August, 16th 2000 SECURITY UPDATE: Zope
Problem: A problem exists in the Zope package with the getRoles method of user objects contained in the default UserFolder implementation. Users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the request process. Please upgrade to:
fe4e1f82ed6167585ed6c6afb68e8cee 7.1/RPMS/Zope-2.1.6-2mdk.i586.rpm
7a429bb87e331e3e49a1d356c13c89e5 7.1/RPMS/Zope-components-2.1.6-2mdk.i586.rpm
abfc5fa12c632e5aed25685187f6013f 7.1/RPMS/Zope-core-2.1.6-2mdk.i586.rpm
ebfc5919455ad30bd600dd927215de9d 7.1/RPMS/Zope-pcgi-2.1.6-2mdk.i586.rpm
0177a677584d246982b0b5a78e46156e 7.1/RPMS/Zope-services-2.1.6-2mdk.i586.rpm
0583790773b5b8da6cecf014e302f77f 7.1/RPMS/Zope-zpublisher-2.1.6-2mdk.i586.rpm
2634f0fc9acf486d0943261ba08e8331 7.1/RPMS/Zope-zserver-2.1.6-2mdk.i586.rpm
215234484e1fde0a5f2f85d70e4048b0 7.1/RPMS/Zope-ztemplates-2.1.6-2mdk.i586.rpm
4a8505637b762d1f03623924e386a908 7.1/SRPMS/Zope-2.1.6-2mdk.src.rpm
August, 12th 2000 SECURITY UPDATE: MandrakeUpdate
Problem: There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp. Please upgrade to:
06be2f821dddae85207e2a3832fb32fc 7.1/RPMS/MandrakeUpdate-7.1-9mdk.i586.rpm
a15a682c20f484d5054b70b9c226861f 7.1/RPMS/grpmi-7.1-9mdk.i586.rpm
2cd78d22707aebeda6932daf40ff6c37 7.1/SRPMS/MandrakeUpdate-7.1-9mdk.src.rpm
August, 8th 2000 SECURITY UPDATE: perl
Problem: There is a vulnerability that exists when using setuidperl together with the mailx program. In some cases, setuidperl will warn root that something is going on. The setuidperl program uses /bin/mail to send the message, as root, with the environment preserved. An undocumented feature of /bin/mail is that it interprets the ~! sequence even if it is not running on a terminal, and the message also contains the script name, taken from argv[1]. With all of this combined, it is possible to execute a command using ~! passed in the script name to create a suid shell. The instance of setuidperl sending such a message can only be reached if you try to fool perl into forcing the execution of one file instead of another. This vulnerability may not be limited to just the mailx program, which is why an upgrade for perl is provided as opposed to an upgrade for mailx. Please upgrade to:
39a43d7f8449a692e11fa384343dc939 7.1/RPMS/perl-5.600-5mdk.i586.rpm
025428ebc98430c138979f9cd3f1bdb8 7.1/RPMS/perl-base-5.600-5mdk.i586.rpm
332ef51a58f9946b5c834fd1acc681bd 7.1/SRPMS/perl-5.600-5mdk.src.rpm
August, 1st 2000 SECURITY UPDATE: pam
Problem: There is a problem with the pam_console module that incorrectly identifies remote X logins for displays other than :0 (for example, :1, :2, etc.) as being local displays, thus giving control of the console to the remote user. Because the remote user has control of the console they are able to issue commands to reboot the remote system after providing their password. Please note that this vulnerability is only exploitable if the system is running a graphical login manager like gdm, kdm, or xdm and if XDMCP is enabled and remote access is granted. Please upgrade to:
75c7e5a003efc4ab1f6907249a96adf3 7.1/RPMS/pam-0.72-7mdk.i586.rpm
1a1a1dd397675fedd998c0e726ff97ea 7.1/RPMS/pam-devel-0.72-7mdk.i586.rpm
b50f0af977548ccaf61b05c9d09354e4 7.1/RPMS/pam-doc-0.72-7mdk.i586.rpm
8487df775c4b3f775c10b2c636b87710 7.1/SRPMS/pam-0.72-7mdk.src.rpm
August, 1st 2000 SECURITY UPDATE: kon2
Problem: There is a vulnerable suid program called fld. This program accepts option input from a text file and it is possible to input arbitrary code into the stack, thus spawning a root shell. Please upgrade to:
7c0a253209e2d760e6b99110e82ea73e 7.1/RPMS/kon2-0.3.8-15mdk.i586.rpm
040fb17eabb96cf5920d6a623bf8b809 7.1/SRPMS/kon2-0.3.8-15mdk.src.rpm
August, 1st 2000 quota
Problem: A conflict existed between the quota package and the nfs-utils package for Linux-Mandrake 7.1 as both provided the rpc.quotad program as well as the man page. This update corrects this problem. Please upgrade to:
d2480d8292fafc886f3527fe84352136 7.1/RPMS/quota-1.70-3mdk.i586.rpm
934d0aed187648c4967ec7378ea7af1e 7.1/SRPMS/quota-1.70-3mdk.src.rpm
July, 31st 2000 SECURITY UPDATE: netscape
Problem: Previous versions of Netscape, from version 3.0 to 4.73 contain a serious overflow flaw due to improper input verification in Netscape's JPEG processing code. The way Netscape processed JPEG comments trusted the length parameter for comment fields. By manipulating this value, it was possible to cause Netscape to read in an excessive amount of data which would then overwrite memory. Data with a malicious design could allow a remote site to execute arbitrary code as the user of Netscape on the client system. It is highly recommended that everyone using Netscape upgrade to this latest version that fixes the flaw. Please upgrade to:
365ff8c6b19ea8f1ca189e6886f9fba8 7.1/RPMS/netscape-castellano-4.74-1mdk.noarch.rpm
3c83d493cbada78ba6348e6581bcf523 7.1/RPMS/netscape-catalan-4.74-1mdk.noarch.rpm
9791a6e655b3f8a76a112c6c13c53534 7.1/RPMS/netscape-common-4.74-3mdk.i586.rpm
f34cc1d76f649556b51f2fafbfc2936f 7.1/RPMS/netscape-communicator-4.74-3mdk.i586.rpm
eedd08421fa0e6496dcb1ea575bf627c 7.1/RPMS/netscape-euskara-4.74-1mdk.noarch.rpm
573eaa96ade623548dbc6f4d87a2df98 7.1/RPMS/netscape-francais-4.74-2mdk.noarch.rpm
4f71f99e91182679b4c26a571e85bbbb 7.1/RPMS/netscape-navigator-4.74-3mdk.i586.rpm
c43957d0f00722111abfb90ac2028c97 7.1/RPMS/netscape-walon-4.74-1mdk.noarch.rpm
832fa8524513f2be4f688983e1483d71 7.1/SRPMS/netscape-4.74-3mdk.src.rpm
29d92c1962b636d0436311b76f980eeb 7.1/SRPMS/netscape-castellano-4.74-1mdk.src.rpm
fd2d46d05243044e4e318f08c163bfba 7.1/SRPMS/netscape-catalan-4.74-1mdk.src.rpm
4ab96db6b7bb17a1f89cdd09ada4a5a6 7.1/SRPMS/netscape-euskara-4.74-1mdk.src.rpm
701f6c3aa7b4b6cd800322b624f040e2 7.1/SRPMS/netscape-francais-4.74-2mdk.src.rpm
4e715744e0e66b487def62a4e750923d 7.1/SRPMS/netscape-walon-4.74-1mdk.src.rpm
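The length check that the JPEG comment flaw above calls for, as an added example (not Netscape's code and not part of the original advisory). The function name, error codes and sample bytes are constructed for illustration; the segment layout (marker 0xFF 0xFE, then a 16-bit big-endian length that counts its own two bytes) is the standard JPEG COM format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes for this example (hypothetical names). */
enum { COM_OK = 0, COM_TRUNCATED = -1, COM_NOT_COM = -2,
       COM_BAD_LENGTH = -3, COM_TOO_BIG = -4 };

/*
 * Copy the text of a JPEG COM segment into out[] as a NUL-terminated string.
 * seg/avail: the bytes actually read from the file, starting at the marker.
 * Returns COM_OK and sets *out_len, or a negative error code.
 */
int jpeg_read_comment(const uint8_t *seg, size_t avail,
                      char *out, size_t out_cap, size_t *out_len)
{
    if (avail < 4)
        return COM_TRUNCATED;
    if (seg[0] != 0xFF || seg[1] != 0xFE)
        return COM_NOT_COM;

    /* 16-bit big-endian length field; it includes its own two bytes. */
    size_t seg_len = ((size_t)seg[2] << 8) | seg[3];

    /* 0 and 1 are impossible values; seg_len - 2 would wrap around. */
    if (seg_len < 2)
        return COM_BAD_LENGTH;
    size_t payload = seg_len - 2;

    /* The input must really hold as many bytes as the field claims. */
    if (payload > avail - 4)
        return COM_TRUNCATED;

    /* The destination size bounds the copy, not the length from the file. */
    if (out_cap == 0 || payload > out_cap - 1)
        return COM_TOO_BIG;

    memcpy(out, seg + 4, payload);
    out[payload] = '\0';
    *out_len = payload;
    return COM_OK;
}

/* Constructed sample segments (not taken from any real file). */
static const uint8_t sample_ok[]   = {0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t sample_zero[] = {0xFF, 0xFE, 0x00, 0x00, 'A', 'A', 'A', 'A'};
static const uint8_t sample_huge[] = {0xFF, 0xFE, 0xFF, 0xFF, 'A', 'A', 'A', 'A'};

int main(void)
{
    char text[16];
    size_t n = 0;
    printf("ok=%d zero=%d huge=%d\n",
           jpeg_read_comment(sample_ok, sizeof sample_ok, text, sizeof text, &n),
           jpeg_read_comment(sample_zero, sizeof sample_zero, text, sizeof text, &n),
           jpeg_read_comment(sample_huge, sizeof sample_huge, text, sizeof text, &n));
    return 0;
}
```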
July, 28th 2000 SECURITY UPDATE: Zope
Problem: Previous versions of Zope have a serious security flaw in one of the base classes in the DocumentTemplate package that is inadequately protected. This flaw allows the contents of DTML Documents or DTML Methods to be changed remotely or through DTML code without forcing proper user authorization. Please upgrade to:
ad28fb2fb4f0105639a641a7acc98821 7.1/RPMS/Zope-2.1.6-1mdk.i586.rpm
e2b8fd281a2e93cbf5221bcfd3aff65b 7.1/RPMS/Zope-components-2.1.6-1mdk.i586.rpm
ea50788d6f88abc99bfabb190f2ab3ce 7.1/RPMS/Zope-core-2.1.6-1mdk.i586.rpm
95b993149c1c97fe7c9e9d53e4923f31 7.1/RPMS/Zope-pcgi-2.1.6-1mdk.i586.rpm
e74684a03fc61784bfdaec2887e82064 7.1/RPMS/Zope-services-2.1.6-1mdk.i586.rpm
1cae17ae5ffe776a073255ce4cec9661 7.1/RPMS/Zope-zpublisher-2.1.6-1mdk.i586.rpm
7fa38fbf43c8b08a26c4694a0a93857a 7.1/RPMS/Zope-zserver-2.1.6-1mdk.i586.rpm
983471606b95bd60c9d8a5e00e53d90b 7.1/RPMS/Zope-ztemplates-2.1.6-1mdk.i586.rpm
33b2e53429e3b6f588b9fdfb1ab5dc95 7.1/SRPMS/Zope-2.1.6-1mdk.src.rpm
July, 27th 2000 SECURITY UPDATE: gpm
Problem: Many security flaws existed in the gpm package, which is used to control the mouse in a terminal outside of X Windows. As well, a denial of service attack via /dev/gpmctl is possible. All security issues with the gpm package have been addressed with this update. Please upgrade to:
630d939d8159f79a8eae5f9823591064 7.1/RPMS/gpm-1.19.2-4mdk.i586.rpm
43ca39afe363d915f474041b84725a35 7.1/RPMS/gpm-devel-1.19.2-4mdk.i586.rpm
dfa3f0e0a000e0443eb6f9ef2c7e75d9 7.1/SRPMS/gpm-1.19.2-4mdk.src.rpm
July, 22nd 2000 SECURITY UPDATE: inn
Problem: A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. This new version also does not install inews as setgid news or rnews as setuid root. Many other security paranoia fixes have been made as well. Please upgrade to:
1ca85a595222542fc6a5932c58828d3e 7.1/RPMS/inews-2.2.3-1mdk.i586.rpm
f3d4471afbb49bca81cb30c301e111f7 7.1/RPMS/inn-2.2.3-1mdk.i586.rpm
d386b423d391343c9a627eb69773d657 7.1/RPMS/inn-devel-2.2.3-1mdk.i586.rpm
0295f03b4b45b26ddc05f06e81603fba 7.1/SRPMS/inn-2.2.3-1mdk.src.rpm
July, 21st 2000 SECURITY UPDATE: dhcp
Problem: All versions of the ISC DHCP client program, dhclient, are vulnerable to a root attack by a corrupt DHCP server. This version fixes the vulnerability. Please upgrade to:
2053f46717fa0e87b77de6e98b92e39e 7.1/RPMS/dhcp-3.0b1pl17-2mdk.i586.rpm
b1282db6e3d2e9ca3aa91e473e9e08ce 7.1/RPMS/dhcp-client-3.0b1pl17-2mdk.i586.rpm
ce1f1a728d709d29f7699a584f4165ff 7.1/RPMS/dhcp-relay-3.0b1pl17-2mdk.i586.rpm
4183dde09bea7ef859d1c076852371ef 7.1/SRPMS/dhcp-3.0b1pl17-2mdk.src.rpm
July, 18th 2000 SECURITY UPDATE: nfs-utils
Problem: A bug recently discovered in the nfs-utils package can theoretically be used for gaining remote root access. While there are currently no known exploits for this bug, we recommend upgrading to the latest version which fixes the bug. Please upgrade to:
b66dbb042b73ea3d9d435c014a282f33 7.1/RPMS/nfs-utils-0.1.9.1-3mdk.i586.rpm
ccde88bed0710b397a15b9f64f9adea1 7.1/RPMS/nfs-utils-clients-0.1.9.1-3mdk.i586.rpm
17a25a1ab9ef6d4c3b97e2ac101c3ebf 7.1/SRPMS/nfs-utils-0.1.9.1-3mdk.src.rpm
July, 18th 2000 SECURITY UPDATE: usermode
Problem: A bug existed in the usermode package that permitted users to reboot or halt the system without having root access. This update removes those files associated with allowing users access to reboot, shutdown, halt, or poweroff the system. Please upgrade to:
3ca98a6e5d73cf1e5e75fcce9d862d01 7.1/RPMS/usermode-1.22-2mdk.i586.rpm
448261293ab337fdf2740228a0534ccc 7.1/SRPMS/usermode-1.22-2mdk.src.rpm
July, 14th 2000 SECURITY UPDATE: cvsweb
Problem: Cvsweb contains a hole that provides attackers who have write access to a cvs repository with shell access. Thus, attackers who have write access to a cvs repository but not shell access can obtain a shell. In addition, anyone with write access to a cvs repository that is viewable with cvsweb can get access to whatever user the cvsweb cgi script runs as (typically nobody or www-data, etc.). This update closes all of these possibly exploited pipe-opens. Please upgrade to:
2a435a7edf358f59a93eb5534efcd273 7.1/RPMS/cvsweb-1.80-3mdk.noarch.rpm
24b7d490f63e154c88909c9b214793e0 7.1/SRPMS/cvsweb-1.80-3mdk.src.rpm
July, 11th 2000 SECURITY UPDATE: dump
Problem: There was the potential for a buffer overflow in the restore program. This new version fixes this possible vulnerability. Please upgrade to:
1c14f72e09d69fcd4645ea2bd80c4ab3 7.1/RPMS/dump-0.4b18-1mdk.i586.rpm
6d419e7e52dda174f7250b1b59c6b614 7.1/RPMS/rmt-0.4b18-1mdk.i586.rpm
4ff0d0a768b603f22a40745da303e365 7.1/SRPMS/dump-0.4b18-1mdk.src.rpm
July, 11th 2000 isdn4k-utils
Problem: The version of isdn4k-utils that shipped with Linux-Mandrake 7.1 did not work at all. Please upgrade to:
c3df36eea18a0b05d4a05fcd6b138b32 7.1/RPMS/isdn4k-utils-3.1b7-6mdk.i586.rpm
acaf78c5731ce5ac8177519e4aab6bf9 7.1/SRPMS/isdn4k-utils-3.1b7-6mdk.src.rpm
July, 7th 2000 SECURITY UPDATE: BitchX
Problem: A denial of service vulnerability exists in BitchX. Improper handling of incoming invitation messages can crash the client. Any user on IRC can send the client an invitation message that causes BitchX to segfault. Please upgrade to:
f6297ab3e697cfa24762565a26ff6544 7.1/RPMS/BitchX-75p3-12mdk.i586.rpm
d4876a7dc0b40226b8abbd80e01988a6 7.1/SRPMS/BitchX-75p3-12mdk.src.rpm
July, 7th 2000 SECURITY UPDATE: inn
Problem: A vulnerability exists when verifycancels is enabled in /etc/news/inn.conf. This vulnerability could be used to gain root access on any system with inn installed. Please upgrade to:
c9218a4698fefd7f6e24757c7f6d140b 7.1/RPMS/inews-2.2.2-6mdk.i586.rpm
8a642083edcada45518966496a6fc5d4 7.1/RPMS/inn-2.2.2-6mdk.i586.rpm
bde6519c5192f706d83db0a3aa78fb94 7.1/RPMS/inn-devel-2.2.2-6mdk.i586.rpm
fc3ec63010930e50aed0cea3bb316023 7.1/SRPMS/inn-2.2.2-6mdk.src.rpm
July, 7th 2000 SECURITY UPDATE: man
Internet Security Systems (ISS) X-Force has identified a vulnerability in the makewhatis Bourne shell script that ships with many Linux distributions. It is found in versions 1.5e and higher of man, and handles temporary files insecurely. Local users may gain a variety of privileges depending on the complexity of the exploit. The mode of any file on the system can be changed to 0700. Any file on the system may be created or overwritten as root. Local users may also be able to read any system file by forcing a copy of it into the whatis database. Please upgrade to:
fbc1b9e04d75f267650f291d99f467f1 7.1/RPMS/man-1.5g-15mdk.i586.rpm
52d021732aa09d517eeff8b60d427a69 7.1/SRPMS/man-1.5g-15mdk.src.rpm
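Both the makewhatis advisory above and the earlier MandrakeUpdate one come down to privileged code writing to predictable names in /tmp. The following is an added example, not code from either package and not the fix those packages shipped: it shows the general technique of a private scratch directory plus exclusive, no-follow file creation. The function names and the /tmp/whatis-demo prefix are made up for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, O_NOFOLLOW, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch directory with an unpredictable name and mode 0700. */
int make_private_dir(char *path, size_t cap)
{
    int n = snprintf(path, cap, "/tmp/whatis-demo.XXXXXX");
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return mkdtemp(path) ? 0 : -1;
}

/* Create a new file; fail if the name already exists, symlinks included. */
int create_new_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/*
 * Plant a symlink at the name the program is about to create and confirm
 * that creation is refused with EEXIST and the link target never appears.
 * Returns 0 when both hold, -1 otherwise.
 */
int demo_symlink_refused(void)
{
    char dir[64], target[128], link_path[128];
    struct stat st;
    int fd, rc = -1;

    if (make_private_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link_path, sizeof link_path, "%s/whatis.tmp", dir);

    if (symlink(target, link_path) == 0) {        /* pre-planted link */
        errno = 0;
        fd = create_new_file(link_path);
        if (fd >= 0)
            close(fd);                            /* should not happen */
        else if (errno == EEXIST && stat(target, &st) != 0)
            rc = 0;                               /* refused, target untouched */
    }
    unlink(link_path);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("symlink refused: %s\n", demo_symlink_refused() == 0 ? "yes" : "no");
    return 0;
}
```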
July, 2nd 2000 SECURITY UPDATE: wu-ftpd
Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because of user input going directly into a format string for a *printf function, it is possible to overwrite important data, such as a return address, on the stack. When this is accomplished, the function can jump into shellcode pointed to by the overwritten eip and execute arbitrary commands as root. While exploited in a manner similar to a buffer overflow, it is actually an input validation problem. Anonymous ftp is exploitable making it even more serious as attacks can come anonymously from anywhere on the internet. Please upgrade to:
2b83dcb120012f1009e707398b5f4dc4 7.1/RPMS/wu-ftpd-2.6.0-7mdk.i586.rpm
bb37dbaf5f9fc3953c2869592df608c9 7.1/SRPMS/wu-ftpd-2.6.0-7mdk.src.rpm
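The input-validation point in the wu-ftpd advisory above, as an added example (not wu-ftpd's code): client text must be passed as an argument to a constant format string, never as the format itself. The reply() helper and site_exec_reply() are hypothetical names; the format attribute is a gcc/clang extension that lets the compiler check callers.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Variadic reply helper of the kind an FTP daemon uses for status lines. */
int reply(char *dst, size_t cap, int code, const char *fmt, ...)
#if defined(__GNUC__)
    __attribute__((format(printf, 4, 5)))
#endif
    ;

int reply(char *dst, size_t cap, int code, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(dst, cap, "%d ", code);
    if (n < 0 || (size_t)n >= cap)
        return -1;

    va_start(ap, fmt);
    m = vsnprintf(dst + n, cap - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)m >= cap - (size_t)n)
        return -1;                 /* refuse to send a truncated reply */
    return n + m;
}

/*
 * Handler for a command that echoes client-supplied text.
 * Unsafe pattern (not compiled here): reply(dst, cap, 200, client_arg);
 * that call lets the client choose the conversion directives.
 * Safe pattern: the format is a constant and the client text is data.
 */
int site_exec_reply(char *dst, size_t cap, const char *client_arg)
{
    return reply(dst, cap, 200, "%s", client_arg);
}

int main(void)
{
    char line[64];
    /* Constructed input containing conversion directives. */
    if (site_exec_reply(line, sizeof line, "%x %x %n") > 0)
        printf("%s\n", line);      /* directives come back as literal text */
    return 0;
}
```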
July, 2nd 2000 SECURITY UPDATE: dhcp
The OpenBSD team discovered a vulnerability in the dhcp client that allows for remote exploitation by a corrupt dhcp server (or an attacker pretending to be a dhcp server). If this vulnerability is exploited, root access can be gained remotely on the host running the dhcp client. The problem is that input is not checked and, as a result, it is possible to execute commands remotely when the network config files are being written on the dhcp client. Please upgrade to:
57ef403c1a6f5734b1ac63dcde854ae8 7.1/RPMS/dhcp-3.0b1pl12-6mdk.i586.rpm
d8d3a7bfb145c7c2f5cfdd2127333c67 7.1/RPMS/dhcp-client-3.0b1pl12-6mdk.i586.rpm
9469c360585a2dc69eccf6fbaf3e9099 7.1/SRPMS/dhcp-3.0b1pl12-6mdk.src.rpm
June, 26 2000 initscripts
A typo in the script /etc/profile.d/inputrc.csh causes error messages to be printed when csh is used as the shell. If you use csh, upgrade to this version.
63d1615688ab55af2a83fd66fb71a069 7.1/RPMS/initscripts-4.97-35mdk.i586.rpm
20f1ec418aa37c47fbe7181919b47d62 7.1/SRPMS/initscripts-4.97-35mdk.src.rpm
June, 24 2000 SECURITY UPDATE: kernel
POSIX "Capabilities" have recently been implemented in the Linux kernel. These "Capabilities" are an additional form of privilege control to enable more specific control over what privileged processes can do. Capabilities are implemented as three (fairly large) bitfields, with each bit representing a specific action a privileged process can perform. By setting specific bits, the actions of privileged processes can be controlled -- access can be granted for various functions only to the specific parts of a program that require them. It is a security measure.
Important: If you use ReiserFS, please don't forget to do the following after the upgrade:
If you used MandrakeUpdate or rpm -Uvh to upgrade, reinstall kernel 2.2.15 from native Mandrake 7.1
Type: cd /lib/modules/2.2.15-4mdk
Type: /sbin/depmod -a
Type: mkinitrd -f --ifneeded /boot/initrd-2.2.16-9mdk 2.2.16-9mdk
You can now remove the older 2.2.15. Type: rpm -e kernel-2.2.15
Type: ln -sf /boot/initrd-2.2.16-9mdk /boot/initrd.img
Type: ln -sf /boot/System.map-2.2.16-9mdk /boot/System.map
Type: ln -sf /boot/vmlinuz-2.2.16-9mdk /boot/vmlinuz
In /etc/lilo.conf add: initrd=/boot/initrd-2.2.16-9mdk
Type: lilo -v
Upgrade to:
c5331676f063807160ff44e221cbd81d 7.1/RPMS/kernel-2.2.16-9mdk.i586.rpm
94b6ea108fd5436c7271ef5fc117553d 7.1/RPMS/kernel-doc-2.2.16-9mdk.i586.rpm
b4e61a18465a1d452ef7768e3eb5bdc8 7.1/RPMS/kernel-fb-2.2.16-9mdk.i586.rpm
69e05cea2853440c9914d71e6cea167f 7.1/RPMS/kernel-headers-2.2.16-9mdk.i586.rpm
5c1463354cb8327d515cb0ba9453ffdc 7.1/RPMS/kernel-linus-2.2.16-2mdk.i586.rpm
8735b139e0fc71f56d9a78d5f41a38da 7.1/RPMS/kernel-pcmcia-cs-2.2.16-9mdk.i586.rpm
3fa45cb921549de64677fea83d0d47bc 7.1/RPMS/kernel-secure-2.2.16-9mdk.i586.rpm
3aac015c1dd82951a3c4d5c8f694d2bb 7.1/RPMS/kernel-smp-2.2.16-9mdk.i586.rpm
3dc16da65156c7cda785fe0a80e8e546 7.1/RPMS/kernel-source-2.2.16-9mdk.i586.rpm
fb0aba2b890edb6a238b090760abdef2 7.1/RPMS/kernel-utils-2.2.16-9mdk.i586.rpm
20346b180246a4695145684f07a7a979 7.1/SRPMS/kernel-2.2.16-9mdk.src.rpm
c158098babcbdc5a5235ded8adf5dc09 7.1/RPMS/reiserfs-utils-2.2.16_3.5.19-9mdk.i586.rpm
a22bd276a9f77ac16b87494b7880b3c3 7.1/RPMS/alsa-2.2.16_0.5.7-9mdk.i586.rpm
June, 23 2000 qt
The qt package has some problems displaying European accents. Upgrade to this package if you have problems writing accents in your qt applications.
61f2b56efe93ee962d40b8395f92a0c9 7.1/RPMS/qt-1.44-23mdk.i586.rpm
9d63573de4ae46281b052b323f22062c 7.1/SRPMS/qt-1.44-23mdk.src.rpm
June, 23 2000 SECURITY UPDATE: xlockmore
Xlock is an X11 utility used to lock X-Window displays until the password of the user running X is entered correctly. Of course, in order to perform the password check, xlock must be setuid root and have access to the shadowed passwd file. In the xlockmore distributions versions prior to 4.16.1, a buffer overflow vulnerability was present in xlock that permitted a user to view parts of the shadowed passwd file. This is achieved by overwriting (with an oversized -mode argument) a global variable storing a pointer to a string printed in the "usage" output. The pointer would be overwritten with an address pointing to the shadowed passwd data. With the long argument, xlock would find an error in the command syntax and exit, printing the usage information (along with the shadowed passwd text). Please upgrade to:
120ecc3f1ae12fd550c642fa47439a5f 7.1/RPMS/xlockmore-4.16.1-1mdk.i586.rpm
d0a6a3bf840b4d3ea347892f8df1896e 7.1/SRPMS/xlockmore-4.16.1-1mdk.src.rpm
June, 23 2000 SECURITY UPDATE: bind
By default bind is launched as user and group root. This setting makes it possible to easily exploit vulnerabilities in bind. Thanks to Nicolas MONNET for his contribution. Please upgrade to:
b253136e73207abfc0255c14652f0c09 7.1/RPMS/bind-8.2.2P5-6mdk.i586.rpm
cdc532e1a2cf81ba5c5abc3cde75936a 7.1/RPMS/bind-devel-8.2.2P5-6mdk.i586.rpm
57ac2ece97a037198b45464396e9b7e0 7.1/RPMS/bind-utils-8.2.2P5-6mdk.i586.rpm
eeffc6a7d2c7813931a2bbcb8da05a79 7.1/SRPMS/bind-8.2.2P5-6mdk.src.rpm
June, 23 2000 SECURITY UPDATE: cdrecord
The Linux cdrecord binary is vulnerable to a locally exploitable buffer overflow attack. When installed on a Linux-Mandrake distribution, it is by default setgid "cdburner" (which is a group, gid: 80, that is created for the application). The overflow condition is the result of no bounds checking on the 'dev=' argument passed to cdburner at execution time. This vulnerability can be exploited to execute arbitrary commands with the gid "cdburner". Please upgrade to:
be1da959bdbc0762fc148d6a1a29d73b 7.1/RPMS/cdrecord-1.8.1-4mdk.i586.rpm
624aebaf07615e3f18471d3ff9af4ede 7.1/SRPMS/cdrecord-1.8.1-4mdk.src.rpm
June, 23 2000 SECURITY UPDATE: kdesu
A vulnerability in kdesud allows any user to exploit a buffer overflow. By exploiting this bug in the kdesud program, the user can then gain root group access on the machine. Please upgrade to:
f7e7e16155961422e4d7952639ab6035 7.1/RPMS/kdesu-0.98-14mdk.i586.rpm
2fe16773e5f04707e43c839e35cd8077 7.1/SRPMS/kdesu-0.98-14mdk.src.rpm
June, 23 2000 SECURITY UPDATE: dump
Dump may cause a security problem due to a buffer overflow. This package removes the setgid root bit from the dump executable. Please upgrade to:
1184cd0e63f1ffa0503d58875335dc39 7.1/RPMS/dump-0.4b16-3mdk.i586.rpm
d81a1894d511ce4f7a86d9e4a104b259 7.1/SRPMS/dump-0.4b16-3mdk.src.rpm
June, 23 2000 SECURITY UPDATE: xemacs
From the Caldera advisory: under some circumstances, users are able to snoop on other users' keystrokes. This is a serious problem if you use modules that require e.g. input of passwords, such as MailCrypt. Please upgrade to:
074d4bd556b2f2cfa29ccd5a18cbe7ef 7.1/RPMS/xemacs-21.1.9-8mdk.i586.rpm
4783690dc25b2601f564c3c4f6e94b33 7.1/RPMS/xemacs-el-21.1.9-8mdk.i586.rpm
52017318776e510dc8e573677cb08381 7.1/RPMS/xemacs-extras-21.1.9-8mdk.i586.rpm
ea8765c92a0c07a93f4d1af5e15791f0 7.1/RPMS/xemacs-info-21.1.9-8mdk.i586.rpm
fa9632a7ecd6dd79affc274aac8e4614 7.1/RPMS/xemacs-mule-21.1.9-8mdk.i586.rpm
604f7a3bb4ffe81b44cfc8edcc6bfe05 7.1/SRPMS/xemacs-21.1.9-8mdk.src.rpm
June, 23 2000 SECURITY UPDATE: fdutils
A vulnerability in fdmount allows any user to exploit a buffer overflow. A user who is in the floppy group can gain root access on the machine. Please upgrade to:
8cc3da61720d177cdbc75cac9192e427 7.1/RPMS/fdutils-5.3-11mdk.i586.rpm
63fc61599cd180a6b0e4ec9bfebc08d0 7.1/SRPMS/fdutils-5.3-11mdk.src.rpm