mozilla-thunderbird-enigmail-es mozilla-thunderbird-enigmail-es_AR mozilla-thunderbird-enigmail-fi mozilla-thunderbird-enigmail-fr mozilla-thunderbird-enigmail-hu mozilla-thunderbird-enigmail-it mozilla-thunderbird-enigmail-ja mozilla-thunderbird-enigmail-ko mozilla-thunderbird-enigmail-nb mozilla-thunderbird-enigmail-nl mozilla-thunderbird-enigmail-pl mozilla-thunderbird-enigmail-pt mozilla-thunderbird-enigmail-pt_BR mozilla-thunderbird-enigmail-ro mozilla-thunderbird-enigmail-ru mozilla-thunderbird-enigmail-sk mozilla-thunderbird-enigmail-sl mozilla-thunderbird-enigmail-sv mozilla-thunderbird-enigmail-tr mozilla-thunderbird-enigmail-zh_CN mozilla-thunderbird-enigmail-zh_TW mozilla-thunderbird-es_AR mozilla-thunderbird-es_ES mozilla-thunderbird-et_EE mozilla-thunderbird-eu mozilla-thunderbird-fi mozilla-thunderbird-fr mozilla-thunderbird-gu_IN mozilla-thunderbird-he mozilla-thunderbird-hu mozilla-thunderbird-it mozilla-thunderbird-ja mozilla-thunderbird-ko mozilla-thunderbird-lt mozilla-thunderbird-mk mozilla-thunderbird-moztraybiff mozilla-thunderbird-nb_NO mozilla-thunderbird-nl mozilla-thunderbird-nn_NO mozilla-thunderbird-pa_IN mozilla-thunderbird-pl mozilla-thunderbird-pt_BR mozilla-thunderbird-pt_PT mozilla-thunderbird-ru mozilla-thunderbird-sk mozilla-thunderbird-sl mozilla-thunderbird-sv_SE mozilla-thunderbird-tr mozilla-thunderbird-zh_CN mozilla-thunderbird-zh_TW nsinstall Update: Tue Feb 19 11:43:04 2008 Importance: security ID: MDVSA-2007:047 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2007:047 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.9. This update provides the latest Thunderbird to correct these issues. %description Mozilla Thunderbird is a full-featured email, RSS and newsgroup client that makes emailing safer, faster and easier than ever before. %package evolution evolution-devel evolution-mono evolution-pilot Update: Tue Feb 19 13:16:43 2008 Importance: bugfix ID: MDVA-2008:029 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:029 %pre A bug in Evolution was preventing the adding of remote calendars, which caused the application to crash. This update provides Evolution 2.12.3 which fixes this bug and other crash bugs, as well as including translation updates. %description Evolution is the GNOME mailer, calendar, contact manager and communications tool. The tools which make up Evolution will be tightly integrated with one another and act as a seamless personal information-management tool. %package kdelibs-common kdelibs-devel-doc libkdecore4 libkdecore4-devel Update: Tue Feb 19 13:51:14 2008 Importance: bugfix ID: MDVA-2008:030 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:030 %pre After a previous update (kdelibs-3.5.7-43.5mdv2008.0), Ark was able to open tar.bz2 archives, but couldn't show their content. The updated packages fix this issue. %description Libraries for the K Desktop Environment. %package libxine-devel libxine1 xine-aa xine-caca xine-dxr3 xine-esd xine-flac xine-gnomevfs xine-image xine-jack xine-plugins xine-pulse xine-sdl xine-smb Update: Wed Feb 20 14:59:28 2008 Importance: security ID: MDVSA-2008:046-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:046-1 %pre An array index vulnerability found in the FLAC audio demuxer might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. Although originally an MPlayer issue, it also affects xine-lib due to code similarity. The updated packages have been patched to prevent this issue. Update: The previous update used a bad patch which made Amarok interface very unresponsive while playing FLAC files. This new update fixes the security issue with a better patch. %description xine is a free gpl-licensed video player for unix-like systems. %package x11-driver-video-openchrome Update: Thu Feb 21 09:27:23 2008 Importance: bugfix ID: MDVA-2008:031 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:031 %pre The openchrome driver version shipped with Mandriva 2008.0 is not fully functional with most chrome based video cards available in the market. This update, requested by upstream developers, should correct the problems, and provide a more mature driver. %description A free and Open Source video driver for the VIA/S3G UniChrome and UniChrome Pro graphics chipsets. (CLE266, KN400, KM400, K8M800, PM800, CN400, VN800) %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1-devel libdevhelp-1_0 libmozilla-firefox-devel libmozilla-firefox2.0.0.12 libswt3-gtk2 libtotem-plparser-devel libtotem-plparser7 mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gnome-support mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Fri Feb 22 13:26:53 2008 Importance: security ID: MDVSA-2008:048 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:048 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.12. This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Tue Feb 26 12:40:25 2008 Importance: security ID: MDVSA-2008:051 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:051 %pre A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash. The updated packages have been patched to correct these issues. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package fluxbox Update: Tue Feb 26 15:27:13 2008 Importance: bugfix ID: MDVA-2008:032 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:032 %pre The fluxbox package had an incorrect post-installation script which prevented the additional fonts files to be installed correctly. This update package fixes the fonts installation. %description Fluxbox is yet another windowmanager for X. It's a fork from the origi- nal blackbox-0.61.1 code. Fluxbox looks like blackbox and handles styles, colors, window placement and similar thing exactly like black- box. So what's the difference between fluxbox and blackbox then? The answer is: LOTS! Have a look at the homepage for more info ;) %package libpcre-devel libpcre0 pcre Update: Wed Feb 27 12:24:12 2008 Importance: security ID: MDVSA-2008:053 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:053 %pre A buffer overflow in PCRE 7.x before 7.6 allows remote attackers to execute arbitrary code via a regular expression that contains a character class with a large number of characters with Unicode code points greater than 255. The updated packages have been patched to correct these issues. %description PCRE has its own native API, but a set of "wrapper" functions that are based on the POSIX API are also supplied in the library libpcreposix. Note that this just provides a POSIX calling interface to PCRE: the regular expressions themselves still follow Perl syntax and semantics. This package contains a grep variant based on the PCRE library. %package dbus dbus-x11 libdbus-1_3 libdbus-1_3-devel Update: Thu Feb 28 12:02:27 2008 Importance: security ID: MDVSA-2008:054 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:054 %pre A vulnerability was discovered by Havoc Pennington in how the dbus-daemon applied its security policy. A user with the ability to connect to the dbus-daemon could possibly execute certain method calls that they should not normally have access to. The updated packages have been patched to correct these issues. Users will have to reboot the system once these packages have been installed in order to prevent problems due to service dependencies on the messagebus service. %description D-Bus is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. %package ghostscript ghostscript-X ghostscript-common ghostscript-doc ghostscript-dvipdf ghostscript-module-X libgs8 libgs8-devel libijs1 libijs1-devel Update: Thu Feb 28 21:42:51 2008 Importance: security ID: MDVSA-2008:055 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:055 %pre Chris Evans found a buffer overflow condition in Ghostscript, which can lead to arbitrary code execution as the user running any application using it to process a maliciously crafted Postscript file. The updated packages have been patched to prevent this issue. %description Ghostscript is a set of software tools that provide a PostScript(TM) interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. Ghostscript translates PostScript code into many common, bitmapped and vector formats, like those understood by your printer or screen. Ghostscript is normally used to display PostScript files and to print PostScript files to non-PostScript printers. You should install ghostscript if you need to display PostScript or PDF files, or if you have a non-PostScript printer. %package gnumeric libspreadsheet1.7.12 libspreadsheet1.7.12-devel Update: Fri Feb 29 10:50:39 2008 Importance: security ID: MDVSA-2008:056 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:056 %pre A vulnerability was found in the excel_read_HLINK function in the Microsoft Excel plugin in Gnumeric prior to version 1.8.1 that would allow for the execution of arbitrary code via a crafted XLS file containing XLS HLINK opcodes. The updated packages have been patched to correct this issues. %description This is the Gnumeric, the GNOME spreadsheet program. If you are familiar with Excel, you should be ready to use Gnumeric. It tries to clone all of the good features and stay as compatible as possible with Excel in terms of usability. Hopefully the bugs have been left behind :). %package fluxbox Update: Fri Feb 29 17:05:38 2008 Importance: bugfix ID: MDVA-2008:032-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:032-1 %pre The fluxbox package had an incorrect post-installation script which prevented the additional fonts files to be installed correctly. Update: The previous package incorrectly added a requirement on a package that does not correct the problem. This update corrects that. %description Fluxbox is yet another windowmanager for X. It's a fork from the origi- nal blackbox-0.61.1 code. Fluxbox looks like blackbox and handles styles, colors, window placement and similar thing exactly like black- box. So what's the difference between fluxbox and blackbox then? The answer is: LOTS! Have a look at the homepage for more info ;) %package libwireshark-devel libwireshark0 tshark wireshark wireshark-tools Update: Mon Mar 03 11:52:27 2008 Importance: security ID: MDVSA-2008:057 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:057 %pre A few vulnerabilities were found in Wireshark, that could cause it to crash or consume excessive memory under certain conditions. This update rovides Wireshark 0.99.8 which is not vulnerable to the issues. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package libldap2.3_0 libldap2.3_0-devel libldap2.3_0-static-devel openldap openldap-clients openldap-doc openldap-servers openldap-testprogs openldap-tests Update: Wed Mar 05 09:27:24 2008 Importance: security ID: MDVSA-2008:058 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:058 %pre A vulnerability was found in slapo-pcache in slapd of OpenLDAP prior to 2.3.39 when running as a proxy-caching server. It would allocate memory using a malloc variant rather than calloc, which prevented an array from being properly initialized and could possibly allow attackers to cause a denial of service (CVE-2007-5708). Two vulnerabilities were found in how slapd handled modify (prior to 2.3.26) and modrdn (prior to 2.3.29) requests with NOOP control on objects stored in the BDB backend. An authenticated user with permission to perform modify (CVE-2007-6698) or modrdn (CVE-2008-0658) operations could cause slapd to crash. The updated packages have been patched to correct these issues. %description OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The suite includes a stand-alone LDAP server (slapd) and stand-alone LDAP replication server (slurpd) which are in the -servers package, libraries for implementing the LDAP protocol (in the lib packages), and utilities, tools, and sample clients (in the -clients package). The openldap binary package includes configuration files used by the libraries. Install openldap if you need LDAP applications and tools. %package libtcl-devel libtcl8.5 tcl Update: Wed Mar 05 11:57:37 2008 Importance: security ID: MDVSA-2008:059 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:059 %pre A flaw in the Tcl regular expression handling engine was originally discovered by Will Drewry in the PostgreSQL database server's Tcl regular expression engine. This flaw can result in an infinite loop when processing certain regular expressions. The updated packages have been patched to correct these issues. %description Tcl is a simple scripting language designed to be embedded into other applications. Tcl is designed to be used with Tk, a widget set, which is provided in the tk package. This package also includes tclsh, a simple example of a Tcl application. If you're installing the tcl package and you want to use Tcl for development, you should also install the tk and tclx packages. %package joomla joomla-administrator Update: Wed Mar 05 12:54:48 2008 Importance: security ID: MDVSA-2008:060 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:060 %pre Several severe security issues were discovered in the Joomla! PHP-based content management system. These issues have been fixed in version 1.0.15 which is provided with this update. %description Joomla! is a Content Management System (CMS) created by the same award-winning team that brought the Mambo CMS to its current state of stardom. %package mailman Update: Thu Mar 06 11:10:24 2008 Importance: security ID: MDVSA-2008:061 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:061 %pre Multiple cross-site scripting (XSS) vulnerabilities were found in Mailman prior to version 2.1.10b1, which allow remote attackers to inject arbitrary web script or HTML via edting templates and the list's info attribute in the web administrator interface. The updated packages have been patched to correct these issues. %description Mailman -- The GNU Mailing List Management System -- is a mailing list management system written mostly in Python. Features: o Most standard mailing list features, including: moderation, mail based commands, digests, etc... o An extensive Web interface, customizable on a per-list basis. o Web based list administration interface for *all* admin-type tasks o Automatic Web based hypermail-style archives (using pipermail or other external archiver), including provisions for private archives o Integrated mail list to newsgroup gatewaying o Integrated newsgroup to mail list gatewaying (polling-based... if you have access to the nntp server, you should be able to easily do non-polling based news->mail list gatewaying; email viega@list.org, I'd like to help get that going and come up with instructions) o Smart bounce detection and correction o Integrated fast bulk mailing o Smart spam protection o Extensible logging o Multiple list owners and moderators are possible o Optional MIME-compliant digests o Nice about which machine you subscribed from if you're from the right domain Conditional build options: mailman uid --with uid mail mailman gid --with gid mail %package mozilla-thunderbird mozilla-thunderbird-be mozilla-thunderbird-bg mozilla-thunderbird-ca mozilla-thunderbird-cs mozilla-thunderbird-da mozilla-thunderbird-de mozilla-thunderbird-devel mozilla-thunderbird-el mozilla-thunderbird-en_GB mozilla-thunderbird-enigmail mozilla-thunderbird-enigmail-ca mozilla-thunderbird-enigmail-cs mozilla-thunderbird-enigmail-de mozilla-thunderbird-enigmail-el mozilla-thunderbird-enigmail-es mozilla-thunderbird-enigmail-es_AR mozilla-thunderbird-enigmail-fi mozilla-thunderbird-enigmail-fr mozilla-thunderbird-enigmail-hu mozilla-thunderbird-enigmail-it mozilla-thunderbird-enigmail-ja mozilla-thunderbird-enigmail-ko mozilla-thunderbird-enigmail-nb mozilla-thunderbird-enigmail-nl mozilla-thunderbird-enigmail-pl mozilla-thunderbird-enigmail-pt mozilla-thunderbird-enigmail-pt_BR mozilla-thunderbird-enigmail-ro mozilla-thunderbird-enigmail-ru mozilla-thunderbird-enigmail-sk mozilla-thunderbird-enigmail-sl mozilla-thunderbird-enigmail-sv mozilla-thunderbird-enigmail-tr mozilla-thunderbird-enigmail-zh_CN mozilla-thunderbird-enigmail-zh_TW mozilla-thunderbird-es_AR mozilla-thunderbird-es_ES mozilla-thunderbird-et_EE mozilla-thunderbird-eu mozilla-thunderbird-fi mozilla-thunderbird-fr mozilla-thunderbird-gu_IN mozilla-thunderbird-he mozilla-thunderbird-hu mozilla-thunderbird-it mozilla-thunderbird-ja mozilla-thunderbird-ko mozilla-thunderbird-lt mozilla-thunderbird-mk mozilla-thunderbird-moztraybiff mozilla-thunderbird-nb_NO mozilla-thunderbird-nl mozilla-thunderbird-nn_NO mozilla-thunderbird-pa_IN mozilla-thunderbird-pl mozilla-thunderbird-pt_BR mozilla-thunderbird-pt_PT mozilla-thunderbird-ru mozilla-thunderbird-sk mozilla-thunderbird-sl mozilla-thunderbird-sv_SE mozilla-thunderbird-tr mozilla-thunderbird-zh_CN mozilla-thunderbird-zh_TW nsinstall Update: Thu Mar 06 15:47:10 2008 Importance: security ID: MDVSA-2008:062 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:062 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.12. This update provides the latest Thunderbird to correct these issues. %description Mozilla Thunderbird is a full-featured email, RSS and newsgroup client that makes emailing safer, faster and easier than ever before. %package evolution evolution-devel evolution-mono evolution-pilot Update: Thu Mar 06 16:40:33 2008 Importance: security ID: MDVSA-2008:063 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:063 %pre Ulf Harnhammar of Secunia Research discovered a format string flaw in how Evolution displayed encrypted mail content. If a user were to open a carefully crafted email message, arbitrary code could be executed with the permissions of the user running Evolution. The updated packages have been patched to correct this issue. %description Evolution is the GNOME mailer, calendar, contact manager and communications tool. The tools which make up Evolution will be tightly integrated with one another and act as a seamless personal information-management tool. %package tomboy Update: Fri Mar 07 11:04:17 2008 Importance: security ID: MDVSA-2008:064 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:064 %pre A flaw in how tomboy handles LD_LIBRARY_PATH was discovered where by appending paths to LD_LIBRARY_PATH the program would also search the current directory for shared libraries. In directories containing network data, those libraries could be injected into the application. The updated packages have been patched to correct this issue. %description Tomboy is a desktop note-taking application for Linux and Unix. Simple and easy to use, but with potential to help you organize the ideas and information you deal with every day. The key to Tomboy's usefulness lies in the ability to relate notes and ideas together. Using a WikiWiki-like linking system, organizing ideas is as simple as typing a name. Branching an idea off is easy as pressing the Link button. And links between your ideas won't break, even when renaming and reorganizing them. %package drakconf drakconf-icons Update: Wed Mar 12 20:43:25 2008 Importance: bugfix ID: MDVA-2008:035 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:035 %pre This drakconf update fixes a bug where some icons were hidden when translations contained certain meta characters. It also fixes a few translation errors, and enables visiting the Mandriva Tour from the Mandriva Control Center. %description drakconf includes the Mandriva Linux Control Center which is an interface to multiple utilities from DrakXtools. %package timezone timezone-java Update: Thu Mar 13 16:10:24 2008 Importance: normal ID: MDVA-2008:036 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:036 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2008 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package pdksh Update: Mon Mar 17 11:54:36 2008 Importance: bugfix ID: MDVA-2008:037 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:037 %pre The pdksh package shipped with Mandriva Linux 2008.0 contained a packaging bug where /usr/bin/ksh pointed to a non-existant target. This update corrects the problem. %description The pdksh package contains PD-ksh, a clone of the Korn shell (ksh). The ksh shell is a command interpreter intended for both interactive and shell script use. Ksh's command language is a superset of the sh shell language. Install the pdksh package if you want to use a version of the ksh shell. %package unzip Update: Tue Mar 18 16:20:21 2008 Importance: security ID: MDVSA-2008:068 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:068 %pre Tavis Ormandy of Google Security discovered an invalid pointer flaw in unzip that could lead to the execution of arbitrary code with the privileges of the user running unzip. The updated packages have been patched to correct this issue. %description unzip will list, test, or extract files from a ZIP archive, commonly found on MS-DOS systems. A companion program, zip, creates ZIP archives; both programs are compatible with archives created by PKWARE's PKZIP and PKUNZIP for MS-DOS, but in many cases the program options or default behaviors differ. This version also has encryption support. %package ftp-client-krb5 ftp-server-krb5 krb5 krb5-server krb5-workstation libkrb53 libkrb53-devel telnet-client-krb5 telnet-server-krb5 Update: Wed Mar 19 12:55:59 2008 Importance: security ID: MDVSA-2008:069 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:069 %pre Multiple memory management flaws were found in the GSSAPI library used by Kerberos that could result in the use of already freed memory or an attempt to free already freed memory, possibly leading to a crash or allowing the execution of arbitrary code (CVE-2007-5901, CVE-2007-5971). A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly %execute arbitrary code using malformed or truncated Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063). This issue only affects krb5kdc when it has Kerberos v4 protocol compatibility enabled, which is a compiled-in default in all Kerberos versions that Mandriva Linux ships prior to Mandriva Linux 2008.0. Kerberos v4 protocol support can be disabled by adding v4_mode=none (without quotes) to the [kdcdefaults] section of /etc/kerberos/krb5kdc/kdc.conf. A flaw in the RPC library as used in Kerberos' kadmind was discovered by Jeff Altman of Secure Endpoints. An unauthenticated remote attacker could use this vulnerability to crash kadmind or possibly execute arbitrary code in systems with certain resource limits configured; this does not affect the default resource limits used by Mandriva Linux (CVE-2008-0947). The updated packages have been patched to correct these issues. %description Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. %package kdepim kdepim-akregator kdepim-common kdepim-devel kdepim-devel-doc kdepim-kaddressbook kdepim-kandy kdepim-karm kdepim-kitchensync kdepim-kmail kdepim-knode kdepim-knotes kdepim-kontact kdepim-korganizer kdepim-korn kdepim-kpilot kdepim-ktnef kdepim-wizards libkdepim2-common libkdepim2-index libkdepim2-kaddressbook libkdepim2-kitchensync libkdepim2-kontact libkdepim2-korganizer libkdepim2-kpilot libkdepim2-ktnef libkdepim2-qopensync Update: Wed Mar 19 20:48:05 2008 Importance: bugfix ID: MDVA-2008:038 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:038 %pre When pasting cells from OpenOffice.org to KMail, on Mandriva Linux 2008.0, KMail would crash. This update corrects the issue. %description Information Management applications for the K Desktop Environment. - kaddressbook: The KDE addressbook application. - kandy: sync phone book entries between your cell phone and computer ("kandy" comes from "Handy", the german word used for a cellular) - korganizer: a calendar-of-events and todo-list manager - kpilot: to sync with your PalmPilot - kalarm: gui for setting up personal alarm/reminder messages - kalarmd: personal alarm/reminder messages daemon, shared by korganizer and kalarm. - kaplan: A shell for the PIM apps, still experimental. - karm: Time tracker. - kitchensync: Synchronisation framework, still under heavy development. - kfile-plugins: vCard KFIleItem plugin. - knotes: yellow notes application - konsolecalendar: Command line tool for accessing calendar files. - kmail: universal mail client - kmailcvt: converst addressbooks to kmail format %package kdeutils kdeutils-ark kdeutils-common kdeutils-kcalc kdeutils-kcharselect kdeutils-kdessh kdeutils-kdf kdeutils-kedit kdeutils-kfloppy kdeutils-kgpg kdeutils-khexedit kdeutils-kjots kdeutils-klaptop kdeutils-ksim kdeutils-ktimer kdeutils-kwalletmanager kdeutils-superkaramba libkdeutils1-common libkdeutils1-common-devel libkdeutils1-khexedit libkdeutils1-klaptop libkdeutils1-ksim Update: Wed Mar 19 20:49:08 2008 Importance: bugfix ID: MDVA-2008:039 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:039 %pre When the Kcharselect package is installed in Mandriva Linux 2008.0, the KDE kicker applet was not installed. This update corrects the problem. %description Utilities for the K Desktop Environment. - ark: manager for compressed files and archives - kcalc: scientific calculator - kcharselect: select special characters from any fonts and put them into the clipboard - charselectapplet: dito, but as a Kicker applet - kcardtools: - kdessh: front end to ssh - kdf: like 'df', a graphical free disk space viewer - kedit: a simple text editor, without formatting like bold, italics etc - kfloppy: format a floppy disks with this app - khexedit: binary file editor - kjots: manages several "books" with a subject and notes - klaptopdaemon: battery and power management, including KControl plugins - kregexpeditor: graphical regular expression editor - ktimer: execute programs after some time %package monitor-edid Update: Thu Mar 20 08:30:00 2008 Importance: bugfix ID: MDVA-2008:040 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:040 %pre This update adds support for getting EDID information from a different DDC port and uses it by default to also get port 1. %description This package will try to read the monitor details directly from the monitor. %package perl-Net-DNS Update: Thu Mar 20 11:32:56 2008 Importance: security ID: MDVSA-2008:073 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:073 %pre A vulnerability in the Net::DNS perl module was found that could allow remote attackers to cause a denial of service via a crafted DNS response. The updated packages have been patched to correct this issue. %description Net::DNS is a collection of Perl modules that act as a Domain Name System (DNS) resolver. It allows the programmer to perform DNS queries that are beyond the capabilities of gethostbyname and gethostbyaddr. The programmer should be somewhat familiar with the format of a DNS packet and its various sections. See RFC 1035 or DNS and BIND (Albitz & Liu) for details. %package audacity Update: Thu Mar 20 13:33:42 2008 Importance: security ID: MDVSA-2008:074 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:074 %pre Audacity creates a temporary directory with a predictable name without checking for previous existence of that directory, which allows local users to cause a denial of service (recording deadlock) by creating the directory before Audacity is run. This issue can also be leveraged to delete arbitrary files or directories via a symlink attack. The updated package fixes the issue. %description Audacity is a program that lets you manipulate digital audio waveforms. In addition to letting you record sounds directly from within the program, it imports many sound file formats, including WAV, AIFF, MP3 and Ogg/Vorbis. It supports all common editing operations such as Cut, Copy, and Paste, plus it will mix tracks and let you apply plug-in effects to any part of a sound. It also has a built-in amplitude envelope editor, a customizable spectrogram mode and a frequency analysis window for audio analysis applications. %package bzip2 libbzip2_1 libbzip2_1-devel Update: Sun Mar 23 12:38:44 2008 Importance: security ID: MDVSA-2008:075 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:075 %pre Bzip2 versions before 1.0.5 are vulnerable to a denial of service attack via malicious compressed data. The updated packages have been patched to prevent the issue. %description Bzip2 compresses files using the Burrows-Wheeler block-sorting text compression algorithm, and Huffman coding. Compression is generally considerably better than that achieved by more conventional LZ77/LZ78-based compressors, and approaches the performance of the PPM family of statistical compressors. The command-line options are deliberately very similar to those of GNU Gzip, but they are not identical. %package webmin Update: Mon Mar 24 15:37:24 2008 Importance: bugfix ID: MDVA-2008:041 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:041 %pre Webmin would always fail the login if the user's password contained UTF-8 non-ascii characters. This update corrects the issue. %description A web-based administration interface for Unix systems. Using Webmin you can configure DNS, Samba, NFS, local/remote filesystems, Apache, Sendmail/Postfix, and more using your web browser. After installation, enter the URL https://localhost:10000/ into your browser and login as root with your root password. Please consider logging in and modify your password for security issue. PLEASE NOTE THAT THIS VERSION NOW USES SECURE WEB TRANSACTIONS: YOU HAVE TO LOGIN TO "https://localhost:10000/" AND NOT "http://localhost:10000/". %package wml Update: Wed Mar 26 11:51:29 2008 Importance: security ID: MDVSA-2008:076 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:076 %pre Two vulnerabilities were found in the Website META Language (WML) package that allowed local users to overwrite arbitrary files via symlink attacks. The updated packages have been patched to correct these issues. %description WML is a free and extensible Webdesigner's off-line HTML generation toolkit for Unix, distributed under the GNU General Public License (GPL v2). It is written in ANSI C and Perl 5, build via a GNU Autoconf based source tree and runs out-of-the-box on all major Unix derivates. It can be used free of charge both in educational and commercial environments. %package perl-Tk perl-Tk-devel perl-Tk-doc Update: Wed Mar 26 15:04:56 2008 Importance: security ID: MDVSA-2008:077 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:077 %pre A vulnerability in perl-Tk was found where specially crafted GIF images could crash perl-Tk (an identical issue to that found in php-gd, gd, and SDL_image). The updated packages have been patched to correct this issue. %description This package provides the modules and Tk code for Perl/Tk, as written by Nick Ing-Simmons (pTk), John Ousterhout(Tk), and Ioi Kim Lam(Tix). It gives you the ability to develop perl applications using the Tk GUI. It includes the source code for the Tk and Tix elements it uses. The licences for the various components differ, so check the copyright. %package openssh openssh-askpass openssh-askpass-common openssh-askpass-gnome openssh-clients openssh-server Update: Wed Mar 26 16:30:25 2008 Importance: security ID: MDVSA-2008:078 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:078 %pre OpenSSH allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port. The updated packages have been patched to prevent this issue. %description Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL). This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. You can build openssh with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] skey smartcard support (disabled) --with[out] krb5 kerberos support (enabled) --with[out] watchdog watchdog support (disabled) --with[out] x11askpass X11 ask pass support (enabled) --with[out] gnomeaskpass Gnome ask pass support (enabled) --with[out] ldap OpenLDAP support (disabled) --with[out] sftpcontrol sftp file control support (disabled) --with[out] chroot chroot support (disabled) %package sarg Update: Thu Mar 27 13:11:17 2008 Importance: security ID: MDVSA-2008:079 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:079 %pre A stack-based buffer overflow in sarg (Squid Analysis Report Generator) allowed remote attackers to execute arbitrary code via a long Squid proxy server User-Agent header (CVE-2008-1167). A cross-site scripting vulnerability in sarg version 2.x prior to 2.2.5 allowed remote attackers to inject arbitrary web script or HTML via the User-Agent heder, which is not properly handled when displaying the Squid proxy log (CVE-2008-1168). In addition, a number of other fixes have been made such as making the getword() function more robust which should prevent any overflows, other segfaults have been fixed, and the useragent report is now more consistent with the other reports. The updated packages have been patched to correct these issues. %description Sarg (was Sqmgrlog) generate reports per user/ip/name from SQUID log file. The reports will be generated in HTML or email. %package park-rpmdrake rpmdrake Update: Fri Mar 28 00:14:25 2008 Importance: bugfix ID: MDVA-2008:042 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:042 %pre This update fixes a few minor issues like a rare crash on searching (#37626), a rare crash when an icon is missing (#37700) and a crash with non existing packages (#36529). We really query local packages with the proper UTF-8 locale. %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1-devel libdevhelp-1_0 libmozilla-firefox-devel libmozilla-firefox2.0.0.13 libswt3-gtk2 libtotem-plparser-devel libtotem-plparser7 mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gnome-support mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Fri Mar 28 14:55:32 2008 Importance: security ID: MDVSA-2008:080 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:080 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.13. This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Wed Apr 02 11:32:59 2008 Importance: security ID: MDVSA-2008:081 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:081 %pre A heap-based buffer overflow in CUPS 1.2.x and later was discovered by regenrecht of VeriSign iDenfense that could allow a remote attacker to execute arbitrary code via a crafted CGI search expression (CVE-2008-0047). A validation error in the Hp-GL/2 filter was also discovered (CVE-2008-0053). Finally, a vulnerability in how CUPS handled GIF files was found by Tomas Hoger of Red Hat, similar to previous issues corrected in PHP, gd, tk, netpbm, and SDL_image (CVE-2008-1373). The updated packages have been patched to correct these issues. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package timezone timezone-java Update: Fri Apr 04 13:32:09 2008 Importance: normal ID: MDVA-2008:043 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:043 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2008 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package audit libaudit0 libaudit-devel libaudit-static-devel python-audit system-config-audit Update: Wed Apr 09 13:50:07 2008 Importance: security ID: MDVSA-2008:083 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:083 %pre Joe Nall reported a stack-based buffer overflow in Audit's log handling that could allow remote attackers to execute arbitrary code via a long command argument (CVE-2008-1628). The updated packages have been patched to correct this issue. %description The audit package contains the user space utilities for storing and searching the audit records generate by the audit subsystem in the Linux 2.6 kernel. %package rsync Update: Fri Apr 11 14:01:56 2008 Importance: security ID: MDVSA-2008:084 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:084 %pre Sebastian Krahmer of SUSE discovered that rsync could overflow when handling ACLs. An attakcer could construct a malicious set of files that, when processed, could lead to arbitrary code execution or a crash (CVE-2008-1720). The updated packages have been patched to correct this issue. %description Rsync uses a quick and reliable algorithm to very quickly bring remote and host files into sync. Rsync is fast because it just sends the differences in the files over the network (instead of sending the complete files). Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package. Install rsync if you need a powerful mirroring program. This rpm has these patches applied from rsync tree: - acl: allow to mirror acl Rebuild the source rpm with `--without patches' if you don't want these patches %package rsync Update: Fri Apr 11 14:10:42 2008 Importance: security ID: MDVSA-2008:084 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:084 %pre Sebastian Krahmer of SUSE discovered that rsync could overflow when handling ACLs. An attakcer could construct a malicious set of files that, when processed, could lead to arbitrary code execution or a crash (CVE-2008-1720). The updated packages have been patched to correct this issue. %description Rsync uses a quick and reliable algorithm to very quickly bring remote and host files into sync. Rsync is fast because it just sends the differences in the files over the network (instead of sending the complete files). Rsync is often used as a very powerful mirroring process or just as a more capable replacement for the rcp command. A technical report which describes the rsync algorithm is included in this package. Install rsync if you need a powerful mirroring program. This rpm has these patches applied from rsync tree: - acl: allow to mirror acl Rebuild the source rpm with `--without patches' if you don't want these patches %package libpython2.5 libpython2.5-devel python python-base python-docs tkinter tkinter-apps Update: Tue Apr 15 00:26:34 2008 Importance: security ID: MDVSA-2008:085 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:085 %pre Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. The updated packages have been patched to prevent this issue. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. %package giftrans Update: Tue Apr 15 10:04:48 2008 Importance: bugfix ID: MDVA-2008:044 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:044 %pre The giftrans package was using the wrong path to the color definition file and couldn't be used at all. This update uses the correct path. %description Giftrans will convert an existing GIF87 file to GIF89 format. In other words, Giftrans can make one color in a .gif image (normally the background) transparent. Install the giftrans package if you need a quick, small, one-purpose graphics program to make transparent .gifs out of existing .gifs. %package clamav clamav-db clamav-milter clamd clamdmon klamav libclamav4 libclamav-devel Update: Thu Apr 17 15:18:01 2008 Importance: security ID: MDVSA-2008:088 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:088 %pre Multiple vulnerabilities were discovered in ClamAV and corrected with the 0.93 release, including: ClamAV 0.92 allowed local users to overwrite arbitrary files via a symlink attack on temporary files or on .ascii files in sigtool, when utf16-decode is enabled (CVE-2007-6595). A heap-based buffer overflow in ClamAV 0.92.1 allowed remote attackers to execute arbitrary code via a crafted PeSpin packed PE binary (CVE-2008-0314). An integer overflow in libclamav prior to 0.92.1 allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggered a heap-based buffer overflow (CVE-2008-0318). An unspecified vulnerability in ClamAV prior to 0.92.1 triggered heap corruption (CVE-2008-0728). A buffer overflow in ClamAV 0.92 and 0.92.1 allowed remote attackers to execute arbitrary code via a crafted Upack PE file (CVE-2008-1100). ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (CPU consumption) via a crafted ARJ archive (CVE-2008-1387). A heap-based buffer overflow in ClamAV 0.92.1 allowed remote attackers to execute arbitrary code via a crafted WWPack compressed PE binary (CVE-2008-1833). ClamAV prior to 0.93 allowed remote attackers to bypass the scanning engine via a RAR file with an invalid version number (CVE-2008-1835). A vulnerability in rfc2231 handling in ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (crash) via a crafted message that produced a string that was not null terminated, triggering a buffer over-read (CVE-2008-1836). A vulnerability in libclamunrar in ClamAV prior to 0.93 allowed remote attackers to cause a denial of service (crash) via a crafted RAR file (CVE-2008-1837). Other bugs have also been corrected in 0.93 which is being provided with this update. Because this new version has increased the major of the libclamav library, updated dependent packages are also being provided. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package kdeutils kdeutils-ark kdeutils-common kdeutils-kcalc kdeutils-kcharselect kdeutils-kdessh kdeutils-kdf kdeutils-kedit kdeutils-kfloppy kdeutils-kgpg kdeutils-khexedit kdeutils-kjots kdeutils-klaptop kdeutils-ksim kdeutils-ktimer kdeutils-kwalletmanager kdeutils-superkaramba libkdeutils1-common libkdeutils1-common-devel libkdeutils1-khexedit libkdeutils1-klaptop libkdeutils1-ksim Update: Fri Apr 18 15:00:31 2008 Importance: bugfix ID: MDVA-2008:046 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:046 %pre Mozilla Firefox on Mandriva Linux 2008.0 was not able to properly handle zip files if only Ark was installed due to a missing mimetype in Ark. This update provides the proper mimetype so zip files will be properly handled in Mozilla Firefox. %description Utilities for the K Desktop Environment. - ark: manager for compressed files and archives - kcalc: scientific calculator - kcharselect: select special characters from any fonts and put them into the clipboard - charselectapplet: dito, but as a Kicker applet - kcardtools: - kdessh: front end to ssh - kdf: like 'df', a graphical free disk space viewer - kedit: a simple text editor, without formatting like bold, italics etc - kfloppy: format a floppy disks with this app - khexedit: binary file editor - kjots: manages several "books" with a subject and notes - klaptopdaemon: battery and power management, including KControl plugins - kregexpeditor: graphical regular expression editor - ktimer: execute programs after some time %package libwireshark0 tshark wireshark wireshark-tools Update: Thu Apr 24 16:02:23 2008 Importance: security ID: MDVSA-2008:091 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:091 %pre A few vulnerabilities were found in Wireshark, that could cause it to crash or hang under certain conditions. This update provides Wireshark 1.0.0, which is not vulnerable to the issues. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package laptop-mode-tools Update: Fri Apr 25 09:37:14 2008 Importance: bugfix ID: MDVA-2008:047 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:047 %pre Default power management settings for hard disks may trigger excessive load/unload cycles on some disk models, and shorten their lifetime. This update package fixes the problem, by setting a less aggressive hard disk power management level. %description Userland scripts to control "laptop mode" Laptop mode is a Linux kernel feature that allows your laptop to save considerable power, by allowing the hard drive to spin down for longer periods of time. This package contains the userland scripts that are needed to enable laptop mode. %package gstreamer0.10-aalib gstreamer0.10-caca gstreamer0.10-dv gstreamer0.10-esound gstreamer0.10-flac gstreamer0.10-plugins-good gstreamer0.10-raw1394 gstreamer0.10-speex gstreamer0.10-wavpack Update: Tue Apr 29 12:27:34 2008 Importance: security ID: MDVSA-2008:092 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:092 %pre A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The speex plugin in the gstreamer-plugins-good package is similarly affected by this issue. The updated packages have been patched to correct this issue. %description GStreamer is a streaming-media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plug-ins. This package contains a set of plug-ins that are considered to have good quality code, correct functionality, the preferred license (LGPL for the plug-in code, LGPL or LGPL-compatible for the supporting library). People writing elements should base their code on these elements. %package vorbis-tools Update: Tue Apr 29 12:29:48 2008 Importance: security ID: MDVSA-2008:093 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:093 %pre A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The ogg123 application in vorbis-tools is similarly affected by this issue. The updated packages have been patched to correct this issue. %description This package contains oggenc (encoder), oggdec, ogg123 (command line player) vorbiscomment (metadata editor) and vcut (cut tool). Find some free Ogg Vorbis music here: http://www.vorbis.com/music/ %package libspeex1 libspeex1-devel libspeex1-static-devel speex Update: Tue Apr 29 12:33:09 2008 Importance: security ID: MDVSA-2008:094 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:094 %pre A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). The updated packages have been patched to correct this issue. %description Speex is a patent-free audio codec designed especially for voice (unlike Vorbis which targets general audio) signals and providing good narrowband and wideband quality. This project aims to be complementary to the Vorbis codec. %package openoffice.org openoffice.org-devel openoffice.org-devel-doc openoffice.org-galleries openoffice.org-gnome openoffice.org-kde openoffice.org-l10n-af openoffice.org-l10n-ar openoffice.org-l10n-bg openoffice.org-l10n-br openoffice.org-l10n-bs openoffice.org-l10n-ca openoffice.org-l10n-cs openoffice.org-l10n-cy openoffice.org-l10n-da openoffice.org-l10n-de openoffice.org-l10n-el openoffice.org-l10n-en_GB openoffice.org-l10n-es openoffice.org-l10n-et openoffice.org-l10n-eu openoffice.org-l10n-fi openoffice.org-l10n-fr openoffice.org-l10n-he openoffice.org-l10n-hi openoffice.org-l10n-hu openoffice.org-l10n-it openoffice.org-l10n-ja openoffice.org-l10n-ko openoffice.org-l10n-mk openoffice.org-l10n-nb openoffice.org-l10n-nl openoffice.org-l10n-nn openoffice.org-l10n-pl openoffice.org-l10n-pt openoffice.org-l10n-pt_BR openoffice.org-l10n-ru openoffice.org-l10n-sk openoffice.org-l10n-sl openoffice.org-l10n-sv openoffice.org-l10n-ta openoffice.org-l10n-tr openoffice.org-l10n-zh_CN openoffice.org-l10n-zh_TW openoffice.org-l10n-zu openoffice.org-mono openoffice.org-ooqstart Update: Fri May 02 08:59:46 2008 Importance: security ID: MDVSA-2008:095 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:095 %pre A vulnerability in HSQLDB before 1.8.0.9 in OpenOffice.org could allow user-assisted remote attackers to execute arbitrary Java code via crafted database documents (CVE-2007-4575). A heap overflow was discovered in OpenOffice.org's EMF parser. An attacker could create a carefully crafted EMF file that could cause OpenOffice.org to crash or potentially execute arbitrary code if the malicious EMF image was added to a document or if a document containing such an EMF file was opened (CVE-2007-5746). Multiple heap overflows and an integer underflow were discovered in the Quattro Pro(R) import filter. An attacker could create a carefully crafted Quattro Pro file that could cause OpenOffice.org ro crash or potentially execute arbitraty code (CVE-2007-5745, CVE-2007-5747). A heap overflow was discovered in the OLE Structured Storage file parser, a format used by Microsoft Office documents. An attacker could create a carefully crafted OLE file that could cause OpenOffice.org to crash or potentially execute arbitrary code (CVE-2008-0320). The updated packages have been patched to correct these issues. %description OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editing and drawing program, with a user interface and feature set similar to other office suites. Sophisticated and flexible, OpenOffice.org also works transparently with a variety of file formats, including Microsoft Office. %package libwine1 libwine1-devel wine Update: Fri May 02 19:42:12 2008 Importance: bugfix ID: MDVA-2008:057 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:057 %pre Some commercial Windows programs did not run under previous builds of Wine, producing an error message notifying the user that a debugger has been detected. This update corrects the issue. %description Wine is a program which allows running Microsoft Windows programs (including DOS, Windows 3.x and Win32 executables) on Unix. It consists of a program loader which loads and executes a Microsoft Windows binary, and a library (called Winelib) that implements Windows API calls using their Unix or X11 equivalents. The library may also be used for porting Win32 code into native Unix executables. %package drakx-net drakx-net-text libdrakx-net Update: Mon May 05 10:12:38 2008 Importance: bugfix ID: MDVA-2008:058 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:058 %pre This update enhances ndiswrapper drivers support (resolving bugs #28335, #34660, #37026, #37106), and madwifi driver support (resolving bugs #33044, #33531). It also fixes the configuration of cellular cards (bug ##36801). Also, some crashes have been fixed in the net_monitor tool (bugs #36537, #37635). %description This package contains the Mandriva network tools. net_applet: applet to check network connection net_monitor: connection monitoring %package emacs emacs-common emacs-doc emacs-el emacs-gtk emacs-leim emacs-nox Update: Tue May 06 13:16:09 2008 Importance: security ID: MDVSA-2008:096 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:096 %pre Steve Grubb found that the vcdiff script in Emacs create temporary files insecurely when used with SCCS. A local user could exploit a race condition to create or overwrite files with the privileges of the user invoking the program (CVE-2008-1694). The updated packages have been patched to correct this issue. %description Emacs-X11 includes the Emacs text editor program for use with the X Window System (it provides support for the mouse and other GUI elements). Emacs-X11 will also run Emacs outside of X, but it has a larger memory footprint than the 'non-X' Emacs package (emacs-nox). Install emacs if you are going to use Emacs with the X Window System. You should also install emacs if you're going to run Emacs both with and without X (it will work fine both ways). You'll also need to install the emacs-common package in order to run Emacs. %package kdelibs-common kdelibs-devel-doc libkdecore4 libkdecore4-devel Update: Tue May 06 15:02:17 2008 Importance: security ID: MDVSA-2008:097 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:097 %pre A vulnerability was found in start_kdeinit in KDE 3.5.5 through 3.5.9 where, if it was installed setuid root, it could allow local users to cause a denial of service or possibly execute arbitrary code (CVE-2008-1671). By default, start_kdeinit is not installed setuid root on Mandriva Linux, however updated packages have been patched to correct this issue. %description Libraries for the K Desktop Environment. %package openssh openssh-askpass openssh-askpass-common openssh-askpass-gnome openssh-clients openssh-server Update: Tue May 06 15:04:02 2008 Importance: security ID: MDVSA-2008:098 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:098 %pre A vulnerability in OpenSSH 4.4 through 4.8 allowed local attackers to bypass intended security restrictions enabling them to execute commands other than those specified by the ForceCommand directive, provided they are able to modify to ~/.ssh/rc (CVE-2008-1657). The updated packages have been patched to correct this issue. %description Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands in a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it up to date in terms of security and features, as well as removing all patented algorithms to separate libraries (OpenSSL). This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both. You can build openssh with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] skey smartcard support (disabled) --with[out] krb5 kerberos support (enabled) --with[out] watchdog watchdog support (disabled) --with[out] x11askpass X11 ask pass support (enabled) --with[out] gnomeaskpass Gnome ask pass support (enabled) --with[out] ldap OpenLDAP support (disabled) --with[out] sftpcontrol sftp file control support (disabled) --with[out] chroot chroot support (disabled) %package imagemagick imagemagick-desktop imagemagick-doc libmagick10.7.0 libmagick10.7.0-devel perl-Image-Magick Update: Thu May 08 14:39:10 2008 Importance: security ID: MDVSA-2008:099 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:099 %pre A heap-based buffer overflow vulnerability was found in how ImageMagick parsed XCF files. If ImageMagick opened a specially-crafted XCF file, it could be made to overwrite heap memory beyond the bounds of its allocated memory, potentially allowing an attacker to execute arbitrary code on the system running ImageMagick (CVE-2008-1096). Another heap-based buffer overflow vulnerability was found in how ImageMagick processed certain malformed PCX images. If ImageMagick opened a specially-crafted PCX image file, an attacker could possibly execute arbitrary code on the system running ImageMagick (CVE-2008-1097). The updated packages have been patched to correct these issues. %description ImageMagick is a powerful image display, conversion and manipulation tool. It runs in an X session. With this tool, you can view, edit and display a variety of image formats. Build Options: --with plf Build for PLF (fpx support) --with modules Compile all supported image types as modules --with jasper Enable JPEG2000 support (enabled) --with graphviz Enable Graphviz support (enabled) %package drakx-kbd-mouse-x11 Update: Thu May 08 16:37:31 2008 Importance: bugfix ID: MDVA-2008:059 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:059 %pre An updated XFdrake is available that corrects a number of bugs: - never write a ModeLine when using the fglrx driver (bug #30934) - if the EDID gives a valid EISA_ID, a valid 16/10 preferred resolution, but no HorizSync/VertRefresh, use a generic flat panel HorizSync/VertRefresh (needed for edid.lcd.Elonex-PR600) - add 800x480 (used on belinea s.book) - add 1024x600 (used on Samsung Q1Ultra) (bug #37889) - if the EDID gives a valid 16/10 preferred resolution (even if duplicated), but no HorizSync/VertRefresh, use a generic flat panel HorizSync/VertRefresh (needed for edid.lcd.dell-inspiron-6400, bug #37971) %description Keyboarddrake enables to configure the keyboard. Mousedrake enables to configure the mice. XFdrake enables to configure the graphic card. %package hal-info Update: Thu May 08 16:53:36 2008 Importance: bugfix ID: MDVA-2008:060 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:060 %pre An updated hal-info package fixes resume from suspend to RAM on HP 6710b systems. It had previously failed with a black screen on Mandriva Linux 2008.0. %description hal-info contains device information for HAL. %package park-rpmdrake rpmdrake Update: Fri May 09 11:51:12 2008 Importance: bugfix ID: MDVA-2008:061 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:061 %pre This update fixes a minor issue in rpmdrake; it prevents crashing if the RPM database is locked when trying to install some packages (bug #40244). %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Fri May 09 11:52:06 2008 Importance: bugfix ID: MDVA-2008:062 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:062 %pre This update fixes several minor issues: - some GUIes (eg: rpmdrake) would crash on clicking on the close button while they load (bug #35230) - draksec was crashing if the administrator refused to install (bug #38911) - localdrake: After changing the localization language from drakconf in a high security level, the permissions of /etc/sysconfig/i18n were changed such that the file was only readable by root. This caused graphical login via kdm to fail (bug #39027) %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. - drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options managment / msec frontend - draksplash: bootsplash themes creation %package perl perl-base perl-devel perl-doc perl-suid Update: Sun May 11 00:45:15 2008 Importance: security ID: MDVSA-2008:100 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:100 %pre A double free vulnerability in Perl 5.8.8 and earlier versions, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. The updated packages have been patched to prevent this. %description Perl is a high-level programming language with roots in C, sed, awk and shell scripting. Perl is good at handling processes and files, and is especially good at handling text. Perl's hallmarks are practicality and efficiency. While it is used to do a lot of different things, Perl's most common applications (and what it excels at) are probably system administration utilities and web programming. A large proportion of the CGI scripts on the web are written in Perl. You need the perl package installed on your system so that your system can handle Perl scripts. You need perl-base to have a full perl. %package rdesktop Update: Fri May 16 11:33:33 2008 Importance: security ID: MDVSA-2008:101 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:101 %pre Several vulnerabilities were discovered in rdesktop, a Remote Desktop Protocol client. An integer underflow vulnerability allowed attackers to cause a denial of service (crash) and possibly execute arbitrary code with the privileges of the logged-in user (CVE-2008-1801). A buffer overflow vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1802). An integer signedness vulnerability allowed attackers to execute arbitrary code with the privileges of the logged-in user (CVE-2008-1803). In order for these vulnerabilities to be exploited, an attacker must persuade a targeted user to connect to a malicious RDP server. The updated packages have been patched to correct these issues. %description rdesktop is an open source client for Windows NT Terminal Server and Windows 2000 Terminal Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. rdesktop currently runs on most UNIX based platforms with the X Window System, and other ports should be fairly straightforward. rdesktop is used through rfbdrake. %package libvorbis0 libvorbis-devel libvorbisenc2 libvorbisfile3 Update: Fri May 16 11:43:29 2008 Importance: security ID: MDVSA-2008:102 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:102 %pre Will Drewry of the Google Security Team reported several vulnerabilities in how libvorbis processed audio data. An attacker could create a carefuly crafted OGG audio file in such a way that it would cause an application linked to libvorbis to crash or possibly execute arbitray code when opened (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423). The updated packages have been patched to correct these issues. %description Ogg Vorbis is a fully open, non-proprietary, patent-and-royalty-free, general-purpose compressed audio format for audio and music at fixed and variable bitrates from 16 to 128 kbps/channel. Find some free Ogg Vorbis music here: http://www.vorbis.com/music.html %package libid3tag0 libid3tag0-devel Update: Mon May 19 11:54:59 2008 Importance: security ID: MDVSA-2008:103 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:103 %pre field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop. The updated packages have been patched to correct this. %description A library for reading and (eventually) writing ID3 tags, both ID3v1 and the various versions of ID3v2. %package xinitrc Update: Mon May 19 14:05:30 2008 Importance: bugfix ID: MDVA-2008:066 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:066 %pre This update corrects a problem where an incorrect path was being used to execute xdm scripts. %description The xinitrc package contains the xinitrc file, a script which is used to configure your X Window System session or to start a window manager. %package actuator-kernel-2.6.22.19-desktop-2mdv actuator-kernel-2.6.22.19-desktop586-2mdv actuator-kernel-2.6.22.19-laptop-2mdv actuator-kernel-2.6.22.19-server-2mdv actuator-kernel-desktop586-latest actuator-kernel-desktop-latest actuator-kernel-laptop-latest actuator-kernel-server-latest alsa_raoppcm-kernel-2.6.22.19-desktop-2mdv alsa_raoppcm-kernel-2.6.22.19-desktop586-2mdv alsa_raoppcm-kernel-2.6.22.19-laptop-2mdv alsa_raoppcm-kernel-2.6.22.19-server-2mdv alsa_raoppcm-kernel-desktop586-latest alsa_raoppcm-kernel-desktop-latest alsa_raoppcm-kernel-laptop-latest alsa_raoppcm-kernel-server-latest cdemu-kernel-2.6.22.19-desktop-2mdv cdemu-kernel-2.6.22.19-desktop586-2mdv cdemu-kernel-2.6.22.19-laptop-2mdv cdemu-kernel-2.6.22.19-server-2mdv cdemu-kernel-desktop586-latest cdemu-kernel-desktop-latest cdemu-kernel-laptop-latest cdemu-kernel-server-latest em8300-kernel-2.6.22.19-desktop-2mdv em8300-kernel-2.6.22.19-desktop586-2mdv em8300-kernel-2.6.22.19-laptop-2mdv em8300-kernel-2.6.22.19-server-2mdv em8300-kernel-desktop586-latest em8300-kernel-desktop-latest em8300-kernel-laptop-latest em8300-kernel-server-latest et131x-kernel-2.6.22.19-desktop-2mdv et131x-kernel-2.6.22.19-desktop586-2mdv et131x-kernel-2.6.22.19-laptop-2mdv et131x-kernel-2.6.22.19-server-2mdv et131x-kernel-desktop586-latest et131x-kernel-desktop-latest et131x-kernel-laptop-latest et131x-kernel-server-latest fglrx-hd2000-kernel-2.6.22.19-desktop-2mdv fglrx-hd2000-kernel-2.6.22.19-desktop586-2mdv fglrx-hd2000-kernel-2.6.22.19-laptop-2mdv fglrx-hd2000-kernel-2.6.22.19-server-2mdv fglrx-hd2000-kernel-desktop586-latest fglrx-hd2000-kernel-desktop-latest fglrx-hd2000-kernel-laptop-latest fglrx-hd2000-kernel-server-latest fglrx-kernel-2.6.22.19-desktop-2mdv fglrx-kernel-2.6.22.19-desktop586-2mdv fglrx-kernel-2.6.22.19-laptop-2mdv fglrx-kernel-2.6.22.19-server-2mdv fglrx-kernel-desktop586-latest fglrx-kernel-desktop-latest fglrx-kernel-laptop-latest fglrx-kernel-server-latest fuse-kernel-2.6.22.19-desktop-2mdv fuse-kernel-2.6.22.19-desktop586-2mdv fuse-kernel-2.6.22.19-laptop-2mdv fuse-kernel-2.6.22.19-server-2mdv fuse-kernel-desktop586-latest fuse-kernel-desktop-latest fuse-kernel-laptop-latest fuse-kernel-server-latest fusion-kernel-2.6.22.19-desktop-2mdv fusion-kernel-2.6.22.19-desktop586-2mdv fusion-kernel-2.6.22.19-laptop-2mdv fusion-kernel-2.6.22.19-server-2mdv fusion-kernel-desktop586-latest fusion-kernel-desktop-latest fusion-kernel-laptop-latest fusion-kernel-server-latest hcfpcimodem-kernel-2.6.22.19-desktop-2mdv hcfpcimodem-kernel-2.6.22.19-desktop586-2mdv hcfpcimodem-kernel-2.6.22.19-laptop-2mdv hcfpcimodem-kernel-2.6.22.19-server-2mdv hcfpcimodem-kernel-desktop586-latest hcfpcimodem-kernel-desktop-latest hcfpcimodem-kernel-laptop-latest hcfpcimodem-kernel-server-latest hsfmodem-kernel-2.6.22.19-desktop-2mdv hsfmodem-kernel-2.6.22.19-desktop586-2mdv hsfmodem-kernel-2.6.22.19-laptop-2mdv hsfmodem-kernel-2.6.22.19-server-2mdv hsfmodem-kernel-desktop586-latest hsfmodem-kernel-desktop-latest hsfmodem-kernel-laptop-latest hsfmodem-kernel-server-latest iscsitarget-kernel-2.6.22.19-desktop-2mdv iscsitarget-kernel-2.6.22.19-desktop586-2mdv iscsitarget-kernel-2.6.22.19-laptop-2mdv iscsitarget-kernel-2.6.22.19-server-2mdv iscsitarget-kernel-desktop586-latest iscsitarget-kernel-desktop-latest iscsitarget-kernel-laptop-latest iscsitarget-kernel-server-latest kernel-2.6.22.19-2mdv kernel-desktop-2.6.22.19-2mdv kernel-desktop586-2.6.22.19-2mdv kernel-desktop586-devel-2.6.22.19-2mdv kernel-desktop586-devel-latest kernel-desktop586-latest kernel-desktop-devel-2.6.22.19-2mdv kernel-desktop-devel-latest kernel-desktop-latest kernel-doc kernel-laptop-2.6.22.19-2mdv kernel-laptop-devel-2.6.22.19-2mdv kernel-laptop-devel-latest kernel-laptop-latest kernel-server-2.6.22.19-2mdv kernel-server-devel-2.6.22.19-2mdv kernel-server-devel-latest kernel-server-latest kernel-source-2.6.22.19-2mdv kernel-source-latest kqemu-kernel-2.6.22.19-desktop-2mdv kqemu-kernel-2.6.22.19-desktop586-2mdv kqemu-kernel-2.6.22.19-laptop-2mdv kqemu-kernel-2.6.22.19-server-2mdv kqemu-kernel-desktop586-latest kqemu-kernel-desktop-latest kqemu-kernel-laptop-latest kqemu-kernel-server-latest libafs-kernel-2.6.22.19-desktop-2mdv libafs-kernel-2.6.22.19-desktop586-2mdv libafs-kernel-2.6.22.19-laptop-2mdv libafs-kernel-2.6.22.19-server-2mdv libafs-kernel-desktop586-latest libafs-kernel-desktop-latest libafs-kernel-laptop-latest libafs-kernel-server-latest lirc-gpio-kernel-2.6.22.19-desktop-2mdv lirc-gpio-kernel-2.6.22.19-desktop586-2mdv lirc-gpio-kernel-2.6.22.19-laptop-2mdv lirc-gpio-kernel-2.6.22.19-server-2mdv lirc-gpio-kernel-desktop586-latest lirc-gpio-kernel-desktop-latest lirc-gpio-kernel-laptop-latest lirc-gpio-kernel-server-latest lirc-kernel-2.6.22.19-desktop-2mdv lirc-kernel-2.6.22.19-desktop586-2mdv lirc-kernel-2.6.22.19-laptop-2mdv lirc-kernel-2.6.22.19-server-2mdv lirc-kernel-desktop586-latest lirc-kernel-desktop-latest lirc-kernel-laptop-latest lirc-kernel-server-latest madwifi-kernel-2.6.22.19-desktop-2mdv madwifi-kernel-2.6.22.19-desktop586-2mdv madwifi-kernel-2.6.22.19-laptop-2mdv madwifi-kernel-2.6.22.19-server-2mdv madwifi-kernel-desktop586-latest madwifi-kernel-desktop-latest madwifi-kernel-laptop-latest madwifi-kernel-server-latest ndiswrapper-kernel-2.6.22.19-desktop-2mdv ndiswrapper-kernel-2.6.22.19-desktop586-2mdv ndiswrapper-kernel-2.6.22.19-laptop-2mdv ndiswrapper-kernel-2.6.22.19-server-2mdv ndiswrapper-kernel-desktop586-latest ndiswrapper-kernel-desktop-latest ndiswrapper-kernel-laptop-latest ndiswrapper-kernel-server-latest nvidia71xx-kernel-2.6.22.19-desktop-2mdv nvidia71xx-kernel-2.6.22.19-desktop586-2mdv nvidia71xx-kernel-2.6.22.19-laptop-2mdv nvidia71xx-kernel-2.6.22.19-server-2mdv nvidia71xx-kernel-desktop586-latest nvidia71xx-kernel-desktop-latest nvidia71xx-kernel-laptop-latest nvidia71xx-kernel-server-latest nvidia96xx-kernel-2.6.22.19-desktop-2mdv nvidia96xx-kernel-2.6.22.19-desktop586-2mdv nvidia96xx-kernel-2.6.22.19-laptop-2mdv nvidia96xx-kernel-2.6.22.19-server-2mdv nvidia96xx-kernel-desktop586-latest nvidia96xx-kernel-desktop-latest nvidia96xx-kernel-laptop-latest nvidia96xx-kernel-server-latest nvidia-current-kernel-2.6.22.19-desktop-2mdv nvidia-current-kernel-2.6.22.19-desktop586-2mdv nvidia-current-kernel-2.6.22.19-laptop-2mdv nvidia-current-kernel-2.6.22.19-server-2mdv nvidia-current-kernel-desktop586-latest nvidia-current-kernel-desktop-latest nvidia-current-kernel-laptop-latest nvidia-current-kernel-server-latest omfs-kernel-2.6.22.19-desktop-2mdv omfs-kernel-2.6.22.19-laptop-2mdv omfs-kernel-2.6.22.19-server-2mdv omfs-kernel-desktop-latest omfs-kernel-laptop-latest omfs-kernel-server-latest realcrypt-kernel-2.6.22.19-desktop-2mdv realcrypt-kernel-2.6.22.19-desktop586-2mdv realcrypt-kernel-2.6.22.19-laptop-2mdv realcrypt-kernel-2.6.22.19-server-2mdv realcrypt-kernel-desktop586-latest realcrypt-kernel-desktop-latest realcrypt-kernel-laptop-latest realcrypt-kernel-server-latest slmodem-kernel-2.6.22.19-desktop-2mdv slmodem-kernel-2.6.22.19-desktop586-2mdv slmodem-kernel-2.6.22.19-laptop-2mdv slmodem-kernel-2.6.22.19-server-2mdv slmodem-kernel-desktop586-latest slmodem-kernel-desktop-latest slmodem-kernel-laptop-latest slmodem-kernel-server-latest unicorn-kernel-2.6.22.19-desktop-2mdv unicorn-kernel-2.6.22.19-desktop586-2mdv unicorn-kernel-2.6.22.19-laptop-2mdv unicorn-kernel-2.6.22.19-server-2mdv unicorn-kernel-desktop586-latest unicorn-kernel-desktop-latest unicorn-kernel-laptop-latest unicorn-kernel-server-latest vboxadd-kernel-2.6.22.19-desktop-2mdv vboxadd-kernel-2.6.22.19-desktop586-2mdv vboxadd-kernel-2.6.22.19-laptop-2mdv vboxadd-kernel-2.6.22.19-server-2mdv vboxadd-kernel-desktop586-latest vboxadd-kernel-desktop-latest vboxadd-kernel-laptop-latest vboxadd-kernel-server-latest vboxvfs-kernel-2.6.22.19-desktop-2mdv vboxvfs-kernel-2.6.22.19-desktop586-2mdv vboxvfs-kernel-2.6.22.19-laptop-2mdv vboxvfs-kernel-2.6.22.19-server-2mdv vboxvfs-kernel-desktop586-latest vboxvfs-kernel-desktop-latest vboxvfs-kernel-laptop-latest vboxvfs-kernel-server-latest virtualbox-kernel-2.6.22.19-desktop-2mdv virtualbox-kernel-2.6.22.19-desktop586-2mdv virtualbox-kernel-2.6.22.19-laptop-2mdv virtualbox-kernel-2.6.22.19-server-2mdv virtualbox-kernel-desktop586-latest virtualbox-kernel-desktop-latest virtualbox-kernel-laptop-latest virtualbox-kernel-server-latest Update: Tue May 20 13:16:52 2008 Importance: security ID: MDVSA-2008:104 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:104 %pre A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375) The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669) Additionaly, the updated kernel for Mandriva Linux 2008.0 has bug fixes for sound on NEC S970 systems, an oops in module rt73, and the -devel package fixes DKMS builds. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description %package gnutls libgnutls13 libgnutls-devel Update: Fri May 23 16:14:58 2008 Importance: security ID: MDVSA-2008:106 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:106 %pre Flaws discovered in versions prior to 2.2.4 (stable) and 2.3.10 (development) of GnuTLS allow an attacker to cause denial of service (application crash), and maybe (so far undetermined) execute arbitrary code. The updated packages have been patched to fix these flaws. Note that any applications using this library must be restarted for the update to take effect. %description GnuTLS is a project that aims to develop a library which provides a secure layer, over a reliable transport layer. %package nfs-utils nfs-utils-clients Update: Mon May 26 10:09:17 2008 Importance: bugfix ID: MDVA-2008:071 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:071 %pre The nfs server initscript in Mandriva Linux 2008 and 2008 Spring releases lacked support for NFS quota, preventing quota information to be available on user side. The updated packages fix this issue. %description The nfs-utils package provides a daemon for the kernel NFS server and related tools, which provides a much higher level of performance than the traditional Linux NFS server used by most users. This package also contains the showmount program. Showmount queries the mount daemon on a remote host for information about the NFS (Network File System) server on the remote host. For example, showmount can display the clients which are mounted on that host. %package libsmbclient0 libsmbclient0-devel libsmbclient0-static-devel mount-cifs nss_wins samba-client samba-common samba-doc samba-server samba-smbldap-tools samba-swat samba-vscan-clamav samba-vscan-icap samba-winbind Update: Wed May 28 14:47:47 2008 Importance: security ID: MDVSA-2008:108 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:108 %pre %description Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba also provides some SMB clients, which complement the built-in SMB filesystem in Linux. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol. Samba-3.0 features working NT Domain Control capability and includes the SWAT (Samba Web Administration Tool) that allows samba's smb.conf file to be remotely managed using your favourite web browser. For the time being this is being enabled on TCP port 901 via xinetd. SWAT is now included in it's own subpackage, samba-swat. Please refer to the WHATSNEW.txt document for fixup information. This binary release includes encrypted password support. Please read the smb.conf file and ENCRYPTION.txt in the docs directory for implementation details. %package drakconf drakconf-icons Update: Wed May 28 16:24:11 2008 Importance: bugfix ID: MDVA-2008:075 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:075 %pre This update fixes a crash that some users saw, which resulted in either a segfault or a strange perl error (bug #34505). %description drakconf includes the Mandriva Linux Control Center which is an interface to multiple utilities from DrakXtools. %package timezone timezone-java Update: Mon Jun 02 15:27:43 2008 Importance: normal ID: MDVA-2008:082 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:082 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2008 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package GConf2 libGConf2_4 libGConf2-devel Update: Tue Jun 03 12:55:38 2008 Importance: bugfix ID: MDVA-2008:083 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:083 %pre A missing dependency could prevent gconftool symlink to be create at package install time, when installing a minimal system. This update fixes that issue. %description GConf is a configuration data storage mechanism scheduled to ship with GNOME 2.0. GConf does work without GNOME however; it can be used with plain GTK+, Xlib, KDE, or even text mode applications as well. %package dumpcap libwireshark0 libwireshark-devel rawshark tshark wireshark wireshark-tools Update: Thu Jun 05 18:34:46 2008 Importance: bugfix ID: MDVA-2008:089 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:089 %pre The previous update of wireshark had the dumpcap program, which is required by both wireshark and tshark, in the wireshark package. If a user installed tshark, it would not properly operate unless the wireshark package was also installed. This update corrects the problem by providing a new dumpcap package that both wireshark and tshark require. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1_0 libdevhelp-1-devel libmozilla-firefox2.0.0.14 libmozilla-firefox-devel libswt3-gtk2 libtotem-plparser7 libtotem-plparser-devel mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Thu Jun 05 20:29:40 2008 Importance: security ID: MDVSA-2008:110 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:110 %pre Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.14. This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package evolution evolution-devel evolution-mono evolution-pilot Update: Tue Jun 10 10:53:28 2008 Importance: security ID: MDVSA-2008:111 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:111 %pre Alan Rad Pop of Secunia Research discovered the following two vulnerabilities in Evolution: Evolution did not properly validate timezone data when processing iCalendar attachments. If a user disabled the Itip Formatter plugin and viewed a crafted iCalendar attachment, an attacker could cause a denial of service or potentially execute arbitrary code with the user's privileges (CVE-2008-1108). Evolution also did not properly validate the DESCRIPTION field when processing iCalendar attachments. If a user were tricked into accepting a crafted iCalendar attachment and replied to it from the calendar window, an attacker could cause a denial of service or potentially execute arbitrary code with the user's privileges (CVE-2008-1109). In addition, Matej Cepl found that Evolution did not properly validate date fields when processing iCalendar attachments, which could lead to a denial of service if the user viewed a crafted iCalendar attachment with the Itip Formatter plugin disabled. Mandriva Linux has the Itip Formatter plugin enabled by default. The updated packages have been patched to prevent these issues. %description Evolution is the GNOME mailer, calendar, contact manager and communications tool. The tools which make up Evolution will be tightly integrated with one another and act as a seamless personal information-management tool. %package python-sip Update: Wed Jun 11 13:21:31 2008 Importance: bugfix ID: MDVA-2008:092 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:092 %pre The python-sip package in Mandriva Linux 2008.0 release contained a packaging bug, making it fail to obsolete old package names. That would lead to an upgrade failure, and python-devel would not install due to unsatisfied dependencies. This update fixes that issue. %description SIP is a tool that makes it very easy to create Python bindings for C and C++ libraries. It was originally developed to create PyQt, the Python bindings for the Qt toolkit, but can be used to create bindings for any C or C++ library. %package kdesdk kdesdk-cervisia kdesdk-kbabel kdesdk-kcachegrind kdesdk-kompare kdesdk-po2xml kdesdk-umbrello libkdesdk1 libkdesdk1-cervisia libkdesdk1-cervisia-devel libkdesdk1-devel libkdesdk1-kbabel libkdesdk1-kbabel-devel Update: Wed Jun 11 14:58:52 2008 Importance: bugfix ID: MDVA-2008:093 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:093 %pre kdesdk packages in Mandriva Linux 2008 and 2008 Spring had packaging bugs which led to the subversion ioslave to not build and thus not be provided. The updated packages fixed the bugs and provide the subversion access ioslave. %description Software Development Kit for the K Desktop Environment. %package util-linux-ng Update: Fri Jun 13 15:14:51 2008 Importance: security ID: MDVSA-2008:114 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:114 %pre Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events. The updated packages have been patched to fix the issue. %description The util-linux-ng package contains a large variety of low-level system utilities that are necessary for a Linux system to function. Among others, Util-linux contains the fdisk configuration tool and the login program. %package kdesdk kdesdk-cervisia kdesdk-kbabel kdesdk-kcachegrind kdesdk-kompare kdesdk-po2xml kdesdk-umbrello libkdesdk1 libkdesdk1-cervisia libkdesdk1-cervisia-devel libkdesdk1-devel libkdesdk1-kbabel libkdesdk1-kbabel-devel Update: Sat Jun 14 08:35:06 2008 Importance: bugfix ID: MDVA-2008:093-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:093-1 %pre kdesdk packages in Mandriva Linux 2008 and 2008 Spring had packaging bugs which led to the subversion ioslave to not build and thus not be provided. The updated packages fixed the bugs and provide the subversion access ioslave. Update: The previous kdesdk update placed subversion-related files in such a way that they conflicted with kdesvn. This update corrects that issue. %description Software Development Kit for the K Desktop Environment. %package rsh rsh-server Update: Sat Jun 14 09:14:51 2008 Importance: bugfix ID: MDVA-2008:095 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:095 %pre A bug in the rsh package prevented it from having the alternatives symlinks created if installed via auto_inst.cfg.pl. This update corrects the issue. %description The rsh package contains a set of programs which allow users to run commmands on remote machines, login to other machines and copy files between machines (rsh, rlogin and rcp). All three of these commands use rhosts style authentication. This package contains the clients needed for all of these services. The rsh package should be installed to enable remote access to other machines. %package ntfs-3g ntfs-3g-devel Update: Sat Jun 14 10:00:52 2008 Importance: bugfix ID: MDVA-2008:096 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:096 %pre In certain rare circumstances, any area of an NTFS volume, excluding the NTFS boot sector, could get corrupted. The chances for this to happen are greater when the disk is close to full utilization and when using one of the more uncommon, less than 4096 byte cluster sizes. The updated packages correct this issue. %description The ntfs-3g package contains NTFS filesystem driver with read and write support. It provides safe and fast handling of MS Windows Vista, XP, 2000 and Server 2003 NTFS file systems. Most POSIX file system operations are supported, with the exceptions of full file ownership and access right support. %package x11-server x11-server-common x11-server-devel x11-server-xati x11-server-xchips x11-server-xdmx x11-server-xephyr x11-server-xepson x11-server-xfake x11-server-xfbdev x11-server-xgl x11-server-xi810 x11-server-xmach64 x11-server-xmga x11-server-xneomagic x11-server-xnest x11-server-xnvidia x11-server-xorg x11-server-xpm2 x11-server-xr128 x11-server-xsdl x11-server-xsmi x11-server-xvesa x11-server-xvfb x11-server-xvia x11-server-xvnc Update: Mon Jun 16 10:59:20 2008 Importance: security ID: MDVSA-2008:116 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:116 %pre An input validation flaw was found in X.org's Security and Record extensions. A malicious authorized client could exploit the issue to cause a denial of service (crash) or possibly execute arbitrary code with root privileges on the X.org server (CVE-2008-1377). An input validation flaw was found in X.org's MIT-SHM extension. A client connected to the X.org server could read arbitrary server memory, resulting in the disclosure of sensitive data of other users of the X.org server (CVE-2008-1379). Multiple integer overflows were found in X.org's Render extension. A malicious authorized client could explot these issues to cause a denial of service (crash) or possibly execute arbitrary code with root privileges on the X.org server (CVE-2008-2360, CVE-2008-2361, CVE-2008-2362). In addition, this update corrects a problem that could cause memory corruption or segfaults in the render code of the vnc server on Mandriva Linux 2008.1 The updated packages have been patched to prevent these issues. %description X11 servers %package fetchmail fetchmailconf fetchmail-daemon Update: Thu Jun 19 19:45:41 2008 Importance: security ID: MDVSA-2008:117 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:117 %pre A flaw in fetchmail was discovered that allowed remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed message with long headers. The crash only occured when fetchmail was called in '-v -v' mode (CVE-2008-2711). The updated packages have been patched to prevent this issue. %description Fetchmail is a free, full-featured, robust, and well-documented remote mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It retrieves mail from remote mail servers and forwards it to your local (client) machine's delivery system, so it can then be read by normal mail user agents such as Mutt, Elm, Pine, (X)Emacs/Gnus or Mailx. It comes with an interactive GUI configurator suitable for end-users. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN) for retrieval. Then Fetchmail forwards the mail through SMTP, so you can read it through your normal mail client. %package libnet-snmp15 libnet-snmp-devel libnet-snmp-static-devel net-snmp net-snmp-mibs net-snmp-trapd net-snmp-utils perl-NetSNMP Update: Fri Jun 20 12:15:23 2008 Importance: security ID: MDVSA-2008:118 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:118 %pre A vulnerability was found in how Net-SNMP checked an SNMPv3 packet's Keyed-Hash Message Authentication Code (HMAC). An attacker could exploit this flaw to spoof an authenticated SNMPv3 packet (CVE-2008-0960). A buffer overflow was found in the perl bindings for Net-SNMP that could be exploited if an attacker could convince an application using the Net-SNMP perl modules to connect to a malicious SNMP agent (CVE-2008-2292). The updated packages have been patched to prevent these issues. %description SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl mib browser. This package contains the snmpd and snmptrapd daemons, documentation, etc. You will probably also want to install the net-snmp-utils package, which contains NET-SNMP utilities. %package exiv2 libexiv2 libexiv2-devel Update: Fri Jun 20 21:05:14 2008 Importance: security ID: MDVSA-2008:119 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:119 %pre A flaw was found in exiv2 that would cause exiv2, or applictions linked to libexiv2, to crash on image files with certain metadata in the image (CVE-2008-2696). The updated packages have been patched to prevent this issue. %description Exiv2 is a command line utility to access image metadata. Exiv2 is free software. The Exiv2 library provides * full read and write access to the Exif and IPTC metadata of an image through Exiv2 keys and standard C++ iterators (Example1, Example2, Example3, Example4) * a smart IPTC implementation that does not affect data that programs like Photoshop store in the same image segment * Exif MakerNote support: o MakerNote tags can be accessed just like any other Exif metadata o a sophisticated write algorithm avoids corrupting the MakerNote: 1) the MakerNote is not re-located if possible at all, and 2) MakerNote Ifd offsets are re-calculated if the MakerNote needs to be moved (for known Ifd MakerNotes) * extract and delete methods for Exif thumbnails (both, JPEG and TIFF thumbnails) * set methods for Exif thumbnails (JPEG only, TIFF thumbnails can be set from individual tags) * complete API documentation (by Doxygen) Exiv2 is a command line utility to * print the Exif metadata of JPEG, TIFF and several RAW image formats as summary info, interpreted values, or the plain data for each tag (a sample is here) * print the IPTC metadata of JPEG images * print, set and delete the JPEG comment of JPEG images * set, add and delete Exif and IPTC metadata of JPEG images * adjust the Exif timestamp (that's how it all started...) * rename Exif image files according to the Exif timestamp * extract, insert and delete Exif metadata, IPTC metadata and JPEG comments * extract, insert and delete the thumbnail image embedded in the Exif metadata * fix the Exif ISO setting of picture taken with Nikon cameras %package libfreetype6 libfreetype6-devel libfreetype6-static-devel Update: Mon Jun 23 12:10:40 2008 Importance: security ID: MDVSA-2008:121 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:121 %pre Multiple vulnerabilities were discovered in FreeType's Printer Font Binary (PFB) font-file format parser. If a user were to load a carefully crafted font file with a program linked against FreeType, it could cause the application to crash or potentially execute arbitrary code (CVE-2008-1806, CVE-2008-1807, CVE-2008-1808). The updated packages have been patched to prevent this issue. %description The FreeType2 engine is a free and portable TrueType font rendering engine. It has been developed to provide TT support to a great variety of platforms and environments. Note that FreeType2 is a library, not a stand-alone application, though some utility applications are included %package clamav clamav-db clamav-milter clamd libclamav4 libclamav-devel Update: Tue Jun 24 10:09:53 2008 Importance: security ID: MDVSA-2008:122 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:122 %pre A vulnerability was discovered in ClamAV and corrected with the 0.93.1 release: libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to cause a denial of service via a crafted Petite file that triggers an out-of-bounds read. (CVE-2008-2713) Other bugs have also been corrected in 0.93.1 which is being provided with this update. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package imlib2-data libimlib2_1 libimlib2_1-filters libimlib2_1-loaders libimlib2-devel Update: Wed Jun 25 10:01:51 2008 Importance: security ID: MDVSA-2008:123 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:123 %pre Stefan Cornelius discovered two buffer overflows in Imlib's image loaders for PNM and XPM images, which could possibly result in the execution of arbitrary code (CVE-2008-2426). The updated packages have been patched to prevent this issue. %description Imlib2 is an advanced replacement library for libraries like libXpm that provides many more features with much greater flexibility and speed than standard libraries, including font rasterization, rotation, RGBA space rendering and blending, dynamic binary filters, scripting, and more. Build Options: --with mmx Enable mmx cpu detection (10% - 30% speedup) %package libxine1 libxine-devel xine-aa xine-caca xine-dxr3 xine-esd xine-flac xine-gnomevfs xine-image xine-jack xine-plugins xine-pulse xine-sdl xine-smb Update: Thu Jun 26 13:58:17 2008 Importance: security ID: MDVSA-2008:124 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:124 %pre A vulnerability in the Speex library was found where it did not properly validate input values read from the Speex files headers. An attacker could create a malicious Speex file that would crash an application or potentially allow the execution of arbitrary code with the privileges of the application calling the Speex library (CVE-2008-1686). Xine-lib is similarly affected by this issue. As well, the previous version of xine as provided in Mandriva Linux 2008.1 would crash when playing matroska files, and a regression was introduced that prevented Amarok from playing m4a files. The updated packages have been patched to correct this issue. %description xine is a free gpl-licensed video player for unix-like systems. %package libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-dbase php-devel php-dom php-exif php-fcgi php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-json php-ldap php-mbstring php-mcrypt php-mhash php-mime_magic php-ming php-mssql php-mysql php-mysqli php-ncurses php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zlib Update: Thu Jul 03 14:58:21 2008 Importance: security ID: MDVSA-2008:127 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:127 %pre A number of vulnerabilities have been found and corrected in PHP: The htmlentities() and htmlspecialchars() functions in PHP prior to 5.2.5 accepted partial multibyte sequences, which has unknown impact and attack vectors (CVE-2007-5898). The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which could allow a remote attacker to obtain potentially sensitive information by reading the requests for this URL (CVE-2007-5899). php-cgi in PHP prior to 5.2.6 does not properly calculate the length of PATH_TRANSLATED, which has unknown impact and attack vectors (CVE-2008-0599). The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown impact and context-dependent attack vectors related to incomplete multibyte characters (CVE-2008-2051). Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5 were discovered that could produce a zero seed in rare circumstances on 32bit systems and generations a portion of zero bits during conversion due to insufficient precision on 64bit systems (CVE-2008-2107, CVE-2008-2108). The IMAP module in PHP uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) via a long IMAP request (CVE-2008-2829). In addition, this update also corrects an issue with some float to string conversions. The updated packages have been patched to correct these issues. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. %package gnome-screensaver Update: Fri Jul 04 13:25:53 2008 Importance: security ID: MDVSA-2008:132 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:132 %pre A vulnerability was found in gnome-screensaver prior to 2.22.1 when a remote authentication server was enabled. During a network outage, gnome-screensaver would crash upon an unlock attempt, allowing physically local users to gain access to locked sessions (CVE-2008-0887). The updated packages have been patched to correct this issue. %description gnome-screensaver is a screen saver and locker that aims to have simple, sane, secure defaults and be well integrated with the desktop. It is designed to support: * the ability to lock down configuration settings * translation into other languages * user switching %package squid squid-cachemgr Update: Fri Jul 04 15:20:00 2008 Importance: security ID: MDVSA-2008:134 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:134 %pre An incorrect fix for CVE-2007-6239 resulted in Squid not performing proper bounds checking when processing cache update replies. Because of this, a remote authenticated user might have been able to trigger an assertion error and cause a denial of service (CVE-2008-1612). The updated packages have been patched to correct this issue. %description Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. Install squid if you need a proxy caching server. This package defaults to a maximum of 1024 filedescriptors. You can change this value at build time by using for example: --define 'maxfiles 4096' The package was built to support a maximum of 1024 filedescriptors. %package gnome-screensaver Update: Fri Jul 04 18:16:14 2008 Importance: security ID: MDVSA-2008:135 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:135 %pre A vulnerability was found in gnome-screensaver 2.20.0 that could possibly allow a local user to read the clipboard contents and X selection data for a locked session by using CTRL-V (CVE-2007-6389). The updated packages have been patched to correct this issue. %description gnome-screensaver is a screen saver and locker that aims to have simple, sane, secure defaults and be well integrated with the desktop. It is designed to support: * the ability to lock down configuration settings * translation into other languages * user switching %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1_0 libdevhelp-1-devel libmozilla-firefox2.0.0.15 libmozilla-firefox-devel libswt3-gtk2 libtotem-plparser7 libtotem-plparser-devel mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Tue Jul 08 12:21:54 2008 Importance: security ID: MDVSA-2008:136 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:136 %pre Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.15 (CVE-2008-2798, CVE-2008-2799, CVE-2008-2800, CVE-2008-2801, CVE-2008-2802, CVE-2008-2803, CVE-2008-2805, CVE-2008-2807, CVE-2008-2808, CVE-2008-2809, CVE-2008-2811). This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package openoffice.org openoffice.org-devel openoffice.org-devel-doc openoffice.org-galleries openoffice.org-gnome openoffice.org-kde openoffice.org-l10n-af openoffice.org-l10n-ar openoffice.org-l10n-bg openoffice.org-l10n-br openoffice.org-l10n-bs openoffice.org-l10n-ca openoffice.org-l10n-cs openoffice.org-l10n-cy openoffice.org-l10n-da openoffice.org-l10n-de openoffice.org-l10n-el openoffice.org-l10n-en_GB openoffice.org-l10n-es openoffice.org-l10n-et openoffice.org-l10n-eu openoffice.org-l10n-fi openoffice.org-l10n-fr openoffice.org-l10n-he openoffice.org-l10n-hi openoffice.org-l10n-hu openoffice.org-l10n-it openoffice.org-l10n-ja openoffice.org-l10n-ko openoffice.org-l10n-mk openoffice.org-l10n-nb openoffice.org-l10n-nl openoffice.org-l10n-nn openoffice.org-l10n-pl openoffice.org-l10n-pt openoffice.org-l10n-pt_BR openoffice.org-l10n-ru openoffice.org-l10n-sk openoffice.org-l10n-sl openoffice.org-l10n-sv openoffice.org-l10n-ta openoffice.org-l10n-tr openoffice.org-l10n-zh_CN openoffice.org-l10n-zh_TW openoffice.org-l10n-zu openoffice.org-mono openoffice.org-ooqstart Update: Tue Jul 08 19:56:22 2008 Importance: security ID: MDVSA-2008:138 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:138 %pre Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow. The updated packages have been patched to fix the issue. %description OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editing and drawing program, with a user interface and feature set similar to other office suites. Sophisticated and flexible, OpenOffice.org also works transparently with a variety of file formats, including Microsoft Office. %package bind bind-devel bind-utils Update: Wed Jul 09 11:40:45 2008 Importance: security ID: MDVSA-2008:139 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:139 %pre A weakness was found in the DNS protocol by Dan Kaminsky. A remote attacker could exploit this weakness to spoof DNS entries and poison DNS caches. This could be used to misdirect users and services; i.e. for web and email traffic (CVE-2008-1447). This update provides the latest stable BIND releases for all platforms except Corporate Server/Desktop 3.0 and MNF2, which have been patched to correct the issue. %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. Install the bind package if you need a DNS server for your network. If you want bind to act a caching name server, you will also need to install the caching-nameserver package. Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the \$GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details Support for building single-threaded servers for environments that do not supply POSIX threads New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit" Faster lookups, particularly in large zones. Build Options: --without sdb_ldap Build without ldap simple database support (enabled per default) --with sdb_mysql Build with MySQL database support (disables ldap support, it's either way.) --with geoip Build with GeoIP support (disabled per default) %package ruby ruby-devel ruby-doc ruby-tk Update: Wed Jul 09 16:54:34 2008 Importance: security ID: MDVSA-2008:141 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 %pre Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. (CVE-2008-1145) Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues. %description Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. %package finch libfinch0 libpurple0 libpurple-devel pidgin pidgin-bonjour pidgin-client pidgin-facebook pidgin-gevolution pidgin-i18n pidgin-meanwhile pidgin-mono pidgin-perl pidgin-silc pidgin-tcl Update: Thu Jul 10 17:45:20 2008 Importance: security ID: MDVSA-2008:143 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:143 %pre An integer overflow flaw was found in Pidgin's MSN protocol handler that could allow for the execution of arbitrary code if a user received a malicious MSN message (CVE-2008-2927). In addition, this update provides the ability to use ICQ networks again on Mandriva Linux 2008.0, as in MDVA-2008:103 (updated pidgin for 2008.1). The updated packages have been patched to correct this issue. %description Pidgin allows you to talk to anyone using a variety of messaging protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. Pidgin supports many common features of other clients, as well as many unique features, such as perl scripting, TCL scripting and C plugins. Pidgin is not affiliated with or endorsed by America Online, Inc., Microsoft Corporation, Yahoo! Inc., or ICQ Inc. %package locales locales-aa locales-af locales-am locales-ar locales-as locales-az locales-be locales-ber locales-bg locales-bn locales-br locales-bs locales-ca locales-cs locales-cy locales-da locales-de locales-dz locales-el locales-en locales-eo locales-es locales-et locales-eu locales-fa locales-fi locales-fo locales-fr locales-fur locales-fy locales-ga locales-gd locales-gl locales-gu locales-gv locales-ha locales-he locales-hi locales-hr locales-hsb locales-hu locales-hy locales-id locales-ig locales-ik locales-is locales-it locales-iu locales-ja locales-ka locales-kk locales-kl locales-km locales-kn locales-ko locales-ku locales-kw locales-ky locales-lg locales-li locales-lo locales-lt locales-lv locales-mg locales-mi locales-mk locales-ml locales-mn locales-mr locales-ms locales-mt locales-nds locales-ne locales-nl locales-no locales-nr locales-nso locales-oc locales-pa locales-pl locales-pt locales-ro locales-ru locales-rw locales-sc locales-se locales-si locales-sk locales-sl locales-so locales-sq locales-sr locales-ss locales-st locales-sv locales-sw locales-ta locales-te locales-tg locales-th locales-tk locales-tl locales-tn locales-tr locales-ts locales-tt locales-ug locales-uk locales-ur locales-uz locales-ve locales-vi locales-wa locales-xh locales-yi locales-yo locales-zh locales-zu Update: Thu Jul 10 23:59:48 2008 Importance: bugfix ID: MDVA-2008:105 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:105 %pre A flaw in the locales packages could make the spell checker in OpenOffice.org and other programs to not work as intended (bug #39789). This was a side-effect of the locales packges not updating the _install_langs rpm macro on the system with provided locale variants for some cases. This update also contains additional fixes for issues that affect the stable releases of Mandriva 2008.0 and 2008.1. %description These are the base files for language localization. You also need to install the specific locales-?? for the language(s) you want. Then the user need to set the LANG variable to their preferred language in their ~/.profile configuration file. %package libldap2.3_0 libldap2.3_0-devel libldap2.3_0-static-devel openldap openldap-clients openldap-doc openldap-servers openldap-testprogs openldap-tests Update: Fri Jul 11 21:07:14 2008 Importance: security ID: MDVSA-2008:144 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:144 %pre A denial of service vulnerability was discovered in the way the OpenLDAP slapd daemon processed certain network messages. An unauthenticated remote attacker could send a specially crafted request that would crash the slapd daemon (CVE-2008-2952). The updated packages have been patched to correct this issue. %description OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The suite includes a stand-alone LDAP server (slapd) and stand-alone LDAP replication server (slurpd) which are in the -servers package, libraries for implementing the LDAP protocol (in the lib packages), and utilities, tools, and sample clients (in the -clients package). The openldap binary package includes configuration files used by the libraries. Install openldap if you need LDAP applications and tools. %package bluez-utils bluez-utils-cups libbluez2 libbluez-devel Update: Mon Jul 14 19:45:52 2008 Importance: security ID: MDVSA-2008:145 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:145 %pre An input validation flaw was found in the Bluetooth Session Description Protocol (SDP) packet parser used in the Bluez bluetooth utilities. A bluetooth device with an already-trusted relationship, or a local user registering a service record via a UNIX socket or D-Bus interface, could cause a crash and potentially execute arbitrary code with the privileges of the hcid daemon (CVE-2008-2374). The updated packages have been patched to correct this issue. %description These are the official Bluetooth communication libraries for Linux. %package libpoppler2 libpoppler-devel libpoppler-glib2 libpoppler-glib-devel libpoppler-qt2 libpoppler-qt4-2 libpoppler-qt4-devel libpoppler-qt-devel poppler Update: Tue Jul 15 14:55:59 2008 Importance: security ID: MDVSA-2008:146 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:146 %pre A memory management issue was found in libpoppler by Felipe Andres Manzano that could allow for the execution of arbitrary code with the privileges of the user running a poppler-based application, if they opened a specially crafted PDF file (CVE-2008-2950). The updated packages have been patched to correct this issue. %description Poppler is a PDF rendering library based on the xpdf-3.0 code base. %package libpcre0 libpcre-devel pcre Update: Tue Jul 15 21:55:10 2008 Importance: security ID: MDVSA-2008:147 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:147 %pre Tavis Ormandy of the Google Security Team discovered a heap-based buffer overflow when compiling certain regular expression patterns. This could be used by a malicious attacker by sending a specially crafted regular expression to an application using the PCRE library, resulting in the possible execution of arbitrary code or a denial of service (CVE-2008-2371). The updated packages have been patched to correct this issue. %description PCRE has its own native API, but a set of "wrapper" functions that are based on the POSIX API are also supplied in the library libpcreposix. Note that this just provides a POSIX calling interface to PCRE: the regular expressions themselves still follow Perl syntax and semantics. This package contains a grep variant based on the PCRE library. %package timezone timezone-java Update: Wed Jul 16 15:32:21 2008 Importance: normal ID: MDVA-2008:109 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:109 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain the new Daylight Savings Time information for 2008 and later for certain time zones. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1_0 libdevhelp-1-devel libmozilla-firefox2.0.0.16 libmozilla-firefox-devel libswt3-gtk2 libtotem-plparser7 libtotem-plparser-devel mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Thu Jul 17 15:42:42 2008 Importance: security ID: MDVSA-2008:148 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:148 %pre Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.16 (CVE-2008-2785, CVE-2008-2933). This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package libmysql15 libmysql-devel libmysql-static-devel mysql mysql-bench mysql-client mysql-common mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Sat Jul 19 13:52:06 2008 Importance: security ID: MDVSA-2008:150 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:150 %pre Multiple buffer overflows in yaSSL, which is used in MySQL, allowed remote attackers to execute arbitrary code (CVE-2008-0226) or cause a denial of service via a special Hello packet (CVE-2008-0227). Sergei Golubchik found that MySQL did not properly validate optional data or index directory paths given in a CREATE TABLE statement; as well it would not, under certain conditions, prevent two databases from using the same paths for data or index files. This could allow an authenticated user with appropriate privilege to create tables in one database to read and manipulate data in tables later created in other databases, regardless of GRANT privileges (CVE-2008-2079). The updated packages have been patched to correct these issues. %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. The MySQL software has Dual Licensing, which means you can use the MySQL software free of charge under the GNU General Public License (http://www.gnu.org/licenses/). You can also purchase commercial MySQL licenses from MySQL AB if you do not wish to be bound by the terms of the GPL. See the chapter "Licensing and Support" in the manual for further info. The MySQL web site (http://www.mysql.com/) provides the latest news and information about the MySQL software. Also please see the documentation and the manual for more information. %package libxslt1 libxslt-devel libxslt-proc python-libxslt Update: Mon Jul 21 16:30:18 2008 Importance: security ID: MDVSA-2008:151 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:151 %pre A buffer overflow vulnerability in libxslt could be exploited via an XSL style sheet file with a long XLST transformation match condition, which could possibly lead to the execution of arbitrary code (CVE-2008-1767). The updated packages have been patched to correct this issue. %description This C library allows to transform XML files into other XML files (or HTML, text, ...) using the standard XSLT stylesheet transformation mechanism. %package dumpcap libwireshark0 libwireshark-devel rawshark tshark wireshark wireshark-tools Update: Tue Jul 22 13:50:50 2008 Importance: security ID: MDVSA-2008:152 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:152 %pre A vulnerability was found in Wireshark, that could cause it to crash while processing malicious packets. This update provides Wireshark 1.0.2, which is not vulnerable to that. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package emacs emacs-common emacs-doc emacs-el emacs-gtk emacs-leim emacs-nox Update: Wed Jul 23 12:36:19 2008 Importance: security ID: MDVSA-2008:153 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:153 %pre A vulnerability in emacs was found where an attacker could provide a group of files containing local variable definitions and arbitrary Lisp code to be executed when one of the provided files is opened by emacs (CVE-2008-2142). The updated packages have been patched to correct this issue. %description Emacs-X11 includes the Emacs text editor program for use with the X Window System (it provides support for the mouse and other GUI elements). Emacs-X11 will also run Emacs outside of X, but it has a larger memory footprint than the 'non-X' Emacs package (emacs-nox). Install emacs if you are going to use Emacs with the X Window System. You should also install emacs if you're going to run Emacs both with and without X (it will work fine both ways). You'll also need to install the emacs-common package in order to run Emacs. %package mozilla-thunderbird mozilla-thunderbird-af mozilla-thunderbird-be mozilla-thunderbird-bg mozilla-thunderbird-ca mozilla-thunderbird-cs mozilla-thunderbird-da mozilla-thunderbird-de mozilla-thunderbird-devel mozilla-thunderbird-el mozilla-thunderbird-en_GB mozilla-thunderbird-enigmail mozilla-thunderbird-enigmail-ar mozilla-thunderbird-enigmail-ca mozilla-thunderbird-enigmail-cs mozilla-thunderbird-enigmail-de mozilla-thunderbird-enigmail-el mozilla-thunderbird-enigmail-es mozilla-thunderbird-enigmail-es_AR mozilla-thunderbird-enigmail-fi mozilla-thunderbird-enigmail-fr mozilla-thunderbird-enigmail-hu mozilla-thunderbird-enigmail-it mozilla-thunderbird-enigmail-ja mozilla-thunderbird-enigmail-ko mozilla-thunderbird-enigmail-nb mozilla-thunderbird-enigmail-nl mozilla-thunderbird-enigmail-pl mozilla-thunderbird-enigmail-pt mozilla-thunderbird-enigmail-pt_BR mozilla-thunderbird-enigmail-ro mozilla-thunderbird-enigmail-ru mozilla-thunderbird-enigmail-sk mozilla-thunderbird-enigmail-sl mozilla-thunderbird-enigmail-sv mozilla-thunderbird-enigmail-tr mozilla-thunderbird-enigmail-zh_CN mozilla-thunderbird-enigmail-zh_TW mozilla-thunderbird-es_AR mozilla-thunderbird-es_ES mozilla-thunderbird-et_EE mozilla-thunderbird-eu mozilla-thunderbird-fi mozilla-thunderbird-fr mozilla-thunderbird-gu_IN mozilla-thunderbird-he mozilla-thunderbird-hu mozilla-thunderbird-it mozilla-thunderbird-ja mozilla-thunderbird-ko mozilla-thunderbird-lt mozilla-thunderbird-mk mozilla-thunderbird-moztraybiff mozilla-thunderbird-nb_NO mozilla-thunderbird-nl mozilla-thunderbird-nn_NO mozilla-thunderbird-pa_IN mozilla-thunderbird-pl mozilla-thunderbird-pt_BR mozilla-thunderbird-pt_PT mozilla-thunderbird-ru mozilla-thunderbird-sk mozilla-thunderbird-sl mozilla-thunderbird-sv_SE mozilla-thunderbird-tr mozilla-thunderbird-uk mozilla-thunderbird-zh_CN mozilla-thunderbird-zh_TW nsinstall Update: Fri Jul 25 13:12:08 2008 Importance: security ID: MDVSA-2008:155 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:155 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.16 (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237, CVE-2008-2785, CVE-2008-2798, CVE-2008-2799, CVE-2008-2802, CVE-2008-2803, CVE-2008-2807, CVE-2008-2809, CVE-2008-2811). This update provides the latest Thunderbird to correct these issues. It also provides Thunderbird 2.x for Corporate 3.0 systems. %description Mozilla Thunderbird is a full-featured email, RSS and newsgroup client that makes emailing safer, faster and easier than ever before. %package mozilla-thunderbird-enigmail-ar mozilla-thunderbird-enigmail-ca mozilla-thunderbird-enigmail-cs mozilla-thunderbird-enigmail-de mozilla-thunderbird-enigmail-el mozilla-thunderbird-enigmail-es mozilla-thunderbird-enigmail-es_AR mozilla-thunderbird-enigmail-fi mozilla-thunderbird-enigmail-fr mozilla-thunderbird-enigmail-hu mozilla-thunderbird-enigmail-it mozilla-thunderbird-enigmail-ja mozilla-thunderbird-enigmail-ko mozilla-thunderbird-enigmail-nb mozilla-thunderbird-enigmail-nl mozilla-thunderbird-enigmail-pl mozilla-thunderbird-enigmail-pt mozilla-thunderbird-enigmail-pt_BR mozilla-thunderbird-enigmail-ro mozilla-thunderbird-enigmail-ru mozilla-thunderbird-enigmail-sk mozilla-thunderbird-enigmail-sl mozilla-thunderbird-enigmail-sv mozilla-thunderbird-enigmail-tr mozilla-thunderbird-enigmail-zh_CN mozilla-thunderbird-enigmail-zh_TW Update: Sun Jul 27 09:39:03 2008 Importance: security ID: MDVSA-2008:155-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:155-1 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.16 (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235, CVE-2008-1236, CVE-2008-1237, CVE-2008-2785, CVE-2008-2798, CVE-2008-2799, CVE-2008-2802, CVE-2008-2803, CVE-2008-2807, CVE-2008-2809, CVE-2008-2811). This update provides the latest Thunderbird to correct these issues. It also provides Thunderbird 2.x for Corporate 3.0 systems. Update: The previous update provided the incorrect version of the enigmail locale files. This version correctly builds them for Thunderbird 2.0.0.16. %description Localizations for Enigmail %package libpng3 libpng-devel libpng-source libpng-static-devel Update: Mon Jul 28 14:33:11 2008 Importance: security ID: MDVSA-2008:156 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:156 %pre Tavis Ormandy of the Google Security Team discovered a flaw in how libpng handles zero-length unknown chunks in PNG files, which could lead to memory corruption in applications that make use of certain functions (CVE-2008-1382). The updated packages have been patched to correct this issue. %description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. PNG is a bit-mapped graphics format similar to the GIF format. PNG was created to replace the GIF format, since GIF uses a patented data compression algorithm. Libpng should be installed if you need to manipulate PNG format image files. %package dbus dbus-x11 initscripts libdbus-1_3 libdbus-1_3-devel Update: Mon Jul 28 19:47:26 2008 Importance: bugfix ID: MDVA-2008:111 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:111 %pre A race condition was preventing dbus from starting correctly when user authentication was network based (LDAP, etc.). This could prevent other desktop functions from working properly, such as device automounting. This update provides updated dbus and initscript packages that fix this issue. Both packages must be upgraded at the same time. %description D-Bus is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. %package ffmpeg libavformats51 libavutil49 libffmpeg51 libffmpeg51-devel libffmpeg51-static-devel Update: Tue Jul 29 12:04:14 2008 Importance: security ID: MDVSA-2008:157 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:157 %pre A vulnerability was found in how ffmpeg handled STR file demuxing. If a user were tricked into processing a malicious STR file, a remote attacker could execute arbitrary code with user privileges via applications linked against ffmpeg (CVE-2008-3162). The updated packages have been patched to correct this issue. %description ffmpeg is a hyper fast realtime audio/video encoder, a streaming server and a generic audio and video file converter. It can grab from a standard Video4Linux video source and convert it into several file formats based on DCT/motion compensation encoding. Sound is compressed in MPEG audio layer 2 or using an AC3 compatible stream. %package libsilc-1.1_2 libsilcclient-1.1_2 silc-toolkit silc-toolkit-devel Update: Wed Jul 30 09:44:10 2008 Importance: security ID: MDVSA-2008:158 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:158 %pre A vulnerability was found in the SILC toolkit before version 1.1.5 that allowed a remote attacker to cause a denial of service (crash), or possibly execute arbitrary code via long input data (CVE-2008-1227). A vulnerability was found in the SILC toolkit before version 1.1.7 that allowed a remote attacker to execute arbitrary code via a crafted PKCS#2 message (CVE-2008-1552). The updated packages have been patched to correct these issues. %description SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channel. SILC is IRC-like software although internally they are very different. The biggest similarity between SILC and IRC is that they both provide conferencing services and that SILC has almost the same commands as IRC. Other than that they are nothing alike. Major differences are that SILC is secure what IRC is not in any way. The network model is also entirely different compared to IRC. This package provides development related files for any application that has SILC support. %package libxslt1 libxslt-devel libxslt-proc python-libxslt Update: Fri Aug 01 11:31:42 2008 Importance: security ID: MDVSA-2008:160 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:160 %pre Chris Evans of the Google Security Team found a vulnerability in the RC4 processing code in libxslt that did not properly handle corrupted key information. A remote attacker able to make an application linked against libxslt process malicious XML input could cause the application to crash or possibly execute arbitrary code with the privileges of the application in question (CVE-2008-2935). The updated packages have been patched to correct this issue. %description This C library allows to transform XML files into other XML files (or HTML, text, ...) using the standard XSLT stylesheet transformation mechanism. %package rxvt rxvt-CJK Update: Thu Aug 07 11:31:53 2008 Importance: security ID: MDVSA-2008:161 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:161 %pre A vulnerability in rxvt allowed it to open a terminal on :0 if the environment variable was not set, which could be used by a local user to hijack X11 connections (CVE-2008-1142). The updated packages have been patched to correct this issue. %description Rxvt is a color VT102 terminal emulator for the X Window System. Rxvt is intended to be an xterm replacement for users who don't need the more esoteric features of xterm, like Tektronix 4014 emulation, session logging and toolkit style configurability. Since it doesn't support those features, rxvt uses much less swap space than xterm uses. This is a significant advantage on a machine which is serving a large number of X sessions. The rxvt package should be installed on any machine which serves a large number of X sessions, if you'd like to improve that machine's performance. This version of rxvt can display Japanese, Chinese (Big5 and GuoBiao) and Korean. %package dkms-kqemu qemu qemu-img Update: Thu Aug 07 14:46:23 2008 Importance: security ID: MDVSA-2008:162 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:162 %pre Multiple vulnerabilities have been found in Qemu. Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to attempting to mark non-existent regions as dirty, aka the bitblt heap overflow. (CVE-2007-1320) Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 receive integer signedness error. (CVE-2007-1321) QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. (CVE-2007-1322) QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by aam 0x0, which triggers a divide-by-zero error. (CVE-2007-1366) The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 mtu heap overflow. (CVE-2007-5729) Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the net socket listen option, aka QEMU net socket heap overflow. (CVE-2007-5730) QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an overflow, via certain Windows executable programs, as demonstrated by qemu-dos.com. (CVE-2007-6227) Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. (CVE-2008-0928) Changing removable media in QEMU could trigger a bug similar to CVE-2008-2004, which would allow local guest users to read arbitrary files on the host by modifying the header of the image to identify a different format. (CVE-2008-1945) See the diskformat: parameter to the -usbdevice option. The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. (CVE-2008-2004) See the -format option. The updated packages have been patched to fix these issues. %description QEMU is a FAST! processor emulator. By using dynamic translation it achieves a reasonnable speed while being easy to port on new host CPUs. QEMU has two operating modes: * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. Linux system calls are converted because of endianness and 32/64 bit mismatches. Wine (Windows emulation) and DOSEMU (DOS emulation) are the main targets for QEMU. * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherials. Currently, it is only used to launch an x86 Linux kernel on an x86 Linux system. It enables easier testing and debugging of system code. It can also be used to provide virtual hosting of several virtual PC on a single server. This QEMU package provides support for KQEMU, the QEMU Accelerator module. This QEMU package provides support for KVM (Kernel-based Virtual Machine), a full virtualization solution for Linux on x86 hardware containing virtualization extensions (AMD-v or Intel VT). %package libpython2.5 libpython2.5-devel python python-base python-docs tkinter tkinter-apps Update: Thu Aug 07 16:12:12 2008 Importance: security ID: MDVSA-2008:163 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:163 %pre Multiple integer overflows in the imageop module in Python prior to 2.5.3 allowed context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows (CVE-2008-1679). This was due to an incomplete fix for CVE-2007-4965. David Remahl of Apple Product Security reported several integer overflows in a number of core modules (CVE-2008-2315). He also reported an integer overflow in the hashlib module on Python 2.5 that lead to unreliable cryptographic digest results (CVE-2008-2316). Justin Ferguson reported multiple buffer overflows in unicode string processing that affected 32bit systems (CVE-2008-3142). Multiple integer overflows were reported by the Google Security Team that had been fixed in Python 2.5.2 (CVE-2008-3143). Justin Ferguson reported a number of integer overflows and underflows in the PyOS_vsnprintf() function, as well as an off-by-one error when passing zero-length strings, that led to memory corruption (CVE-2008-3144). The updated packages have been patched to correct these issues. As well, Python packages on Mandriva Linux 2007.1 and 2008.0 have been updated to version 2.5.2. Due to slight packaging changes on Mandriva Linux 2007.1, a new package is available (tkinter-apps) that contains binary files (such as /usr/bin/idle) that were previously in the tkinter package. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. %package libmesagl1 libmesagl1-devel libmesaglu1 libmesaglu1-devel libmesaglut3 libmesaglut3-devel libmesaglw1 libmesaglw1-devel mesa mesa-common-devel mesa-demos mesa-source x11-server x11-server-common x11-server-devel x11-server-xati x11-server-xchips x11-server-xdmx x11-server-xephyr x11-server-xepson x11-server-xfake x11-server-xfbdev x11-server-xi810 x11-server-xmach64 x11-server-xmga x11-server-xneomagic x11-server-xnest x11-server-xnvidia x11-server-xorg x11-server-xpm2 x11-server-xr128 x11-server-xsdl x11-server-xsmi x11-server-xvesa x11-server-xvfb x11-server-xvia x11-server-xvnc Update: Thu Aug 07 21:25:17 2008 Importance: bugfix ID: MDVA-2008:117 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:117 %pre This update fixes an X server crash with multiple indirect rendering clients and software rendering. %description X11 servers %package clamav clamav-db clamav-milter clamd libclamav4 libclamav-devel Update: Tue Aug 12 14:54:10 2008 Importance: security ID: MDVSA-2008:166 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:166 %pre An incomplete fix for CVE-2008-2713 resulted in remote attackers being able to cause a denial of service via a malformed Petite file that triggered an out-of-bounds memory access (CVE-2008-3215). This issue is corrected with the 0.93.3 release which is being provided. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package libstunnel0 libstunnel0-devel stunnel Update: Wed Aug 13 19:11:52 2008 Importance: security ID: MDVSA-2008:168 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:168 %pre A vulnerability was found in the OCSP search functionality in stunnel that could allow a remote attacker to use a revoked certificate that would be successfully authenticated by stunnel (CVE-2008-2420). This flaw only concerns users who have enabled OCSP validation in stunnel. The updated packages have been patched to correct this issue. %description The stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels. stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the source code. %package hplip hplip-doc hplip-hpijs hplip-hpijs-ppds hplip-model-data libhpip0 libhpip0-devel libsane-hpaio1 Update: Wed Aug 13 19:15:38 2008 Importance: security ID: MDVSA-2008:169 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:169 %pre Marc Schoenefeld of the Red Hat Security Response Team discovered a vulnerability in the hplip alert-mailing functionality that could allow a local attacker to elevate their privileges by using specially-crafted packets to trigger alert mails that are sent by the root account (CVE-2008-2940). Another vulnerability was discovered by Marc Schoenefeld in the hpssd message parser that could allow a local attacker to stop the hpssd process by sending specially-craftd packets, causing a denial of service (CVE-2008-2941). The updated packages have been patched to correct these issues. %description This is the HP driver package to supply Linux support for most Hewlett-Packard DeskJet, LaserJet, PSC, OfficeJet, and PhotoSmart printers and all-in-one peripherals (also known as Multi-Function Peripherals or MFPs), which can print, scan, copy, fax, and/or access flash memory cards. It is work in progress, but printing, scanning, memory card access, ink/toner/battery/consumable level checking, and inkjet printer maintenance are supported on most models, when either connected to the USB or LAN (built-in interfaces or selected HP JetDirect models) on a Linux workstation with CUPS printing system. For status and consumable checking and also for inkjet maintenance there is the graphical tool "hp-toolbox" available (Menu: "System"/"Monitoring"/"HP Printer Toolbox"). %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Wed Aug 13 19:22:45 2008 Importance: security ID: MDVSA-2008:170 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:170 %pre Thomas Pollet discovered an integer overflow vulnerability in the PNG image handling filter in CUPS. This could allow a malicious user to execute arbitrary code with the privileges of the user running CUPS, or cause a denial of service by sending a specially crafted PNG image to the print server (CVE-2008-1722). The updated packages have been patched to correct this issue. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package libpostfix1 postfix postfix-ldap postfix-mysql postfix-pcre postfix-pgsql Update: Fri Aug 15 11:24:12 2008 Importance: security ID: MDVSA-2008:171 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:171 %pre Sebastian Krahmer of the SUSE Security Team discovered a flaw in the way Postfix dereferenced symbolic links. If a local user had write access to a mail spool directory without a root mailbox file, it could be possible for them to append arbitrary data to files that root had write permissions to (CVE-2008-2936). The updated packages have been patched to correct this issue. %description Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS and running in a chroot environment. Postfix is Wietse Venema's mailer that started life as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different. This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix. PLEASE READ THE /usr/share/doc/postfix/README.MDK FILE. This rpm supports different build time options, to enable or disable these features you must rebuild the source rpm using the --with ... or --without ... rpm option. Currently postfix has been built with: Smtpd multiline greeting: --without multiline Virtual Delivery Agent: --without VDA Munge bare CR: --without barecr TLS support: --with tls %{with_TXT_tls} IPV6 support: --with IPV6 %{with_TXT_ipv6} CDB support: --without cdb Chroot by default: --with chroot %package amarok amarok-engine-xine amarok-scripts libamarok0 libamarok0-scripts libamarok-devel libamarok-scripts-devel Update: Fri Aug 15 12:45:14 2008 Importance: security ID: MDVSA-2008:172 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:172 %pre A flaw in Amarok prior to 1.4.10 would allow local users to overwrite arbitrary files via a symlink attack on a temporary file that Amarok created with a predictable name (CVE-2008-3699). The updated packages have been patched to correct this issue. %description Feature Overview * Music Collection: You have a huge music library and want to locate tracks quickly? Let amaroK's powerful Collection take care of that! It's a database powered music store, which keeps track of your complete music library, allowing you to find any title in a matter of seconds. * Intuitive User Interface: You will be amazed to see how easy amaroK is to use! Simply drag-and-drop files into the playlist. No hassle with complicated buttons or tangled menus. Listening to music has never been easier! * Streaming Radio: Web streams take radio to the next level: Listen to thousands of great radio stations on the internet, for free! amaroK provides excellent streaming support, with advanced features, such as displaying titles of the currently playing songs. * Context Browser: This tool provides useful information on the music you are currently listening to, and can make listening suggestions, based on your personal music taste. An innovate and unique feature. * Visualizations: amaroK is compatible with XMMS visualization plugins. Allows you to use the great number of stunning visualizations available on the net. 3d visualizations with OpenGL are a great way to enhance your music experience. %package yelp Update: Wed Aug 20 10:07:28 2008 Importance: security ID: MDVSA-2008:175 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:175 %pre A format string vulnerability was discovered in yelp after version 2.19.90 and before 2.24 that could allow remote attackers to execute arbitrary code via format string specifiers in an invalid URI on the command-line or via URI helpers in Firefox, Evolution, or possibly other programs (CVE-2008-3533). The updated packages have been patched to correct this issue. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package libxine1 libxine-devel xine-aa xine-caca xine-dxr3 xine-esd xine-flac xine-gnomevfs xine-image xine-jack xine-plugins xine-pulse xine-sdl xine-smb Update: Wed Aug 20 20:32:27 2008 Importance: security ID: MDVSA-2008:178 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:178 %pre Alin Rad Pop found an array index vulnerability in the SDP parser of xine-lib. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker could possibly execute arbitrary code with the privileges of the user using the program (CVE-2008-0073). The ASF demuxer in xine-lib did not properly check the length of ASF headers. If a user was tricked into opening a crafted ASF file, a remote attacker could possibly cause a denial of service or execute arbitrary code with the privileges of the user using the program (CVE-2008-1110). The Matroska demuxer in xine-lib did not properly verify frame sizes, which could possibly lead to the execution of arbitrary code if a user opened a crafted ASF file (CVE-2008-1161). Luigi Auriemma found multiple integer overflows in xine-lib. If a user was tricked into opening a crafted FLV, MOV, RM, MVE, MKV, or CAK file, a remote attacker could possibly execute arbitrary code with the privileges of the user using the program (CVE-2008-1482). Guido Landi found A stack-based buffer overflow in xine-lib that could allow a remote attacker to cause a denial of service (crash) and potentially execute arbitrary code via a long NSF title (CVE-2008-1878). The updated packages have been patched to correct this issue. %description xine is a free gpl-licensed video player for unix-like systems. %package libmetisse1 libmetisse1-devel metisse metisse-fvwm x11-server-xmetisse Update: Thu Aug 21 12:32:51 2008 Importance: security ID: MDVSA-2008:179 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:179 %pre An input validation flaw was found in X.org's MIT-SHM extension. A client connected to the X.org server could read arbitrary server memory, resulting in the disclosure of sensitive data of other users of the X.org server (CVE-2008-1379). Multiple integer overflows were found in X.org's Render extension. A malicious authorized client could explot these issues to cause a denial of service (crash) or possibly execute arbitrary code with root privileges on the X.org server (CVE-2008-2360, CVE-2008-2361, CVE-2008-2362). The Metisse program is likewise affected by these issues; the updated packages have been patched to prevent them. %description Metisse is an experimental X desktop with some OpenGL capacity. It consists of a virtual X server called Xmetisse, a special version of FVWM, and a FVWM module FvwmCompositor. %package libxml2_2 libxml2-devel libxml2-python libxml2-utils Update: Thu Aug 21 14:37:58 2008 Importance: security ID: MDVSA-2008:180 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:180 %pre Andreas Solberg found a denial of service flaw in how libxml2 processed certain content. If an application linked against libxml2 processed such malformed XML content, it could cause the application to stop responding (CVE-2008-3281). The updated packages have been patched to prevent this issue. %description This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM-like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to a URI library. %package libxml2_2 libxml2-devel libxml2-python libxml2-utils Update: Tue Aug 26 10:31:53 2008 Importance: security ID: MDVSA-2008:180-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:180-1 %pre Andreas Solberg found a denial of service flaw in how libxml2 processed certain content. If an application linked against libxml2 processed such malformed XML content, it could cause the application to stop responding (CVE-2008-3281). Update: The original fix used to correct this issue caused some applications that used the libxml2 library to crash. These new updated packages use a different fix that does not cause certain linked applications to crash as the old packages did. %description This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM-like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to a URI library. %package timezone timezone-java Update: Thu Aug 28 10:59:37 2008 Importance: bugfix ID: MDVA-2008:119 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:119 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package ipsec-tools libipsec0 libipsec0-devel Update: Thu Aug 28 19:59:05 2008 Importance: security ID: MDVSA-2008:181 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:181 %pre Two denial of service vulnerabilities were discovered in the ipsec-tools racoon daemon, which could allow a remote attacker to cause it to consume all available memory (CVE-2008-3651, CVE-2008-3652). The updated packages have been patched to prevent these issues. %description This is the IPsec-Tools package. You need this package in order to really use the IPsec functionality in the linux-2.6 and above kernels. This package builds: - libipsec, a PFKeyV2 library - setkey, a program to directly manipulate policies and SAs - racoon, an IKEv1 keying daemon %package libwordnet3.0 libwordnet3.0-devel wordnet Update: Tue Sep 02 09:59:21 2008 Importance: security ID: MDVSA-2008:182 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:182 %pre Rob Holland found several programming errors in WordNet which could lead to the execution or arbitrary code when used with untrusted input (CVE-2008-2149). The updated packages have been patched to prevent these issues. %description WordNet® is an online lexical reference system whose design is inspired by current psycholinguistic theories of human lexical memory. English nouns, verbs, adjectives and adverbs are organized into synonym sets, each representing one underlying lexical concept. Different relations link the synonym sets. %package libopensc2 libopensc-devel mozilla-plugin-opensc opensc Update: Tue Sep 02 11:57:32 2008 Importance: security ID: MDVSA-2008:183 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:183 %pre Chaskiel M Grundman found that OpenSC would initialize smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN without first having the PIN or PUK, or the superuser's PIN or PUK (CVE-2008-2235). Please note that this issue can not be used to discover the PIN on a card. If the PIN on a card is the same that was always there, it is unlikely that this vulnerability has been exploited. As well, this issue only affects smart cards and USB crypto tokens based on Siemens CardOS M4, and then only those devices that were initialized by OpenSC. Users of other smart cards or USB crypto tokens, or cards that were not initialized by OpenSC, are not affected. After applying the update, executing 'pkcs15-tool -T' will indicate whether the card is fine or vulnerable. If the card is vulnerable, the security settings need to be updated by executing 'pkcs15-tool -T -U'. The updated packages have been patched to prevent this issue. %description opensc is a library for accessing smart card devices using PC/SC Lite middleware package. It is also the core library of the OpenSC project. Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO 7816-4 compatible smart card. Encryption and decryption using private keys on the SmartCard is at the moment possible only with PKCS #15 compatible cards. %package libtiff3 libtiff3-devel libtiff3-static-devel libtiff-progs Update: Wed Sep 03 09:54:03 2008 Importance: security ID: MDVSA-2008:184 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:184 %pre Drew Yaro of the Apple Product Security Team reported multiple uses of uninitialized values in libtiff's LZW compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked to libtiff to crash or potentially execute arbitrary code (CVE-2008-2327). The updated packages have been patched to prevent this issue. %description The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. %package python-django Update: Wed Sep 03 11:37:01 2008 Importance: security ID: MDVSA-2008:185 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:185 %pre A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data. Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases. The versions of Django shipping with Mandriva Linux have been updated to the latest patched versions that include the fix for this issue. In addition, they provide other bug fixes. %description Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Developed and used over the past two years by a fast-moving online-news operation, Django was designed from scratch to handle two challenges: the intensive deadlines of a newsroom and the stringent requirements of experienced Web developers. It has convenient niceties for developing content-management systems, but it's an excellent tool for building any Web site. Django focuses on automating as much as possible and adhering to the DRY principle. %package tomcat5 tomcat5-admin-webapps tomcat5-common-lib tomcat5-jasper tomcat5-jasper-javadoc tomcat5-jsp-2.0-api tomcat5-jsp-2.0-api-javadoc tomcat5-server-lib tomcat5-servlet-2.4-api tomcat5-servlet-2.4-api-javadoc tomcat5-webapps Update: Fri Sep 05 13:39:54 2008 Importance: security ID: MDVSA-2008:188 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:188 %pre A number of vulnerabilities have been discovered in the Apache Tomcat server: The default catalina.policy in the JULI logging component did not restrict certain permissions for web applications which could allow a remote attacker to modify logging configuration options and overwrite arbitrary files (CVE-2007-5342). A cross-site scripting vulnerability was found in the HttpServletResponse.sendError() method which could allow a remote attacker to inject arbitrary web script or HTML via forged HTTP headers (CVE-2008-1232). A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter (CVE-2008-1947). A traversal vulnerability was found when using a RequestDispatcher in combination with a servlet or JSP that could allow a remote attacker to utilize a specially-crafted request parameter to access protected web resources (CVE-2008-2370). A traversal vulnerability was found when the 'allowLinking' and 'URIencoding' settings were actived which could allow a remote attacker to use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process (CVE-2008-2938). The updated packages have been patched to correct these issues. %description Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here. %package clamav clamav-db clamav-milter clamd klamav libclamav5 libclamav-devel Update: Tue Sep 09 19:43:52 2008 Importance: security ID: MDVSA-2008:189 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:189 %pre Multiple vulnerabilities were discovered in ClamAV and corrected with the 0.94 release, including: A vulnerability in ClamAV's chm-parser allowed remote attackers to cause a denial of service (application crash) via a malformed CHM file (CVE-2008-1389). A vulnerability in libclamav would allow attackers to cause a denial of service via vectors related to an out-of-memory condition (CVE-2008-3912). Multiple memory leaks were found in ClamAV that could possibly allow attackers to cause a denial of service via excessive memory consumption (CVE-2008-3913). A number of unspecified vulnerabilities in ClamAV were reported that have an unknown impact and attack vectors related to file descriptor leaks (CVE-2008-3914). Other bugs have also been corrected in 0.94 which is being provided with this update. Because this new version has increased the major of the libclamav library, updated dependent packages are also being provided. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package libpostfix1 postfix postfix-ldap postfix-mysql postfix-pcre postfix-pgsql Update: Wed Sep 10 09:42:03 2008 Importance: security ID: MDVSA-2008:190 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:190 %pre A vulnerability in Postfix 2.4 and later was discovered, when running on Linux kernel 2.6, where a local user could cause a denial of service due to Postfix leaking the epoll file descriptor when executing non-Postfix commands (CVE-2008-3889). The updated packages have been patched to correct this issue. %description Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL), TLS and running in a chroot environment. Postfix is Wietse Venema's mailer that started life as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different. This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix. PLEASE READ THE /usr/share/doc/postfix/README.MDK FILE. This rpm supports different build time options, to enable or disable these features you must rebuild the source rpm using the --with ... or --without ... rpm option. Currently postfix has been built with: Smtpd multiline greeting: --without multiline Virtual Delivery Agent: --without VDA Munge bare CR: --without barecr TLS support: --with tls %{with_TXT_tls} IPV6 support: --with IPV6 %{with_TXT_ipv6} CDB support: --without cdb Chroot by default: --with chroot %package rsh rsh rsh-server rsh-server Update: Thu Sep 11 16:42:05 2008 Importance: security ID: MDVSA-2008:191 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:191 %pre A vulnerability in the rcp protocol was discovered that allows a server to instruct a client to write arbitrary files outside of the current directory, which could potentially be a security concern if a user used rcp to copy files from a malicious server (CVE-2004-0175). This issue was originally corrected in MDKSA-2005:100, but the patch had not been applied to the development tree, so released packages after that date did not have the fix applied. This update also corrects an issue where rexecd did not honor settings in /etc/security/limits if pam_limits was in use. %description The rsh package contains a set of programs which allow users to run commmands on remote machines, login to other machines and copy files between machines (rsh, rlogin and rcp). All three of these commands use rhosts style authentication. This package contains the clients needed for all of these services. The rsh package should be installed to enable remote access to other machines. %package libxml2_2 libxml2-devel libxml2-python libxml2-utils Update: Thu Sep 11 16:49:47 2008 Importance: security ID: MDVSA-2008:192 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:192 %pre A heap-based buffer overflow was found in how libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or possibly execute arbitrary code (CVE-2008-3529). The updated packages have been patched to prevent this issue. As well, the patch to fix CVE-2008-3281 has been updated to remove the hard-coded entity limit that was set to 5M, instead using XML entity density heuristics. Many thanks to Daniel Veillard of Red Hat for his hard work in tracking down and dealing with the edge cases discovered with the initial fix to this issue. %description This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM-like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to a URI library. %package park-rpmdrake rpmdrake Update: Thu Sep 11 17:29:52 2008 Importance: bugfix ID: MDVA-2008:123 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:123 %pre This update fixes several minor issues with rpmdrake, including preventing a rare crash when canceling and fixing a crash when selecting all packages. %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package apache-base apache-devel apache-htcacheclean apache-mod_authn_dbd apache-mod_cache apache-mod_dav apache-mod_dbd apache-mod_deflate apache-mod_disk_cache apache-mod_file_cache apache-mod_ldap apache-mod_mem_cache apache-mod_proxy apache-mod_proxy_ajp apache-mod_ssl apache-modules apache-mod_userdir apache-mpm-event apache-mpm-itk apache-mpm-prefork apache-mpm-worker apache-source Update: Sat Sep 13 13:31:59 2008 Importance: security ID: MDVSA-2008:195 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:195 %pre A vulnerability was discovered in the mod_proxy module in Apache where it did not limit the number of forwarded interim responses, allowing remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses (CVE-2008-2364). A cross-site scripting vulnerability was found in the mod_proxy_ftp module in Apache that allowed remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI (CVE-2008-2939). The updated packages have been patched to prevent these issues. %description This package contains the main binary of apache, a powerful, full-featured, efficient and freely-available Web server. Apache is also the most popular Web server on the Internet. This version of apache is fully modular, and many modules are available in pre-compiled formats, like PHP and mod_auth_external. Check for available Apache modules for Mandriva Linux at: http://nux.se/apache/ (most of them can be installed from the contribs repository) %package libdha1.0 mencoder mplayer mplayer-doc mplayer-gui Update: Mon Sep 15 13:11:30 2008 Importance: security ID: MDVSA-2008:196 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:196 %pre Uncontrolled array index in the sdpplin_parse function in stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to overwrite memory and execute arbitrary code via a large streamid SDP parameter. The updated packages have been patched to fix this issue. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package libwordnet3.0 libwordnet3.0-devel wordnet Update: Mon Sep 15 13:38:36 2008 Importance: security ID: MDVSA-2008:182-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:182-1 %pre Rob Holland found several programming errors in WordNet which could lead to the execution or arbitrary code when used with untrusted input (CVE-2008-2149, CVE-2008-3908). Update: The previous patch had a typo that caused incorrect behaviour in WordNet. This update uses an update patch that corrects the issue and also notes the additional assigned CVE name for these issues. %description WordNet® is an online lexical reference system whose design is inspired by current psycholinguistic theories of human lexical memory. English nouns, verbs, adjectives and adverbs are organized into synonym sets, each representing one underlying lexical concept. Different relations link the synonym sets. %package koffice koffice-karbon koffice-kexi koffice-kformula koffice-kivio koffice-koshell koffice-kplato koffice-kpresenter koffice-krita koffice-kspread koffice-kugar koffice-kword koffice-progs libkoffice2-karbon libkoffice2-karbon-devel libkoffice2-kexi libkoffice2-kexi-devel libkoffice2-kformula libkoffice2-kformula-devel libkoffice2-kivio libkoffice2-kivio-devel libkoffice2-koshell libkoffice2-kplato libkoffice2-kpresenter libkoffice2-kpresenter-devel libkoffice2-krita libkoffice2-krita-devel libkoffice2-kspread libkoffice2-kspread-devel libkoffice2-kugar libkoffice2-kugar-devel libkoffice2-kword libkoffice2-kword-devel libkoffice2-progs libkoffice2-progs-devel Update: Mon Sep 15 14:02:08 2008 Importance: security ID: MDVSA-2008:197 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:197 %pre Kees Cook of Ubuntu security found a flaw in how poppler prior to version 0.6 displayed malformed fonts embedded in PDF files. An attacker could create a malicious PDF file that would cause applications using poppler to crash, or possibly execute arbitrary code when opened (CVE-2008-1693). This vulnerability also affected KOffice, so the updated packages have been patched to correct this issue. %description Office applications for the K Desktop Environment. KOffice contains: * KWord: word processor * KSpread: spreadsheet * KPresenter: presentations * KChart: diagram generator * Kugar: A tool for generating business quality reports. * Kivio: A Visio(r)-style flowcharting application. * Kexi: an integrated environment for managing data * Some filters (Excel 97, Winword 97/2000, etc.) * karbon: the scalable vector drawing application for KDE. * kformula: a formula editor for KOffice. * krita: painting and image editing application. * koshell * kplato: a project management. %package libRmath libRmath-devel R-base Update: Tue Sep 16 11:47:13 2008 Importance: security ID: MDVSA-2008:198 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:198 %pre A symlink vulnerability was found in the javareconf script in R that allows local users to overwrite arbitrary files (CVE-2008-3931). The updated packages have been patched to prevent this issue. %description `GNU S' - A language and environment for statistical computing and graphics. R is similar to the S system, which was developed at Bell Laboratories by John Chambers et al. It provides a wide variety of statistical and graphical techniques (linear and nonlinear modelling, statistical tests, time series analysis, classification, clustering, ...). R is designed as a true computer language with control-flow constructions for iteration and alternation, and it allows users to add additional functionality by defining new functions. For computationally intensive tasks, C, C++ and Fortran code can be linked and called at run time. %package park-rpmdrake rpmdrake Update: Tue Sep 16 17:10:20 2008 Importance: bugfix ID: MDVA-2008:123-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:123-1 %pre This update fixes several minor issues with rpmdrake, including preventing a rare crash when canceling and fixing a crash when selecting all packages. Update: The wrong rpmdrake revision was built for updates. This update provides the correct revision. %description rpmdrake is a simple graphical frontend to manage software packages on a Mandriva Linux system; it has 3 different modes: - software packages installation; - software packages removal; - MandrivaUpdate (software packages updates). A fourth program manages the media (add, remove, edit). %package dkms-libafs libopenafs1 libopenafs1-devel openafs openafs-client openafs-doc openafs-server Update: Wed Sep 17 09:42:54 2008 Importance: bugfix ID: MDVA-2008:006-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:006-1 %pre The previous openafs update (MDKA-2007:124) was released to correct gcc compiler optimisations, however it only corrected the problem on 32bit platforms. This update fixes it for both 32bit and 64bit architectures. Update: The previous update did not completely correct the problem in all cases. It prevented listing directory contents when attaching to an AFS server, making files inaccessible. %description AFS is a distributed filesystem allowing cross-platform sharing of files among multiple computers. Facilities are provided for access control, authentication, backup and administrative management. This package provides common files shared across all the various OpenAFS packages but are not necessarily tied to a client or server. %package clamav clamav-db clamav-milter clamd libclamav5 libclamav-devel Update: Wed Sep 17 11:27:10 2008 Importance: security ID: MDVSA-2008:189-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:189-1 %pre Multiple vulnerabilities were discovered in ClamAV and corrected with the 0.94 release, including: A vulnerability in ClamAV's chm-parser allowed remote attackers to cause a denial of service (application crash) via a malformed CHM file (CVE-2008-1389). A vulnerability in libclamav would allow attackers to cause a denial of service via vectors related to an out-of-memory condition (CVE-2008-3912). Multiple memory leaks were found in ClamAV that could possibly allow attackers to cause a denial of service via excessive memory consumption (CVE-2008-3913). A number of unspecified vulnerabilities in ClamAV were reported that have an unknown impact and attack vectors related to file descriptor leaks (CVE-2008-3914). Other bugs have also been corrected in 0.94 which is being provided with this update. Because this new version has increased the major of the libclamav library, updated dependent packages are also being provided. Update: The previous update had experimental support enabled, which caused ClamAV to report the version as 0.94-exp rather than 0.94, causing ClamAV to produce bogus warnings about the installation being outdated. This update corrects that problem. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (default) %package xdm Update: Thu Sep 18 12:11:04 2008 Importance: bugfix ID: MDVA-2008:128 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:128 %pre Trying to establish an XDMCP session to a machine running xdm would result in a blue screen and an X cursor that could be moved with the mouse but no login greeter. After 2 to 3 minutes, the launching tty would say XDM: too many retransmissions, declaring session dead. This update fixes the issue. %description Xdm manages a collection of X displays, which may be on the local host or remote servers. The design of xdm was guided by the needs of X terminals as well as The Open Group standard XDMCP, the X Display Manager Control Protocol. Xdm provides services similar to those provided by init, getty and login on character terminals: prompting for login name and password, authenticating the user, and running a session. %package dumpcap libwireshark0 libwireshark-devel rawshark tshark wireshark wireshark-tools Update: Fri Sep 19 11:22:24 2008 Importance: security ID: MDVSA-2008:199 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:199 %pre A number of vulnerabilities were discovered in Wireshark that could cause it to crash while processing malicious packets (CVE-2008-3146, CVE-2008-3932, CVE-2008-3933, CVE-2008-3934). This update provides Wireshark 1.0.3, which is not vulnerable to these issues. %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package ed Update: Mon Sep 22 11:13:07 2008 Importance: security ID: MDVSA-2008:200 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:200 %pre A heap-based buffer overflow was found in GNU ed that allowed context-dependent or user-assisted attackers to execute arbitrary code via a long filename (CVE-2008-3916). This update provides GNU ed 1.0, which is not vulnerable to this issue. %description Ed is a line-oriented text editor, used to create, display, and modify text files (both interactively and via shell scripts). For most purposes, ed has been replaced in normal usage by full-screen editors (emacs and vi, for example). Ed was the original UNIX editor, and may be used by some programs. In general, however, you probably don't need to install it and you probably won't use it much. %package pan Update: Mon Sep 22 12:51:41 2008 Importance: security ID: MDVSA-2008:201 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:201 %pre Pavel Polischouk found a boundary error in the PartsBatch class in the Pan newsreader when processing .nzb files, which could allow remote attackers to cause a denial of serice (application crash) or possibly execute arbitrary code via a crafted .nzb file (CVE-2008-2363). The updated packages have been patched to prevent this issue. %description This is PAN, a powerful and user-friendly USENET newsreader for GNOME. The latest info and versions of Pan can always be found at http://pan.rebelbase.com/. %package blender Update: Wed Sep 24 11:07:44 2008 Importance: security ID: MDVSA-2008:204 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:204 %pre Stefan Cornelius of Secunia Research reported a boundary error when Blender processed RGBE images which could be used to execute arbitrary code with the privileges of the user running Blender if a specially crafted .hdr or .blend file were opened(CVE-2008-1102). As well, multiple vulnerabilities involving insecure usage of temporary files had also been reported (CVE-2008-1103). The updated packages have been patched to prevent these issues. %description Blender is the in-house software of a high quality animation studio. It has proven to be an extremely fast and versatile design instrument. The software has a personal touch, offering a unique approach to the world of three dimensions. Blender can be used to create TV commercials, to make technical visualizations or business graphics, to do some morphing, or to design user interfaces. Developers can easily build and manage complex environments. The renderer is versatile and extremely fast. All basic animation principles (curves and keys) are implemented. %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1_0 libdevhelp-1-devel libmozilla-firefox2.0.0.17 libmozilla-firefox-devel libswt3-gtk2 libtotem-plparser7 libtotem-plparser-devel mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Thu Sep 25 14:19:30 2008 Importance: security ID: MDVSA-2008:205 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:205 %pre Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox program, version 2.0.0.17 (CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069). This update provides the latest Firefox to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package mozilla-thunderbird mozilla-thunderbird-af mozilla-thunderbird-be mozilla-thunderbird-bg mozilla-thunderbird-ca mozilla-thunderbird-cs mozilla-thunderbird-da mozilla-thunderbird-de mozilla-thunderbird-devel mozilla-thunderbird-el mozilla-thunderbird-en_GB mozilla-thunderbird-enigmail mozilla-thunderbird-enigmail-ar mozilla-thunderbird-enigmail-ca mozilla-thunderbird-enigmail-cs mozilla-thunderbird-enigmail-de mozilla-thunderbird-enigmail-el mozilla-thunderbird-enigmail-es mozilla-thunderbird-enigmail-es_AR mozilla-thunderbird-enigmail-fi mozilla-thunderbird-enigmail-fr mozilla-thunderbird-enigmail-hu mozilla-thunderbird-enigmail-it mozilla-thunderbird-enigmail-ja mozilla-thunderbird-enigmail-ko mozilla-thunderbird-enigmail-nb mozilla-thunderbird-enigmail-nl mozilla-thunderbird-enigmail-pl mozilla-thunderbird-enigmail-pt mozilla-thunderbird-enigmail-pt_BR mozilla-thunderbird-enigmail-ro mozilla-thunderbird-enigmail-ru mozilla-thunderbird-enigmail-sk mozilla-thunderbird-enigmail-sl mozilla-thunderbird-enigmail-sv mozilla-thunderbird-enigmail-tr mozilla-thunderbird-enigmail-zh_CN mozilla-thunderbird-enigmail-zh_TW mozilla-thunderbird-es_AR mozilla-thunderbird-es_ES mozilla-thunderbird-et_EE mozilla-thunderbird-eu mozilla-thunderbird-fi mozilla-thunderbird-fr mozilla-thunderbird-gu_IN mozilla-thunderbird-he mozilla-thunderbird-hu mozilla-thunderbird-it mozilla-thunderbird-ja mozilla-thunderbird-ko mozilla-thunderbird-lt mozilla-thunderbird-mk mozilla-thunderbird-moztraybiff mozilla-thunderbird-nb_NO mozilla-thunderbird-nl mozilla-thunderbird-nn_NO mozilla-thunderbird-pa_IN mozilla-thunderbird-pl mozilla-thunderbird-pt_BR mozilla-thunderbird-pt_PT mozilla-thunderbird-ru mozilla-thunderbird-sk mozilla-thunderbird-sl mozilla-thunderbird-sv_SE mozilla-thunderbird-tr mozilla-thunderbird-uk mozilla-thunderbird-zh_CN mozilla-thunderbird-zh_TW nsinstall Update: Fri Sep 26 12:48:43 2008 Importance: security ID: MDVSA-2008:206 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:206 %pre A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.17 (CVE-2008-0016, CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4070). This update provides the latest Thunderbird to correct these issues. %description Mozilla Thunderbird is a full-featured email, RSS and newsgroup client that makes emailing safer, faster and easier than ever before. %package dkms-libafs libopenafs1 libopenafs1-devel openafs openafs-client openafs-doc openafs-server Update: Mon Sep 29 11:48:33 2008 Importance: security ID: MDVSA-2008:207 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:207 %pre A race condition in OpenAFS 1.3.40 through 1.4.5 allowed remote attackers to cause a denial of service (daemon crash) by simultaneously acquiring and giving back file callbacks (CVE-2007-6559). The updated packages have been patched to prevent this issue. %description AFS is a distributed filesystem allowing cross-platform sharing of files among multiple computers. Facilities are provided for access control, authentication, backup and administrative management. This package provides common files shared across all the various OpenAFS packages but are not necessarily tied to a client or server. %package pam_mount pam_mount-devel Update: Mon Sep 29 17:56:21 2008 Importance: security ID: MDVSA-2008:208 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:208 %pre pam_mount 0.10 through 0.45, when luserconf is enabled, does not verify mountpoint and source ownership before mounting a user-defined volume, which allows local users to bypass intended access restrictions via a local mount. The updated packages have been patched to fix the issue. %description Pam_mount is a PAM module that allows dynamic remote volume mounting. It is mainly useful for users that have private volumes in Samba / Windows NT / Netware servers and need access to them during a Unix session. %package pam_krb5 Update: Fri Oct 03 14:12:29 2008 Importance: security ID: MDVSA-2008:209 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:209 %pre Stéphane Bertin discovered a flaw in the pam_krb5 existing_ticket configuration option where, if enabled and using an existing credential cache, it was possible for a local user to gain elevated privileges by using a different, local user's credential cache (CVE-2008-3825). The updated packages have been patched to prevent this issue. %description This is pam_krb5, a pluggable authentication module that can be used with Linux-PAM and Kerberos 5. This module supports password checking, ticket creation, and optional TGT verification and conversion to Kerberos IV tickets. The included pam_krb5afs module also gets AFS tokens if so configured. %package jay libmono0 libmono-devel mono mono-bytefx-data-mysql mono-data mono-data-firebird mono-data-oracle mono-data-postgresql mono-data-sqlite mono-data-sybase mono-doc mono-extras mono-ibm-data-db2 mono-jscript mono-locale-extras mono-nunit mono-web mono-winforms Update: Fri Oct 03 15:02:07 2008 Importance: security ID: MDVSA-2008:210 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:210 %pre CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue. %description Mono is an implementation of the ECMA Common Language Infrastructure, it contains both a just-in-time compiler for maximum performance, and an interpeter. It can also be used to run programs from the .NET Framework. This package contains the core of the Mono runtime including its Virtual Machine, Just-in-time compiler, C# compiler, security tools and libraries (corlib, XML, System.Security, System.Drawing, ZipLib, I18N, Cairo and Mono.*). %package timezone timezone-java Update: Tue Oct 07 11:32:42 2008 Importance: bugfix ID: MDVA-2008:133 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:133 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package symlinks Update: Thu Oct 09 11:51:20 2008 Importance: bugfix ID: MDVA-2008:140 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:140 %pre The symlinks program did not work on files larger than 2GB, reporting the error Value too large for defined data type. This update fixes this issue in addition to an error where symlinks converted from absolute to relative paths were not shortened (Red Hat bug #89655). %description The symlinks utility performs maintenance on symbolic links. Symlinks checks for symlink problems, including dangling symlinks which point to nonexistent files. Symlinks can also automatically convert absolute symlinks to relative symlinks. Install the symlinks package if you need a program for maintaining symlinks on your system. %package gdb Update: Fri Oct 10 13:09:18 2008 Importance: bugfix ID: MDVA-2008:142 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:142 %pre A bug was found in the gdb package that prevented the build of the gdbserver binary and its manpage. Updated packages are being provided to fix the issue. %description Gdb is a full featured, command driven debugger. Gdb allows you to trace the execution of programs and examine their internal state at any time. Gdb works for C and C++ compiled with the GNU C compiler gcc. If you are going to develop C and/or C++ programs and use the GNU gcc compiler, you may want to install gdb to help you debug your programs. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Fri Oct 10 23:20:09 2008 Importance: security ID: MDVSA-2008:211 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:211 %pre A buffer overflow in the SGI image format decoding routines used by the CUPS image converting filter imagetops was discovered. An attacker could create malicious SGI image files that could possibly execute arbitrary code if the file was printed (CVE-2008-3639). An integer overflow flaw leading to a heap buffer overflow was found in the Text-to-PostScript texttops filter. An attacker could create a malicious text file that could possibly execute arbitrary code if the file was printed (CVE-2008-3640). Finally, an insufficient buffer bounds checking flaw was found in the HP-GL/2-to-PostScript hpgltops filter. An attacker could create a malicious HP-GL/2 file that could possibly execute arbitrary code if the file was printed (CVE-2008-3641). The updated packages have been patched to prevent this issue; for Mandriva Linux 2009.0 the latest CUPS version (1.3.9) is provided that corrects these issues and also provides other bug fixes. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package dbus dbus-x11 libdbus-1_3 libdbus-1_3-devel Update: Wed Oct 15 11:30:03 2008 Importance: security ID: MDVSA-2008:213 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:213 %pre The D-Bus library did not correctly validate certain corrupted signatures which could cause a crash of applications linked against the D-Bus library if a local user were to send a specially crafted D-Bus request (CVE-2008-3834). The updated packages have been patched to prevent this issue. %description D-Bus is a system for sending messages between applications. It is used both for the systemwide message bus service, and as a per-user-login-session messaging facility. %package timezone timezone-java Update: Mon Oct 20 10:32:29 2008 Importance: normal ID: MDVA-2008:151 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:151 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package emacs emacs-common emacs-doc emacs-el emacs-gtk emacs-leim emacs-nox Update: Mon Oct 27 13:05:16 2008 Importance: security ID: MDVSA-2008:216 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:216 %pre A vulnerability was found in how Emacs would import python scripts from the current working directory during the editing of a python file. This could allow a local user to execute arbitrary code via a trojan python file (CVE-2008-3949). %description Emacs-X11 includes the Emacs text editor program for use with the X Window System (it provides support for the mouse and other GUI elements). Emacs-X11 will also run Emacs outside of X, but it has a larger memory footprint than the 'non-X' Emacs package (emacs-nox). Install emacs if you are going to use Emacs with the X Window System. You should also install emacs if you're going to run Emacs both with and without X (it will work fine both ways). You'll also need to install the emacs-common package in order to run Emacs. %package lynx Update: Tue Oct 28 11:58:31 2008 Importance: security ID: MDVSA-2008:218 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:218 %pre A vulnerability was found in the Lynxcgi: URI handler that could allow an attacker to create a web page redirecting to a malicious URL that would execute arbitrary code as the user running Lynx, if they were using the non-default Advanced user mode (CVE-2008-4690). This update corrects these issues and, in addition, makes Lynx always prompt the user before loading a lynxcgi: URI. As well, the default lynx.cfg configuration file marks all lynxcgi: URIs as untrusted. %description This a terminal based WWW browser. While it does not make any attempt at displaying graphics, it has good support for HTML text formatting, forms, and tables. This version includes support for SSL encryption. WARNING: In some countries, it is illegal to export this package. In some countries, it may even be illegal to use it. %package libdha1.0 mencoder mplayer mplayer-doc mplayer-gui Update: Wed Oct 29 14:04:48 2008 Importance: security ID: MDVSA-2008:219 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:219 %pre A vulnerability that was discovered in xine-lib that allowed remote RTSP servers to execute arbitrary code via a large streamid SDP parameter also affects MPlayer (CVE-2008-0073). Several integer overflows were discovered by Felipe Andres Manzano in MPlayer's Real video stream demuxing code. These vulnerabilities could allow an attacker to cause a crash or possibly execute arbitrary code by supplying a malicious crafted video file (CVE-2008-3827). The updated packages have been patched to fix these issues. Note that CVE-2008-3827 was already corrected in the Mandriva Linux 2009 packages. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package libpopt0 libpopt-devel librpm4.4 librpm-devel perl-RPM popt-data python-rpm rpm rpm-build Update: Thu Oct 30 15:57:00 2008 Importance: bugfix ID: MDVA-2008:164 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:164 %pre This update provides Lzma payload support to rpm, which allows for updating to Mandriva Linux 2009 from Mandriva Linux 2008, or allows for creating 2009-based chroots on a 2008-based host. %description RPM is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package like its version, a description, etc. %package libnet-snmp15 libnet-snmp-devel libnet-snmp-static-devel net-snmp net-snmp-mibs net-snmp-trapd net-snmp-utils perl-NetSNMP Update: Wed Nov 05 10:16:28 2008 Importance: security ID: MDVSA-2008:225 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:225 %pre A denial of service vulnerability was discovered in how Net-SNMP processed GETBULK requests. A remote attacker with read access to the SNMP server could issue a specially-crafted request which would cause snmpd to crash (CVE-2008-4309). Please note that for this to be successfully exploited, an attacker must have read access to the SNMP server. By default, the public community name grants read-only access, however it is recommended that the default community name be changed in production. The updated packages have been patched to correct this issue. %description SNMP (Simple Network Management Protocol) is a protocol used for network management. The NET-SNMP project includes various SNMP tools: an extensible agent, an SNMP library, tools for requesting or setting information from SNMP agents, tools for generating and handling SNMP traps, a version of the netstat command which uses SNMP, and a Tk/Perl mib browser. This package contains the snmpd and snmptrapd daemons, documentation, etc. You will probably also want to install the net-snmp-utils package, which contains NET-SNMP utilities. %package ruby ruby-devel ruby-doc ruby-tk Update: Thu Nov 06 12:36:17 2008 Importance: security ID: MDVSA-2008:226 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:226 %pre A denial of service condition was found in Ruby's regular expression engine. If a Ruby script tried to process a large amount of data via a regular expression, it could cause Ruby to enter an infinite loop and crash (CVE-2008-3443). A number of flaws were found in Ruby that could allow an attacker to create a carefully crafted script that could allow for the bypass of certain safe-level restrictions (CVE-2008-3655). A denial of service vulnerability was found in Ruby's HTTP server toolkit, WEBrick. A remote attacker could send a specially-crafted HTTP request to a WEBrick server that would cause it to use an excessive amount of CPU time (CVE-2008-3656). An insufficient taintness check issue was found in Ruby's DL module, a module that provides direct access to the C language functions. This flaw could be used by an attacker to bypass intended safe-level restrictions by calling external C functions with the arguments from an untrusted tainted input (CVE-2008-3657). A denial of service condition in Ruby's XML document parsing module (REXML) could cause a Ruby application using the REXML module to use an excessive amount of CPU and memory via XML documents with large XML entitity definitions recursion (CVE-2008-3790). The Ruby DNS resolver library used predictable transaction IDs and a fixed source port when sending DNS requests. This could be used by a remote attacker to spoof a malicious reply to a DNS query (CVE-2008-3905). The updated packages have been patched to correct these issues. %description Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. %package gnutls libgnutls13 libgnutls-devel Update: Wed Nov 12 16:24:13 2008 Importance: security ID: MDVSA-2008:227 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:227 %pre Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989). The updated packages have been patched to correct this issue. %description GnuTLS is a project that aims to develop a library which provides a secure layer, over a reliable transport layer. %package devhelp devhelp-plugins eclipse-cvs-client eclipse-ecj eclipse-jdt eclipse-pde eclipse-pde-runtime eclipse-platform eclipse-rcp epiphany epiphany-devel galeon gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gksu gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libdevhelp-1_0 libdevhelp-1-devel libmozilla-firefox2.0.0.18 libmozilla-firefox-devel libswt3-gtk2 libtotem-plparser7 libtotem-plparser-devel mozilla-firefox mozilla-firefox-af mozilla-firefox-ar mozilla-firefox-be mozilla-firefox-bg mozilla-firefox-br_FR mozilla-firefox-ca mozilla-firefox-cs mozilla-firefox-da mozilla-firefox-de mozilla-firefox-el mozilla-firefox-en_GB mozilla-firefox-es_AR mozilla-firefox-es_ES mozilla-firefox-et_EE mozilla-firefox-eu mozilla-firefox-ext-blogrovr mozilla-firefox-ext-foxmarks mozilla-firefox-ext-scribefire mozilla-firefox-fi mozilla-firefox-fr mozilla-firefox-fy mozilla-firefox-ga mozilla-firefox-gu_IN mozilla-firefox-he mozilla-firefox-hu mozilla-firefox-it mozilla-firefox-ja mozilla-firefox-ka mozilla-firefox-ko mozilla-firefox-ku mozilla-firefox-lt mozilla-firefox-mk mozilla-firefox-mn mozilla-firefox-nb_NO mozilla-firefox-nl mozilla-firefox-nn_NO mozilla-firefox-pa_IN mozilla-firefox-pl mozilla-firefox-pt_BR mozilla-firefox-pt_PT mozilla-firefox-ro mozilla-firefox-ru mozilla-firefox-sk mozilla-firefox-sl mozilla-firefox-sv_SE mozilla-firefox-tr mozilla-firefox-uk mozilla-firefox-zh_CN mozilla-firefox-zh_TW totem totem-common totem-gstreamer totem-mozilla totem-mozilla-gstreamer yelp Update: Thu Nov 13 17:55:09 2008 Importance: security ID: MDVSA-2008:228 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:228 %pre Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox 2.x, version 2.0.0.18 (CVE-2008-0017, CVE-2008-5012, CVE-2008-5013, CVE-2008-5014, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE-2008-5021, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024, CVE-2008-5052). This update provides the latest Mozilla Firefox 2.x to correct these issues. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package clamav clamav-db clamd libclamav5 libclamav-devel Update: Fri Nov 14 11:35:10 2008 Importance: security ID: MDVSA-2008:229 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:229 %pre An off-by-one error was found in ClamAV versions prior to 0.94.1 that could allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted VBA project file (CVE-2008-5050). Other bugs have also been corrected in 0.94.1 which is being provided with this update. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package gnutls libgnutls13 libgnutls-devel Update: Mon Nov 17 12:39:47 2008 Importance: security ID: MDVSA-2008:227-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:227-1 %pre Martin von Gagern found a flow in how GnuTLS versions 1.2.4 up until 2.6.1 verified certificate chains provided by a server. A malicious server could use this flaw to spoof its identity by tricking client applications that used the GnuTLS library to trust invalid certificates (CVE-2008-4989). Update: It was found that the previously-published patch to correct this issue caused a regression when dealing with self-signed certificates. An updated patch that fixes the security issue and resolves the regression issue has been applied to these packages. %description GnuTLS is a project that aims to develop a library which provides a secure layer, over a reliable transport layer. %package libxml2_2 libxml2-devel libxml2-python libxml2-utils Update: Tue Nov 18 14:38:15 2008 Importance: security ID: MDVSA-2008:231 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:231 %pre Drew Yaro of the Apple Product Security Team found two flaws in libxml2. The first is a denial of service flaw in libxml2's XML parser. If an application linked against libxml2 were to process certain malformed XML content, it cause the application to enter an infinite loop (CVE-2008-4225). The second is an integer overflow that caused a heap-based buffer overflow in libxml2's XML parser. If an application linked against libxml2 were to process certain malformed XML content, it could cause the application to crash or possibly execute arbitrary code (CVE-2008-4226). The updated packages have been patched to correct these issues. %description This library allows you to manipulate XML files. It includes support for reading, modifying and writing XML and HTML files. There is DTDs support: this includes parsing and validation even with complex DtDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or and in-memory DOM-like representations. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules and combined to a URI library. %package kdebase kdebase-common kdebase-devel-doc kdebase-kate kdebase-kdeprintfax kdebase-kdm kdebase-kmenuedit kdebase-konsole kdebase-ksysguard kdebase-nsplugins kdebase-progs kdebase-session-plugins libkdebase4 libkdebase4-devel libkdebase4-kate libkdebase4-kmenuedit libkdebase4-konsole Update: Wed Nov 19 13:16:22 2008 Importance: bugfix ID: MDVA-2008:172 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:172 %pre The kdeeject command did not work, which resulted in a user being able to unmount, but not eject, removable devices. This package update corrects the issue. %description Core applications for the K Desktop Environment. Here is an overview of the directories: - drkonqi: if ever an app crashes (heaven forbid!) then Dr.Konqi will be so kind and make a stack trace. This is a great help for the developers to fix the bug. - kappfinder: searches your hard disk for non-KDE applications, e.g. Acrobat Reader (tm) and installs those apps under the K start button - kate: a fast and advanced text editor with nice plugins - kcheckpass: small program to enter and check passwords, only to be used by other programs - kcontrol: the KDE Control Center allows you to tweak the KDE settings - kdcop: GUI app to browse for DCOP interfaces, can also execute them - kdebugdialog: allows you to specify which debug messages you want to see - kdeprint: the KDE printing system - kdesktop: you guessed it: the desktop above the panel - kdesu: a graphical front end to "su" - kdm: replacement for XDM, for those people that like graphical logins - kfind: find files - khelpcenter: the app to read all great documentation about KDE - khotkeys: intercepts keys and can call applications - kicker: the panel at the botton with the K start button and the taskbar etc - kioslave: infrastructure that helps make every application internet enabled e.g. to directly save a file to ftp://place.org/dir/file.txt - klipper: enhances and extenses the X clipboard - kmenuedit: edit for the menu below the K start button - konqueror: the file manager and web browser you get easily used to - kpager: applet to show the contents of the virtual desktops - kpersonalizer: the customization wizard you get when you first start KDE - kreadconfig: a tool for shell scripts to get info from KDE's config files - kscreensaver: the KDE screensaver environment and lot's of savers - ksmserver: the KDE session manager (saves program status on login, restarts those program at the next login) - ksplash: the screen displayed while KDE starts - kstart: to launch applications with special window properties such as iconified etc - ksysguard: task manager and system monitor, even for remote systems - ksystraycmd: allows to run any application in the system tray - ktip: gives you tips how to use KDE - kwin: the KDE window manager - kxkb: a keyboard map tool - legacyimport: odd name for a cute program to load GTK themes - libkonq: some libraries needed by Konqueror - nsplugins: together with OSF/Motif or Lesstif allows you to use Netscape (tm) plugins in Konqueror %package dkms-lirc dkms-lirc-gpio dkms-lirc-parallel liblirc0 liblirc0-devel lirc Update: Thu Nov 20 14:45:27 2008 Importance: bugfix ID: MDVA-2008:177 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:177 %pre The LIRC packages included with Mandriva Linux 2008 and Mandriva Linux 2008 Spring did not include the 'commandir' module, which is necessary (along with the 'lirc_cmdir' module) to properly support CommandIR remote controls. These updated packages do include the module. %description LIRC is a package that allows you to decode and send infra-red signals of many (but not all) commonly used remote controls. Configuration files for many remotes are locate in lirc-remotes package %package vim-common vim-enhanced vim-minimal vim-X11 Update: Wed Dec 03 17:57:24 2008 Importance: security ID: MDVSA-2008:236 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:236 %pre Several vulnerabilities were found in the vim editor: A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf Härnhammar of Secunia Research found a format string flaw in vim's help tags processor. If a user were tricked into executing the helptags command on malicious data, it could result in the execution of arbitrary code as the user running vim (CVE-2008-2953). A flaw was found in how tar.vim handled TAR archive browsing. If a user were to open a special TAR archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3074). A flaw was found in how zip.vim handled ZIP archive browsing. If a user were to open a special ZIP archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3075). A number of security flaws were found in netrw.vim, the vim plugin that provides the ability to read and write files over the network. If a user opened a specially crafted file or directory with the netrw plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3076). A number of input validation flaws were found in vim's keyword and tag handling. If vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitary code as the user running vim (CVE-2008-4101). A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677). This update provides vim 7.2 (patchlevel 65) which corrects all of these issues and introduces a number of new features and bug fixes. %description VIM (VIsual editor iMproved) is an updated and improved version of the vi editor. Vi was the first real screen-based editor for UNIX, and is still very popular. VIM improves on vi by adding new features: multiple windows, multi-level undo, block highlighting and more. The vim-common package contains files which every VIM binary will need in order to run. %package libsamplerate0 libsamplerate-devel libsamplerate-progs Update: Thu Dec 04 15:18:28 2008 Importance: security ID: MDVSA-2008:238 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:238 %pre A buffer overflow was found by Russell O'Conner in the libsamplerate library versions prior to 0.1.4 that could possibly lead to the execution of arbitrary code via a specially crafted audio file (CVE-2008-5008). The updated packages have been patched to prevent this issue. %description Secret Rabbit Code (aka libsamplerate) is a Sample Rate Converter for audio. One example of where such a thing would be useful is converting audio from the CD sample rate of 44.1kHz to the 48kHz sample rate used by DAT players. SRC is capable of arbitrary and time varying conversions ; from downsampling by a factor of 12 to upsampling by the same factor. Arbitrary in this case means that the ratio of input and output sample rates can be an irrational number. The conversion ratio can also vary with time for speeding up and slowing down effects. SRC provides a small set of converters to allow quality to be traded off against computation cost. The current best converter provides a signal-to-noise ratio of 97dB with -3dB passband extending from DC to 96% of the theoretical best bandwidth for a given pair of input and output sample rates. %package clamav clamav-db clamd libclamav5 libclamav-devel Update: Fri Dec 05 16:22:59 2008 Importance: security ID: MDVSA-2008:239 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:239 %pre Ilja van Sprundel found that ClamAV contained a denial of service vulnerability in how it handled processing JPEG files, due to it not limiting the recursion depth when processing JPEG thumbnails (CVE-2008-5314). Other bugs have also been corrected in 0.94.2 which is being provided with this update. %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package vim-common vim-enhanced vim-minimal vim-X11 Update: Mon Dec 08 16:18:52 2008 Importance: security ID: MDVSA-2008:236-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:236-1 %pre Several vulnerabilities were found in the vim editor: A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf Härnhammar of Secunia Research found a format string flaw in vim's help tags processor. If a user were tricked into executing the helptags command on malicious data, it could result in the execution of arbitrary code as the user running vim (CVE-2008-2953). A flaw was found in how tar.vim handled TAR archive browsing. If a user were to open a special TAR archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3074). A flaw was found in how zip.vim handled ZIP archive browsing. If a user were to open a special ZIP archive using the plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3075). A number of security flaws were found in netrw.vim, the vim plugin that provides the ability to read and write files over the network. If a user opened a specially crafted file or directory with the netrw plugin, it could result in the execution of arbitrary code as the user running vim (CVE-2008-3076). A number of input validation flaws were found in vim's keyword and tag handling. If vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitary code as the user running vim (CVE-2008-4101). A vulnerability was found in certain versions of netrw.vim where it would send FTP credentials stored for an FTP session to subsequent FTP sessions to servers on different hosts, exposing FTP credentials to remote hosts (CVE-2008-4677). This update provides vim 7.2 (patchlevel 65) which corrects all of these issues and introduces a number of new features and bug fixes. Update: The previous vim update incorrectly introduced a requirement on libruby and also conflicted with a file from the git-core package (in contribs). These issues have been corrected with these updated packages. %description VIM (VIsual editor iMproved) is an updated and improved version of the vi editor. Vi was the first real screen-based editor for UNIX, and is still very popular. VIM improves on vi by adding new features: multiple windows, multi-level undo, block highlighting and more. The vim-common package contains files which every VIM binary will need in order to run. %package timezone timezone-java Update: Tue Dec 09 10:34:23 2008 Importance: normal ID: MDVA-2008:195 URL: http://www.mandriva.com/security/advisories?name=MDVA-2008:195 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package enscript Update: Mon Dec 15 13:14:34 2008 Importance: security ID: MDVSA-2008:243 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2008:243 %pre Two buffer overflow vulnerabilities were discovered in GNU enscript, which could allow an attacker to execute arbitrary commands via a specially crafted ASCII file, if the file were opened with the -e or --escapes option enabled (CVE-2008-3863, CVE-2008-4306). The updated packages have been patched to prevent these issues. %description GNU enscript is a free replacement for Adobe's Enscript program. Enscript converts ASCII files to PostScript(TM) and spools generated PostScript output to the specified printer or saves it to a file. Enscript can be extended to handle different output media and includes many options for customizing printouts. %package dos2unix Update: Wed Jan 07 12:38:47 2009 Importance: bugfix ID: MDVA-2009:001-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:001-1 %pre The dos2unix command removes the last line of a file if no newline character(s) follow. This package fixes the issue. Update: This update now provides corrected packages for Mandriva Linux 2008.x and Corporate Server 4.0. %description hd2u is "Hany's Dos2Unix converter". It provides 'dos2unix'. 'dos2unix' is filter used to convert DOS-style EOLs to UNIX-style EOLs and vice versa (EOL - End Of Line character). %package libopenssl0.9.8 libopenssl0.9.8-devel libopenssl0.9.8-static-devel openssl Update: Thu Jan 08 18:02:16 2009 Importance: security ID: MDVSA-2009:001 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:001 %pre A vulnerability was found by the Google Security Team with how OpenSSL checked the verification of certificates. An attacker in control of a malicious server or able to effect a man-in-the-middle attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, which would then bypass the certificate validation (CVE-2008-5077). The updated packages have been patched to prevent this issue. %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). %package libpython2.5 libpython2.5-devel python python-base python-docs tkinter tkinter-apps Update: Fri Jan 09 15:01:00 2009 Importance: security ID: MDVSA-2009:003 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:003 %pre Multiple integer overflows in imageop.c in the imageop module in Python 1.5.2 through 2.5.1 allow context-dependent attackers to break out of the Python VM and execute arbitrary code via large integer values in certain arguments to the crop function, leading to a buffer overflow, a different vulnerability than CVE-2007-4965 and CVE-2008-1679. (CVE-2008-4864) Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown impact via a large integer value in the tabsize argument to the expandtabs method, as implemented by (1) the string_expandtabs function in Objects/stringobject.c and (2) the unicode_expandtabs function in Objects/unicodeobject.c. NOTE: this vulnerability reportedly exists because of an incomplete fix for CVE-2008-2315. (CVE-2008-5031) The updated Python packages have been patched to correct these issues. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. %package pam_mount pam_mount-devel Update: Fri Jan 09 18:35:06 2009 Importance: security ID: MDVSA-2009:004 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:004 %pre passwdehd script in pam_mount would allow local users to overwrite arbitrary files via a symlink attack on a temporary file. The updated packages have been patched to prevent this. %description Pam_mount is a PAM module that allows dynamic remote volume mounting. It is mainly useful for users that have private volumes in Samba / Windows NT / Netware servers and need access to them during a Unix session. %package bind bind-devel bind-utils Update: Fri Jan 09 22:20:40 2009 Importance: security ID: MDVSA-2009:002 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:002 %pre A flaw was found in how BIND checked the return value of the OpenSSL DSA_do_verify() function. On systems that use DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, which would allow for spoofing attacks (CVE-2009-0025). The updated packages have been patched to prevent this issue. %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. Install the bind package if you need a DNS server for your network. If you want bind to act a caching name server, you will also need to install the caching-nameserver package. Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the \$GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details Support for building single-threaded servers for environments that do not supply POSIX threads New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit" Faster lookups, particularly in large zones. Build Options: --without sdb_ldap Build without ldap simple database support (enabled per default) --with sdb_mysql Build with MySQL database support (disables ldap support, it's either way.) --with geoip Build with GeoIP support (disabled per default) %package xterm Update: Sun Jan 11 17:05:42 2009 Importance: security ID: MDVSA-2009:005 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:005 %pre A vulnerability has been discovered in xterm, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to xterm not properly processing the DECRQSS Device Control Request Status String escape sequence. This can be exploited to inject and execute arbitrary shell commands by e.g. tricking a user into displaying a malicious text file containing a specially crafted escape sequence via the more command in xterm (CVE-2008-2383). The updated packages have been patched to prevent this. %description The XTerm program is the standard terminal emulator for the X Window System. It provides DEC VT102/VT220 and Tektronix 4014 compatible terminals for programs that can't use the window system directly. If the underlying operating system supports terminal resizing capabilities (for example, the SIGWINCH signal in systems derived from 4.3bsd), xterm will use the facilities to notify programs running in the window whenever it is resized. The xterm included in this package has support for 256 colors enabled. %package openoffice.org openoffice.org-devel openoffice.org-devel-doc openoffice.org-galleries openoffice.org-gnome openoffice.org-kde openoffice.org-l10n-af openoffice.org-l10n-ar openoffice.org-l10n-bg openoffice.org-l10n-br openoffice.org-l10n-bs openoffice.org-l10n-ca openoffice.org-l10n-cs openoffice.org-l10n-cy openoffice.org-l10n-da openoffice.org-l10n-de openoffice.org-l10n-el openoffice.org-l10n-en_GB openoffice.org-l10n-es openoffice.org-l10n-et openoffice.org-l10n-eu openoffice.org-l10n-fi openoffice.org-l10n-fr openoffice.org-l10n-he openoffice.org-l10n-hi openoffice.org-l10n-hu openoffice.org-l10n-it openoffice.org-l10n-ja openoffice.org-l10n-ko openoffice.org-l10n-mk openoffice.org-l10n-nb openoffice.org-l10n-nl openoffice.org-l10n-nn openoffice.org-l10n-pl openoffice.org-l10n-pt openoffice.org-l10n-pt_BR openoffice.org-l10n-ru openoffice.org-l10n-sk openoffice.org-l10n-sl openoffice.org-l10n-sv openoffice.org-l10n-ta openoffice.org-l10n-tr openoffice.org-l10n-zh_CN openoffice.org-l10n-zh_TW openoffice.org-l10n-zu openoffice.org-mono openoffice.org-ooqstart Update: Tue Jan 13 06:37:49 2009 Importance: security ID: MDVSA-2009:006 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:006 %pre Heap-based overflow on functions to manipulate WMF and EMF files in OpenOffice.org documments enables remote attackers to execute arbitrary code on documments holding certain crafted either WMF or EMF files (CVE-2008-2237) (CVE-2008-2238). This update provide the fix for these security issues and further openoffice.org-voikko package has been updated as it depends on openoffice.org packages. %description OpenOffice.org is an Open Source, community-developed, multi-platform office productivity suite. It includes the key desktop applications, such as a word processor, spreadsheet, presentation manager, formula editing and drawing program, with a user interface and feature set similar to other office suites. Sophisticated and flexible, OpenOffice.org also works transparently with a variety of file formats, including Microsoft Office. %package ntp ntp-client ntp-doc Update: Tue Jan 13 15:27:30 2009 Importance: security ID: MDVSA-2009:007 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:007 %pre A flaw was found in how NTP checked the return value of signature verification. A remote attacker could use this to bypass certificate validation by using a malformed SSL/TLS signature (CVE-2009-0021). The updated packages have been patched to prevent this issue. %description The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. The ntp package contains utilities and daemons which will synchronize your computer's time to Coordinated Universal Time (UTC) via the NTP protocol and NTP servers. Ntp includes ntpdate (a program for retrieving the date and time from remote machines via a network) and ntpd (a daemon which continuously adjusts system time). Install the ntp package if you need tools for keeping your system's time synchronized via the NTP protocol. Note: Primary, original, big, HTML documentation, is in the package ntp-doc. %package dkms-kqemu qemu qemu-img Update: Tue Jan 13 21:02:45 2009 Importance: security ID: MDVSA-2009:010 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:010 %pre A security vulnerability have been discovered and corrected in VNC server of qemu 0.9.1 and earlier, which could lead to a denial-of-service attack (CVE-2008-2382). The updated packages have been patched to prevent this. %description QEMU is a FAST! processor emulator. By using dynamic translation it achieves a reasonnable speed while being easy to port on new host CPUs. QEMU has two operating modes: * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. Linux system calls are converted because of endianness and 32/64 bit mismatches. Wine (Windows emulation) and DOSEMU (DOS emulation) are the main targets for QEMU. * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherials. Currently, it is only used to launch an x86 Linux kernel on an x86 Linux system. It enables easier testing and debugging of system code. It can also be used to provide virtual hosting of several virtual PC on a single server. This QEMU package provides support for KQEMU, the QEMU Accelerator module. This QEMU package provides support for KVM (Kernel-based Virtual Machine), a full virtualization solution for Linux on x86 hardware containing virtualization extensions (AMD-v or Intel VT). %package dkms-vboxadd dkms-vboxvfs dkms-virtualbox virtualbox virtualbox-guest-additions x11-driver-input-vboxmouse x11-driver-video-vboxvideo Update: Wed Jan 14 16:11:47 2009 Importance: security ID: MDVSA-2009:011 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:011 %pre A vulnerability have been discovered and corrected in VirtualBox, affecting versions prior to 2.0.6, which allows local users to overwrite arbitrary files via a symlink attack on a /tmp/.vbox-qateam-ipc/lock temporary file (CVE-2008-5256). The updated packages have been patched to prevent this. %description VirtualBox Open Source Edition (OSE) is a general-purpose full virtualizer for x86 hardware. %package libdha1.0 mencoder mplayer mplayer-doc mplayer-gui Update: Thu Jan 15 18:11:19 2009 Importance: security ID: MDVSA-2009:014 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:014 %pre Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866). The updated packages have been patched to prevent this. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package libdha1.0 mencoder mplayer mplayer-doc mplayer-gui Update: Thu Jan 15 18:12:02 2009 Importance: security ID: MDVSA-2009:014 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:014 %pre Several vulnerabilities have been discovered in mplayer, which could allow remote attackers to execute arbitrary code via a malformed TwinVQ file (CVE-2008-5616), and in ffmpeg, as used by mplayer, related to the execution of DTS generation code (CVE-2008-4866). The updated packages have been patched to prevent this. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package ffmpeg libavformats51 libavutil49 libffmpeg51 libffmpeg51-devel libffmpeg51-static-devel Update: Thu Jan 15 18:39:57 2009 Importance: security ID: MDVSA-2009:015 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:015 %pre Several vulnerabilities have been discovered in ffmpeg, related to the execution of DTS generation code (CVE-2008-4866) and incorrect handling of DCA_MAX_FRAME_SIZE value (CVE-2008-4867). The updated packages have been patched to prevent this. %description ffmpeg is a hyper fast realtime audio/video encoder, a streaming server and a generic audio and video file converter. It can grab from a standard Video4Linux video source and convert it into several file formats based on DCT/motion compensation encoding. Sound is compressed in MPEG audio layer 2 or using an AC3 compatible stream. %package imlib2-data libimlib2_1 libimlib2_1-filters libimlib2_1-loaders libimlib2-devel Update: Mon Jan 19 09:08:11 2009 Importance: security ID: MDVSA-2009:019 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:019 %pre A vulnerability have been discovered in the load function of the XPM loader for imlib2, which allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XPM file (CVE-2008-5187). The updated packages have been patched to prevent this. %description Imlib2 is an advanced replacement library for libraries like libXpm that provides many more features with much greater flexibility and speed than standard libraries, including font rasterization, rotation, RGBA space rendering and blending, dynamic binary filters, scripting, and more. Build Options: --with mmx Enable mmx cpu detection (10% - 30% speedup) %package libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-dbase php-devel php-dom php-exif php-fcgi php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-json php-ldap php-mbstring php-mcrypt php-mhash php-mime_magic php-ming php-mssql php-mysql php-mysqli php-ncurses php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zlib Update: Wed Jan 21 13:28:09 2009 Importance: security ID: MDVSA-2009:022 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:022 %pre A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. %package cups cups-common cups-serial libcups2 libcups2-devel php-cups Update: Sat Jan 24 09:40:01 2009 Importance: security ID: MDVSA-2009:028 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:028 %pre Security vulnerabilities have been discovered and corrected in CUPS. CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow (CVE-2008-5286). CUPS shipped with Mandriva Linux allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file (CVE-2009-0032). The updated packages have been patched to prevent this. %description CUPS 1.2 is fully compatible with CUPS-1.1 machines in the network and with software built against CUPS-1.1 libraries. The Common Unix Printing System provides a portable printing layer for UNIX(TM) operating systems. It has been developed by Easy Software Products to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces. This is the main package needed for CUPS servers (machines where a printer is connected to or which host a queue for a network printer). It can also be used on CUPS clients so that they simply pick up broadcasted printer information from other CUPS servers and do not need to be assigned to a specific CUPS server by an /etc/cups/client.conf file. %package avahi avahi-dnsconfd avahi-python avahi-sharp avahi-sharp-doc avahi-x11 libavahi-client3 libavahi-client3-devel libavahi-common3 libavahi-common3-devel libavahi-compat-howl0 libavahi-compat-howl0-devel libavahi-compat-libdns_sd1 libavahi-compat-libdns_sd1-devel libavahi-core5 libavahi-core5-devel libavahi-glib1 libavahi-glib1-devel libavahi-qt3_1 libavahi-qt3_1-devel libavahi-qt4_1 libavahi-qt4_1-devel libavahi-ui1 libavahi-ui1-devel Update: Fri Jan 30 18:31:00 2009 Importance: security ID: MDVSA-2009:031 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:031 %pre A vulnerability has been discovered in Avahi before 0.6.24, which allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0 (CVE-2008-5081). The updated packages have been patched to prevent this. %description Avahi is a system which facilitates service discovery on a local network -- this means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. This kind of technology is already found in MacOS X (branded 'Rendezvous', 'Bonjour' and sometimes 'ZeroConf') and is very convenient. %package avahi avahi-dnsconfd avahi-python avahi-sharp avahi-sharp-doc avahi-x11 libavahi-client3 libavahi-client3-devel libavahi-common3 libavahi-common3-devel libavahi-compat-howl0 libavahi-compat-howl0-devel libavahi-compat-libdns_sd1 libavahi-compat-libdns_sd1-devel libavahi-core5 libavahi-core5-devel libavahi-glib1 libavahi-glib1-devel libavahi-qt3_1 libavahi-qt3_1-devel libavahi-qt4_1 libavahi-qt4_1-devel libavahi-ui1 libavahi-ui1-devel Update: Fri Jan 30 18:32:05 2009 Importance: security ID: MDVSA-2009:031 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:031 %pre A vulnerability has been discovered in Avahi before 0.6.24, which allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0 (CVE-2008-5081). The updated packages have been patched to prevent this. %description Avahi is a system which facilitates service discovery on a local network -- this means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. This kind of technology is already found in MacOS X (branded 'Rendezvous', 'Bonjour' and sometimes 'ZeroConf') and is very convenient. %package sudo Update: Wed Feb 04 12:38:11 2009 Importance: security ID: MDVSA-2009:033 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:033 %pre A vulnerability has been identified in sudo which allowed - depending on the sudoers rules - a sudo-user to execute arbitrary shell commands as root (CVE-2009-0034). The updated packages have been patched to prevent this. %description Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. %package clamav clamav-db clamav-milter clamd libclamav5 libclamav-devel Update: Fri Feb 06 18:27:24 2009 Importance: bugfix ID: MDVA-2009:018 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:018 %pre This update fixes several issues with clamav: - update unexpectely changes location of clamd socket (#46459) - clamav-milter was not built (#46555) - Clamav-milter wanted to remove postfix (#46556) %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package clamav clamav-db clamav-milter clamd libclamav5 libclamav-devel Update: Fri Feb 06 18:35:52 2009 Importance: bugfix ID: MDVA-2009:018 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:018 %pre This update fixes several issues with clamav: - update unexpectely changes location of clamd socket (#46459) - clamav-milter was not built (#46555) - Clamav-milter wanted to remove postfix (#46556) %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package clamav clamav-db clamav-milter clamd libclamav5 libclamav-devel Update: Fri Feb 06 18:47:01 2009 Importance: bugfix ID: MDVA-2009:018 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:018 %pre This update fixes several issues with clamav: - update unexpectely changes location of clamd socket (#46459) - clamav-milter was not built (#46555) - Clamav-milter wanted to remove postfix (#46556) - Scanning mail with clamav leaves a big temporary folder (#46642) - Build fails if invoked with --with milter, in a configure stage (#46554) - Jpeg parsing denial-of-service crash in clamav 0.94-1 and earlier (#46199) %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package gstreamer0.10-aalib gstreamer0.10-caca gstreamer0.10-dv gstreamer0.10-esound gstreamer0.10-flac gstreamer0.10-plugins-good gstreamer0.10-raw1394 gstreamer0.10-speex gstreamer0.10-wavpack Update: Wed Feb 11 02:07:54 2009 Importance: security ID: MDVSA-2009:035 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:035 %pre Security vulnerabilities have been discovered and corrected in gstreamer0.10-plugins-good, might allow remote attackers to execute arbitrary code via a malformed QuickTime media file (CVE-2009-0386, CVE-2009-0387, CVE-2009-0397). The updated packages have been patched to prevent this. %description GStreamer is a streaming-media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plug-ins. This package contains a set of plug-ins that are considered to have good quality code, correct functionality, the preferred license (LGPL for the plug-in code, LGPL or LGPL-compatible for the supporting library). People writing elements should base their code on these elements. %package glibc glibc-devel glibc-doc glibc-doc-pdf glibc-i18ndata glibc-profile glibc-static-devel glibc-utils nscd Update: Thu Feb 12 02:40:25 2009 Importance: bugfix ID: MDVA-2009:019 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:019 %pre The glibc packages released with Mandriva Linux 2008 and Mandriva Linux 2008 Spring had the /etc/ld.so.conf file using relative paths to include other config files at /etc/ld.so.conf.d, breaking usage of ldconfig -r, for example when you have chroot environments. This update fixes ld.so.conf to use absolute paths instead. Also, other cumulative bug fixes are provided. %description The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. The glibc package also contains national language (locale) support. This package now also provides ldconfig which was package seperately in the past. Ldconfig is a basic system program which determines run-time link bindings between ld.so and shared libraries. Ldconfig scans a running system and sets up the symbolic links that are used to load shared libraries properly. It also creates a cache (/etc/ld.so.cache) which speeds the loading of programs which use shared libraries. %package bind bind-devel bind-utils Update: Mon Feb 16 11:41:32 2009 Importance: security ID: MDVSA-2009:037 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:037 %pre Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. In this particular case the DSA_verify function was fixed with MDVSA-2009:002, this update does however address the RSA_verify function (CVE-2009-0265). %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. Install the bind package if you need a DNS server for your network. If you want bind to act a caching name server, you will also need to install the caching-nameserver package. Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the \$GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details Support for building single-threaded servers for environments that do not supply POSIX threads New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit" Faster lookups, particularly in large zones. Build Options: --without sdb_ldap Build without ldap simple database support (enabled per default) --with sdb_mysql Build with MySQL database support (disables ldap support, it's either way.) --with geoip Build with GeoIP support (disabled per default) %package jhead Update: Tue Feb 17 16:13:05 2009 Importance: security ID: MDVSA-2009:041 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:041 %pre Security vulnerabilies have been identified and fixed in jhead. Buffer overflow in the DoCommand function in jhead before 2.84 might allow context-dependent attackers to cause a denial of service (crash) (CVE-2008-4575). Jhead before 2.84 allows local users to overwrite arbitrary files via a symlink attack on a temporary file (CVE-2008-4639). Jhead 2.84 and earlier allows local users to delete arbitrary files via vectors involving a modified input filename (CVE-2008-4640). jhead 2.84 and earlier allows attackers to execute arbitrary commands via shell metacharacters in unspecified input (CVE-2008-4641). This update provides the latest Jhead to correct these issues. %description Most digital cameras produce EXIF files, which are JPEG files with extra tags that contain information about the image. In contrary to the tools "exif" and "gexif" (and all other libexif-based tools as "gphoto2") this tool gives a much easier readable summary of camera settings (shutter speed in 1/x sec, focal length (also the 35-mm camera equivalent), focal distance, ...), EXIF header manipulation as stripping off the thumbnail and other info not needed, stripping off the complete header, applying arbitrary conversion tools to the JPEG image and conserving the header, renaming JPEG images with the capture date stored in the header, and even turning the images upright when the camera has an orientation sensor (as Canon Digital IXUS 400) ... The tool is very compact, the executable has only a size of around 35 kb, the whole package (with documentation) occupies 60 kb. See /usr/share/doc/jhead-2.86/usage.html for how to use this program. %package apache-mod_php libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-dbase php-devel php-dom php-exif php-fcgi php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-json php-ldap php-mbstring php-mcrypt php-mhash php-mime_magic php-ming php-mssql php-mysql php-mysqli php-ncurses php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zlib Update: Fri Feb 20 18:31:37 2009 Importance: security ID: MDVSA-2009:045 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:045 %pre A number of vulnerabilities have been found and corrected in PHP: improve mbfl_filt_conv_html_dec_flush() error handling in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c (CVE-2008-5557). Additionally on Mandriva Linux 2009.0 and up the php-mbstring module is linked against a separate shared libmbfl library that also have been patched to address CVE-2008-5557. Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences. (CVE-2008-5658) make sure the page_uid and page_gid get initialized properly in ext/standard/basic_functions.c. Also, init server_context before processing config variables in sapi/apache/mod_php5.c (CVE-2008-5624). enforce restrictions when merging in dir entry in sapi/apache/mod_php5.c and sapi/apache2handler/apache_config.c (CVE-2008-5625). On 2008.1, 2009.0 and cooker (2009.1) seen on x86_64 and with the latest phpmyadmin 3.1.2 software made apache+php segfault (#26274, #45864). This problem has been addressed by using -O0 for compiler optimization and by using -fno-strict-aliasing. Either the bug is in php and/or in gcc 4.3.2. Preferable just make it work as expected for now. In addition, the updated packages provide a number of bug fixes. The updated packages have been patched to correct these issues. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. %package pycrypto Update: Fri Feb 20 21:37:42 2009 Importance: security ID: MDVSA-2009:049 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:049 %pre A vulnerability have been discovered and corrected in PyCrypto ARC2 module 2.0.1, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large ARC2 key length (CVE-2009-0544). The updated packages have been patched to prevent this. %description The Toolkit is a collection of cryptographic algorithms and protocols, implemented for use from Python. The current release is 1.9alpha6. Among the contents of the package: * Hash functions: MD2, MD4, RIPEMD. * Block encryption algorithms: AES, ARC2, Blowfish, CAST, DES, Triple- DES, IDEA, RC5. * Stream encryption algorithms: ARC4, simple XOR. * Public-key algorithms: RSA, DSA, ElGamal, qNEW. * Protocols: All-or-nothing transforms, chaffing/winnowing. * Miscellaneous: RFC1751 module for converting 128-key keys into a set of English words, primality testing. * Some demo programs (currently all quite old and outdated). %package libpng3 libpng-devel libpng-source libpng-static-devel Update: Mon Feb 23 18:18:13 2009 Importance: security ID: MDVSA-2009:051 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:051 %pre A number of vulnerabilities have been found and corrected in libpng: Fixed 1-byte buffer overflow in pngpread.c (CVE-2008-3964). This was allready fixed in Mandriva Linux 2009.0. Fix the function png_check_keyword() that allowed setting arbitrary bytes in the process memory to 0 (CVE-2008-5907). Fix a potential DoS (Denial of Service) or to potentially compromise an application using the library (CVE-2009-0040). The updated packages have been patched to prevent this. %description The libpng package contains a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. PNG is a bit-mapped graphics format similar to the GIF format. PNG was created to replace the GIF format, since GIF uses a patented data compression algorithm. Libpng should be installed if you need to manipulate PNG format image files. %package pycrypto Update: Mon Feb 23 21:52:17 2009 Importance: security ID: MDVSA-2009:049-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:049-1 %pre A vulnerability have been discovered and corrected in PyCrypto ARC2 module 2.0.1, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large ARC2 key length (CVE-2009-0544). The updated packages have been patched to prevent this. Update: The previous update package was not signed. %description The Toolkit is a collection of cryptographic algorithms and protocols, implemented for use from Python. The current release is 1.9alpha6. Among the contents of the package: * Hash functions: MD2, MD4, RIPEMD. * Block encryption algorithms: AES, ARC2, Blowfish, CAST, DES, Triple- DES, IDEA, RC5. * Stream encryption algorithms: ARC4, simple XOR. * Public-key algorithms: RSA, DSA, ElGamal, qNEW. * Protocols: All-or-nothing transforms, chaffing/winnowing. * Miscellaneous: RFC1751 module for converting 128-key keys into a set of English words, primality testing. * Some demo programs (currently all quite old and outdated). %package vim-common vim-enhanced vim-minimal vim-X11 Update: Tue Feb 24 14:13:08 2009 Importance: security ID: MDVSA-2009:047-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:047-1 %pre Python has a variable called sys.path that contains all paths where Python loads modules by using import scripting procedure. A wrong handling of that variable enables local attackers to execute arbitrary code via Python scripting in the current Vim working directory (CVE-2009-0316). This update provides fix for that vulnerability. Update: This update also provides updated packages for Mandriva Linux 2008.0. %description VIM (VIsual editor iMproved) is an updated and improved version of the vi editor. Vi was the first real screen-based editor for UNIX, and is still very popular. VIM improves on vi by adding new features: multiple windows, multi-level undo, block highlighting and more. The vim-common package contains files which every VIM binary will need in order to run. %package php-smarty php-smarty-manual Update: Tue Feb 24 17:43:02 2009 Importance: security ID: MDVSA-2009:052 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:052 %pre A vulnerability has been identified and corrected in php-smarty: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka php executed in templates %description Smarty is a template engine for PHP. More specifically, it facilitates a manageable way to separate application logic and content from its presentation. This is best described in a situation where the application programmer and the template designer play different roles, or in most cases are not the same person. For example, let's say you are creating a web page that is displaying a newspaper article. The article headline, tagline, author and body are content elements, they contain no information about how they will be presented. They are passed into Smarty by the application, then the template designer edits the templates and uses a combination of HTML tags and template tags to format the presentation of these elements (HTML tables, background colors, font sizes, style sheets, etc.) One day the programmer needs to change the way the article content is retrieved (a change in application logic.) This change does not affect the template designer, the content will still arrive in the template exactly the same. Likewise, if the template designer wants to completely redesign the templates, this requires no changes to the application logic. Therefore, the programmer can make changes to the application logic without the need to restructure templates, and the template designer can make changes to templates without breaking application logic. %package audacity Update: Wed Feb 25 17:02:50 2009 Importance: security ID: MDVSA-2009:055 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:055 %pre A vulnerability has been identified and corrected in audacity: Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string (CVE-2009-0490). The updated packages have been patched to prevent this. %description Audacity is a program that lets you manipulate digital audio waveforms. In addition to letting you record sounds directly from within the program, it imports many sound file formats, including WAV, AIFF, MP3 and Ogg/Vorbis. It supports all common editing operations such as Cut, Copy, and Paste, plus it will mix tracks and let you apply plug-in effects to any part of a sound. It also has a built-in amplitude envelope editor, a customizable spectrogram mode and a frequency analysis window for audio analysis applications. %package valgrind Update: Thu Feb 26 13:29:48 2009 Importance: security ID: MDVSA-2009:057 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:057 %pre A vulnerability has been identified and corrected in valgrind: Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario. (CVE-2008-4865) The updated packages have been patched to prevent this. %description When a program is run under Valgrind's supervision, all reads and writes of memory are checked, and calls to malloc/new/free/delete are intercepted. As a result, Valgrind can detect problems such as: * Use of uninitialised memory * Reading/writing memory after it has been free'd * Reading/writing off the end of malloc'd blocks * Reading/writing inappropriate areas on the stack * Memory leaks -- where pointers to malloc'd blocks are lost forever * Passing of uninitialised and/or unaddressible memory to system calls * Mismatched use of malloc/new/new [] vs free/delete/delete [] %package nfs-utils nfs-utils-clients Update: Fri Feb 27 22:38:13 2009 Importance: security ID: MDVSA-2009:060 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:060 %pre A security vulnerability has been identified and fixed in nfs-utils, which caused TCP Wrappers to ignore netgroups and allows remote attackers to bypass intended access restrictions (CVE-2008-4552). The updated packages have been patched to prevent this. %description The nfs-utils package provides a daemon for the kernel NFS server and related tools, which provides a much higher level of performance than the traditional Linux NFS server used by most users. This package also contains the showmount program. Showmount queries the mount daemon on a remote host for information about the NFS (Network File System) server on the remote host. For example, showmount can display the clients which are mounted on that host. %package proftpd proftpd-devel proftpd-mod_autohost proftpd-mod_ban proftpd-mod_case proftpd-mod_ctrls_admin proftpd-mod_gss proftpd-mod_ifsession proftpd-mod_ldap proftpd-mod_load proftpd-mod_quotatab proftpd-mod_quotatab_file proftpd-mod_quotatab_ldap proftpd-mod_quotatab_radius proftpd-mod_quotatab_sql proftpd-mod_radius proftpd-mod_ratio proftpd-mod_rewrite proftpd-mod_shaper proftpd-mod_site_misc proftpd-mod_sql proftpd-mod_sql_mysql proftpd-mod_sql_postgres proftpd-mod_time proftpd-mod_tls proftpd-mod_wrap proftpd-mod_wrap_file proftpd-mod_wrap_sql Update: Fri Feb 27 23:35:37 2009 Importance: security ID: MDVSA-2009:061 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:061 %pre %description ProFTPd is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This version supports both standalone and xinetd operation. %package shadow-utils Update: Mon Mar 02 19:45:28 2009 Importance: security ID: MDVSA-2009:062 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:062 %pre A security vulnerability has been identified and fixed in login application from shadow-utils, which could allow local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry (CVE-2008-5394). The updated packages have been patched to prevent this. Note: Mandriva Linux is using login application from util-linux-ng by default, and therefore is not affected by this issue on default configuration. %description The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command unconverts shadow passwords and generates an npasswd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel and usermod commands are used for managing user accounts. The groupadd, groupdel and groupmod commands are used for managing group accounts. %package shadow-utils Update: Mon Mar 02 19:46:15 2009 Importance: security ID: MDVSA-2009:062 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:062 %pre A security vulnerability has been identified and fixed in login application from shadow-utils, which could allow local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry (CVE-2008-5394). The updated packages have been patched to prevent this. Note: Mandriva Linux is using login application from util-linux-ng by default, and therefore is not affected by this issue on default configuration. %description The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command unconverts shadow passwords and generates an npasswd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel and usermod commands are used for managing user accounts. The groupadd, groupdel and groupmod commands are used for managing group accounts. %package libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-dbase php-devel php-dom php-exif php-fcgi php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-json php-ldap php-mbstring php-mcrypt php-mhash php-mime_magic php-ming php-mssql php-mysql php-mysqli php-ncurses php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-simplexml php-snmp php-soap php-sockets php-sqlite php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zlib Update: Thu Mar 05 19:04:39 2009 Importance: security ID: MDVSA-2009:066 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:066 %pre PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server (CVE-2009-0754). The updated packages have been patched to correct these issues. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. %package libsndfile1 libsndfile-devel libsndfile-progs libsndfile-static-devel Update: Thu Mar 05 21:25:33 2009 Importance: security ID: MDVSA-2009:067 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:067 %pre Crafted data - channels per frame value - in CAF files enables remote attackers to execute arbitrary code or denial of service via a possible integer overflow, leading to a possible heap overflow (CVE-2009-0186). This update provides fix for that vulnerability. %description libsndfile is a C library for reading and writing sound files such as AIFF, AU and WAV files through one standard interface. It can currently read/write 8, 16, 24 and 32-bit PCM files as well as 32-bit floating point WAV files and a number of compressed formats. %package libpoppler2 libpoppler-devel libpoppler-glib2 libpoppler-glib-devel libpoppler-qt2 libpoppler-qt4-2 libpoppler-qt4-devel libpoppler-qt-devel poppler Update: Fri Mar 06 19:13:36 2009 Importance: security ID: MDVSA-2009:068 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:068 %pre A crafted PDF file that triggers a parsing error allows remote attackers to cause definal of service. This bug is consequence of a wrong processing on FormWidgetChoice::loadDefaults method (CVE-2009-0755). A crafted PDF file that triggers a parsing error allows remote attackers to cause definal of service. This bug is consequence of an invalid memory dereference on JBIG2SymbolDict::~JBIG2SymbolDict destructor when JBIG2Stream::readSymbolDictSeg method is used (CVE-2009-0756). This update provides fixes for those vulnerabilities. Update: This update does not apply for CVE-2009-0755 under Corporate Server 4.0 libpoppler0-0.4.1-3.7.20060mlcs4. %description Poppler is a PDF rendering library based on the xpdf-3.0 code base. %package curl libcurl4 libcurl-devel Update: Fri Mar 06 22:33:16 2009 Importance: security ID: MDVSA-2009:069 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:069 %pre A security vulnerability has been identified and fixed in curl, which could allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL (CVE-2009-0037). The updated packages have been patched to prevent this. %description curl is a client to get documents/files from servers, using any of the supported protocols. The command is designed to work without user interaction or any kind of interactivity. curl offers a busload of useful tricks like proxy support, user authentication, ftp upload, HTTP post, file transfer resume and more. This version is compiled with SSL (https) support. %package libpoppler2 libpoppler-devel libpoppler-glib2 libpoppler-glib-devel libpoppler-qt2 libpoppler-qt4-2 libpoppler-qt4-devel libpoppler-qt-devel poppler Update: Sat Mar 07 00:53:33 2009 Importance: security ID: MDVSA-2009:068-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:068-1 %pre A crafted PDF file that triggers a parsing error allows remote attackers to cause definal of service. This bug is consequence of a wrong processing on FormWidgetChoice::loadDefaults method (CVE-2009-0755). A crafted PDF file that triggers a parsing error allows remote attackers to cause definal of service. This bug is consequence of an invalid memory dereference on JBIG2SymbolDict::~JBIG2SymbolDict destructor when JBIG2Stream::readSymbolDictSeg method is used (CVE-2009-0756). This update provides fixes for those vulnerabilities. This update does not apply for CVE-2009-0755 under Corporate Server 4.0 libpoppler0-0.4.1-3.7.20060mlcs4. Update: The previous packages were not signed, this new update fixes that issue. %description Poppler is a PDF rendering library based on the xpdf-3.0 code base. %package php-ssh2 Update: Mon Mar 09 13:09:13 2009 Importance: bugfix ID: MDVA-2009:037 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:037 %pre This update upgrades the php-ssh2 package to version 0.11.0 (stable) to address intermittent segfaults (#39079). %description Provides bindings to the libssh2 library which provide access to resources (shell, remote exec, tunneling, file transfer) on a remote machine using a secure cryptographic transport. %package perl-MDK-Common Update: Wed Mar 11 17:14:19 2009 Importance: security ID: MDVSA-2009:072 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:072 %pre Some vulnerabilities were discovered and corrected in perl-MDK-Common: The functions used to write strings into shell like configuration files by Mandriva tools were not taking care of some special characters. This could lead to some bugs (like wireless keys containing certain characters not working), and privilege escalation. This update fixes that issue by ensuring proper protection of strings. The updated packages have been patched to correct these issues. %description Various simple functions created for DrakX %package sarg Update: Wed Mar 11 19:40:57 2009 Importance: security ID: MDVSA-2009:073 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:073 %pre Various stack buffer overflows were discovered and corrected in sarg: Additionally the previous release fixed CVE-2008-1922 The updated packages have been patched to correct these issues. %description Sarg (was Sqmgrlog) generate reports per user/ip/name from SQUID log file. The reports will be generated in HTML or email. %package nspluginwrapper Update: Fri Mar 13 09:12:06 2009 Importance: bugfix ID: MDVA-2009:038 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:038 %pre Acroread would not react to keyboard input. This update also fixes non working Flash browser plugin using this wrapper in 64bits architecture. %description nspluginwrapper makes it possible to use Netscape 4 compatible plugins compiled for linux/i386 into Mozilla for another architecture, e.g. x86_64. This package consists in: * npviewer: the plugin viewer * npwrapper.so: the browser-side plugin * nspluginwrapper: a tool to manage plugins installation and update %package avahi avahi-dnsconfd avahi-python avahi-sharp avahi-sharp-doc avahi-x11 libavahi-client3 libavahi-client3-devel libavahi-common3 libavahi-common3-devel libavahi-compat-howl0 libavahi-compat-howl0-devel libavahi-compat-libdns_sd1 libavahi-compat-libdns_sd1-devel libavahi-core5 libavahi-core5-devel libavahi-glib1 libavahi-glib1-devel libavahi-qt3_1 libavahi-qt3_1-devel libavahi-qt4_1 libavahi-qt4_1-devel libavahi-ui1 libavahi-ui1-devel Update: Fri Mar 13 23:50:38 2009 Importance: security ID: MDVSA-2009:076 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:076 %pre A security vulnerability has been identified and fixed in avahi which could allow remote attackers to cause a denial of service (network bandwidth and CPU consumption) via a crafted legacy unicast mDNS query packet (CVE-2009-0758). The updated packages have been patched to prevent this. %description Avahi is a system which facilitates service discovery on a local network -- this means that you can plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. This kind of technology is already found in MacOS X (branded 'Rendezvous', 'Bonjour' and sometimes 'ZeroConf') and is very convenient. %package clamav clamav-db clamav-milter clamd libclamav5 libclamav-devel Update: Wed Mar 18 14:14:20 2009 Importance: bugfix ID: MDVA-2009:018-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:018-1 %pre This update fixes several issues with clamav: - update unexpectely changes location of clamd socket (#46459) - clamav-milter was not built (#46555) - Clamav-milter wanted to remove postfix (#46556) - Scanning mail with clamav leaves a big temporary folder (#46642) - Build fails if invoked with --with milter, in a configure stage (#46554) - Jpeg parsing denial-of-service crash in clamav 0.94-1 and earlier (#46199) Update: The previous package introduced a patch that broke the clamav-milter, this update addresses this problem: - Bug 48633 - Fix for -Werror=format-security breaks clamav-milter %description Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail seversions (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a commandline scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software. You can build clamav with some conditional build swithes; (ie. use with rpm --rebuild): --with[out] milter Build clamav-milter (disabled) %package libmodprobe0 libmodprobe0-devel module-init-tools Update: Thu Mar 19 00:02:24 2009 Importance: bugfix ID: MDVA-2009:044 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:044 %pre This stable update fixes a bug in depmod which may cause the corruption of the modules.dep file when triggered. (#46884) %description This package contains a set of programs for loading, inserting, and removing kernel modules for Linux (versions 2.5.47 and above). It serves the same function that the "modutils" package serves for Linux 2.4. %package libpam0 libpam-devel pam pam-doc Update: Sat Mar 21 17:10:09 2009 Importance: security ID: MDVSA-2009:077 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:077 %pre A security vulnerability has been identified and fixed in pam: Integer signedness error in the _pam_StrTok function in libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a configuration file contains non-ASCII usernames, might allow remote attackers to cause a denial of service, and might allow remote authenticated users to obtain login access with a different user's non-ASCII username, via a login attempt (CVE-2009-0887). The updated packages have been patched to prevent this. Additionally some development packages were missing that are required to build pam for CS4, these are also provided with this update. %description PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set authentication policy without having to recompile programs that handle authentication. %package evolution-data-server libcamel10 libcamel-provider10 libebook9 libecal7 libedata-book2 libedata-cal6 libedataserver9 libedataserver-devel libedataserverui8 libegroupwise13 libexchange-storage3 Update: Mon Mar 23 15:25:34 2009 Importance: security ID: MDVSA-2009:078 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:078 %pre A wrong handling of signed Secure/Multipurpose Internet Mail Extensions (S/MIME) e-mail messages enables attackers to spoof its signatures by modifying the latter copy (CVE-2009-0547). Crafted authentication challange packets (NT Lan Manager type 2) sent by a malicious remote mail server enables remote attackers either to cause denial of service and to read information from the process memory of the client (CVE-2009-0582). Multiple integer overflows in Base64 encoding functions enables attackers either to cause denial of service and to execute arbitrary code (CVE-2009-0587). This update provides fixes for those vulnerabilities. Update: evolution-data-server packages from Mandriva Linux distributions 2008.1 and 2009.0 are not affected by CVE-2009-0587. %description Evolution Data Server provides a central location for your addressbook and calendar in the gnome desktop. %package libecpg5 libecpg-devel libpq5 libpq-devel postgresql postgresql8.2 postgresql8.2-contrib postgresql8.2-devel postgresql8.2-docs postgresql8.2-pl postgresql8.2-plperl postgresql8.2-plpgsql postgresql8.2-plpython postgresql8.2-pltcl postgresql8.2-server postgresql8.2-test postgresql-devel Update: Mon Mar 23 15:39:07 2009 Importance: security ID: MDVSA-2009:079 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:079 %pre PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests (CVE-2009-0922). This update provides a fix for this vulnerability. %description PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server. These PostgreSQL client programs are programs that directly manipulate the internal structure of PostgreSQL databases on a PostgreSQL server. These client programs can be located on the same machine with the PostgreSQL server, or may be on a remote machine which accesses a PostgreSQL server over a network connection. This package contains the client libraries for C and C++, as well as command-line utilities for managing PostgreSQL databases on a PostgreSQL server. If you want to manipulate a PostgreSQL database on a remote PostgreSQL server, you need this package. You also need to install this package if you're installing the postgresql-server package. %package glib2.0-common glib-gettextize libglib2.0_0 libglib2.0_0-devel Update: Thu Mar 26 19:38:45 2009 Importance: security ID: MDVSA-2009:080 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:080 %pre Multiple integer overflows in GLib's Base64 encoding and decoding functions enable attackers (possibly remote ones, depending on the applications glib2 is linked against with - mostly GNOME ones) either to cause denial of service and to execute arbitrary code via an untrusted input (CVE-2008-4316). This update provide the fix for that security issue. %description Glib is a handy library of utility functions. This C library is designed to solve some portability problems and provide other useful functionality which most programs require. Glib is used by GDK, GTK+ and many applications. You should install Glib because many of your applications will depend on this library. %package libsoup-2.2_8 libsoup-2.2_8-devel Update: Fri Mar 27 20:07:06 2009 Importance: security ID: MDVSA-2009:081 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:081 %pre An integer overflow in libsoup Base64 encoding and decoding functions enables attackers either to cause denial of service and to execute arbitrary code (CVE-2009-0585). This update provides the fix for that security issue. %description Soup is a SOAP (Simple Object Access Protocol) implementation in C. It provides an queued asynchronous callback-based mechanism for sending and servicing SOAP requests, and a WSDL (Web Service Definition Language) to C compiler which generates client stubs and server skeletons for easily calling and implementing SOAP methods. %package ftp-client-krb5 ftp-server-krb5 krb5 krb5-server krb5-workstation libkrb53 libkrb53-devel telnet-client-krb5 telnet-server-krb5 Update: Mon Mar 30 13:59:37 2009 Importance: security ID: MDVSA-2009:082 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:082 %pre The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token (CVE-2009-0845). This update provides the fix for that security issue. %description Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. %package gstreamer0.10-cdparanoia gstreamer0.10-gnomevfs gstreamer0.10-libvisual gstreamer0.10-plugins-base libgstreamer-plugins-base0.10 libgstreamer-plugins-base0.10-devel Update: Thu Apr 02 14:18:34 2009 Importance: security ID: MDVSA-2009:085 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:085 %pre Integer overflows in gstreamer0.10-plugins-base Base64 encoding and decoding functions (related with glib2.0 issue CVE-2008-4316) may lead attackers to cause denial of service. Altough vector attacks are not known yet (CVE-2009-0586). This update provide the fix for that security issue. %description GStreamer is a streaming-media framework, based on graphs of filters which operate on media data. Applications using this library can do anything from real-time sound processing to playing videos, and just about anything else media-related. Its plugin-based architecture means that new data types or processing capabilities can be added simply by installing new plug-ins. This package contains a set of reference plugins, base classes for other plugins, and helper libraries: * device plugins: x(v)imagesink, alsa, v4lsrc, cdparanoia * containers: ogg * codecs: vorbis, theora * text: textoverlay, subparse * sources: audiotestsrc, videotestsrc, gnomevfssrc * network: tcp * typefind * audio processing: audioconvert, adder, audiorate, audioscale, volume * visualisation: libvisual * video processing: ffmpegcolorspace * aggregate elements: decodebin, playbin %package libopenssl0.9.8 libopenssl0.9.8-devel libopenssl0.9.8-static-devel openssl Update: Fri Apr 03 21:23:20 2009 Importance: security ID: MDVSA-2009:087 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:087 %pre A security vulnerability has been identified and fixed in OpenSSL, which could crash applications using OpenSSL library when parsing malformed certificates (CVE-2009-0590). The updated packages have been patched to prevent this. %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). %package libopenssl0.9.8 libopenssl0.9.8-devel libopenssl0.9.8-static-devel openssl Update: Fri Apr 03 21:23:56 2009 Importance: security ID: MDVSA-2009:087 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:087 %pre A security vulnerability has been identified and fixed in OpenSSL, which could crash applications using OpenSSL library when parsing malformed certificates (CVE-2009-0590). The updated packages have been patched to prevent this. %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). %package libtommath0 libtommath-devel libtommath-static-devel Update: Tue Apr 07 14:04:35 2009 Importance: bugfix ID: MDVA-2009:050 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:050 %pre The tommath library will be needed for future clamav updates. %description A free open source portable number theoretic multiple-precision integer library written entirely in C. (phew!). The library is designed to provide a simple to work with API that provides fairly efficient routines that build out of the box without configuration. %package libopensc2 libopensc-devel mozilla-plugin-opensc opensc Update: Fri Apr 10 01:00:16 2009 Importance: security ID: MDVSA-2009:089 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:089 %pre OpenSC before 0.11.7 allows physically proximate attackers to bypass intended PIN requirements and read private data objects via a (1) low level APDU command or (2) debugging tool, as demonstrated by reading the 4601 or 4701 file with the opensc-explorer or opensc-tool program. The updated packages fix the issue. %description opensc is a library for accessing smart card devices using PC/SC Lite middleware package. It is also the core library of the OpenSC project. Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO 7816-4 compatible smart card. Encryption and decryption using private keys on the SmartCard is at the moment possible only with PKCS #15 compatible cards. %package xpdf xpdf-common xpdf-tools Update: Tue Apr 28 21:49:09 2009 Importance: security ID: MDVSA-2009:101 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:101 %pre Multiple buffer overflows in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0146). Multiple integer overflows in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0147). An integer overflow in the JBIG2 decoder has unspecified impact. (CVE-2009-0165). A free of uninitialized memory flaw in the the JBIG2 decoder allows remote to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0166). Multiple input validation flaws in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF file (CVE-2009-0800). An out-of-bounds read flaw in the JBIG2 decoder allows remote attackers to cause a denial of service (crash) via a crafted PDF file (CVE-2009-0799). An integer overflow in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF file (CVE-2009-1179). A free of invalid data flaw in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF (CVE-2009-1180). A NULL pointer dereference flaw in the JBIG2 decoder allows remote attackers to cause denial of service (crash) via a crafted PDF file (CVE-2009-1181). Multiple buffer overflows in the JBIG2 MMR decoder allows remote attackers to cause denial of service or to execute arbitrary code via a crafted PDF file (CVE-2009-1182, CVE-2009-1183). This update provides fixes for that vulnerabilities. %description Xpdf is an X Window System based viewer for Portable Document Format (PDF) files. PDF files are sometimes called Acrobat files, after Adobe Acrobat (Adobe's PDF viewer). Xpdf is a small and efficient program which uses standard X fonts.