%package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs epiphany epiphany-devel epiphany-extensions firefox firefox-af firefox-ar firefox-be firefox-bg firefox-bn firefox-ca firefox-cs firefox-cy firefox-da firefox-de firefox-devel firefox-el firefox-en_GB firefox-eo firefox-es_AR firefox-es_ES firefox-et firefox-eu firefox-ext-beagle firefox-ext-blogrovr firefox-ext-foxmarks firefox-ext-mozvoikko firefox-ext-plasmanotify firefox-ext-r-kiosk firefox-ext-scribefire firefox-fi firefox-fr firefox-fy firefox-ga_IE firefox-gl firefox-gu_IN firefox-he firefox-hi firefox-hu firefox-id firefox-is firefox-it firefox-ja firefox-ka firefox-kn firefox-ko firefox-ku firefox-lt firefox-lv firefox-mk firefox-mn firefox-mr firefox-nb_NO firefox-nl firefox-nn_NO firefox-oc firefox-pa_IN firefox-pl firefox-pt_BR firefox-pt_PT firefox-ro firefox-ru firefox-si firefox-sk firefox-sl firefox-sq firefox-sr firefox-sv_SE firefox-te firefox-th firefox-theme-kde4ff firefox-tr firefox-uk firefox-zh_CN firefox-zh_TW gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell google-gadgets-common google-gadgets-gtk google-gadgets-qt libggadget1.0_0 libggadget-dbus1.0_0 libggadget-gtk1.0_0 libggadget-js1.0_0 libggadget-npapi1.0_0 libggadget-qt1.0_0 libggadget-webkitjs0 libggadget-xdg1.0_0 libgoogle-gadgets-devel libopensc2 libopensc-devel libxulrunner1.9.1.4 libxulrunner-devel mozilla-plugin-opensc mozilla-thunderbird-beagle opensc python-xpcom xulrunner yelp
Update: Thu Nov 05 22:51:47 2009
Importance: security
ID: MDVSA-2009:294
URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:294

%pre
Security issues were identified and fixed in firefox 3.5.x:

Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines.
Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer (CVE-2009-1563).

Security researcher Jeremy Brown reported that the file naming scheme used for downloading a file which already exists in the downloads folder is predictable. If an attacker had local access to a victim's computer and knew the name of a file the victim intended to open through the Download Manager, he could use this vulnerability to place a malicious file in the world-writable directory used to save temporary downloaded files and cause the browser to choose the incorrect file when opening it. Since this attack requires local access to the victim's machine, the severity of this vulnerability was determined to be low (CVE-2009-3274).

Security researcher Paul Stone reported that a user's form history, both from web content as well as the smart location bar, was vulnerable to theft. A malicious web page could synthesize events such as mouse focus and key presses on behalf of the victim and trick the browser into auto-filling the form fields with history entries and then reading the entries (CVE-2009-3370).

Security researcher Orlando Berrera of Sec Theory reported that recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use. These conditions often result in a crash which could potentially be used by an attacker to run arbitrary code on a victim's computer (CVE-2009-3371).

Security researcher Marco C. reported a flaw in the parsing of regular expressions used in Proxy Auto-configuration (PAC) files. In certain cases this flaw could be used by an attacker to crash a victim's browser and run arbitrary code on their computer.
Since this vulnerability requires the victim to have PAC configured in their environment with specific regular expressions which can trigger the crash, the severity of the issue was determined to be moderate (CVE-2009-3372).

Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow in Mozilla's GIF image parser. This vulnerability could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer (CVE-2009-3373).

Mozilla security researcher moz_bug_r_a4 reported that the XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web content, potentially executing malicious JavaScript code with chrome privileges (CVE-2009-3374).

Security researcher Gregory Fleischer reported that text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. Since this vulnerability requires user interaction to exploit, its severity was determined to be moderate (CVE-2009-3375).

Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file (CVE-2009-3376).

Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community.
Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer. liboggz, libvorbis, and liboggplay were all upgraded to address these issues (CVE-2009-3377, CVE-2009-3379, CVE-2009-3378).

Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2009-3380).

Additionally, some packages which require it have been rebuilt and are being provided as updates.

%description
Help browser for GNOME 2 which supports docbook documents, info and man.

%package mdkonline
Update: Fri Nov 06 14:51:30 2009
Importance: bugfix
ID: MDVA-2009:184
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:184

%pre
This update fixes an issue in mdkapplet where it offers to upgrade Mandriva 2010.0 to 2009.1 when the former is not listed on api.mdv.com (bug #55017).

%description
The Mandriva Online tool allows users to be kept informed about security updates, hardware support/enhancements and other high value services. The package includes:
* Update daemon which allows you to install security updates automatically,
* A KDE/Gnome/IceWM compliant applet for security updates notification and installation.

%package msec msec-gui
Update: Fri Nov 06 14:59:10 2009
Importance: bugfix
ID: MDVA-2009:185
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:185

%pre
This update provides updated translation files for msec shipped with Mandriva Linux 2010.0.

%description
The Mandriva Linux Security package is designed to provide security features to the Mandriva Linux users.
It allows you to select from a set of preconfigured security levels, and supports custom permission settings, user-specified levels, and several security utilities. This package includes the main msec application and several programs that will be run periodically in order to test the security of your system and alert you if needed.

%package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox firefox-af firefox-ar firefox-be firefox-bg firefox-bn firefox-ca firefox-cs firefox-cy firefox-da firefox-de firefox-devel firefox-el firefox-en_GB firefox-eo firefox-es_AR firefox-es_ES firefox-et firefox-eu firefox-ext-beagle firefox-ext-blogrovr firefox-ext-mozvoikko firefox-ext-plasmanotify firefox-ext-r-kiosk firefox-ext-scribefire firefox-fi firefox-fr firefox-fy firefox-ga_IE firefox-gl firefox-gu_IN firefox-he firefox-hi firefox-hu firefox-id firefox-is firefox-it firefox-ja firefox-ka firefox-kn firefox-ko firefox-ku firefox-lt firefox-lv firefox-mk firefox-mn firefox-mr firefox-nb_NO firefox-nl firefox-nn_NO firefox-oc firefox-pa_IN firefox-pl firefox-pt_BR firefox-pt_PT firefox-ro firefox-ru firefox-si firefox-sk firefox-sl firefox-sq firefox-sr firefox-sv_SE firefox-te firefox-th firefox-theme-kde4ff firefox-tr firefox-uk firefox-zh_CN firefox-zh_TW gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell google-gadgets-common google-gadgets-gtk google-gadgets-qt libggadget1.0_0 libggadget-dbus1.0_0 libggadget-gtk1.0_0 libggadget-js1.0_0 libggadget-npapi1.0_0 libggadget-qt1.0_0 libggadget-webkitjs0 libggadget-xdg1.0_0 libgoogle-gadgets-devel libopensc2 libopensc-devel libxulrunner1.9.1.5 libxulrunner-devel mozilla-plugin-opensc mozilla-thunderbird-beagle opensc python-xpcom xulrunner yelp
Update: Fri Nov 06 17:04:11 2009
Importance: bugfix
ID: MDVA-2009:186
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:186

%pre
This is
a maintenance and bugfix update for firefox 3.5.x:

* Bug 468562 - ASSERTION: Inserting multiple children without flushing
* Bug 521750 - Put a runtime NS_IsMainThread check in nsCycleCollector::Suspect2 and Forget2
* Bug 525326 - Crashes in gif decoder [@ xul.dll@0x348945][@ xul.dll@0x348864][@nsGIFDecoder2::GifWrite(unsigned char const*, unsigned int)]
* Bug 525276 - crashes [@ nsDocument::RegisterNamedItems(nsIContent*)]
* Bug 524462 - startup crash [@ gfxWindowsFontGroup::WhichFontSupportsChar(nsTArray > const&, unsigned int)]

Additionally, some packages which require it have been rebuilt and are being provided as updates.

%description
Help browser for GNOME 2 which supports docbook documents, info and man.

%package apache-base apache-devel apache-htcacheclean apache-mod_authn_dbd apache-mod_cache apache-mod_dav apache-mod_dbd apache-mod_deflate apache-mod_disk_cache apache-mod_file_cache apache-mod_ldap apache-mod_mem_cache apache-mod_proxy apache-mod_proxy_ajp apache-mod_proxy_scgi apache-mod_ssl apache-modules apache-mod_userdir apache-mpm-event apache-mpm-itk apache-mpm-peruser apache-mpm-prefork apache-mpm-worker apache-source
Update: Sun Nov 08 19:03:54 2009
Importance: security
ID: MDVSA-2009:295
URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:295

%pre
A vulnerability was discovered and corrected in apache:

Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555).

Additionally the SNI patch was upgraded for 2009.0/MES5 and 2009.1.

This update provides a solution to this vulnerability.

%description
This package contains the main binary of apache, a powerful, full-featured, efficient and freely-available Web server. Apache is also the most popular Web server on the Internet.
This version of apache is fully modular, and many modules are available in pre-compiled formats, like PHP and mod_auth_external.

Check for available Apache modules for Mandriva Linux at: http://nux.se/apache/ (most of them can be installed from the contribs repository)

This package defaults to a maximum of 128 dynamically loadable modules. This package defaults to a ServerLimit of 1024.

You can change these values at RPM build time by using for example:

--define 'maxmodules 512' --define 'serverlimit 2048'

The package was built to support a maximum of 128 dynamically loadable modules. The package was built with a ServerLimit of 1024.

%package desktop-common-data
Update: Mon Nov 09 16:48:58 2009
Importance: bugfix
ID: MDVA-2009:187
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:187

%pre
Sound events for Ia_Ora sound theme were not disabled by default for some actions. This package fixes this issue and ensures OpenOffice entries are in the correct order in Office menu in desktop environments.

%description
This package contains useful icons, menu structure and other goodies for the Mandriva Linux desktop.

%package indexhtml
Update: Mon Nov 09 16:51:10 2009
Importance: bugfix
ID: MDVA-2009:188
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:188

%pre
This update fixes the index page css and images when in disconnected mode.

%description
Mandriva Linux index.html welcome page displayed by web browsers when they are launched, first mail displayed on mail clients after installation and "about" information.

%package libqassistant4 libqt3support4 libqt4-devel libqtclucene4 libqtcore4 libqtdbus4 libqtdesigner4 libqtgui4 libqthelp4 libqtnetwork4 libqtopengl4 libqtscript4 libqtscripttools4 libqtsql4 libqtsvg4 libqttest4 libqtwebkit4 libqtxml4 libqtxmlpatterns4 qt4-accessibility-plugin qt4-assistant qt4-common qt4-database-plugin-mysql qt4-database-plugin-odbc qt4-database-plugin-pgsql qt4-database-plugin-sqlite qt4-database-plugin-tds qt4-designer qt4-designer-plugin-phonon qt4-designer-plugin-qt3support qt4-designer-plugin-webkit qt4-doc qt4-examples qt4-graphicssystems-plugin qt4-linguist qt4-qdoc3 qt4-qtconfig qt4-qtdbus qt4-qvfb qt4-xmlpatterns
Update: Mon Nov 09 18:52:57 2009
Importance: bugfix
ID: MDVA-2009:189
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:189

%pre
Some Qt software like Opera has CPU issues with the Qt4 version released on Mandriva 2010.0. This update fixes these issues.

%description
Qt is a GUI software toolkit which simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. Qt is written in C++ and is fully object-oriented. This package contains the shared library needed to run Qt applications, as well as the README files for Qt.

%package netprofile
Update: Mon Nov 09 18:54:08 2009
Importance: bugfix
ID: MDVA-2009:190
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:190

%pre
This update provides the missing read-netprofile command for netprofile application, which was required for on-boot network profile selection.

%description
Netprofile is a Mandriva solution to manage different network profiles. It allows you to define specific network, firewall and proxy configuration to use in different network environments (for example, at home, at work or while roaming), and also provides a way for the user to switch those profiles on the fly.

%package mc
Update: Mon Nov 09 19:38:01 2009
Importance: bugfix
ID: MDVA-2009:191
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:191

%pre
This update updates Midnight Commander to the latest version, which fixes occasional crashes when searching within editor/browser.

%description
Midnight Commander is a visual shell much like a file manager, only with way more features. It is text mode, but also includes mouse support if you are running GPM. Its coolest feature is the ability to ftp, view tar, zip files, and poke into RPMs for specific files.

%package apache-mod_php libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-devel php-doc php-dom php-enchant php-exif php-fileinfo php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-ini php-intl php-json php-ldap php-mbstring php-mcrypt php-mssql php-mysql php-mysqli php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-snmp php-soap php-sockets php-sqlite3 php-sybase_ct php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zip php-zlib
Update: Tue Nov 10 12:50:25 2009
Importance: bugfix
ID: MDVA-2009:193
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:193

%pre
This is a bugfix and maintenance release for php that upgrades php to 5.3.1RC3 and fixes some bugs:

- fix #54993 - With latest php-5.3.xx, it's not needed to build a separate binary for FastCGI SAPI support, this is always enabled in the php-cgi binary. This obsoletes the php-fcgi package and also adds a copy of php.ini as /etc/php-cgi-fcgi.ini to be able to have a separate configuration.
- fix #55063 - Calling utf8_encode or utf8_decode functions stalls PHP, there was a missing dependency on php-xml that is now fixed.
Additionally, some packages which require it have been rebuilt and are being provided as updates.

%description
PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts.

This version of php has the suhosin patch 0.9.8 applied. Please report bugs here: http://qa.mandriva.com/ so that the official maintainer of this Mandriva package can help you. More information regarding the suhosin patch 0.9.8 here: http://www.suhosin.org/

%package mdkonline
Update: Thu Nov 12 11:54:23 2009
Importance: bugfix
ID: MDVA-2009:194
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:194

%pre
This update fixes several issues with mdkapplet:
- it fixes adding the Restricted media (bug #55320)
- it fixes a rare crash (bug #55346)
- it forces applying the updates before offering to upgrade to a newer distro
- it fixes a crash while upgrading older distributions when perl has been upgraded to a newer version (bug #55090)

%description
The Mandriva Online tool allows users to be kept informed about security updates, hardware support/enhancements and other high value services. The package includes:
* Update daemon which allows you to install security updates automatically,
* A KDE/Gnome/IceWM compliant applet for security updates notification and installation.

%package libsndfile1 libsndfile-devel libsndfile-progs libsndfile-static-devel
Update: Thu Nov 12 16:45:16 2009
Importance: bugfix
ID: MDVA-2009:196
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:196

%pre
The x86_64 and i586 development packages had conflicting files and weren't installable in parallel. This update modifies the installation of the conflicting files.

%description
libsndfile is a C library for reading and writing sound files such as AIFF, AU and WAV files through one standard interface. It can currently read/write 8, 16, 24 and 32-bit PCM files as well as 32-bit floating point WAV files and a number of compressed formats.

%package glibc glibc-devel glibc-doc glibc-doc-pdf glibc-i18ndata glibc-profile glibc-static-devel glibc-utils nscd
Update: Thu Nov 12 16:56:48 2009
Importance: bugfix
ID: MDVA-2009:197
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:197

%pre
This update ships glibc with fixed preadv/pwritev/fallocate prototypes, which were wrong on 32-bit architectures with -D_FILE_OFFSET_BITS=64 on glibc 2.10.1. After installing the update, you must rebuild any application using preadv/pwritev/fallocate built with -D_FILE_OFFSET_BITS=64 on a 32-bit arch.

%description
The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. The glibc package also contains national language (locale) support.

This package now also provides ldconfig, which was packaged separately in the past. Ldconfig is a basic system program which determines run-time link bindings between ld.so and shared libraries. Ldconfig scans a running system and sets up the symbolic links that are used to load shared libraries properly. It also creates a cache (/etc/ld.so.cache) which speeds the loading of programs which use shared libraries.

%package squid squid-cachemgr
Update: Thu Nov 12 18:23:33 2009
Importance: bugfix
ID: MDVA-2009:199
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:199

%pre
This is a bugfix and maintenance release for squid that upgrades squid to 3.0.STABLE20 and fixes some bugs:

An outstanding issue with code 304 and code 200 replies being mixed up has now been resolved. This means requests which need to refresh cache objects will not cause temporary client software failures.

%description
Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

Install squid if you need a proxy caching server.

This package defaults to a maximum of 8192 file descriptors. You can change these values at build time by using for example:

--define 'maxfiles 4096'

The package was built to support a maximum of 8192 file descriptors.

You can build squid with some conditional build switches (i.e. use with rpm --rebuild):

--with[out] test        Initiate the test suite

%package squid squid-cachemgr
Update: Thu Nov 12 18:26:33 2009
Importance: bugfix
ID: MDVA-2009:199
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:199

%pre
This is a bugfix and maintenance release for squid that upgrades squid to 3.0.STABLE20 and fixes some bugs:

An outstanding issue with code 304 and code 200 replies being mixed up has now been resolved. This means requests which need to refresh cache objects will not cause temporary client software failures.

%description
Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

Install squid if you need a proxy caching server.

This package defaults to a maximum of 8192 file descriptors. You can change these values at build time by using for example:

--define 'maxfiles 4096'

The package was built to support a maximum of 8192 file descriptors.

You can build squid with some conditional build switches (i.e. use with rpm --rebuild):

--with[out] test        Initiate the test suite

%package mmc-agent python-mmc-base python-mmc-mail python-mmc-network python-mmc-proxy python-mmc-samba
Update: Fri Nov 13 11:48:54 2009
Importance: bugfix
ID: MDVA-2009:200
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:200

%pre
When accounts are created in MDS, the accounts are created with shadowExpire=0. They should be set with shadowExpire=-1, otherwise new accounts will always warn that they are expired when logging in using the account.

This fixes this bug for new accounts created using MDS. It does not fix the problem for existing accounts.

%description
XMLRPC server of the MMC API.

%package gimp gimp-python libgimp2.0_0 libgimp2.0-devel
Update: Fri Nov 13 14:13:02 2009
Importance: security
ID: MDVSA-2009:296
URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:296

%pre

%description
The GIMP is an image manipulation program suitable for photo retouching, image composition and image authoring.
Many people find it extremely useful in creating logos and other graphics for web pages. The GIMP has many of the tools and filters you would expect to find in similar commercial offerings, and some interesting extras as well.

The GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo.

This version of The GIMP includes a scripting facility, but many of the included scripts rely on fonts that we cannot distribute. The GIMP ftp site has a package of fonts that you can install by yourself, which includes all the fonts needed to run the included scripts. Some of the fonts have unusual licensing requirements; all the licenses are documented in the package. Get them in ftp://ftp.gimp.org/pub/gimp/fonts/ if you are so inclined. Alternatively, choose fonts which exist on your system before running the scripts.

Build Options:
--without python        Disable pygimp (default enabled)
--with lzw              Enable LZW compression in GIF (default disabled)

%package java-1.6.0-openjdk java-1.6.0-openjdk-demo java-1.6.0-openjdk-devel java-1.6.0-openjdk-javadoc java-1.6.0-openjdk-plugin java-1.6.0-openjdk-src
Update: Fri Nov 13 20:07:15 2009
Importance: bugfix
ID: MDVA-2009:202
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:202

%pre
Corrects issues with scaled bitmap fonts by properly installing fontconfig.properties and requiring a default font (bug #55005).

%description
The OpenJDK runtime environment. This version is built without netbeans, so jvisualvm is disabled.

%package apache-mod_php libphp5_common5 php-apc php-apc-admin php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-devel php-doc php-dom php-eaccelerator php-eaccelerator-admin php-enchant php-exif php-fileinfo php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-ini php-intl php-json php-ldap php-mbstring php-mcrypt php-mssql php-mysql php-mysqli php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-snmp php-soap php-sockets php-sqlite3 php-suhosin php-sybase_ct php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zip php-zlib
Update: Sun Nov 15 13:47:16 2009
Importance: bugfix
ID: MDVA-2009:203
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:203

%pre
This is a bugfix and maintenance release for php that upgrades php to 5.3.1RC4.

Additionally, some packages which require it have been rebuilt and are being provided as updates.

%description
PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts.

This version of php has the suhosin patch 0.9.8 applied. Please report bugs here: http://qa.mandriva.com/ so that the official maintainer of this Mandriva package can help you.
More information regarding the suhosin patch 0.9.8 here: http://www.suhosin.org/

%package apache-conf
Update: Sun Nov 15 16:09:41 2009
Importance: security
ID: MDVSA-2009:300
URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:300

%pre
A vulnerability was discovered and corrected in apache-conf:

The Apache HTTP Server enables the HTTP TRACE method by default, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software (CVE-2009-2823).

This update provides a solution to this vulnerability.

%description
This package contains configuration files for apache. It is necessary for operation of the apache webserver. Having those files in a separate module provides better customization for OEMs and ISPs, who can modify the look and feel of the apache webserver without having to re-compile the whole suite to change a logo or config file.

%package kompozer
Update: Mon Nov 16 17:49:55 2009
Importance: bugfix
ID: MDVA-2009:204
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:204

%pre
As mentioned on http://kompozer.net/, KompoZer 0.7.10 doesn't work with GTK 2.14 or higher. This is an update to version 0.8, making it work fine again.

%description
A complete Web authoring system for Linux Desktop users, similar to Microsoft Windows programs like FrontPage and Dreamweaver.

KompoZer is an unofficial branch of Nvu, previously developed by Linspire Inc.

It makes managing a Web site a snap. Now anyone can create Web pages and manage a Web site with no technical expertise or HTML knowledge.

Features
* WYSIWYG editing of pages, making Web creation as easy as typing a letter with your word processor.
* Integrated file management via FTP. Simply log in to your Web site and navigate through your files, editing Web pages on the fly, directly from your site.
* Reliable HTML code creation that works with today's most popular browsers.
* Jump between WYSIWYG editing mode and HTML using tabs.
* Tabbed editing to make working on multiple pages a snap.
* Powerful support for frames, forms, tables, and templates.

%package gstreamer0.10-a52dec gstreamer0.10-cdio gstreamer0.10-mpeg gstreamer0.10-plugins-ugly gstreamer0.10-sid gstreamer0.10-twolame libphonon4 libphononexperimental4 phonon-devel phonon-gstreamer phonon-xine
Update: Tue Nov 17 15:19:59 2009
Importance: bugfix
ID: MDVA-2009:206
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:206

%pre
In Amarok on Mandriva 2010, the time bar is locked and you cannot seek to a point when listening to a song. This happens because gstreamer0.10-plugins-ugly is missing; this phonon-gstreamer update adds this package as a dependency, fixing the bug.

Additionally, the gstreamer0.10-plugins-ugly packages are provided to ensure a smooth update.

%description
Phonon is the KDE4 Multimedia Framework

%package tcsh
Update: Tue Nov 17 22:24:14 2009
Importance: bugfix
ID: MDVA-2009:207
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:207

%pre

%description
Tcsh is an enhanced but completely compatible version of csh, the C shell. Tcsh is a command language interpreter which can be used both as an interactive login shell and as a shell script command processor. Tcsh includes a command line editor, programmable word completion, spelling correction, a history mechanism, job control and a C language like syntax.

%package tcsh
Update: Tue Nov 17 22:24:35 2009
Importance: bugfix
ID: MDVA-2009:207
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:207

%pre
Tcsh as shipped with Mandriva Linux 2010.0 would abort on startup with the "Unknown colorls variable mh." error, caused by inability to handle the MULTIHARDLINK color parameter (bug #53139).

This update fixes this issue.

%description
Tcsh is an enhanced but completely compatible version of csh, the C shell. Tcsh is a command language interpreter which can be used both as an interactive login shell and as a shell script command processor.
Tcsh includes a command line editor, programmable word completion, spelling correction, a history mechanism, job control and a C language like syntax.

%package aoss libalsa-oss0 libalsa-oss-devel
Update: Wed Nov 18 00:35:00 2009
Importance: bugfix
ID: MDVA-2009:208
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:208

%pre
The aoss script, which redirects OSS sound output to ALSA, contains an error which makes it fail to preload the correct library. Because of this error, old applications using OSS may fail to play sound if PulseAudio is not used.

This update corrects this error.

%description
Advanced Linux Sound Architecture (ALSA) is a modularized architecture which supports quite a large range of ISA and PCI cards. It's fully compatible with old OSS drivers (either OSS/Lite, OSS/commercial). To use the features of alsa, one can either use:
- the old OSS api
- the new ALSA api that provides many enhanced features.

Using the ALSA api requires the ALSA library.

This library provides oss compatibility.

%package kino kino-devel soundwrapper
Update: Thu Nov 19 19:45:04 2009
Importance: bugfix
ID: MDVA-2009:210
URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:210

%pre
The version of kino shipped with 2010.0 does not use the soundwrapper system to allow output to a legacy OSS sound device in a friendly way (without soundwrapper the first application to use OSS for sound will hog the device and prevent any other apps using sound). This update changes the .desktop file used to launch kino from the menus to ensure that soundwrapper is used.

Additionally, this update also provides the soundwrapper package in main/updates media, as it is a new dependency required by kino.
%description When placed before a command to run a program with some audio component, that program's audio output is redirected to the ALSA sound device or to the PulseAudio, aRts, or EsounD sound servers if either of them is in control of the sound device, enabling programs to play sounds at the same time %package libpango1.0_0 libpango1.0_0-modules libpango1.0-devel pango pango-doc Update: Thu Nov 19 20:39:41 2009 Importance: bugfix ID: MDVA-2009:211 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:211 %pre A bug in pango was preventing correct location of some glyphs when scaling was in effect. This update fixes this issue and enforces the version dependency on cairo, which could cause crashes when upgrading Mandriva Linux distribution to release 2010.0. %description A library to handle unicode strings as well as complex bidirectional or context dependent shaped strings. It is the next step on Gtk+ internationalization. %package libSDL_image1.2_0 libSDL_image1.2_0-test libSDL_image-devel Update: Thu Nov 19 20:59:56 2009 Importance: bugfix ID: MDVA-2009:212 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:212 %pre SDL_image shipped in Mandriva Linux 2010.0 contains a hidden link on libjpeg62, which is incompatible with libjpeg7 shipped in 2010.0. The hidden link will cause downstream applications such as tuxmath to be unable to launch. This update fixes this issue. %description This is a simple library to load images of various formats as SDL surfaces. This library currently supports BMP, PPM, PCX, GIF, JPEG, and PNG formats. This package contains the binary `sdlshow' to test the library. 
%package apache-mod_php libphp5_common5 php-apc php-apc-admin php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-devel php-doc php-dom php-eaccelerator php-eaccelerator-admin php-enchant php-exif php-fileinfo php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-intl php-json php-ldap php-mbstring php-mcrypt php-mssql php-mysql php-mysqli php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-snmp php-soap php-sockets php-sqlite3 php-suhosin php-sybase_ct php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zip php-zlib Update: Sat Nov 21 14:07:55 2009 Importance: security ID: MDVSA-2009:302 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:302 %pre Some vulnerabilities were discovered and corrected in php-5.3.1: - Added max_file_uploads INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. (Ilia) - Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia) - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus) - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus) - Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559, Johannes, christian at elmerot dot se) Additionally, some packages which require so, have been rebuilt and are being provided as updates. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. 
This version of php has the suhosin patch 0.9.8 applied. Please report bugs here: http://qa.mandriva.com/ so that the official maintainer of this Mandriva package can help you. More information regarding the suhosin patch 0.9.8 here: http://www.suhosin.org/ %package fuse libfuse2 libfuse-devel libfuse-static-devel Update: Mon Nov 23 18:00:06 2009 Importance: bugfix ID: MDVA-2009:215 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:215 %pre Due to a bad interaction between fuse and audit framework, applications reading .gvfs would hang if audit is activated. This happens at least on first boot and every month due to readahead-collector. This was reported as bug #53208. These updated packages fix the issue. %description FUSE (Filesystem in USErspace) is a simple interface for userspace programs to export a virtual filesystem to the linux kernel. FUSE also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations. %package qemu qemu-img Update: Tue Nov 24 13:19:57 2009 Importance: bugfix ID: MDVA-2009:217 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:217 %pre This update is a rebuild of qemu packages shipped in 2010.0 against latest glibc-2.10.1-6.2mnb2 with fixed preadv/pwritev prototypes. %description QEMU is a FAST! processor emulator. By using dynamic translation it achieves a reasonnable speed while being easy to port on new host CPUs. QEMU has two operating modes: * User mode emulation. In this mode, QEMU can launch Linux processes compiled for one CPU on another CPU. Linux system calls are converted because of endianness and 32/64 bit mismatches. Wine (Windows emulation) and DOSEMU (DOS emulation) are the main targets for QEMU. * Full system emulation. In this mode, QEMU emulates a full system, including a processor and various peripherials. Currently, it is only used to launch an x86 Linux kernel on an x86 Linux system. 
It enables easier testing and debugging of system code. It can also be used to provide virtual hosting of several virtual PCs on a single server. %package kdebase4-workspace kdebase4-workspace-devel kdm libkdecorations4 libkephal4 libkfontinst4 libkfontinstui4 libkhotkeysprivate4 libkscreensaver5 libksgrd4 libkwineffects1 libkwinnvidiahack4 libkworkspace4 liblsofui4 libnepomukquery4 libnepomukqueryclient4 libplasma_applet_system_monitor4 libplasmaclock4 libplasma-geolocation-interface4 libpolkitkdeprivate4 libprocesscore4 libprocessui4 libsolidcontrol4 libsolidcontrolifaces4 libtaskmanager4 libtime_solar4 libweather_ion4 plasma-applet-battery plasma-applet-calendar plasma-applet-quicklaunch plasma-applet-system-monitor-cpu plasma-applet-system-monitor-hdd plasma-applet-system-monitor-hwinfo plasma-applet-system-monitor-net plasma-applet-system-monitor-temperature plasma-applet-webbrowser plasma-krunner-powerdevil plasma-runner-places policykit-kde Update: Tue Nov 24 14:41:44 2009 Importance: bugfix ID: MDVA-2009:218 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:218 %pre In KDE 4.3 on Mandriva 2010.0, the possibility to lock/unlock widgets from the panel wasn't activated. These RPMs handle this issue. %description This package contains the KDE 4 application workspace components. %package libxcb1 libxcb-composite0 libxcb-damage0 libxcb-devel libxcb-dpms0 libxcb-glx0 libxcb-randr0 libxcb-record0 libxcb-render0 libxcb-res0 libxcb-screensaver0 libxcb-shape0 libxcb-shm0 libxcb-static-devel libxcb-sync0 libxcb-xevie0 libxcb-xf86dri0 libxcb-xfixes0 libxcb-xinerama0 libxcb-xprint0 libxcb-xtest0 libxcb-xv0 libxcb-xvmc0 Update: Tue Nov 24 23:20:42 2009 Importance: bugfix ID: MDVA-2009:219 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:219 %pre Due to a packaging problem, the development version of the libxcb package on 64 bit systems could lead to file conflicts during the installation because it was not providing the libxcb-devel package. 
This update fixes this issue. %description The X protocol C-language Binding (XCB) is a replacement for Xlib featuring a small footprint, latency hiding, direct access to the protocol, improved threading support, and extensibility. %package libxt6 libxt6-devel libxt6-static-devel Update: Tue Nov 24 23:37:36 2009 Importance: bugfix ID: MDVA-2009:220 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:220 %pre Due to a packaging problem, the development version of the libxt package on 64 bit systems could lead to file conflicts during the installation because it was not providing the libxt6-devel package. This update fixes this issue. %description X Toolkit Library. %package eclipse-ecj eclipse-jdt eclipse-pde eclipse-platform eclipse-rcp eclipse-swt Update: Wed Nov 25 18:46:14 2009 Importance: bugfix ID: MDVA-2009:222 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:222 %pre A missing xulrunner path in the eclipse.ini configuration file prevents Eclipse from starting, resulting in a crash. This update provides the fix for that bug. %description The Eclipse platform is designed for building integrated development environments (IDEs), server-side applications, desktop applications, and everything in between. %package bind bind-devel bind-doc bind-utils Update: Thu Nov 26 17:26:41 2009 Importance: security ID: MDVSA-2009:304 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:304 %pre Some vulnerabilities were discovered and corrected in bind: Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed at the same time as requesting DNSSEC records (DO). (CVE-2009-4022). 
Additionally BIND has been upgraded to the latest point release or closest supported version by ISC. %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. Install the bind package if you need a DNS server for your network. If you want bind to act a caching name server, you will also need to install the caching-nameserver package. Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the \$GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details Support for building single-threaded servers for environments that do not supply POSIX threads New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit" Faster lookups, particularly in large zones. Build Options: --without sdb_ldap Build without ldap simple database support (enabled per default) --with sdb_mysql Build with MySQL database support (disables ldap support, it's either way.) 
--with geoip Build with GeoIP support (disabled per default) %package mencoder mplayer mplayer-doc mplayer-gui Update: Fri Nov 27 12:49:30 2009 Importance: bugfix ID: MDVA-2009:223 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:223 %pre mplayer would crash when selecting a chapter from the DVD menu. This update prevents the crash. %description MPlayer is a movie player for LINUX (runs on many other Unices, and non-x86 CPUs, see the documentation). It plays most MPEG, VOB, AVI, VIVO, ASF/WMV, QT/MOV, FLI, NuppelVideo, yuv4mpeg, FILM, RoQ, and some RealMedia files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, FLI, and even DivX movies too (and you don't need the avifile library at all!). The another big feature of mplayer is the wide range of supported output drivers. It works with X11, Xv, DGA, OpenGL, SVGAlib, fbdev, AAlib, but you can use SDL (and this way all drivers of SDL), VESA (on every VESA compatible card, even without X!), and some lowlevel card-specific drivers (for Matrox, 3Dfx and Radeon) too! Most of them supports software or hardware scaling, so you can enjoy movies in fullscreen. MPlayer supports displaying through some hardware MPEG decoder boards, such as the DVB and DXR3/Hollywood+! And what about the nice big antialiased shaded subtitles (9 supported types!!!) with european/ISO 8859-1,2 (hungarian, english, czech, etc), cyrillic, korean fonts, and OSD? Note: If you want to play Real content, you need to have the content of RealPlayer's Codecs directory in /usr/lib/RealPlayer10GOLD/codecs %package flash-kde4-config free-kde4-config mandriva-kde4-config-common mandriva-kdm4-config one-kde4-config powerpack-kde4-config Update: Fri Nov 27 13:01:46 2009 Importance: bugfix ID: MDVA-2009:224 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:224 %pre This package adds new top bar for Mandriva Flash 2010 edition. 
%description This package groups all Mandriva-specific config files for KDE. (kicker config etc.) %package dovecot dovecot-devel dovecot-plugins-gssapi dovecot-plugins-ldap dovecot-plugins-managesieve dovecot-plugins-mysql dovecot-plugins-pgsql dovecot-plugins-sieve dovecot-plugins-sqlite Update: Sun Nov 29 16:15:55 2009 Importance: security ID: MDVSA-2009:306 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:306 %pre A vulnerability was discovered and corrected in dovecot: Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself (CVE-2009-3897). The updated packages have been patched to correct these issues. %description Dovecot is an IMAP and POP3 server for Linux/UNIX-like systems, written with security primarily in mind. Although it's written in C, it uses several coding techniques to avoid most of the common pitfalls. Dovecot can work with standard mbox and maildir formats and it's fully compatible with UW-IMAP and Courier IMAP servers as well as mail clients accessing the mailboxes directly. You can build dovecot with some conditional build switches; (i.e. 
use with rpm --rebuild): --with[out] gssapi GSSAPI support (enabled) --with[out] ldap LDAP support (enabled) --with[out] lucene Lucene support (enabled) --with[out] mysql MySQL support (enabled) --with[out] pgsql PostgreSQL support (enabled) --with[out] sqlite SQLite support (enabled) --with[out] sieve CMU Sieve support (enabled) --with[out] managesieve ManageSieve support (enabled) %package apache-base apache-devel apache-htcacheclean apache-mod_authn_dbd apache-mod_cache apache-mod_dav apache-mod_dbd apache-mod_deflate apache-mod_disk_cache apache-mod_file_cache apache-mod_ldap apache-mod_mem_cache apache-mod_proxy apache-mod_proxy_ajp apache-mod_proxy_scgi apache-mod_ssl apache-modules apache-mod_userdir apache-mpm-event apache-mpm-itk apache-mpm-peruser apache-mpm-prefork apache-mpm-worker apache-source Update: Sun Nov 29 19:32:04 2009 Importance: bugfix ID: MDVA-2009:226 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:226 %pre This is a minor bugfix release for apache (mod_ssl): The openssl and makedev packages are needed at install time from CD-ROM media in %post for the apache-mod_ssl subpackage in order to be able to generate the dummy SSL certificate (fixes #55951). The packages provided with this update address this problem. %description This package contains the main binary of apache, a powerful, full-featured, efficient and freely-available Web server. Apache is also the most popular Web server on the Internet. This version of apache is fully modular, and many modules are available in pre-compiled formats, like PHP and mod_auth_external. Check for available Apache modules for Mandriva Linux at: http://nux.se/apache/ (most of them can be installed from the contribs repository) This package defaults to a maximum of 128 dynamically loadable modules. This package defaults to a ServerLimit of 1024. 
You can change these values at RPM build time by using for example: --define 'maxmodules 512' --define 'serverlimit 2048' The package was built to support a maximum of 128 dynamically loadable modules. The package was built with a ServerLimit of 1024. %package gcc gcc-c++ gcc-cpp gcc-doc gcc-doc-pdf gcc-gfortran gcc-gnat gcc-java gcc-objc gcc-objc++ gcj-tools graphicsmagick graphicsmagick-doc graphviz graphviz-doc heartbeat heartbeat-ldirectord heartbeat-pils heartbeat-stonith java-graphviz libbraille14 libbraille-devel libcdt4 libcgraph4 libffi4 libffi4-devel libgcc1 libgcj10 libgcj10-base libgcj10-src libgcj_bc1 libgcj-devel libgcj-static-devel libgfortran3 libgnat1 libgomp1 libgomp-devel libgraph4 libgraphicsmagick3 libgraphicsmagick-devel libgraphicsmagickwand2 libgraphviz-devel libgraphviz-static-devel libgvc5 libheartbeat1 libheartbeat1-devel libheartbeat-apphb0 libheartbeat-pils1 libheartbeat-pils1-devel libheartbeat-stonith1 libheartbeat-stonith1-devel libltdl7 libltdl-devel libmudflap0 libmudflap-devel libobjc2 libpathplan4 libprelude2 libprelude-devel libprelude-static-devel libredland0 libredland-devel libstdc++6 libstdc++-devel libstdc++-static-devel libtool libtool-base libxmlsec1-1 libxmlsec1-devel libxmlsec1-gnutls1 libxmlsec1-gnutls-devel libxmlsec1-nss1 libxmlsec1-nss-devel libxmlsec1-openssl1 libxmlsec1-openssl-devel lua-graphviz ocaml-graphviz perl-Graphics-Magick perl-graphviz perl-prelude php-graphviz prelude-tools proftpd proftpd-devel proftpd-mod_autohost proftpd-mod_ban proftpd-mod_case proftpd-mod_ctrls_admin proftpd-mod_gss proftpd-mod_ifsession proftpd-mod_ldap proftpd-mod_load proftpd-mod_quotatab proftpd-mod_quotatab_file proftpd-mod_quotatab_ldap proftpd-mod_quotatab_radius proftpd-mod_quotatab_sql proftpd-mod_radius proftpd-mod_ratio proftpd-mod_rewrite proftpd-mod_sftp proftpd-mod_shaper proftpd-mod_site_misc proftpd-mod_sql proftpd-mod_sql_mysql proftpd-mod_sql_postgres proftpd-mod_time proftpd-mod_tls proftpd-mod_vroot 
proftpd-mod_wrap proftpd-mod_wrap_file proftpd-mod_wrap_sql python-braille python-graphviz python-prelude redland ruby-graphviz tcl-graphviz xmlsec1 Update: Mon Nov 30 15:33:28 2009 Importance: security ID: MDVSA-2009:307 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:307 %pre A vulnerability was discovered and corrected in libtool: All versions of libtool prior to 2.2.6b suffer from a local privilege escalation vulnerability that could be exploited under certain conditions to load arbitrary code (CVE-2009-3736). This advisory fixes this issue. Additionally, all applications embedding the libtool code were patched in order to avoid possible future exploitation of this issue. %description XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with a goal to support major XML security standards "XML Digital Signature" and "XML Encryption". %package mandriva-doc-common mandriva-doc-Drakxtools-Guide-en mandriva-doc-Drakxtools-Guide-fr mandriva-doc-Drakxtools-Guide-pt_br mandriva-doc-installer-help mandriva-doc-Introducing-en mandriva-doc-Introducing-fr mandriva-doc-Introducing-pt_br mandriva-doc-Mastering-Manual-en mandriva-doc-Mastering-Manual-fr Update: Mon Nov 30 18:53:27 2009 Importance: bugfix ID: MDVA-2009:227 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:227 %pre This is a bug fix release that adds some missing screenshots for 2010 and fixes the publication date in the PDF file. %description This package contains some useful documentation for Mandriva Linux systems. This documentation is directly accessible through the menus. 
%package kdebase4-workspace kdebase4-workspace-devel kdm libkdecorations4 libkephal4 libkfontinst4 libkfontinstui4 libkhotkeysprivate4 libkscreensaver5 libksgrd4 libkwineffects1 libkwinnvidiahack4 libkworkspace4 liblsofui4 libnepomukquery4 libnepomukqueryclient4 libplasma_applet_system_monitor4 libplasmaclock4 libplasma-geolocation-interface4 libpolkitkdeprivate4 libprocesscore4 libprocessui4 libsolidcontrol4 libsolidcontrolifaces4 libtaskmanager4 libtime_solar4 libweather_ion4 plasma-applet-battery plasma-applet-calendar plasma-applet-quicklaunch plasma-applet-system-monitor-cpu plasma-applet-system-monitor-hdd plasma-applet-system-monitor-hwinfo plasma-applet-system-monitor-net plasma-applet-system-monitor-temperature plasma-applet-webbrowser plasma-krunner-powerdevil plasma-runner-places policykit-kde Update: Mon Nov 30 19:39:43 2009 Importance: bugfix ID: MDVA-2009:228 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:228 %pre On Mandriva 2010.0, when closing the KDE session with 3D effects enabled, the screen can become black. %description This package contains the KDE 4 application workspace components. %package kdelibs4-core kdelibs4-devel libkde3support4 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdnssd4 libkfile4 libkhtml5 libkimproxy4 libkio5 libkjs4 libkjsapi4 libkjsembed4 libkmediaplayer4 libknewstuff2_4 libknotifyconfig4 libkntlm4 libkparts4 libkpty4 libkrosscore4 libkrossui4 libktexteditor4 libkunittest4 libkutils4 libnepomuk4 libplasma3 libsolid4 libthreadweaver4 Update: Mon Nov 30 21:33:11 2009 Importance: bugfix ID: MDVA-2009:230 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:230 %pre In Mandriva 2010.0 it may happen that devices like iPod fail to get ejected. Also in Mandriva 2010.0, solid does not respect HAL locks, resulting in KDE applications not properly showing partitions from these devices. This update fixes these issues. %description Libraries for the K Desktop Environment. 
%package dolphin kappfinder kde4-nsplugins kdebase4 kdebase4-devel kdepasswd kdialog keditbookmarks kfind kinfocenter konqueror konsole kwrite libdolphinprivate4 libkonq5 libkonqsidebarplugin4 libkonquerorprivate4 plasma-applet-folderview Update: Mon Nov 30 21:38:48 2009 Importance: bugfix ID: MDVA-2009:231 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:231 %pre In Mandriva 2010.0, konqueror crashes when opening a new tab on a previously detached tab. This update fixes this issue. %description This meta package requires all base kdebase 4 packages. %package drakx-net drakx-net-text libdrakx-net Update: Tue Dec 01 19:33:47 2009 Importance: bugfix ID: MDVA-2009:232 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:232 %pre This update fixes two issues in drakx-net shipped with Mandriva Linux 2010.0: - draksambashare application was fixed to correctly handle samba users (bug #55388) - drakhosts application was fixed to allow specifying multiple IP addresses for same host address (bug #30168) %description This package contains the Mandriva network tools. net_applet: applet to check network connection %package msec msec-gui Update: Tue Dec 01 20:01:12 2009 Importance: bugfix ID: MDVA-2009:233 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:233 %pre This update fixes two issues with msec: - saving new security level with 'msec --save' would result in an error - msec would show a bogus error when checking permissions on non-local files (bug #56088) %description The Mandriva Linux Security package is designed to provide security features to the Mandriva Linux users. It allows to select from a set of preconfigured security levels, and supports custom permission settings, user-specified levels, and several security utilities. This packages includes main msec application and several programs that will be run periodically in order to test the security of your system and alert you if needed. 
%package dragonplayer juk kde4-audiocd kdemultimedia4 kdemultimedia4-core kdemultimedia4-devel kmix kscd libaudiocdplugins4 libkcddb4 libkcompactdisc4 mplayerthumbs Update: Wed Dec 02 21:10:40 2009 Importance: bugfix ID: MDVA-2009:236 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:236 %pre In Mandriva Linux 2010.0, the kmix application may fail to initialize on system start. This update fixes this issue. %description kdemultimedia4 metapackage. %package libdmx1 libdmx-devel libdmx-static-devel libxp6 libxp-devel libxp-static-devel xdpyinfo Update: Thu Dec 03 17:00:38 2009 Importance: bugfix ID: MDVA-2009:237 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:237 %pre The xdpyinfo package was updated to allow handling more X11 extensions. %description Xdpyinfo is a utility for displaying information about an X server. It is used to examine the capabilities of a server, the predefined values for various parameters used in communicating between clients and the server, and the different types of screens and visuals that are available. %package expat libexpat1 libexpat1-devel Update: Sat Dec 05 13:00:04 2009 Importance: security ID: MDVSA-2009:316 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:316 %pre A vulnerability has been found and corrected in expat: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720 (CVE-2009-3560). Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides a solution to these vulnerabilities. %description Expat is an XML 1.0 parser written in C by James Clark. It aims to be fully conforming. 
It is currently not a validating XML parser. %package python-qt Update: Tue Dec 08 14:47:29 2009 Importance: bugfix ID: MDVA-2009:242 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:242 %pre The python-qt package included in Mandriva 2010.0 contains an API incompatibility problem with python-sip 4.9.1, which will cause downstream programs to be unusable. This update fixes the issue. %description PyQt is a set of Python bindings for Trolltech's Qt application framework and runs on all platforms supported by Qt including Windows, MacOS/X and Linux. %package dragonplayer juk kde4-audiocd kdemultimedia4 kdemultimedia4-core kdemultimedia4-devel kmix kscd libaudiocdplugins4 libkcddb4 libkcompactdisc4 mplayerthumbs Update: Tue Dec 08 14:51:00 2009 Importance: bugfix ID: MDVA-2009:243 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:243 %pre With dragon player, after watching a film, the screensaver was activated even if you had deactivated it. This update fixes the issue. %description kdemultimedia4 metapackage. %package kdelibs4-core kdelibs4-devel libkde3support4 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdnssd4 libkfile4 libkhtml5 libkimproxy4 libkio5 libkjs4 libkjsapi4 libkjsembed4 libkmediaplayer4 libknewstuff2_4 libknotifyconfig4 libkntlm4 libkparts4 libkpty4 libkrosscore4 libkrossui4 libktexteditor4 libkunittest4 libkutils4 libnepomuk4 libplasma3 libsolid4 libthreadweaver4 Update: Tue Dec 08 15:06:33 2009 Importance: bugfix ID: MDVA-2009:244 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:244 %pre In KDE 4.3 provided with Mandriva 2010.0 there was a performance regression and lag in krunner. This update fixes the issue. %description Libraries for the K Desktop Environment. 
%package ntp ntp-client ntp-doc Update: Wed Dec 09 00:02:24 2009 Importance: security ID: MDVSA-2009:328 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:328 %pre A vulnerability has been found and corrected in ntp: Robin Park and Dmitri Vinokurov discovered a flaw in the way ntpd handled certain malformed NTP packets. ntpd logged information about all such packets and replied with an NTP packet that was treated as malformed when received by another ntpd. A remote attacker could use this flaw to create an NTP packet reply loop between two ntpd servers via a malformed packet with a spoofed source IP address and port, causing ntpd on those servers to use excessive amounts of CPU time and fill disk space with log messages (CVE-2009-3563). This update provides a solution to this vulnerability. %description The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. The ntp package contains utilities and daemons which will synchronize your computer's time to Coordinated Universal Time (UTC) via the NTP protocol and NTP servers. Ntp includes ntpdate (a program for retrieving the date and time from remote machines via a network) and ntpd (a daemon which continuously adjusts system time). Install the ntp package if you need tools for keeping your system's time synchronized via the NTP protocol. Note: Primary, original, big, HTML documentation, is in the package ntp-doc. 
%package broadcom-wl-kernel-2.6.31.6-desktop-1mnb broadcom-wl-kernel-2.6.31.6-desktop586-1mnb broadcom-wl-kernel-2.6.31.6-server-1mnb broadcom-wl-kernel-desktop586-latest broadcom-wl-kernel-desktop-latest broadcom-wl-kernel-server-latest em8300-kernel-2.6.31.6-desktop-1mnb em8300-kernel-2.6.31.6-desktop586-1mnb em8300-kernel-2.6.31.6-server-1mnb em8300-kernel-desktop586-latest em8300-kernel-desktop-latest em8300-kernel-server-latest fglrx-kernel-2.6.31.6-desktop-1mnb fglrx-kernel-2.6.31.6-desktop586-1mnb fglrx-kernel-2.6.31.6-server-1mnb fglrx-kernel-desktop586-latest fglrx-kernel-desktop-latest fglrx-kernel-server-latest hcfpcimodem-kernel-2.6.31.6-desktop-1mnb hcfpcimodem-kernel-2.6.31.6-desktop586-1mnb hcfpcimodem-kernel-2.6.31.6-server-1mnb hcfpcimodem-kernel-desktop586-latest hcfpcimodem-kernel-desktop-latest hcfpcimodem-kernel-server-latest hsfmodem-kernel-2.6.31.6-desktop-1mnb hsfmodem-kernel-2.6.31.6-desktop586-1mnb hsfmodem-kernel-2.6.31.6-server-1mnb hsfmodem-kernel-desktop586-latest hsfmodem-kernel-desktop-latest hsfmodem-kernel-server-latest kernel-2.6.31.6-1mnb kernel-desktop-2.6.31.6-1mnb kernel-desktop586-2.6.31.6-1mnb kernel-desktop586-devel-2.6.31.6-1mnb kernel-desktop586-devel-latest kernel-desktop586-latest kernel-desktop-devel-2.6.31.6-1mnb kernel-desktop-devel-latest kernel-desktop-latest kernel-doc kernel-server-2.6.31.6-1mnb kernel-server-devel-2.6.31.6-1mnb kernel-server-devel-latest kernel-server-latest kernel-source-2.6.31.6-1mnb kernel-source-latest libafs-kernel-2.6.31.6-desktop-1mnb libafs-kernel-2.6.31.6-desktop586-1mnb libafs-kernel-2.6.31.6-server-1mnb libafs-kernel-desktop586-latest libafs-kernel-desktop-latest libafs-kernel-server-latest lirc-kernel-2.6.31.6-desktop-1mnb lirc-kernel-2.6.31.6-desktop586-1mnb lirc-kernel-2.6.31.6-server-1mnb lirc-kernel-desktop586-latest lirc-kernel-desktop-latest lirc-kernel-server-latest lzma-kernel-2.6.31.6-desktop-1mnb lzma-kernel-2.6.31.6-desktop586-1mnb lzma-kernel-2.6.31.6-server-1mnb 
lzma-kernel-desktop586-latest lzma-kernel-desktop-latest lzma-kernel-server-latest madwifi-kernel-2.6.31.6-desktop-1mnb madwifi-kernel-2.6.31.6-desktop586-1mnb madwifi-kernel-2.6.31.6-server-1mnb madwifi-kernel-desktop586-latest madwifi-kernel-desktop-latest madwifi-kernel-server-latest nvidia173-kernel-2.6.31.6-desktop-1mnb nvidia173-kernel-2.6.31.6-desktop586-1mnb nvidia173-kernel-2.6.31.6-server-1mnb nvidia173-kernel-desktop586-latest nvidia173-kernel-desktop-latest nvidia173-kernel-server-latest nvidia96xx-kernel-2.6.31.6-desktop-1mnb nvidia96xx-kernel-2.6.31.6-desktop586-1mnb nvidia96xx-kernel-2.6.31.6-server-1mnb nvidia96xx-kernel-desktop586-latest nvidia96xx-kernel-desktop-latest nvidia96xx-kernel-server-latest nvidia-current-kernel-2.6.31.6-desktop-1mnb nvidia-current-kernel-2.6.31.6-desktop586-1mnb nvidia-current-kernel-2.6.31.6-server-1mnb nvidia-current-kernel-desktop586-latest nvidia-current-kernel-desktop-latest nvidia-current-kernel-server-latest slmodem-kernel-2.6.31.6-desktop-1mnb slmodem-kernel-2.6.31.6-desktop586-1mnb slmodem-kernel-2.6.31.6-server-1mnb slmodem-kernel-desktop586-latest slmodem-kernel-desktop-latest slmodem-kernel-server-latest squashfs-lzma-kernel-2.6.31.6-desktop-1mnb squashfs-lzma-kernel-2.6.31.6-desktop586-1mnb squashfs-lzma-kernel-2.6.31.6-server-1mnb squashfs-lzma-kernel-desktop586-latest squashfs-lzma-kernel-desktop-latest squashfs-lzma-kernel-server-latest vboxadditions-kernel-2.6.31.6-desktop-1mnb vboxadditions-kernel-2.6.31.6-desktop586-1mnb vboxadditions-kernel-2.6.31.6-server-1mnb vboxadditions-kernel-desktop586-latest vboxadditions-kernel-desktop-latest vboxadditions-kernel-server-latest virtualbox-kernel-2.6.31.6-desktop-1mnb virtualbox-kernel-2.6.31.6-desktop586-1mnb virtualbox-kernel-2.6.31.6-server-1mnb virtualbox-kernel-desktop586-latest virtualbox-kernel-desktop-latest virtualbox-kernel-server-latest vpnclient-kernel-2.6.31.6-desktop-1mnb vpnclient-kernel-2.6.31.6-desktop586-1mnb 
vpnclient-kernel-2.6.31.6-server-1mnb vpnclient-kernel-desktop586-latest vpnclient-kernel-desktop-latest vpnclient-kernel-server-latest Update: Wed Dec 09 23:17:37 2009 Importance: security ID: MDVSA-2009:329 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:329 %pre Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddpN device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams. (CVE-2009-2903) Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. (CVE-2009-3547) The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881. (CVE-2009-3612) net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. (CVE-2009-3621) Integer overflow in the kvm_dev_ioctl_get_supported_cpuid function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.31.4 allows local users to have an unspecified impact via a KVM_GET_SUPPORTED_CPUID request to the kvm_arch_dev_ioctl function. 
(CVE-2009-3638) The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the Linux kernel before 2.6.31-rc4 allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state. (CVE-2009-3726) The ip_frag_reasm function in ipv4/ip_fragment.c in Linux kernel 2.6.32-rc8, and possibly earlier versions, calls IP_INC_STATS_BH with an incorrect argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and hang) via long IP packets, possibly related to the ip_defrag function. (CVE-2009-1298) To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description %package espeak libespeak1 libespeak-devel Update: Thu Dec 10 17:52:28 2009 Importance: bugfix ID: MDVA-2009:245 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:245 %pre In Mandriva 2010.0, espeak did not support the pulseaudio audio system, which rendered incomprehensible speech. This update changes the build of espeak to use pulseaudio as audio output. %description eSpeak is a compact open source software speech synthesizer for English and other languages. eSpeak produces good quality English speech. It uses a different synthesis method from other open source TTS engines, and sounds quite different. It's perhaps not as natural or "smooth", but I find the articulation clearer and easier to listen to for long periods. %package hal-cups-utils Update: Thu Dec 10 21:00:25 2009 Importance: bugfix ID: MDVA-2009:246 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:246 %pre In Mandriva 2010.0, hal-cups-utils does not re-enable printers when they are reconnected and no printer applet is running. This update fixes this issue. %description This package contains utilities for linking CUPS to HAL.
This includes: * backend/hal - the CUPS backend for browsing local printers using HAL * systemv/hal_lpadmin - a utility based on lpadmin for adding, configuring and removing printers using hal UDI's * requires system-config-printer-libs and a running cups server %package mdkonline Update: Thu Dec 10 21:47:23 2009 Importance: bugfix ID: MDVA-2009:247 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:247 %pre This update fixes several issues regarding the live upgrade to a more recent distribution. %description The Mandriva Online tool allows users to be kept informed about security updates, hardware support/enhancements and other high value services. The package includes: * Update daemon which allows you to install security updates automatically, * A KDE/Gnome/IceWM compliant applet for security updates notification and installation. %package wireless-regdb Update: Thu Dec 10 21:55:50 2009 Importance: bugfix ID: MDVA-2009:250 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:250 %pre This updates the wireless regulatory domain database to 2009-11-10 in order to follow the wireless regulations in the world. For Mandriva 2010.0: - add support for Aruba (AW) - update United States (US) rules for 5600 MHz - 5650 MHz For Mandriva 2009.1: - enable 5GHz band for Thailand (TH) - updates to 5GHz band for Korea (KR) - add missing 5GHz band for Brunei Darussalam (BN) - update / fix 5GHz bands for Germany (DE) %description Database with wireless regulatory information, used by crda or which can be used by other user space helpers to communicate wireless regulatory data to the Linux kernel.
%package gimp gimp-python libgimp2.0_0 libgimp2.0-devel Update: Fri Dec 11 11:47:08 2009 Importance: security ID: MDVSA-2009:332 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:332 %pre A vulnerability was discovered and corrected in gimp: Integer overflow in the read_channel_data function in plug-ins/file-psd/psd-load.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a crafted PSD file that triggers a heap-based buffer overflow (CVE-2009-3909). Additionally the patch for CVE-2009-1570 in MDVSA-2009:296 was incomplete, this update corrects this as well. This update provides a solution to this vulnerability. %description The GIMP is an image manipulation program suitable for photo retouching, image composition and image authoring. Many people find it extremely useful in creating logos and other graphics for web pages. The GIMP has many of the tools and filters you would expect to find in similar commercial offerings, and some interesting extras as well. The GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. This version of The GIMP includes a scripting facility, but many of the included scripts rely on fonts that we cannot distribute. The GIMP ftp site has a package of fonts that you can install by yourself, which includes all the fonts needed to run the included scripts. Some of the fonts have unusual licensing requirements; all the licenses are documented in the package. Get them in ftp://ftp.gimp.org/pub/gimp/fonts/ if you are so inclined. Alternatively, choose fonts which exist on your system before running the scripts. 
Build Options: --without python Disable pygimp (default enabled) --with lzw Enable LZW compression in GIF (default disabled) %package libwebkitgtk1.0_2 libwebkitgtk1.0-devel webkit1.0 webkit1.0-webinspector webkit webkit-gtklauncher webkit-jsc Update: Fri Dec 11 19:46:02 2009 Importance: bugfix ID: MDVA-2009:252 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:252 %pre This update brings the new stable version 1.1.15.4 of webkitgtk, and solves the problem with the SSE2 instruction set on AMD machines. %description WebKit is an open source web browser engine. %package libmpg123_0 libmpg123-devel mpg123 mpg123-esd mpg123-jack mpg123-nas mpg123-openal mpg123-portaudio mpg123-pulse mpg123-sdl Update: Mon Dec 14 12:01:12 2009 Importance: bugfix ID: MDVA-2009:253 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:253 %pre A regression was found and fixed for mpg123 while attempting to load the mpg123 modules. This regression stems from MDVSA-2009:307 (libtool ltdl). %description Mpg123 is a fast, free and portable MPEG audio player for Unix. It supports MPEG 1.0/2.0 layers 1, 2 and 3 ("mp3" files). For full CD quality playback (44 kHz, 16 bit, stereo) a fast CPU is required. Mono and/or reduced quality playback (22 kHz or 11 kHz) is possible on slow CPUs (like Intel 486). 
For information on the MP3 License, please visit: http://www.mpeg.org %package graphviz graphviz-doc java-graphviz libcdt4 libcgraph4 libgraph4 libgraphviz-devel libgraphviz-static-devel libgvc5 libpathplan4 lua-graphviz ocaml-graphviz perl-graphviz php-graphviz python-graphviz ruby-graphviz tcl-graphviz Update: Mon Dec 14 13:58:29 2009 Importance: bugfix ID: MDVA-2009:254 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:254 %pre This update fixes an issue with graphviz: * graphviz isn't properly upgraded to a newer version when upgrading from a 2009.0 system %description A collection of tools for the manipulation and layout of graphs (as in nodes and edges, not as in barcharts). %package fontconfig libfontconfig1 libfontconfig-devel Update: Mon Dec 14 18:48:54 2009 Importance: bugfix ID: MDVA-2009:255 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:255 %pre A bug in the fontconfig language cache was generating an invalid cache, which would cause crashes or freezes when upgrading a previous Mandriva Linux release to Mandriva Linux 2010 using the live update feature. This update fixes this issue. %description Fontconfig is designed to locate fonts within the system and select them according to requirements specified by applications.
%package akregator kaddressbook kalarm kdepim4 kdepim4-core kdepim4-devel kdepim4-kresources kdepim4-wizards kjots kleopatra kmail kmailcvt knode knotes kontact korganizer kpilot ksendemail ktimetracker libakregatorinterfaces4 libakregatorprivate4 libgwsoap4 libkabc_groupdav4 libkabc_groupwise4 libkabckolab4 libkabcommon4 libkabcscalix4 libkabc_slox4 libkabc_xmlrpc4 libkabinterfaces4 libkaddressbookprivate4 libkalarm_resources4 libkcal_groupdav4 libkcal_groupwise4 libkcalkolab4 libkcal_resourceblog4 libkcal_resourceremote4 libkcalscalix4 libkcal_slox4 libkcal_xmlrpc4 libkdepim4 libkgroupwarebase4 libkgroupwaredav4 libkleo4 libkleopatraclientcore4 libkleopatraclientgui4 libkmailprivate4 libknodecommon4 libknoteskolab4 libknotesscalix4 libknotes_xmlrpc4 libkontactinterfaces4 libkontactprivate4 libkorganizer_calendar4 libkorganizer_core4 libkorganizer_eventviewer4 libkorganizer_interfaces4 libkorganizerprivate4 libkorg_stdprinting4 libkpgp4 libkpilot5 libksieve4 libkslox4 libmimelib4 Update: Mon Dec 14 20:08:41 2009 Importance: bugfix ID: MDVA-2009:256 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:256 %pre In Mandriva 2010.0, with Ktimetracker embedded in Kontact, the shortcut to create a new task didn't work, another bug is that the shortcut ctrl + shift + W would make Kontact crash. This update fixes these issues. %description Information Management applications for the K Desktop Environment. - kaddressbook: The KDE addressbook application. - korganizer: a calendar-of-events and todo-list manager - kpilot: to sync with your PalmPilot - kalarm: gui for setting up personal alarm/reminder messages - kalarmd: personal alarm/reminder messages daemon, shared by korganizer and kalarm. - kaplan: A shell for the PIM apps, still experimental. - ktimetracker: Time tracker. - kfile-plugins: vCard KFIleItem plugin. - knotes: yellow notes application - konsolecalendar: Command line tool for accessing calendar files. 
- kmail: universal mail client - kmailcvt: converts addressbooks to kmail format %package flash-kde4-config free-kde4-config mandriva-kde4-config-common mandriva-kdm4-config one-kde4-config powerpack-kde4-config Update: Mon Dec 14 23:05:25 2009 Importance: bugfix ID: MDVA-2009:257 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:257 %pre In kde4-firstsetup.sh from Mandriva 2010.0 there were still some references to plasma, which has been renamed to plasma-desktop in KDE 4.3. This update fixes this issue. %description This package regroups all specific Mandriva config files for KDE. (kicker config etc.) %package libecpg8.4_6 libpq8.4_5 postgresql8.4 postgresql8.4-contrib postgresql8.4-devel postgresql8.4-docs postgresql8.4-pl postgresql8.4-plperl postgresql8.4-plpgsql postgresql8.4-plpython postgresql8.4-pltcl postgresql8.4-server Update: Tue Dec 15 16:02:53 2009 Importance: security ID: MDVSA-2009:333 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:333 %pre Multiple vulnerabilities were discovered and corrected in postgresql: NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034). Privilege escalation via changing session state in an index function. This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136). Packages for 2008.0 are being provided due to extended support for Corporate products. This update provides a solution to these vulnerabilities.
%description PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs (including transactions, subselects and user-defined types and functions). The postgresql package includes the client programs and libraries that you'll need to access a PostgreSQL DBMS server. These PostgreSQL client programs are programs that directly manipulate the internal structure of PostgreSQL databases on a PostgreSQL server. These client programs can be located on the same machine with the PostgreSQL server, or may be on a remote machine which accesses a PostgreSQL server over a network connection. This package contains the client libraries for C and C++, as well as command-line utilities for managing PostgreSQL databases on a PostgreSQL server. If you want to manipulate a PostgreSQL database on a remote PostgreSQL server, you need this package. You also need to install this package if you're installing the postgresql-server package. %package libwebkitgtk1.0_2 libwebkitgtk1.0-devel webkit1.0 webkit1.0-webinspector webkit webkit-gtklauncher webkit-jsc Update: Tue Dec 15 19:41:12 2009 Importance: bugfix ID: MDVA-2009:258 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:258 %pre MDVA-2009:252 introduced a regression with the newer version of the webkit package, which made the Mandriva Control Center crash. This update reverts the webkit package to the previous version. Also this update reintroduces the issue fixed by MDVA-2009-252. %description WebKit is an open source web browser engine. %package libwebkitgtk1.0_2 libwebkitgtk1.0-devel webkit1.0 webkit1.0-webinspector webkit webkit-gtklauncher webkit-jsc Update: Wed Dec 16 06:51:29 2009 Importance: bugfix ID: MDVA-2009:259 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:259 %pre MDVA-2009:258 introduced a regression which made the libwebkitgtk devel packages uninstallable. This update fixes this issue. 
%description WebKit is an open source web browser engine. %package gnome-desktop gnome-desktop-common libgnome-desktop-2_11 libgnome-desktop-2-devel Update: Wed Dec 16 21:38:22 2009 Importance: bugfix ID: MDVA-2009:260 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:260 %pre In Mandriva 2010.0, when using an old X server without support for the XrandR extension, the Gnome settings daemon would crash. This update resolves the issue by adding a check before using the extension. %description This package contains some data files and other shared components of the GNOME user environment. %package akregator kaddressbook kalarm kdepim4 kdepim4-core kdepim4-devel kdepim4-kresources kdepim4-wizards kjots kleopatra kmail kmailcvt knode knotes kontact korganizer kpilot ksendemail ktimetracker libakregatorinterfaces4 libakregatorprivate4 libgwsoap4 libkabc_groupdav4 libkabc_groupwise4 libkabckolab4 libkabcommon4 libkabcscalix4 libkabc_slox4 libkabc_xmlrpc4 libkabinterfaces4 libkaddressbookprivate4 libkalarm_resources4 libkcal_groupdav4 libkcal_groupwise4 libkcalkolab4 libkcal_resourceblog4 libkcal_resourceremote4 libkcalscalix4 libkcal_slox4 libkcal_xmlrpc4 libkdepim4 libkgroupwarebase4 libkgroupwaredav4 libkleo4 libkleopatraclientcore4 libkleopatraclientgui4 libkmailprivate4 libknodecommon4 libknoteskolab4 libknotesscalix4 libknotes_xmlrpc4 libkontactinterfaces4 libkontactprivate4 libkorganizer_calendar4 libkorganizer_core4 libkorganizer_eventviewer4 libkorganizer_interfaces4 libkorganizerprivate4 libkorg_stdprinting4 libkpgp4 libkpilot5 libksieve4 libkslox4 libmimelib4 Update: Thu Dec 17 20:38:09 2009 Importance: bugfix ID: MDVA-2009:261 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:261 %pre In Mandriva 2010.0, because of a regression, the KTimetracker menu was missing many options, which made it unusable. Also in Mandriva 2010.0, when using Knotes inside Kontact the note title was cut off on the left when using a long title.
This update fixes these issues. %description Information Management applications for the K Desktop Environment. - kaddressbook: The KDE addressbook application. - korganizer: a calendar-of-events and todo-list manager - kpilot: to sync with your PalmPilot - kalarm: gui for setting up personal alarm/reminder messages - kalarmd: personal alarm/reminder messages daemon, shared by korganizer and kalarm. - kaplan: A shell for the PIM apps, still experimental. - ktimetracker: Time tracker. - kfile-plugins: vCard KFIleItem plugin. - knotes: yellow notes application - konsolecalendar: Command line tool for accessing calendar files. - kmail: universal mail client - kmailcvt: converts addressbooks to kmail format %package kde4-splash-mdv Update: Thu Dec 17 22:03:26 2009 Importance: bugfix ID: MDVA-2009:262 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:262 %pre This update improves the Polish translation used in KDE4 splash screens. %description Splash Screen Engine for KDE4 supporting SVG files on the theme %package proftpd proftpd-devel proftpd-mod_autohost proftpd-mod_ban proftpd-mod_case proftpd-mod_ctrls_admin proftpd-mod_gss proftpd-mod_ifsession proftpd-mod_ldap proftpd-mod_load proftpd-mod_quotatab proftpd-mod_quotatab_file proftpd-mod_quotatab_ldap proftpd-mod_quotatab_radius proftpd-mod_quotatab_sql proftpd-mod_radius proftpd-mod_ratio proftpd-mod_rewrite proftpd-mod_sftp proftpd-mod_shaper proftpd-mod_site_misc proftpd-mod_sql proftpd-mod_sql_mysql proftpd-mod_sql_postgres proftpd-mod_time proftpd-mod_tls proftpd-mod_vroot proftpd-mod_wrap proftpd-mod_wrap_file proftpd-mod_wrap_sql Update: Tue Dec 22 12:33:20 2009 Importance: security ID: MDVSA-2009:337 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:337 %pre A vulnerability has been identified and corrected in proftpd: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server
2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue (CVE-2009-3555). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update fixes this vulnerability. %description ProFTPd is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility. This version supports both standalone and xinetd operation. 
%package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox firefox-af firefox-ar firefox-be firefox-bg firefox-bn firefox-ca firefox-cs firefox-cy firefox-da firefox-de firefox-devel firefox-el firefox-en_GB firefox-eo firefox-es_AR firefox-es_ES firefox-et firefox-eu firefox-ext-beagle firefox-ext-blogrovr firefox-ext-mozvoikko firefox-ext-plasmanotify firefox-ext-r-kiosk firefox-ext-scribefire firefox-fi firefox-fr firefox-fy firefox-ga_IE firefox-gl firefox-gu_IN firefox-he firefox-hi firefox-hu firefox-id firefox-is firefox-it firefox-ja firefox-ka firefox-kn firefox-ko firefox-ku firefox-lt firefox-lv firefox-mk firefox-mn firefox-mr firefox-nb_NO firefox-nl firefox-nn_NO firefox-oc firefox-pa_IN firefox-pl firefox-pt_BR firefox-pt_PT firefox-ro firefox-ru firefox-si firefox-sk firefox-sl firefox-sq firefox-sr firefox-sv_SE firefox-te firefox-th firefox-theme-kde4ff firefox-tr firefox-uk firefox-zh_CN firefox-zh_TW gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell libopensc2 libopensc-devel libxulrunner1.9.1.6 libxulrunner-devel mozilla-plugin-opensc mozilla-thunderbird-beagle opensc python-xpcom xulrunner yelp Update: Tue Dec 22 16:24:50 2009 Importance: security ID: MDVSA-2009:338 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:338 %pre Security issues were identified and fixed in firefox 3.5.x: liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before 2.0.1 might allow context-dependent attackers to cause a denial of service (application crash) or execute arbitrary code via unspecified vectors, related to memory safety issues. 
(CVE-2009-3388) Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a video with large dimensions (CVE-2009-3389). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3979). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3980). Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3982). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to spoof an SSL indicator for an http URL or a file URL by setting document.location to an https URL corresponding to a site that responds with a No Content (aka 204) status code and an empty body (CVE-2009-3984). 
Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to associate spoofed content with an invalid URL by setting document.location to this URL, and then writing arbitrary web script or HTML to the associated blank document, a related issue to CVE-2009-2654 (CVE-2009-3985). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property (CVE-2009-3986). The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different exception messages depending on whether the referenced COM object is listed in the registry, which allows remote attackers to obtain potentially sensitive information about installed software by making multiple calls that specify the ProgID values of different COM objects (CVE-2009-3987). Additionally, some packages which require so, have been rebuilt and are being provided as updates. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package kde4-filesharing kdenetwork4 kdenetwork4-core kdenetwork4-devel kdenetwork4-kopete-latex kdnssd kget kopete kppp kppp-provider krdc krfb libkgetcore4 libkopete4 libkopeteaddaccountwizard1 libkopetechatwindow_shared1 libkopetecontactlist1 libkopeteidentity1 libkopete_oscar4 libkopete_otr_shared1 libkopeteprivacy1 libkopetestatusmenu1 libkopete_videodevice4 libkrdccore1 libkyahoo1 liboscar1 rdesktop Update: Tue Dec 22 21:30:30 2009 Importance: bugfix ID: MDVA-2009:264 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:264 %pre In Mandriva 2010.0, krdc was not able to connect to RDP servers as the rdesktop package was not installed, this update fixes this by adding rdesktop as runtime dependency for krdc. 
%description rdesktop is an open source client for Windows NT Terminal Server and Windows 2000 Terminal Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's NT desktop. Unlike Citrix ICA, no server extensions are required. rdesktop currently runs on most UNIX based platforms with the X Window System, and other ports should be fairly straightforward. rdesktop is used through rfbdrake. %package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox-ext-beagle mozilla-thunderbird-beagle Update: Sat Dec 26 13:50:46 2009 Importance: bugfix ID: MDVA-2009:265 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:265 %pre The firefox extension for the beagle desktop search engine was not compatible anymore with the latest firefox security update. This update makes it work with the new firefox. %description Beagle is an indexing sub-system and search aggregator built on top of Lucene.Net. It can index your files, mailboxes, your web browsing behaviour and other things. %package acpid Update: Sat Dec 26 20:34:59 2009 Importance: security ID: MDVSA-2009:343 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:343 %pre A vulnerability has been found and corrected in acpid: acpid 1.0.4 sets an unrestrictive umask, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file or cause a denial of service by overwriting this file, a different vulnerability than CVE-2009-4033 (CVE-2009-4235). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to this vulnerability. %description The ACPI specification defines power and system management functions for each computer, in a generic manner. The ACPI daemon coordinates the management of power and system functions when ACPI kernel support is enabled (kernel 2.3.x or later). 
%package acl libacl1 libacl-devel Update: Mon Dec 28 22:19:25 2009 Importance: security ID: MDVSA-2009:345 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:345 %pre A vulnerability was discovered and corrected in acl: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack (CVE-2009-4411). This update provides a fix for this vulnerability. %description This package contains the getfacl and setfacl utilities needed for manipulating access control lists. %package libpcsclite1 libpcsclite-devel libpcsclite-static-devel pcsc-lite Update: Tue Dec 29 18:16:28 2009 Importance: bugfix ID: MDVA-2009:266 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:266 %pre This update provides the pcsc-lite packages which were needed by MDVA-2009:264 but not provided. %description pcscd is the daemon program for PC/SC Lite. It is a resource manager that coordinates communications with Smart Card readers and Smart Cards that are connected to the system. The purpose of PCSC Lite is to provide a Windows(R) SCard interface in a very small form factor for communicating to smartcards and readers. PCSC Lite uses the same winscard api as used under Windows(R). This package was tested to work with A.E.T. Europe SafeSign. This package is supported by A.E.T. Europe B.V. when used in combination with SafeSign. %package libtcb0 libtcb-devel nss_tcb pam_tcb tcb Update: Wed Dec 30 16:28:12 2009 Importance: bugfix ID: MDVA-2009:267 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:267 %pre Due to a change in glibc on x86_64, pam_tcb incorrectly handles negative values in /etc/shadow. When password expiration warning delay is set to -1, a warning would be displayed to the users saying that their password will expire in 99999 days.
This update resolves this bug. %description The tcb package consists of three components: pam_tcb, libnss_tcb, and libtcb. pam_tcb is a PAM module which supersedes pam_unix and pam_pwdb. It also implements the tcb password shadowing scheme (see tcb(5) for details). The tcb scheme allows many core system utilities (passwd(1) being the primary example) to operate with little privilege. libnss_tcb is the accompanying NSS module. libtcb contains code shared by the PAM and NSS modules and is also used by programs from the shadow-utils package. %package dansguardian Update: Wed Dec 30 16:31:00 2009 Importance: bugfix ID: MDVA-2009:268 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:268 %pre Dansguardian service, when launched with the stop option, would report errors on line 51. This update fixes the issue. %description DansGuardian is a filtering proxy for Linux, FreeBSD, OpenBSD and Solaris. It filters using multiple methods. These methods include URL and domain filtering, content phrase filtering, PICS filtering, MIME filtering, file extension filtering, POST filtering. The content phrase filtering will check for pages that contain profanities and phrases often associated with pornography and other undesirable content. The POST filtering allows you to block or limit web upload. The URL and domain filtering is able to handle huge lists and is significantly faster than squidGuard. The filtering has configurable domain, user and ip exception lists. SSL Tunneling is supported. %package gvfs gvfs-archive gvfs-fuse gvfs-gphoto2 gvfs-iphone gvfs-obexftp gvfs-smb libgvfs0 libgvfs-devel Update: Wed Dec 30 17:28:09 2009 Importance: bugfix ID: MDVA-2009:269 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:269 %pre Nautilus would sometimes crash, caused by corrupted gvfs metadata. This updates gvfs to the new fixed version. %description This is a Virtual File System library based on gio and Glib.
%package dolphin kappfinder kde4-nsplugins kdebase4 kdebase4-devel kdepasswd kdialog keditbookmarks kfind kinfocenter konqueror konsole kwrite libdolphinprivate4 libkonq5 libkonqsidebarplugin4 libkonquerorprivate4 plasma-applet-folderview Update: Wed Dec 30 17:32:12 2009 Importance: bugfix ID: MDVA-2009:270 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:270 %pre In Konqueror of Mandriva 2010.0 there is a statusbar rendering bug when restoring multiple tabs. This update fixes this issue. %description This meta package requires all base kdebase 4 packages. %package k3b k3b-devel libk3b6 libk3bdevice6 Update: Wed Dec 30 17:35:41 2009 Importance: bugfix ID: MDVA-2009:271 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:271 %pre Mandriva 2010 includes k3b 1.68 (alpha3), and the stable release will not be ready for a long time. This update introduces the Alpha4 version, with lots of bugfixes and some new features, including: New features * Added close buttons on project tabs (159751) * Added support for new libmpcdec API (214149) Bugfixes * Crash at the beginning of burning (204333) * Crash during DVD ripping (207958) * Crash right after burn (195436) * Crash during Audio CD ripping (198015) * Crash at the beginning of ripping Audio CD with data tracks (186555) * Crash at the beginning of burning cue/bin image (190775) * Fixed various typos in UI (208401, 209512) * Fixed potential aliasing issues (210890) * Show only one entry on the task list even when dialog window is opened (211680) * Show correct size when project contains invalid links (212609) * Show correct elapsed time when burning over midnight (211604) * Added timeout when checking version number and features of executable (212582) * Fixed visually endless busy status when opening an empty folder (113649) * Burning double-layer DVDs should be possible again (214115) This update also fixes an error in the migration process from 2009.0 to 2010.0 (bug #56493) %description K3b is 
CD-writing software which intends to be feature-rich and provide an easily usable interface. Features include burning audio CDs from .WAV and .MP3 audio files, configuring external programs and configuring devices. %package kdebase4-runtime kdebase4-runtime-devel kwallet-daemon libkwalletbackend4 libmolletnetwork4 Update: Wed Dec 30 17:45:33 2009 Importance: bugfix ID: MDVA-2009:272 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:272 %pre In Mandriva 2010.0, KNetattach was using fish for the ssh connections; this update makes it use the better-supported sftp instead. %description KDE 4 application runtime components. %package gwenview kamera kcolorchooser kdegraphics4 kdegraphics4-core kdegraphics4-devel kgamma kipi-common kolourpaint kruler ksnapshot libgwenviewlib4 libkdcraw7 libkdcraw-common libkexiv2_7 libkipi6 libkolourpaint_lgpl4 libksane0 libokularcore1 okular Update: Wed Dec 30 17:48:18 2009 Importance: bugfix ID: MDVA-2009:273 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:273 %pre In Mandriva 2010.0, Okular was failing to open files from firefox if the URL contained spaces or accents. This update fixes this issue. %description Graphical tools for the K Desktop Environment. kdegraphics is a collection of graphic oriented applications. %package digikam kipi-plugins kipi-plugins-devel libdigikamcore1 libdigikamdatabase1 libdigikam-devel libkipiplugins1 showfoto Update: Wed Dec 30 17:54:46 2009 Importance: bugfix ID: MDVA-2009:274 URL: http://www.mandriva.com/security/advisories?name=MDVA-2009:274 %pre In Mandriva 2010.0, a beta version of digikam was provided. This update provides the final version of 1.0.0. %description DigiKam is an advanced digital photo management application for KDE. Photos can be collected into albums which can be sorted chronologically, by directory layout or by custom collections. DigiKam also provides tagging functionality. 
Images can be tagged regardless of their position and digiKam provides fast and intuitive ways to browse them. User comments and customized meta-information added to images are stored in a database and retrieved to make them available in the user interface. As soon as the camera is plugged in, digikam allows you to preview, download, upload and delete images. Digikam also includes tools like Image Editor, to modify photos using plugins such as red eye correction or Gamma correction, exif management,... Light Table to make artistic photos and an external image editor such as Showfoto. Digikam also uses KIPI plugins (KDE Image Plugin Interface) to increase its functionalities. %package a2ps a2ps-devel a2ps-static-devel Update: Mon Jan 04 18:12:46 2010 Importance: bugfix ID: MDVA-2010:001 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:001 %pre The a2ps package as provided in Mandriva Linux 2010.0 contains improvements concerning paper auto-detection, locale recognition and security issues. The locale recognition prevented the application from performing correctly; this update fixes the issue. %description The a2ps filter converts text and other types of files to PostScript(TM). a2ps has pretty-printing capabilities and includes support for a wide number of programming languages, encodings (ISO Latins, Cyrillic, etc.), and medias. %package rpmstats Update: Wed Jan 06 13:44:11 2010 Importance: bugfix ID: MDVA-2010:002 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:002 %pre rpmstats in 2010.0 displays strange characters for some last modified file names; this is easily noticed on Drakstats. This updated package fixes this bug (#56176). %description rpmstats retrieves statistics about installed packages. 
%package libphonon4 libphononexperimental4 phonon-devel phonon-gstreamer phonon-xine Update: Wed Jan 06 14:00:14 2010 Importance: bugfix ID: MDVA-2010:003 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:003 %pre In Mandriva 2010.0, losing your internet connection while listening to a web stream can make Amarok crash. This update fixes this bug. %description Phonon is the KDE4 Multimedia Framework %package dolphin kappfinder kde4-nsplugins kdebase4 kdebase4-devel kdepasswd kdialog keditbookmarks kfind kinfocenter konqueror konsole kwrite libdolphinprivate4 libkonq5 libkonqsidebarplugin4 libkonquerorprivate4 plasma-applet-folderview Update: Wed Jan 06 14:03:06 2010 Importance: bugfix ID: MDVA-2010:004 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:004 %pre This update only reverts two testing patches, fixing some font issues in the folderview-applet. %description This meta package requires all base kdebase 4 packages. %package msec msec-gui Update: Wed Jan 06 14:15:46 2010 Importance: bugfix ID: MDVA-2010:005 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:005 %pre This update fixes two issues with msec: - some error messages could result in msec throwing an exception instead of logging the corresponding text (bug #56180) - security report about group-writable files belonging to gdm user was silenced by default (bug #56064) %description The Mandriva Linux Security package is designed to provide security features to the Mandriva Linux users. It allows selecting from a set of preconfigured security levels, and supports custom permission settings, user-specified levels, and several security utilities. This package includes the main msec application and several programs that will be run periodically in order to test the security of your system and alert you if needed. 
%package timezone timezone-java Update: Wed Jan 06 14:54:16 2010 Importance: bugfix ID: MDVA-2010:006 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:006 %pre Updated timezone packages are being provided for older Mandriva Linux systems that do not contain new Daylight Savings Time information and Time Zone information for some locations. These updated packages contain the new information. %description This package contains data files with rules for various timezones around the world. %package kdebase4-workspace kdebase4-workspace-devel kdelibs4-core kdelibs4-devel kdm libkde3support4 libkdecorations4 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdnssd4 libkephal4 libkfile4 libkfontinst4 libkfontinstui4 libkhotkeysprivate4 libkhtml5 libkimproxy4 libkio5 libkjs4 libkjsapi4 libkjsembed4 libkmediaplayer4 libknewstuff2_4 libknotifyconfig4 libkntlm4 libkparts4 libkpty4 libkrosscore4 libkrossui4 libkscreensaver5 libksgrd4 libktexteditor4 libkunittest4 libkutils4 libkwineffects1 libkwinnvidiahack4 libkworkspace4 liblsofui4 libnepomuk4 libnepomukquery4 libnepomukqueryclient4 libplasma3 libplasma_applet_system_monitor4 libplasmaclock4 libplasma-geolocation-interface4 libpolkitkdeprivate4 libprocesscore4 libprocessui4 libsolid4 libsolidcontrol4 libsolidcontrolifaces4 libtaskmanager4 libthreadweaver4 libtime_solar4 libweather_ion4 plasma-applet-battery plasma-applet-calendar plasma-applet-quicklaunch plasma-applet-system-monitor-cpu plasma-applet-system-monitor-hdd plasma-applet-system-monitor-hwinfo plasma-applet-system-monitor-net plasma-applet-system-monitor-temperature plasma-applet-webbrowser plasma-krunner-powerdevil plasma-runner-places policykit-kde Update: Wed Jan 06 16:43:59 2010 Importance: bugfix ID: MDVA-2010:007 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:007 %pre In Mandriva 2010.0 there were some missing translations. This update fixes this issue. 
%description This package contains the KDE 4 application workspace components. %package kde4-style-iaora kde4-style-iaora-common qt4-style-iaora Update: Thu Jan 07 13:05:14 2010 Importance: bugfix ID: MDVA-2010:010 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:010 %pre - In Mandriva 2010.0 under KDE, the scrollbar was too small to be used in some cases; this update sets a minimum size of 21 for the scrollbar (bug #56018). - In Mandriva 2010.0 under KDE, Quassel could crash when highlighting links. - This update fixes the titlebar colors to make it friendly with ia ora specs. %description IaOra theme for KDE 4 %package apache-conf Update: Thu Jan 07 13:32:50 2010 Importance: bugfix ID: MDVA-2010:011 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:011 %pre This is a maintenance and bugfix release of apache-conf that mainly ensures the httpd service is handled more gracefully when reloading the apache server (#56857). Other fixes (where applicable): - fix #53887 (obsolete favicon.ico file in Apache default www pages) - workaround #47992 (apache does not start occasionally) - added logic to make it possible to set limits from the init script in an attempt to address #30849 and similar problems - added logic to ease debugging with gdb in the initscript Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. %description This package contains configuration files for apache. It is necessary for operation of the apache webserver. Having those files in a separate module provides better customization for OEMs and ISPs, who can modify the look and feel of the apache webserver without having to re-compile the whole suite to change a logo or config file. 
%package davfs kompozer libpython2.6 libpython2.6-devel mozilla-thunderbird mozilla-thunderbird-devel mozilla-thunderbird-enigmail nsinstall python python-docs tkinter tkinter-apps Update: Fri Jan 08 14:18:03 2010 Importance: security ID: MDVSA-2009:316-1 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:316-1 %pre A vulnerability has been found and corrected in expat: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720 (CVE-2009-3560). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to these vulnerabilities. Update: This vulnerability was discovered in the bundled expat code in various software besides expat itself. As a precaution, the affected software has been preemptively patched to prevent presumptive future exploitation of this issue. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. 
%package dolphin kappfinder kde4-nsplugins kdebase4 kdebase4-devel kdepasswd kdialog keditbookmarks kfind kinfocenter konqueror konsole kwrite libdolphinprivate4 libkonq5 libkonqsidebarplugin4 libkonquerorprivate4 plasma-applet-folderview Update: Fri Jan 08 20:52:57 2010 Importance: bugfix ID: MDVA-2010:012 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:012 %pre In kde4.3 it is not possible to execute a bash script when double clicking on it. This update fixes this issue. %description This meta package requires all base kdebase 4 packages. %package akregator kaddressbook kalarm kdepim4 kdepim4-core kdepim4-devel kdepim4-kresources kdepim4-wizards kjots kleopatra kmail kmailcvt knode knotes kontact korganizer kpilot ksendemail ktimetracker libakregatorinterfaces4 libakregatorprivate4 libgwsoap4 libkabc_groupdav4 libkabc_groupwise4 libkabckolab4 libkabcommon4 libkabcscalix4 libkabc_slox4 libkabc_xmlrpc4 libkabinterfaces4 libkaddressbookprivate4 libkalarm_resources4 libkcal_groupdav4 libkcal_groupwise4 libkcalkolab4 libkcal_resourceblog4 libkcal_resourceremote4 libkcalscalix4 libkcal_slox4 libkcal_xmlrpc4 libkdepim4 libkgroupwarebase4 libkgroupwaredav4 libkleo4 libkleopatraclientcore4 libkleopatraclientgui4 libkmailprivate4 libknodecommon4 libknoteskolab4 libknotesscalix4 libknotes_xmlrpc4 libkontactinterfaces4 libkontactprivate4 libkorganizer_calendar4 libkorganizer_core4 libkorganizer_eventviewer4 libkorganizer_interfaces4 libkorganizerprivate4 libkorg_stdprinting4 libkpgp4 libkpilot5 libksieve4 libkslox4 libmimelib4 Update: Fri Jan 08 20:55:16 2010 Importance: bugfix ID: MDVA-2010:013 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:013 %pre In Mandriva 2010.0, there was a layout problem in the Kontact Planner plugin. In Korganizer, in the TODO Mode, the first line of text wasn't viewable in non rich text mode. This update fixes these issues. %description Information Management applications for the K Desktop Environment. 
- kaddressbook: The KDE addressbook application. - korganizer: a calendar-of-events and todo-list manager - kpilot: to sync with your PalmPilot - kalarm: gui for setting up personal alarm/reminder messages - kalarmd: personal alarm/reminder messages daemon, shared by korganizer and kalarm. - kaplan: A shell for the PIM apps, still experimental. - ktimetracker: Time tracker. - kfile-plugins: vCard KFileItem plugin. - knotes: yellow notes application - konsolecalendar: Command line tool for accessing calendar files. - kmail: universal mail client - kmailcvt: converts addressbooks to kmail format %package davfs kompozer libpython2.6 libpython2.6-devel mozilla-thunderbird mozilla-thunderbird-devel mozilla-thunderbird-enigmail nsinstall python python-docs tkinter tkinter-apps Update: Sat Jan 09 01:58:32 2010 Importance: security ID: MDVSA-2009:316-2 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:316-2 %pre A vulnerability has been found and corrected in expat: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720 (CVE-2009-3560). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to these vulnerabilities. Update: SUSE discovered a regression with the previous patch fixing CVE-2009-3560. This regression is now being addressed with this update. %description Python is an interpreted, interactive, object-oriented programming language often compared to Tcl, Perl, Scheme or Java. Python includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. 
Python supports interfaces to many system calls and libraries, as well as to various windowing systems (X11, Motif, Tk, Mac and MFC). Programmers can write new built-in modules for Python in C or C++. Python can be used as an extension language for applications that need a programmable interface. This package contains most of the standard Python modules, as well as modules for interfacing to the Tix widget set for Tk and RPM. Note that documentation for Python is provided in the python-docs package. %package expat libexpat1 libexpat1-devel Update: Sun Jan 10 11:40:11 2010 Importance: security ID: MDVSA-2009:316-3 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2009:316-3 %pre A vulnerability has been found and corrected in expat: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720 (CVE-2009-3560). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a solution to these vulnerabilities. Update: The previous (MDVSA-2009:316-2) updates provided packages for 2008.0/2009.0/2009.1/2010.0/mes5 that did not have an increased release number, which prevented the packages from hitting the mirrors. %description Expat is an XML 1.0 parser written in C by James Clark. It aims to be fully conforming. It is currently not a validating XML parser. 
%package perl-Mail-SpamAssassin perl-Mail-SpamAssassin-Spamd spamassassin spamassassin-sa-compile spamassassin-spamc spamassassin-spamd spamassassin-tools Update: Sun Jan 10 17:54:30 2010 Importance: bugfix ID: MDVA-2010:014 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:014 %pre A bug was discovered in the FH_DATE_PAST_20XX rules that affects vanilla spamassassin 3.2 installations after the first of January 2010 (aka. the y2k10 rule bug). This update fixes this issue. %description SpamAssassin provides you with a way to reduce if not completely eliminate Unsolicited Commercial Email (SPAM) from your incoming email. It can be invoked by a MDA such as sendmail or postfix, or can be called from a procmail script, .forward file, etc. It uses a genetic-algorithm evolved scoring system to identify messages which look spammy, then adds headers to the message so they can be filtered by the user's mail reading software. This distribution includes the spamd/spamc components which create a server that considerably speeds processing of mail. SpamAssassin also includes support for reporting spam messages automatically, and/or manually, to collaborative filtering databases such as Vipul's Razor, DCC or pyzor. Install perl-Razor-Agent package to get Vipul's Razor support. Install dcc package to get Distributed Checksum Clearinghouse (DCC) support. Install pyzor package to get Pyzor support. Install perl-Mail-SPF-Query package to get SPF support. To enable spamassassin, if you are receiving mail locally, simply add this line to your ~/.procmailrc: INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc To filter spam for all users, add that line to /etc/procmailrc (creating if necessary). 
%package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox firefox-af firefox-ar firefox-be firefox-bg firefox-bn firefox-ca firefox-cs firefox-cy firefox-da firefox-de firefox-devel firefox-el firefox-en_GB firefox-eo firefox-es_AR firefox-es_ES firefox-et firefox-eu firefox-ext-beagle firefox-ext-blogrovr firefox-ext-mozvoikko firefox-ext-plasmanotify firefox-ext-r-kiosk firefox-ext-scribefire firefox-fi firefox-fr firefox-fy firefox-ga_IE firefox-gl firefox-gu_IN firefox-he firefox-hi firefox-hu firefox-id firefox-is firefox-it firefox-ja firefox-ka firefox-kn firefox-ko firefox-ku firefox-lt firefox-lv firefox-mk firefox-mn firefox-mr firefox-nb_NO firefox-nl firefox-nn_NO firefox-oc firefox-pa_IN firefox-pl firefox-pt_BR firefox-pt_PT firefox-ro firefox-ru firefox-si firefox-sk firefox-sl firefox-sq firefox-sr firefox-sv_SE firefox-te firefox-th firefox-theme-kde4ff firefox-tr firefox-uk firefox-zh_CN firefox-zh_TW gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell google-gadgets-common google-gadgets-gtk google-gadgets-qt libggadget1.0_0 libggadget-dbus1.0_0 libggadget-gtk1.0_0 libggadget-js1.0_0 libggadget-npapi1.0_0 libggadget-qt1.0_0 libggadget-webkitjs0 libggadget-xdg1.0_0 libgoogle-gadgets-devel libopensc2 libopensc-devel libxulrunner1.9.1.7 libxulrunner-devel mozilla-plugin-opensc mozilla-thunderbird-beagle opensc python-xpcom xulrunner yelp Update: Sun Jan 10 21:58:30 2010 Importance: security ID: MDVSA-2010:000 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:000 %pre Security issues were identified and fixed in firefox 3.5.x: The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory 
alert dialog, and also triggers attempted removal of an observer from an empty observers array (CVE-2010-0220). Additionally, some packages which require it have been rebuilt and are being provided as updates. %description Help browser for GNOME 2 which supports docbook documents, info and man. %package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox-ext-beagle firefox-theme-kfirefox mozilla-thunderbird-beagle Update: Mon Jan 11 17:46:01 2010 Importance: bugfix ID: MDVA-2010:016 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:016 %pre It was discovered that the kde4ff theme for firefox 3.5 (firefox-theme-kde4ff) did not work; to address this problem the kfirefox theme (firefox-theme-kfirefox) is provided as a drop-in replacement. It was discovered that the beagle extension for firefox (firefox-ext-beagle) had the wrong release number, which prevented it from being upgraded. This advisory addresses these problems. %description Beagle is an indexing sub-system and search aggregator built on top of Lucene.Net. It can index your files, mailboxes, your web browsing behaviour and other things. %package consolekit consolekit-x11 libconsolekit0 libconsolekit-devel Update: Mon Jan 11 18:37:11 2010 Importance: bugfix ID: MDVA-2010:017 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:017 %pre An incorrect initialisation in the consolekit daemon could prevent automount of removable media under the GNOME or KDE environment. This package update fixes this issue (it requires restarting the system to take effect). %description ConsoleKit is a system daemon for tracking what users are logged into the system and how they interact with the computer (e.g. which keyboard and mouse they use). It provides asynchronous notification via the system message bus. 
%package finch libfinch0 libpurple0 libpurple-devel pidgin pidgin-bonjour pidgin-client pidgin-gevolution pidgin-i18n pidgin-meanwhile pidgin-mono pidgin-perl pidgin-plugins pidgin-silc pidgin-tcl Update: Mon Jan 11 23:10:16 2010 Importance: security ID: MDVSA-2010:002 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:002 %pre A security vulnerability has been identified and fixed in pidgin: Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). This update provides pidgin 2.6.5, which is not vulnerable to this issue. %description Pidgin allows you to talk to anyone using a variety of messaging protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. Pidgin supports many common features of other clients, as well as many unique features, such as perl scripting, TCL scripting and C plugins. Pidgin is not affiliated with or endorsed by America Online, Inc., Microsoft Corporation, Yahoo! Inc., or ICQ Inc. %package fetchmail fetchmailconf fetchmail-daemon Update: Mon Jan 11 23:25:09 2010 Importance: bugfix ID: MDVA-2010:018 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:018 %pre A regression was discovered in fetchmail 6.3.12: the multiline SMTP error fix in release 6.3.12 caused fetchmail to lose message codes 400..599 and treat all of these as temporary errors. 
This would cause messages to be left on the server even if softbounce was turned off. Reported by Thomas Jarosch. This update provides fetchmail 6.3.13, which addresses this problem. %description Fetchmail is a free, full-featured, robust, and well-documented remote mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It retrieves mail from remote mail servers and forwards it to your local (client) machine's delivery system, so it can then be read by normal mail user agents such as Mutt, Elm, Pine, (X)Emacs/Gnus or Mailx. It comes with an interactive GUI configurator suitable for end-users. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN) for retrieval. Then Fetchmail forwards the mail through SMTP, so you can read it through your normal mail client. %package libpolkit-gtk1_0 libpolkit-gtk1-devel polkit-gnome polkit-gnome-docs Update: Tue Jan 12 12:38:05 2010 Importance: bugfix ID: MDVA-2010:019 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:019 %pre Programs like hplip that use polkit to authorize privileged operations fail in desktop environments that don't start their own polkit-agent. This update starts the polkit-agent for GNOME in all desktop environments. %description polkit-gnome provides an authentication agent for PolicyKit that matches the look and feel of the GNOME desktop. 
%package sendmail sendmail-cf sendmail-devel sendmail-doc Update: Tue Jan 12 16:12:15 2010 Importance: security ID: MDVSA-2010:003 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:003 %pre A security vulnerability has been identified and fixed in sendmail: sendmail before 8.14.4 does not properly handle a '\0' (NUL) character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-4565). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides a fix for this vulnerability. %description The Sendmail program is a very widely used Mail Transport Agent (MTA). MTAs send mail from one machine to another. Sendmail is not a client program, which you use to read your e-mail. Sendmail is a behind-the-scenes program which actually moves your e-mail over networks or the Internet to where you want it to go. If you ever need to reconfigure Sendmail, you'll also need to have the sendmail.cf package installed. If you need documentation on Sendmail, you can install the sendmail-doc package. %package libpyglib2.0_0 python-gobject python-gobject-devel Update: Tue Jan 12 17:24:52 2010 Importance: bugfix ID: MDVA-2010:022 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:022 %pre A programming error in the Python bindings for GObject would make programs like eliza and Moodvida take up all CPU resources for unnecessary operations while running. This update fixes the problem. 
%description This archive contains bindings for the GObject, to be used in Python. It is a fairly complete set of bindings, it's already rather useful, and is usable to write moderately complex programs. (see the examples directory for some examples of the simpler programs you could write). %package kde4-style-iaora kde4-style-iaora-common qt4-style-iaora Update: Tue Jan 12 17:40:29 2010 Importance: bugfix ID: MDVA-2010:023 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:023 %pre The last iaora update introduced a little regression in some IaOra color schemes, like Iaora-Gray; this new package corrects this. Also in iaora, the application's name in the titlebar wasn't correctly centered. %description IaOra theme for KDE 4 %package bash bash-doc Update: Wed Jan 13 16:15:03 2010 Importance: security ID: MDVSA-2010:004 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:004 %pre A vulnerability has been discovered in the Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences (CVE-2010-0002). This update fixes the issue by disabling the display of control characters by default. Additionally, this update fixes the unsafe file creation in bash-doc sample scripts (CVE-2008-5374). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. %description Bash is a GNU project sh-compatible shell or command language interpreter. Bash (Bourne Again shell) incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. Bash offers several improvements over sh, including command line editing, unlimited size command history, job control, shell functions and aliases, indexed arrays of unlimited size and integer arithmetic in any base from two to 64. 
Bash is ultimately intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. %package bash bash-doc Update: Wed Jan 13 16:16:25 2010 Importance: security ID: MDVSA-2010:004 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:004 %pre A vulnerability has been discovered in the Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences (CVE-2010-0002). This update fixes the issue by disabling the display of control characters by default. Additionally, this update fixes the unsafe file creation in bash-doc sample scripts (CVE-2008-5374). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. %description Bash is a GNU project sh-compatible shell or command language interpreter. Bash (Bourne Again shell) incorporates useful features from the Korn shell (ksh) and the C shell (csh). Most sh scripts can be run by bash without modification. Bash offers several improvements over sh, including command line editing, unlimited size command history, job control, shell functions and aliases, indexed arrays of unlimited size and integer arithmetic in any base from two to 64. Bash is ultimately intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. 
%package ftp-client-krb5 ftp-server-krb5 krb5 krb5-server krb5-workstation libkrb53 libkrb53-devel telnet-client-krb5 telnet-server-krb5 Update: Thu Jan 14 00:03:08 2010 Importance: security ID: MDVSA-2010:006 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:006 %pre A vulnerability has been found and corrected in krb5: Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid (CVE-2009-4212). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. 
%package libphp5_common5 php-bcmath php-bz2 php-calendar php-cgi php-cli php-ctype php-curl php-dba php-devel php-doc php-dom php-enchant php-exif php-fileinfo php-filter php-ftp php-gd php-gettext php-gmp php-hash php-iconv php-imap php-intl php-json php-ldap php-mbstring php-mcrypt php-mssql php-mysql php-mysqli php-odbc php-openssl php-pcntl php-pdo php-pdo_dblib php-pdo_mysql php-pdo_odbc php-pdo_pgsql php-pdo_sqlite php-pgsql php-posix php-pspell php-readline php-recode php-session php-shmop php-snmp php-soap php-sockets php-sqlite3 php-sybase_ct php-sysvmsg php-sysvsem php-sysvshm php-tidy php-tokenizer php-wddx php-xml php-xmlreader php-xmlrpc php-xmlwriter php-xsl php-zip php-zlib Update: Fri Jan 15 21:40:36 2010 Importance: security ID: MDVSA-2010:009 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:009 %pre A vulnerability has been found and corrected in php: The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character (CVE-2009-4142). The updated packages have been patched to correct this issue. %description PHP5 is an HTML-embeddable scripting language. PHP5 offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled script with PHP5 is fairly simple. The most common use of PHP5 coding is probably as a replacement for CGI scripts. This version of php has the suhosin patch 0.9.8 applied. Please report bugs here: http://qa.mandriva.com/ so that the official maintainer of this Mandriva package can help you. 
More information regarding the suhosin patch 0.9.8 here: http://www.suhosin.org/ %package msec msec-gui Update: Sat Jan 16 14:28:56 2010 Importance: bugfix ID: MDVA-2010:030 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:030 %pre This update adds a feature to msec to save the log message that would be sent by email into /var/log/security/ to allow consulting it without relying on the email system. %description The Mandriva Linux Security package is designed to provide security features to the Mandriva Linux users. It allows selecting from a set of preconfigured security levels, and supports custom permission settings, user-specified levels, and several security utilities. This package includes the main msec application and several programs that will be run periodically in order to test the security of your system and alert you if needed. %package freeradius freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-unixODBC freeradius-web libfreeradius1 libfreeradius-devel Update: Sat Jan 16 14:49:11 2010 Importance: bugfix ID: MDVA-2010:031 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:031 %pre Perl scripts shipped in the freeradius-web sub package use the File::Temp perl module incorrectly, preventing them from executing correctly. In these perl scripts, a change was made to replace the line use File::Temp %description The FreeRADIUS Server Project is a high-performance and highly configurable GPL'd RADIUS server. It is somewhat similar to the Livingston 2.0 RADIUS server, but has many more features, and is much more configurable. 
%package freeradius freeradius-krb5 freeradius-ldap freeradius-mysql freeradius-postgresql freeradius-unixODBC freeradius-web libfreeradius1 libfreeradius-devel Update: Sat Jan 16 14:50:12 2010 Importance: bugfix ID: MDVA-2010:031 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:031 %pre Perl scripts shipped in the freeradius-web sub package use the File::Temp perl module incorrectly, preventing them from executing correctly. In these perl scripts, a change was made to replace the line "use File::Temp;" by "use File::Temp qw(tempfile tempdir);". %description The FreeRADIUS Server Project is a high-performance and highly configurable GPL'd RADIUS server. It is somewhat similar to the Livingston 2.0 RADIUS server, but has many more features, and is much more configurable. %package libbdevid-python mkinitrd mkinitrd-devel nash Update: Sat Jan 16 15:32:11 2010 Importance: bugfix ID: MDVA-2010:032 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:032 %pre When a system uses dmraid, mkinitrd now calls the dmraid command with the option --rm_partitions. This option is only available in the new dmraid package, so boot will fail if, during an upgrade, initrd is generated with new mkinitrd and old dmraid (#55427). This updated package adds this dependency. Additionally, two bugs were fixed concerning drm module inclusion (#55676). First, when a drm module was loaded at the time mkinitrd is run, it would be included even if it was not in DRM_WHITELIST. Second, when a module was whitelisted, all the drm modules for this hardware were included, including proprietary ones. %description mkinitrd creates filesystem images for use as initial ram filesystem (initramfs) images. These images are used to find and mount the root filesystem. 
%package libthai0 libthai-devel thai-data Update: Sat Jan 16 16:20:02 2010 Importance: security ID: MDVSA-2010:010 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:010 %pre Multiple vulnerabilities have been found and corrected in libthai: Tim Starling discovered that libthai, a set of Thai language support routines, is vulnerable to integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string (CVE-2009-4012). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues. %description LibThai is a set of Thai language support routines aimed to ease developers' tasks to incorporate Thai language support in their applications. It includes important Thai-specific functions e.g. word breaking, input and output methods as well as basic character and string supports. %package libmysql16 libmysql-devel libmysql-static-devel mysql mysql-bench mysql-client mysql-common mysql-common-core mysql-core mysql-doc mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Sun Jan 17 21:38:44 2010 Importance: security ID: MDVSA-2010:012 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:012 %pre Multiple vulnerabilities have been found and corrected in mysql: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement (CVE-2009-4019). 
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library (CVE-2009-4028). MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079 (CVE-2009-4030). The updated packages have been patched to correct these issues. Additionally for 2009.1 and 2010.0 mysql has also been upgraded to the latest stable 5.1 release (5.1.42). %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. Please see the documentation and the manual for more information. 
%package libao2 libao-devel libdvdread4 libdvdread-devel libid3tag0 libid3tag-devel libmad0 libmad-devel normalize Update: Mon Jan 18 13:17:25 2010 Importance: bugfix ID: MDVA-2010:034 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:034 %pre The package phonon-gstreamer (MDVA-2010:003) issued in main/updates has a new dependency added, gstreamer0.10-plugins-ugly. This new dependency also depends on some other packages only available on the /main/release media. This update pushes the gstreamer0.10-plugins-ugly dependencies to the /Main/Updates media so that MandrivaUpdate can issue the phonon-gstreamer update without problems. %description normalize is an overly complicated tool for adjusting the volume of wave files to a standard volume level. This is useful for things like creating mp3 mixes, where different recording levels on different albums can cause the volume to vary greatly from song to song. %package transmission-cli transmission-common transmission-daemon transmission-gtk transmission-qt4 Update: Mon Jan 18 17:04:14 2010 Importance: security ID: MDVSA-2010:014 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:014 %pre A vulnerability has been found and corrected in transmission: Directory traversal vulnerability in libtransmission/metainfo.c in Transmission 1.22, 1.34, 1.75, and 1.76 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a pathname within a .torrent file (CVE-2010-0012). The updated packages have been patched to correct this issue. %description Transmission is a free, lightweight BitTorrent client. It features a simple, intuitive interface on top of an efficient back-end. 
%package ruby ruby-devel ruby-doc ruby-tk Update: Tue Jan 19 15:40:36 2010 Importance: security ID: MDVSA-2010:017 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:017 %pre A vulnerability has been found and corrected in ruby: WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator (CVE-2009-4492). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. %package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Tue Jan 19 15:55:54 2010 Importance: bugfix ID: MDVA-2010:035 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:035 %pre This update has fixes for pccard 3G modem detection and accumulated fix for handling hdX/sdX devices (#53107) %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. 
- drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options management / msec frontend - draksplash: bootsplash themes creation %package dumpcap libwireshark0 libwireshark-devel rawshark tshark wireshark wireshark-tools Update: Tue Jan 19 18:47:42 2010 Importance: security ID: MDVSA-2010:016 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:016 %pre This advisory updates wireshark to the latest 1.2.5 version, fixing several bugs and two security issues: - The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet (CVE-2009-4377) - Buffer overflow in the daintree_sna_read function in the Daintree SNA file parser in Wireshark 1.2.0 through 1.2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet (CVE-2009-4376) %description Wireshark is a network traffic analyzer for Unix-ish operating systems. It is based on GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library. Wireshark is a fork of Ethereal(tm) %package debugmode initscripts Update: Wed Jan 20 13:25:12 2010 Importance: bugfix ID: MDVA-2010:036 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:036 %pre The network detection routine could not detect the network connection properly in some cases, resulting in premature termination with incorrect return code. This could result in failure on startup for services which depend on network to be up, such as apache2 server. This update fixes this issue. 
%description The initscripts package contains the basic system scripts used to boot your Mandriva Linux system, change run levels, and shut the system down cleanly. Initscripts also contains the scripts that activate and deactivate most network interfaces. %package gzip Update: Wed Jan 20 16:38:03 2010 Importance: security ID: MDVSA-2010:020 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:020 %pre Multiple vulnerabilities have been found and corrected in gzip: A missing input sanitation flaw was found in the way gzip used to decompress data blocks for dynamic Huffman codes. A remote attacker could provide a specially-crafted gzip compressed data archive, which once opened by a local, unsuspecting user would lead to denial of service (gzip crash) or, potentially, to arbitrary code execution with the privileges of the user running gzip (CVE-2009-26244). An integer underflow leading to array index error was found in the way gzip used to decompress files / archives, compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. A remote attacker could provide a specially-crafted LZW compressed gzip archive, which once decompressed by a local, unsuspecting user would lead to gzip crash, or, potentially to arbitrary code execution with the privileges of the user running gzip (CVE-2010-0001). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues. %description The gzip package contains the popular GNU gzip data compression program. Gzipped files have a .gz extension. Gzip should be installed on your Mandriva Linux system, because it is a very commonly used data compression program. 
%package bind bind-devel bind-doc bind-utils Update: Wed Jan 20 18:02:25 2010 Importance: security ID: MDVSA-2010:021 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:021 %pre Some vulnerabilities were discovered and corrected in bind: The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries (CVE-2010-0290). There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set (CVE-2010-0097). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. Additionally BIND has been upgraded to the latest patch release version. %description BIND (Berkeley Internet Name Domain) is an implementation of the DNS (domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses, and a resolver library (routines for applications to use when interfacing with DNS). A DNS server allows clients to name resources or objects and share the information with other network machines. The named DNS server can be used on workstations as a caching name server, but is generally only needed on one machine for an entire network. Note that the configuration files for making BIND act as a simple caching nameserver are included in the caching-nameserver package. 
Install the bind package if you need a DNS server for your network. If you want bind to act a caching name server, you will also need to install the caching-nameserver package. Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the \$GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details Support for building single-threaded servers for environments that do not supply POSIX threads New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit" Faster lookups, particularly in large zones. Build Options: --without sdb_ldap Build without ldap simple database support (enabled per default) --with sdb_mysql Build with MySQL database support (disables ldap support, it's either way.) --with geoip Build with GeoIP support (disabled per default) %package xinit Update: Wed Jan 20 19:33:10 2010 Importance: bugfix ID: MDVA-2010:037 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:037 %pre The xinit manpage in 2010.0 was not reflecting the real application behavior, which could confuse users. This update fixes the xinit manpage to reflect its real behavior. %description The xinit program is used to start the X Window System server and a first client program on systems that cannot start X directly from /etc/init or in environments that use multiple window systems. When this first client exits, xinit will kill the X server and then terminate. 
%package libopenssl0.9.8 libopenssl0.9.8-devel libopenssl0.9.8-static-devel openssl Update: Thu Jan 21 10:52:46 2010 Importance: security ID: MDVSA-2010:022 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:022 %pre Some vulnerabilities were discovered and corrected in openssl: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_free_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678 (CVE-2009-4355). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct thies issue. %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. %package libxrender1 libxrender1-devel libxrender1-static-devel Update: Thu Jan 21 12:32:01 2010 Importance: bugfix ID: MDVA-2010:038 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:038 %pre The libxrender library contained a bug where it could crash applications on x86_64 bit machines when the XRenderSetPictureFilter function was called (#56721). %description X Render Library %package libdbus-glib-1_2 libdbus-glib-1_2-devel Update: Thu Jan 21 12:47:52 2010 Importance: bugfix ID: MDVA-2010:039 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:039 %pre The dbus-glib package was built without a symbol that is needed by the latest versions of tracker. This update adds the missing functions (#57068). %description D-Bus add-on library to integrate the standard D-Bus library with the GLib thread abstraction and main loop. 
%package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Thu Jan 21 13:15:46 2010 Importance: bugfix ID: MDVA-2010:035-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:035-1 %pre This update has fixes for pccard 3G modem detection and accumulated fix for handling hdX/sdX devices (#53107) Update: This update remove conflicts on drakfirsttime caused by the last update of drakxtools. %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. - drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options managment / msec frontend - draksplash: bootsplash themes creation %package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Thu Jan 21 13:37:53 2010 Importance: bugfix ID: MDVA-2010:035-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:035-1 %pre This update has fixes for pccard 3G modem detection and accumulated fix for handling hdX/sdX devices (#53107) Update: This update remove conflicts on drakfirsttime caused by the last update of drakxtools. %description Contains many Mandriva Linux applications simplifying users and administrators life on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy distant work. 
- drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options managment / msec frontend - draksplash: bootsplash themes creation %package coreutils coreutils-doc Update: Sat Jan 23 20:25:21 2010 Importance: security ID: MDVSA-2010:024 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:024 %pre A vulnerability were discovered and corrected in coreutils: The distcheck rule in dist-check.mk in GNU coreutils 5.2.1 through 8.1 allows local users to gain privileges via a symlink attack on a file in a directory tree under /tmp (CVE-2009-4135). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description This package is the union of the old GNU fileutils, sh-utils, and textutils packages. These tools are the GNU versions of common useful and popular file & text utilities which are used for: - file management - shell scripts - modifying text file (spliting, joining, comparing, modifying, ...) Most of these programs have significant advantages over their Unix counterparts, such as greater speed, additional options, and fewer arbitrary limits. %package php-pear-Mail Update: Mon Jan 25 13:32:04 2010 Importance: security ID: MDVSA-2010:025 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:025 %pre Multiple vulnerabilities were discovered and corrected in php-pear (Mail): Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, a different vector than CVE-2009-4111 (CVE-2009-4023). 
Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023 (CVE-2009-4111). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct these issues. %description PEAR's Mail package defines an interface for implementing mailers under the PEAR hierarchy. It also provides supporting functions useful to multiple mailer backends. Currently supported backends include: PHP's native mail() function, sendmail, and SMTP. This package also provides a RFC822 email address list validation utility class. %package libmjpegtools1.9_0 libmjpegtools1.9_0-devel mjpegtools Update: Mon Jan 25 14:10:48 2010 Importance: bugfix ID: MDVA-2010:041 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:041 %pre jpeg2yuv (from the mjpegtools package) segfaulted when linked against libjpeg v7/8 (#55450). The provided packages has been patched to address this issue. %description The MJPEG-tools are a basic set of utilities for recording, editing, playing back and encoding (to mpeg) video under linux. Recording can be done with zoran-based MJPEG-boards (LML33, Iomega Buz, Pinnacle DC10(+), Marvel G200/G400), these can also playback video using the hardware. With the rest of the tools, this video can be edited and encoded into mpeg1/2 or divx video. 
%package kdelibs4-core kdelibs4-devel libkde3support4 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdnssd4 libkfile4 libkhtml5 libkimproxy4 libkio5 libkjs4 libkjsapi4 libkjsembed4 libkmediaplayer4 libknewstuff2_4 libknotifyconfig4 libkntlm4 libkparts4 libkpty4 libkrosscore4 libkrossui4 libktexteditor4 libkunittest4 libkutils4 libnepomuk4 libplasma3 libsolid4 libthreadweaver4 Update: Wed Jan 27 10:14:11 2010 Importance: security ID: MDVSA-2010:028 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:028 %pre Multiple vulnerabilities was discovered and corrected in kdelibs4: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a \'\0\' (NUL) character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-2702). KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692 (CVE-2009-2537). The gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc in FreeBSD 6.4 and 7.2, NetBSD 5.0, and OpenBSD 4.5 allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a large precision value in the format argument to a printf function, related to an array overrun. (CVE-2009-0689). The updated packages have been patched to correct these issues. %description Libraries for the K Desktop Environment. 
%package gurpmi urpmi urpmi-dudf urpmi-ldap urpmi-parallel-ka-run urpmi-parallel-ssh Update: Wed Jan 27 11:28:57 2010 Importance: bugfix ID: MDVA-2010:042 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:042 %pre This update a bug in urpmi which prevented rpmdrake to install packages a second time (bug #54842) %description urpmi is Mandriva Linux's console-based software installation tool. You can use it to install software from the console in the same way as you use the graphical Install Software tool (rpmdrake) to install software from the desktop. urpmi will follow package dependencies -- in other words, it will install all the other software required by the software you ask it to install -- and it's capable of obtaining packages from a variety of media, including the Mandriva Linux installation CD-ROMs, your local hard disk, and remote sources such as web or FTP sites. %package libpci3 pciutils pciutils-devel Update: Wed Jan 27 11:46:04 2010 Importance: bugfix ID: MDVA-2010:043 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:043 %pre This update fixes unaligned access in libpci on some rare hardware which ended in all programs using libldetect to fail with draksound (Bug #56772). %description This package contains various utilities for inspecting and setting devices connected to the PCI bus. %package libwebkitgtk1.0_2 libwebkitgtk1.0-devel webkit1.0 webkit1.0-webinspector webkit webkit-gtklauncher webkit-jsc Update: Wed Jan 27 17:15:35 2010 Importance: bugfix ID: MDVA-2010:046 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:046 %pre This update brings a new stable version of webkitgtk, and solves the problem with processors without the SSE2 instruction set. It is easy to see if you are suffering from this bug, just try to open some webpage on epiphany Web broswser, it will crash with old webkit version. %description WebKit is an open source web browser engine. 
%package evolution evolution-data-server evolution-devel evolution-exchange evolution-mono evolution-pilot gtkhtml-3.14 libcamel14 libebackend0 libebook9 libecal7 libedata-book2 libedata-cal6 libedataserver11 libedataserver-devel libedataserverui8 libegroupwise13 libexchange-storage3 libgdata1 libgtkhtml-3.14_19 libgtkhtml-3.14-devel Update: Wed Jan 27 18:26:08 2010 Importance: bugfix ID: MDVA-2010:047 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:047 %pre Evolution could crash when adding new task to a task list. Those packages fixes this issue and updates Evolution to the latest stable release, bringing performance and stability fixes, as well as additional translations. %description GtkHTML is a HTML rendering/editing library. GtkHTML is not designed to be the ultimate HTML browser/editor: instead, it is designed to be easily embedded into applications that require lightweight HTML functionality. GtkHTML was originally based on KDE's KHTMLW widget, but is now developed independently of it. The most important difference between KHTMLW and GtkHTML, besides being GTK-based, is that GtkHTML is also an editor. Thanks to the Bonobo editor component that comes with the library, it's extremely simple to add HTML editing to an existing application. %package libnss3 libnss-devel libnss-static-devel nss rootcerts rootcerts-java Update: Thu Jan 28 22:12:17 2010 Importance: security ID: MDVSA-2010:029 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:029 %pre The rootcerts package was added in Mandriva in 2005 and was meant to be updated when nessesary. The provided rootcerts packages has been upgraded using the latest certdata.txt file from the mozilla cvs repository, as of 2009/12/03. In Mandriva a number of additional CA root certificates has been added such as ICP-Brasil (Brazil government CA), cacert.org, IGC/A CA (French government CA). The IGC/A CA one was recently added upstream in the mozilla certdata.txt file. 
The rootcerts package provides the /etc/pki/tls/certs/ca-bundle.crt file, which most software in Mandriva shares where applicable, such as KDE, curl, pidgin, neon, and more. The mozilla nss library has consequently been rebuilt to pick up these changes and is also being provided. %description This is a bundle of X.509 certificates of public Certificate Authorities (CA). These were automatically extracted from Mozilla's root CA list (the file "certdata.txt"). It contains the certificates in both plain text and PEM format and therefore can be directly used with an Apache/mod_ssl webserver for SSL client authentication. Just configure this file as the SSLCACertificateFile. %package gtk+2.0 libgail18 libgail-devel libgdk_pixbuf2.0_0 libgdk_pixbuf2.0_0-devel libgtk+2.0_0 libgtk+2.0_0-devel libgtk+-x11-2.0_0 Update: Mon Feb 01 13:23:43 2010 Importance: bugfix ID: MDVA-2010:048 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:048 %pre gtk+ 2.0 was not correctly handling input methods in client-side window mode. This could lead to application crashes; inkscape is a good example. This update fixes this issue and upgrades gtk+2.0 to the latest stable release (2.18.6), which includes stability fixes for various applications, including gnome-panel. %description The gtk+ package contains the GIMP ToolKit (GTK+), a library for creating graphical user interfaces for the X Window System. GTK+ was originally written for the GIMP (GNU Image Manipulation Program) image processing program, but is now used by several other programs as well. If you are planning on using the GIMP or another program that uses GTK+, you'll need to have the gtk+ package installed.
%package broadcom-wl-kernel-2.6.31.12-desktop-1mnb broadcom-wl-kernel-2.6.31.12-desktop586-1mnb broadcom-wl-kernel-2.6.31.12-server-1mnb broadcom-wl-kernel-desktop586-latest broadcom-wl-kernel-desktop-latest broadcom-wl-kernel-server-latest em8300-kernel-2.6.31.12-desktop-1mnb em8300-kernel-2.6.31.12-desktop586-1mnb em8300-kernel-2.6.31.12-server-1mnb em8300-kernel-desktop586-latest em8300-kernel-desktop-latest em8300-kernel-server-latest fglrx-kernel-2.6.31.12-desktop-1mnb fglrx-kernel-2.6.31.12-desktop586-1mnb fglrx-kernel-2.6.31.12-server-1mnb fglrx-kernel-desktop586-latest fglrx-kernel-desktop-latest fglrx-kernel-server-latest hcfpcimodem-kernel-2.6.31.12-desktop-1mnb hcfpcimodem-kernel-2.6.31.12-desktop586-1mnb hcfpcimodem-kernel-2.6.31.12-server-1mnb hcfpcimodem-kernel-desktop586-latest hcfpcimodem-kernel-desktop-latest hcfpcimodem-kernel-server-latest hsfmodem-kernel-2.6.31.12-desktop-1mnb hsfmodem-kernel-2.6.31.12-desktop586-1mnb hsfmodem-kernel-2.6.31.12-server-1mnb hsfmodem-kernel-desktop586-latest hsfmodem-kernel-desktop-latest hsfmodem-kernel-server-latest kernel-2.6.31.12-1mnb kernel-desktop-2.6.31.12-1mnb kernel-desktop586-2.6.31.12-1mnb kernel-desktop586-devel-2.6.31.12-1mnb kernel-desktop586-devel-latest kernel-desktop586-latest kernel-desktop-devel-2.6.31.12-1mnb kernel-desktop-devel-latest kernel-desktop-latest kernel-doc kernel-server-2.6.31.12-1mnb kernel-server-devel-2.6.31.12-1mnb kernel-server-devel-latest kernel-server-latest kernel-source-2.6.31.12-1mnb kernel-source-latest libafs-kernel-2.6.31.12-desktop-1mnb libafs-kernel-2.6.31.12-desktop586-1mnb libafs-kernel-2.6.31.12-server-1mnb libafs-kernel-desktop586-latest libafs-kernel-desktop-latest libafs-kernel-server-latest lirc-kernel-2.6.31.12-desktop-1mnb lirc-kernel-2.6.31.12-desktop586-1mnb lirc-kernel-2.6.31.12-server-1mnb lirc-kernel-desktop586-latest lirc-kernel-desktop-latest lirc-kernel-server-latest lzma-kernel-2.6.31.12-desktop-1mnb lzma-kernel-2.6.31.12-desktop586-1mnb 
lzma-kernel-2.6.31.12-server-1mnb lzma-kernel-desktop586-latest lzma-kernel-desktop-latest lzma-kernel-server-latest madwifi-kernel-2.6.31.12-desktop-1mnb madwifi-kernel-2.6.31.12-desktop586-1mnb madwifi-kernel-2.6.31.12-server-1mnb madwifi-kernel-desktop586-latest madwifi-kernel-desktop-latest madwifi-kernel-server-latest nvidia173-kernel-2.6.31.12-desktop-1mnb nvidia173-kernel-2.6.31.12-desktop586-1mnb nvidia173-kernel-2.6.31.12-server-1mnb nvidia173-kernel-desktop586-latest nvidia173-kernel-desktop-latest nvidia173-kernel-server-latest nvidia96xx-kernel-2.6.31.12-desktop-1mnb nvidia96xx-kernel-2.6.31.12-desktop586-1mnb nvidia96xx-kernel-2.6.31.12-server-1mnb nvidia96xx-kernel-desktop586-latest nvidia96xx-kernel-desktop-latest nvidia96xx-kernel-server-latest nvidia-current-kernel-2.6.31.12-desktop-1mnb nvidia-current-kernel-2.6.31.12-desktop586-1mnb nvidia-current-kernel-2.6.31.12-server-1mnb nvidia-current-kernel-desktop586-latest nvidia-current-kernel-desktop-latest nvidia-current-kernel-server-latest slmodem-kernel-2.6.31.12-desktop-1mnb slmodem-kernel-2.6.31.12-desktop586-1mnb slmodem-kernel-2.6.31.12-server-1mnb slmodem-kernel-desktop586-latest slmodem-kernel-desktop-latest slmodem-kernel-server-latest squashfs-lzma-kernel-2.6.31.12-desktop-1mnb squashfs-lzma-kernel-2.6.31.12-desktop586-1mnb squashfs-lzma-kernel-2.6.31.12-server-1mnb squashfs-lzma-kernel-desktop586-latest squashfs-lzma-kernel-desktop-latest squashfs-lzma-kernel-server-latest vboxadditions-kernel-2.6.31.12-desktop-1mnb vboxadditions-kernel-2.6.31.12-desktop586-1mnb vboxadditions-kernel-2.6.31.12-server-1mnb vboxadditions-kernel-desktop586-latest vboxadditions-kernel-desktop-latest vboxadditions-kernel-server-latest virtualbox-kernel-2.6.31.12-desktop-1mnb virtualbox-kernel-2.6.31.12-desktop586-1mnb virtualbox-kernel-2.6.31.12-server-1mnb virtualbox-kernel-desktop586-latest virtualbox-kernel-desktop-latest virtualbox-kernel-server-latest vpnclient-kernel-2.6.31.12-desktop-1mnb 
vpnclient-kernel-2.6.31.12-desktop586-1mnb vpnclient-kernel-2.6.31.12-server-1mnb vpnclient-kernel-desktop586-latest vpnclient-kernel-desktop-latest vpnclient-kernel-server-latest Update: Mon Feb 01 15:56:10 2010 Importance: security ID: MDVSA-2010:030 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:030 %pre Some vulnerabilities were discovered and corrected in the Linux 2.6 kernel: Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. (CVE-2009-3080) The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. (CVE-2009-4005) An issue was discovered in 2.6.32.x kernels, which set insecure permissions for the devtmpfs file system by default. (CVE-2010-0299) Additionally, support was added for the Atheros AR2427 Wireless Network Adapter. To update your kernel, please follow the directions located at: http://www.mandriva.com/en/security/kernelupdate %description %package libnss3 libnss-devel libnss-static-devel nss rootcerts rootcerts-java Update: Thu Feb 04 13:40:33 2010 Importance: security ID: MDVSA-2010:032 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:032 %pre It was brought to our attention by Ludwig Nussel at SUSE that the md5 collision certificate should not be included. This update removes the offending certificate. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The mozilla nss library has consequently been rebuilt to pick up these changes and is also being provided. %description This is a bundle of X.509 certificates of public Certificate Authorities (CA). These were automatically extracted from Mozilla's root CA list (the file "certdata.txt").
It contains the certificates in both plain text and PEM format and therefore can be directly used with an Apache/mod_ssl webserver for SSL client authentication. Just configure this file as the SSLCACertificateFile. %package squid squid-cachemgr Update: Fri Feb 05 17:18:53 2010 Importance: security ID: MDVSA-2010:033 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:033 %pre A vulnerability has been discovered and corrected in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15, which allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header (CVE-2010-0308). This update provides a fix to this vulnerability. %description Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. Install squid if you need a proxy caching server. This package defaults to a maximum of 8192 file descriptors. You can change these values at build time by using for example: --define 'maxfiles 4096' The package was built to support a maximum of 8192 file descriptors. You can build squid with some conditional build switches (i.e.
use with rpm --rebuild): --with[out] test Initiate the test suite %package webmin Update: Fri Feb 12 18:51:31 2010 Importance: security ID: MDVSA-2010:036 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:036 %pre This advisory updates webmin to the latest version 1.500, fixing several bugs and a cross-site scripting issue which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors (CVE-2009-4568). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. %description A web-based administration interface for Unix systems. Using Webmin you can configure DNS, Samba, NFS, local/remote filesystems, Apache, Sendmail/Postfix, and more using your web browser. After installation, enter the URL https://localhost:10000/ into your browser and log in as root with your root password. Please consider logging in and modifying your password for security reasons. PLEASE NOTE THAT THIS VERSION NOW USES SECURE WEB TRANSACTIONS: YOU HAVE TO LOG IN TO "https://localhost:10000/" AND NOT "http://localhost:10000/". %package msec msec-gui Update: Fri Feb 12 22:35:13 2010 Importance: bugfix ID: MDVA-2010:059 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:059 %pre msec in Mandriva Linux 2009.1 and 2010.0 would not carry out the chkrootkit check correctly if the chkrootkit package was uninstalled after the test had been run at least once. This update fixes the issue. %description The Mandriva Linux Security package is designed to provide security features to Mandriva Linux users. It allows you to select from a set of preconfigured security levels, and supports custom permission settings, user-specified levels, and several security utilities. This package includes the main msec application and several programs that will be run periodically in order to test the security of your system and alert you if needed.
%package xfig Update: Mon Feb 15 17:14:14 2010 Importance: bugfix ID: MDVA-2010:061 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:061 %pre The predrawn figure library in xfig could not be accessed by non-root users because of incorrect permissions making the contents of /usr/lib/X11/xfig/Libraries readable only by root. This update corrects the problematic permissions. %description Xfig is an X Window System tool for creating basic vector graphics, including bezier curves, lines, rulers and more. The resulting graphics can be saved, printed on PostScript printers or converted to a variety of other formats (e.g., X11 bitmaps, Encapsulated PostScript, LaTeX). You should install xfig if you need a simple program to create vector graphics. %package drakx-finish-install drakxtools drakxtools-backend drakxtools-curses drakxtools-http harddrake harddrake-ui Update: Mon Feb 15 17:23:49 2010 Importance: bugfix ID: MDVA-2010:062 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:062 %pre This update allows the use of ddf1 raid and the management of unpartitioned dmraid. It also offers to install onto dmraid or existing lvm without using manual partitioning. %description Contains many Mandriva Linux applications simplifying users' and administrators' lives on a Mandriva Linux machine. Nearly all of them work both under XFree (graphical environment) and in console (text environment), allowing easy remote work.
- drakbug: interactive bug report tool - drakbug_report: help find bugs in DrakX - drakclock: date & time configurator - drakfloppy: boot disk creator - drakfont: import fonts in the system - draklog: show extracted information from the system logs - drakperm: msec GUI (permissions configurator) - draksec: security options management / msec frontend - draksplash: bootsplash themes creation %package totem totem-mozilla totem-nautilus Update: Mon Feb 15 17:36:18 2010 Importance: bugfix ID: MDVA-2010:063 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:063 %pre The youtube plugin in totem has stopped working. This was caused by changes on the youtube web site. This new version adapts to those changes to make youtube playback in totem work again. %description Totem is a simple movie player for the GNOME desktop. It features a simple playlist, a full-screen mode, seek and volume controls, as well as a pretty complete keyboard navigation. %package pptp-linux Update: Mon Feb 15 18:25:17 2010 Importance: bugfix ID: MDVA-2010:064 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:064 %pre The pptp-linux packages in Mandriva Linux 2009.0, MES5, 2009.1 and 2010.0 try to call /bin/ip instead of /sbin/ip. The updated packages fix this issue. %description PPTP-linux allows you to connect to a PPTP server from a Linux or other Unix box (ports of pptp-linux to other Unix variants should be trivial, but have not yet been performed). See the IPfwd page (http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd) for information on tunnelling PPTP through Linux firewalls. %package drakx-installer-stage2 Update: Tue Feb 16 09:38:57 2010 Importance: bugfix ID: MDVA-2010:062-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:062-1 %pre This update allows the use of ddf1 raid and the management of unpartitioned dmraid. It also offers to install onto dmraid or existing lvm without using manual partitioning.
Update: the drakx-installer-stage2 packages were missing from the MDVA-2010:062 advisory. The missing packages are being provided with this advisory. %description This is the stage2 image for Mandriva DrakX installer. %package fetchmail fetchmailconf fetchmail-daemon Update: Tue Feb 16 10:12:13 2010 Importance: security ID: MDVSA-2010:037 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:037 %pre A vulnerability has been discovered and corrected in fetchmail: The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping (CVE-2010-0562). This update provides fetchmail 6.3.14, which is not vulnerable to this issue. %description Fetchmail is a free, full-featured, robust, and well-documented remote mail retrieval and forwarding utility intended to be used over on-demand TCP/IP links (such as SLIP or PPP connections). It retrieves mail from remote mail servers and forwards it to your local (client) machine's delivery system, so it can then be read by normal mail user agents such as Mutt, Elm, Pine, (X)Emacs/Gnus or Mailx. It comes with an interactive GUI configurator suitable for end-users. Fetchmail supports every remote-mail protocol currently in use on the Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN) for retrieval. Then Fetchmail forwards the mail through SMTP, so you can read it through your normal mail client. %package mdkonline Update: Tue Feb 16 11:17:54 2010 Importance: bugfix ID: MDVA-2010:067 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:067 %pre The new mdkonline packages add the extended maintenance support to mdkonline.
Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. %description The Mandriva Online tool allows users to be kept informed about security updates, hardware support/enhancements and other high value services. The package includes: * Update daemon which allows you to install security updates automatically, * A KDE/Gnome/IceWM compliant applet for security updates notification and installation. %package drakconf drakconf-icons Update: Tue Feb 16 11:51:22 2010 Importance: bugfix ID: MDVA-2010:068 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:068 %pre The new drakconf packages add extended maintenance access support to drakconf. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers as well as for official 2008.0 updates. %description drakconf includes the Mandriva Linux Control Center which is an interface to multiple utilities from DrakXtools. %package blogtk python-gdata Update: Tue Feb 16 15:05:26 2010 Importance: bugfix ID: MDVA-2010:070 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:070 %pre The blogtk package in 2010.0 was crashing on start. This update fixes the problem by updating blogtk to the latest version. Additionally the python-gdata packages are being provided as well due to requirements. %description This is a Python module for accessing online Google services, such as: - Blogger - Calendar - Picasa Web Albums - Spreadsheets - YouTube - Notebook %package eject Update: Tue Feb 16 15:55:49 2010 Importance: bugfix ID: MDVA-2010:071 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:071 %pre The eject package shipped in Mandriva Linux 2009.0, 2009.1, 2010.0 contains a bug which will lead to a failure when ejecting a DVD which has space characters within its name. The updated package fixes this problem. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.
%description The eject program allows the user to eject removable media (typically CD-ROMs, floppy disks or Iomega Jaz or Zip disks) using software control. Eject can also control some multi-disk CD changers and even some devices' auto-eject features. Install eject if you'd like to eject removable media using software control. %package libnetpbm10 libnetpbm-devel libnetpbm-static-devel netpbm Update: Wed Feb 17 16:00:07 2010 Importance: security ID: MDVSA-2010:039 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:039 %pre A vulnerability has been discovered and corrected in netpbm: Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value (CVE-2009-4274). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description The netpbm package contains a library of functions which support programs for handling various graphics file formats, including .pbm (portable bitmaps), .pgm (portable graymaps), .pnm (portable anymaps), .ppm (portable pixmaps) and others. %package gnome-screensaver Update: Wed Feb 17 17:07:43 2010 Importance: security ID: MDVSA-2010:040 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:040 %pre Multiple vulnerabilities have been discovered and corrected in gnome-screensaver: gnome-screensaver 2.28.0 does not resume adherence to its activation settings after an inhibiting application becomes unavailable on the session bus, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended (CVE-2009-4641).
gnome-screensaver before 2.28.2 allows physically proximate attackers to bypass screen locking and access an unattended workstation by moving the mouse position to an external monitor and then disconnecting that monitor (CVE-2010-0414). This update provides gnome-screensaver 2.28.3, which is not vulnerable to these issues. %description gnome-screensaver is a screen saver and locker that aims to have simple, sane, secure defaults and be well integrated with the desktop. It is designed to support: * the ability to lock down configuration settings * translation into other languages * user switching %package finch libfinch0 libpurple0 libpurple-devel pidgin pidgin-bonjour pidgin-client pidgin-gevolution pidgin-i18n pidgin-meanwhile pidgin-mono pidgin-perl pidgin-plugins pidgin-silc pidgin-tcl Update: Thu Feb 18 12:31:19 2010 Importance: security ID: MDVSA-2010:041 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:041 %pre Multiple security vulnerabilities have been identified and fixed in pidgin: Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). If a user in a multi-user chat room has a nickname containing '
' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusably slow (CVE-2010-0423). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.6, which is not vulnerable to these issues. %description Pidgin allows you to talk to anyone using a variety of messaging protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. Pidgin supports many common features of other clients, as well as many unique features, such as perl scripting, TCL scripting and C plugins. Pidgin is not affiliated with or endorsed by America Online, Inc., Microsoft Corporation, Yahoo! Inc., or ICQ Inc. %package dhcp-client dhcp-common dhcp-devel dhcp-doc dhcp-relay dhcp-server Update: Thu Feb 18 17:38:37 2010 Importance: bugfix ID: MDVA-2010:073 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:073 %pre The DHCP client ignores the interface-mtu option set by the server. This update fixes the issue. %description DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. The dhcp package includes the DHCP server and a DHCP relay agent.
You will also need to install the dhcp-client or dhcpcd package, or pump or dhcpxd, which provides the DHCP client daemon, on client machines. If you want the DHCP server and/or relay, you will also need to install the dhcp-server and/or dhcp-relay packages. %package xdg-utils Update: Thu Feb 18 18:12:51 2010 Importance: bugfix ID: MDVA-2010:074 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:074 %pre This update enables files to be properly attached when xdg-email is used with Thunderbird as the default mail client. %description This version of xdg-utils contains the following commands: xdg-desktop-menu: command line tool for (un)installing desktop menu items xdg-desktop-icon: command line tool for (un)installing icons to the desktop xdg-mime: command line tool for querying information about file type handling and adding descriptions for new file types xdg-icon-resource: command line tool for (un)installing icon resources xdg-open: opens a file or URL in the user's preferred application xdg-email: command line tool for sending mail using the user's preferred e-mail composer xdg-su: run a program as root after prompting for the root password xdg-screensaver: command line tool for controlling the screensaver Testsuite for xdg-utils is available from http://portland.freedesktop.org/wiki/TestSuite %package beagle beagle-crawl-system beagle-doc beagle-evolution beagle-gui beagle-gui-qt beagle-libs firefox firefox-af firefox-ar firefox-be firefox-bg firefox-bn firefox-ca firefox-cs firefox-cy firefox-da firefox-de firefox-devel firefox-el firefox-en_GB firefox-eo firefox-es_AR firefox-es_ES firefox-et firefox-eu firefox-ext-beagle firefox-ext-blogrovr firefox-ext-mozvoikko firefox-ext-plasmanotify firefox-ext-r-kiosk firefox-ext-scribefire firefox-fi firefox-fr firefox-fy firefox-ga_IE firefox-gl firefox-gu_IN firefox-he firefox-hi firefox-hu firefox-id firefox-is firefox-it firefox-ja firefox-ka firefox-kn firefox-ko firefox-ku firefox-lt firefox-lv 
firefox-mk firefox-mn firefox-mr firefox-nb_NO firefox-nl firefox-nn_NO firefox-oc firefox-pa_IN firefox-pl firefox-pt_BR firefox-pt_PT firefox-ro firefox-ru firefox-si firefox-sk firefox-sl firefox-sq firefox-sr firefox-sv_SE firefox-te firefox-th firefox-theme-kfirefox firefox-tr firefox-uk firefox-zh_CN firefox-zh_TW gnome-python-extras gnome-python-gda gnome-python-gda-devel gnome-python-gdl gnome-python-gtkhtml2 gnome-python-gtkmozembed gnome-python-gtkspell google-gadgets-common google-gadgets-gtk google-gadgets-qt libggadget1.0_0 libggadget-dbus1.0_0 libggadget-gtk1.0_0 libggadget-js1.0_0 libggadget-npapi1.0_0 libggadget-qt1.0_0 libggadget-webkitjs0 libggadget-xdg1.0_0 libgoogle-gadgets-devel libopensc2 libopensc-devel libxulrunner1.9.1.8 libxulrunner-devel mozilla-plugin-opensc mozilla-thunderbird-beagle opensc python-xpcom xulrunner yelp Update: Fri Feb 19 13:55:18 2010 Importance: security ID: MDVSA-2010:042 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:042 %pre Security issues were identified and fixed in firefox 3.0.x and 3.5.x: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2010-0159). Security researcher Orlando Barrera II reported via TippingPoint's Zero Day Initiative that Mozilla's implementation of Web Workers contained an error in its handling of array data types when processing posted messages. This error could be used by an attacker to corrupt heap memory and crash the browser, potentially running arbitrary code on a victim's computer (CVE-2010-0160). Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. 
Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution of arbitrary code if methods on the freed objects were subsequently called (CVE-2009-1571). Security researcher Hidetake Jo of Microsoft Vulnerability Research reported that the properties set on an object passed to showModalDialog were readable by the document contained in the dialog, even when the document was from a different domain. This is a violation of the same-origin policy and could result in a website running untrusted JavaScript if it assumed the dialogArguments could not be initialized by another site. An anonymous security researcher, via TippingPoint's Zero Day Initiative, also independently reported this issue to Mozilla (CVE-2009-3988). Mozilla security researcher Georgi Guninski reported that when a SVG document which is served with Content-Type: application/octet-stream is embedded into another document via an tag with type=image/svg+xml, the Content-Type is ignored and the SVG document is processed normally. A website which allows arbitrary binary data to be uploaded but which relies on Content-Type: application/octet-stream to prevent script execution could have such protection bypassed. An attacker could upload a SVG document containing JavaScript as a binary file to a website, embed the SVG document into a malicious page on another site, and gain access to the script environment from the SVG-serving site, bypassing the same-origin policy (CVE-2010-0162). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. Additionally, some packages which require it have been rebuilt and are being provided as updates. %description Help browser for GNOME 2 which supports docbook documents, info and man.
%package gtksourceview libgtksourceview-2.0_0 libgtksourceview-2.0-devel python-gtksourceview python-gtksourceview-devel python-webkitgtk Update: Fri Feb 19 19:01:59 2010 Importance: bugfix ID: MDVA-2010:070-1 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:070-1 %pre The blogtk package in 2010.0 was crashing on start. This update fixes the problem by updating blogtk to the latest version. Additionally the python-gdata packages are being provided as well due to requirements. Update: The MDVA-2010:070 advisory was missing some new dependencies (packages), which prevented blogtk from installing using MandrivaUpdate. This advisory provides the missing packages. %description PyWebKitGtk provides an API for developers to program WebKit/Gtk using Python. %package libmysql16 libmysql-devel libmysql-static-devel mysql mysql-bench mysql-client mysql-common mysql-common-core mysql-core mysql-doc mysql-max mysql-ndb-extra mysql-ndb-management mysql-ndb-storage mysql-ndb-tools Update: Fri Feb 19 19:40:17 2010 Importance: security ID: MDVSA-2010:044 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:044 %pre A vulnerability has been found and corrected in mysql: MySQL is vulnerable to a symbolic link attack when the data home directory contains a symlink to a different filesystem which allows remote authenticated users to bypass intended access restrictions (CVE-2008-7247). The updated packages have been patched to correct these issues. %description The MySQL(TM) software delivers a very fast, multi-threaded, multi-user, and robust SQL (Structured Query Language) database server. MySQL Server is intended for mission-critical, heavy-load production systems as well as for embedding into mass-deployed software. MySQL is a trademark of MySQL AB. Please see the documentation and the manual for more information.
%package ipxutils libncpfs2.3 libncpfs-devel ncpfs Update: Tue Feb 23 17:33:58 2010 Importance: security ID: MDVSA-2010:046 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:046 %pre A vulnerability has been found in ncpfs which can be exploited by local users to disclose potentially sensitive information, cause a DoS (Denial of Service), and potentially gain escalated privileges (CVE-2009-3297). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description Ncpfs is a filesystem which understands the Novell NetWare(TM) NCP protocol. Functionally, NCP is used for NetWare the way NFS is used in the TCP/IP world. For a Linux system to mount a NetWare filesystem, it needs a special mount program. The ncpfs package contains such a mount program plus other tools for configuring and using the ncpfs filesystem. Install the ncpfs package if you need to use the ncpfs filesystem to use Novell NetWare files or services. %package fuse libfuse2 libfuse-devel libfuse-static-devel Update: Tue Feb 23 18:09:51 2010 Importance: security ID: MDVSA-2010:047 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:047 %pre A race condition has been found in fuse that could escalate privileges for local users and lead to a DoS (Denial of Service) (CVE-2009-3297). The updated packages have been patched to correct this issue. %description FUSE (Filesystem in USErspace) is a simple interface for userspace programs to export a virtual filesystem to the linux kernel. FUSE also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations. %package rsh rsh-server Update: Wed Feb 24 14:49:47 2010 Importance: bugfix ID: MDVA-2010:076 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:076 %pre The rsh package in 2010.0 has several bugs that prevented it from working correctly, the updated packages fix all those issues. 
%description The rsh package contains a set of programs which allow users to run commands on remote machines, login to other machines and copy files between machines (rsh, rlogin and rcp). All three of these commands use rhosts style authentication. This package contains the clients needed for all of these services. The rsh package should be installed to enable remote access to other machines. %package aria2 Update: Wed Feb 24 15:01:19 2010 Importance: bugfix ID: MDVA-2010:077 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:077 %pre In some cases aria2 would crash with a segmentation fault when encountering file not found errors. This could particularly happen when installing updates with urpmi. %description Aria2 has a segmented downloading engine in its core. It can download one file from multiple URLs or multiple connections from one URL. This results in very high speed downloading, very much faster than ordinary browsers. This engine is implemented with a single-thread model. It can also download BitTorrent files and supports Metalink version 3.0. %package glibc glibc-devel glibc-doc glibc-doc-pdf glibc-i18ndata glibc-profile glibc-static-devel glibc-utils nscd Update: Thu Feb 25 19:00:44 2010 Importance: bugfix ID: MDVA-2010:081 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:081 %pre glibc 2.10.1 on Mandriva 2010.0 can't resolve names with some buggy routers. This update includes upstream fixes made after the glibc 2.10.1 release that fix the issue (Mandriva bug #57698). Other glibc resolver fixes are included too, which also address some other open upstream bugs. %description The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs.
This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. The glibc package also contains national language (locale) support. This package now also provides ldconfig which was packaged separately in the past. Ldconfig is a basic system program which determines run-time link bindings between ld.so and shared libraries. Ldconfig scans a running system and sets up the symbolic links that are used to load shared libraries properly. It also creates a cache (/etc/ld.so.cache) which speeds the loading of programs which use shared libraries. %package sudo Update: Thu Feb 25 19:23:29 2010 Importance: security ID: MDVSA-2010:049 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:049 %pre A vulnerability has been found and corrected in sudo: sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory (CVE-2010-0426). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description Sudo is a program designed to allow a sysadmin to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. %package x11-driver-video-ati Update: Fri Feb 26 13:29:27 2010 Importance: bugfix ID: MDVA-2010:084 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:084 %pre There was a bug in the ATI X1200 driver, making it show very frequent screen corruption. This update fixes the issue. %description x11-driver-video-ati is the X.org driver for ATI Technologies.
%package dhcp-client dhcp-common dhcp-devel dhcp-doc dhcp-relay dhcp-server Update: Fri Feb 26 17:45:13 2010 Importance: bugfix ID: MDVA-2010:085 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:085 %pre The dhcp-server package shipped with Mandriva Linux 2009.1 and 2010.0 was using incorrect SV_LDAP definitions during the build, which resulted in LDAP support being non-functional. This update fixes the issue. %description DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. The dhcp package includes the DHCP server and a DHCP relay agent. You will also need to install the dhcp-client or dhcpcd package, or pump or dhcpxd, which provides the DHCP client daemon, on client machines. If you want the DHCP server and/or relay, you will also need to install the dhcp-server and/or dhcp-relay packages. %package irqbalance Update: Mon Mar 01 12:15:24 2010 Importance: bugfix ID: MDVA-2010:086 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:086 %pre This update fixes a bug in irqbalance that makes it fail to spread IRQs on an SMP or multi-core machine (#57523). %description irqbalance is a daemon that evenly distributes IRQ load across multiple CPUs for enhanced performance. %package mozilla-thunderbird mozilla-thunderbird-devel mozilla-thunderbird-enigmail nsinstall Update: Mon Mar 01 15:33:32 2010 Importance: security ID: MDVSA-2010:051 URL: http://www.mandriva.com/security/advisories?name=MDVSA-2010:051 %pre A vulnerability has been found and corrected in mozilla-thunderbird: Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input.
Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution of arbitrary code if methods on the freed objects were subsequently called (CVE-2009-1571). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue. %description Mozilla Thunderbird is a full-featured email, RSS and newsgroup client that makes emailing safer, faster and easier than ever before. %package rsnapshot Update: Mon Mar 01 17:00:46 2010 Importance: bugfix ID: MDVA-2010:088 URL: http://www.mandriva.com/security/advisories?name=MDVA-2010:088 %pre Rsnapshot will automatically add --exclude=xxxx to the rsync options for backups of the filesystem on which the snapshot-root is located. This will be added to the rsync command-line AFTER the rsync_short_args and rsync_long_args, but BEFORE any backup-specific options. This means that the --exclude=xxxx will override whatever backup-specific excludes are defined. This can be a problem if the name of your snapshot-root is something which is common in many file names. This version resolves this problem. %description This is a remote backup program that uses rsync to take backup snapshots of filesystems. It uses hard links to save space on disk. For more details see http://www.rsnapshot.org/.