-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2008:161 http://www.mandriva.com/security/ _______________________________________________________________________ Package : rxvt Date : August 7, 2008 Affected: 2007.1, 2008.0, 2008.1, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: A vulnerability in rxvt allowed it to open a terminal on :0 if the environment variable was not set, which could be used by a local user to hijack X11 connections (CVE-2008-1142). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1142 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.1: 57b033071ca6cf454e53679cfc946215 2007.1/i586/rxvt-2.7.10-16.1mdv2007.1.i586.rpm 987dfd1fc331f8047320a567205f2b0e 2007.1/i586/rxvt-CJK-2.7.10-16.1mdv2007.1.i586.rpm 22d14c838873f3a5a12953ddc80b379f 2007.1/SRPMS/rxvt-2.7.10-16.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 1aa9086c284832ff0d8bea0df49b2dc0 2007.1/x86_64/rxvt-2.7.10-16.1mdv2007.1.x86_64.rpm 526300e80d46b885b4c0c2a7f89e5713 2007.1/x86_64/rxvt-CJK-2.7.10-16.1mdv2007.1.x86_64.rpm 22d14c838873f3a5a12953ddc80b379f 2007.1/SRPMS/rxvt-2.7.10-16.1mdv2007.1.src.rpm Mandriva Linux 2008.0: 1ffd0f19c9b1f4e3aaf754ecf93add8e 2008.0/i586/rxvt-2.7.10-16.1mdv2008.0.i586.rpm 4b5fb452195f84baeb32cb5a34621a65 2008.0/i586/rxvt-CJK-2.7.10-16.1mdv2008.0.i586.rpm 8cb62791b100d1d29139755da8395385 2008.0/SRPMS/rxvt-2.7.10-16.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 4cfc1a35513ec7132f824451c7c8acf2 2008.0/x86_64/rxvt-2.7.10-16.1mdv2008.0.x86_64.rpm d2ecb0199b0077ade4c0547288b94517 2008.0/x86_64/rxvt-CJK-2.7.10-16.1mdv2008.0.x86_64.rpm 8cb62791b100d1d29139755da8395385 2008.0/SRPMS/rxvt-2.7.10-16.1mdv2008.0.src.rpm Mandriva Linux 2008.1: 71568160ba7e7b8a0491d519c7831681 2008.1/i586/rxvt-2.7.10-17.1mdv2008.1.i586.rpm 49d36222b49e6259a119aa60d94f6ef6 2008.1/i586/rxvt-CJK-2.7.10-17.1mdv2008.1.i586.rpm ba19748c3c818b097c5f67d00ae43134 2008.1/SRPMS/rxvt-2.7.10-17.1mdv2008.0.src.rpm Mandriva Linux 2008.1/X86_64: 35b3cfabfb394776cae6c0b1a10ab964 2008.1/x86_64/rxvt-2.7.10-17.1mdv2008.1.x86_64.rpm a3da3ba50a830441972b2543ed67827a 2008.1/x86_64/rxvt-CJK-2.7.10-17.1mdv2008.1.x86_64.rpm ba19748c3c818b097c5f67d00ae43134 2008.1/SRPMS/rxvt-2.7.10-17.1mdv2008.0.src.rpm Corporate 3.0: cb6ac4354c0d8318a601763eb1bfdbfa corporate/3.0/i586/rxvt-2.7.10-9.1.C30mdk.i586.rpm eebcd4d9b19b4d0656212c6e4d0541da corporate/3.0/i586/rxvt-CJK-2.7.10-9.1.C30mdk.i586.rpm ded480e4d648c4639d90de1ac2de935d corporate/3.0/SRPMS/rxvt-2.7.10-9.1.C30mdk.src.rpm Corporate 3.0/X86_64: 149aef5a3dab942e78e2fb96d7bde221 corporate/3.0/x86_64/rxvt-2.7.10-9.1.C30mdk.x86_64.rpm 5665b6aca60cb592bccd67cb99cafec2 corporate/3.0/x86_64/rxvt-CJK-2.7.10-9.1.C30mdk.x86_64.rpm ded480e4d648c4639d90de1ac2de935d corporate/3.0/SRPMS/rxvt-2.7.10-9.1.C30mdk.src.rpm Corporate 4.0: 500e79ac86c14861a69c2bf8c72f0325 corporate/4.0/i586/rxvt-2.7.10-13.1.20060mlcs4.i586.rpm e4d09a0e068739291785382d215ef80d corporate/4.0/i586/rxvt-CJK-2.7.10-13.1.20060mlcs4.i586.rpm 889447e164e762ea80a1b64de69e5a15 corporate/4.0/SRPMS/rxvt-2.7.10-13.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 186d8735347752199a6da2f369bf7f93 corporate/4.0/x86_64/rxvt-2.7.10-13.1.20060mlcs4.x86_64.rpm fab3e425e1d0d39a298c0000203a7ebb corporate/4.0/x86_64/rxvt-CJK-2.7.10-13.1.20060mlcs4.x86_64.rpm 889447e164e762ea80a1b64de69e5a15 corporate/4.0/SRPMS/rxvt-2.7.10-13.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIm0bNmqjQ0CJFipgRAszKAKCJJ52NXN7/hfGfe5NLC6BKlI6POACdFkBh a7gln4nBgMCPOGNn6TRE1U8= =zzJU -----END PGP SIGNATURE-----