-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:070 http://www.mandriva.com/security/ _______________________________________________________________________ Package : sash Date : April 10, 2006 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Tavis Ormandy of the Gentoo Security Project discovered a vulnerability in zlib where a certain data stream would cause zlib to corrupt a data structure, resulting in the linked application to dump core (CVE-2005-2096). Markus Oberhumber discovered additional ways that a specially-crafted compressed stream could trigger an overflow. An attacker could create such a stream that would cause a linked application to crash if opened by a user (CVE-2005-1849). Both of these issues have previously been fixed in zlib, but sash links statically against zlib and is thus also affected by these issues. New sash packages are available that link against the updated zlib packages. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096 _______________________________________________________________________ Updated Packages: Mandriva Linux 10.2: 290e5d895235afaaa1548d4898c5cde8 10.2/RPMS/sash-3.7-3.1.102mdk.i586.rpm 6cb36fc925f8793ef0f22a1d0adacb24 10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm Mandriva Linux 10.2/X86_64: 4088008711f30343c6ddbd45dd4429f0 x86_64/10.2/RPMS/sash-3.7-3.1.102mdk.x86_64.rpm 6cb36fc925f8793ef0f22a1d0adacb24 x86_64/10.2/SRPMS/sash-3.7-3.1.102mdk.src.rpm Mandriva Linux 2006.0: 6a8ef8036ca25661d6e1e18e826b7cf7 2006.0/RPMS/sash-3.7-3.1.20060mdk.i586.rpm ebfdd661247a673a536d14b57bd1494f 2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: f3ace9f835ba2bcf3358404ec3b35863 x86_64/2006.0/RPMS/sash-3.7-3.1.20060mdk.x86_64.rpm ebfdd661247a673a536d14b57bd1494f x86_64/2006.0/SRPMS/sash-3.7-3.1.20060mdk.src.rpm Corporate 3.0: 76d84869521a8231bde684d29c909f77 corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.i586.rpm 5a52429713ca8dabda8fe0462eedbf41 corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm Corporate 3.0/X86_64: 5fdfa411aaa588d14e3f92d877b31e0b x86_64/corporate/3.0/RPMS/sash-3.6-5.1.C30mdk.x86_64.rpm 5a52429713ca8dabda8fe0462eedbf41 x86_64/corporate/3.0/SRPMS/sash-3.6-5.1.C30mdk.src.rpm Multi Network Firewall 2.0: b1d67ff8736048c8687708ff614d995b mnf/2.0/RPMS/sash-3.6-5.1.M20mdk.i586.rpm df79ea5562d8e2d45f98ead903f1b4c7 mnf/2.0/SRPMS/sash-3.6-5.1.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEOtv8mqjQ0CJFipgRAvmaAKDbjEYQYMNmbwm5XFF37ClR4W2+rACfSszW RKonuFKGLwS+UEca0OtVDUc= =I//9 -----END PGP SIGNATURE-----