lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040922211502.18304.qmail@updates.mandrakesoft.com>
Date: 22 Sep 2004 21:15:02 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:100 - Updated mpg123 packages fix vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           mpg123
 Advisory ID:            MDKSA-2004:100
 Date:                   September 22nd, 2004

 Affected versions:	 10.0, 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A vulnerability in mpg123 was discovered by Davide Del Vecchio where
 certain malicious mpg3/2 files would cause mpg123 to fail header
 checks, which could in turn allow arbitrary code to be executed with
 the privileges of the user running mpg123 (CAN-2004-0805).
 
 As well, an older vulnerability in mpg123, where a response from a
 remote HTTP server could overflow a buffer allocated on the heap, is
 also fixed in these packages.  This vulnerability could also
 potentially permit the execution of arbitray code with the privileges
 of the user running mpg123 (CAN-2003-0865).
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0865
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0805
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 0b5270c11943064f9c0f7374f63cdc4c  10.0/RPMS/mpg123-0.59r-21.1.100mdk.i586.rpm
 8661f67e88ebc2821d4c5e212236465d  10.0/SRPMS/mpg123-0.59r-21.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 f6e601b01a3c8b24279b3465e784829a  amd64/10.0/RPMS/mpg123-0.59r-21.1.100mdk.amd64.rpm
 8661f67e88ebc2821d4c5e212236465d  amd64/10.0/SRPMS/mpg123-0.59r-21.1.100mdk.src.rpm

 Corporate Server 2.1:
 714d75b86c7a99c40f522cc45f69d136  corporate/2.1/RPMS/mpg123-0.59r-21.1.C21mdk.i586.rpm
 cba666174f4117e7776c9baa04f8983a  corporate/2.1/SRPMS/mpg123-0.59r-21.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 f7279fee83461fa06a9bbcc904b0ead2  x86_64/corporate/2.1/RPMS/mpg123-0.59r-21.1.C21mdk.x86_64.rpm
 cba666174f4117e7776c9baa04f8983a  x86_64/corporate/2.1/SRPMS/mpg123-0.59r-21.1.C21mdk.src.rpm

 Mandrakelinux 9.2:
 afe98cf7c89affb136b7048b3f387583  9.2/RPMS/mpg123-0.59r-21.1.92mdk.i586.rpm
 21a4273e29d60f0e79a5092b7713301b  9.2/SRPMS/mpg123-0.59r-21.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 590153b9ca949f851903d6010ced9ae8  amd64/9.2/RPMS/mpg123-0.59r-21.1.92mdk.amd64.rpm
 21a4273e29d60f0e79a5092b7713301b  amd64/9.2/SRPMS/mpg123-0.59r-21.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBUetWmqjQ0CJFipgRAlD8AJ9tY/3Soi6fKJqVRG7vRTDPhNBBuwCfYeXN
kX4V4dICCQtnTE2+3w4g03g=
=AKOr
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ