[Full-disclosure] [ MDVSA-2010:205 ] freeciv



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:205
http://www.mandriva.com/security/
_______________________________________________________________________

Package : freeciv
Date : October 15, 2010
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

A vulnerability was discovered and corrected in freeciv:

freeciv 2.2 before 2.2.1 and 2.3 before 2.3.0 allows attackers to
read arbitrary files or execute arbitrary commands via scenario
that contains Lua functionality, related to the (1) os, (2) io, (3)
package, (4) dofile, (5) loadfile, (6) loadlib, (7) module, and (8)
require modules or functions (CVE-2010-2445).

The updated packages have been upgraded to v2.2.1 which is not
vulnerable to this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2445
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.0:
f2e462016bfa51641c707193f15050b4 2010.0/i586/freeciv-client-2.2.1-0.1mdv2010.0.i586.rpm
7e28a7979376addeac1ece3abcd00865 2010.0/i586/freeciv-data-2.2.1-0.1mdv2010.0.i586.rpm
ed7806f924cc1ecaf780ab6a73484b86 2010.0/i586/freeciv-server-2.2.1-0.1mdv2010.0.i586.rpm
9447db00f5008ab4373bd4c03af7bc4b 2010.0/SRPMS/freeciv-2.2.1-0.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
8f268efc340ce284141c20a1fb345df8 2010.0/x86_64/freeciv-client-2.2.1-0.1mdv2010.0.x86_64.rpm
eaeb56096e20284e194ee28f212deb05 2010.0/x86_64/freeciv-data-2.2.1-0.1mdv2010.0.x86_64.rpm
aa1376b65f2c4e2577dfcebbb6818894 2010.0/x86_64/freeciv-server-2.2.1-0.1mdv2010.0.x86_64.rpm
9447db00f5008ab4373bd4c03af7bc4b 2010.0/SRPMS/freeciv-2.2.1-0.1mdv2010.0.src.rpm

Mandriva Linux 2010.1:
2d1e4377d45abcc5665c26f02d4307aa 2010.1/i586/freeciv-client-2.2.1-0.1mdv2010.1.i586.rpm
3ca4f6fc9f371c8d5582a1b8ad4b6287 2010.1/i586/freeciv-data-2.2.1-0.1mdv2010.1.i586.rpm
374b4e4171e1616443c9c02bf6fbfe6d 2010.1/i586/freeciv-server-2.2.1-0.1mdv2010.1.i586.rpm
00d1331c2e1cf23b38fb97fb461d2329 2010.1/SRPMS/freeciv-2.2.1-0.1mdv2010.1.src.rpm

Mandriva Linux 2010.1/X86_64:
745e0b2e0766e83df352579cc233aae4 2010.1/x86_64/freeciv-client-2.2.1-0.1mdv2010.1.x86_64.rpm
c6d9f073d456bb7970a27352eb613d6b 2010.1/x86_64/freeciv-data-2.2.1-0.1mdv2010.1.x86_64.rpm
d4557ce2c4772e5da2457f6f38a8b37a 2010.1/x86_64/freeciv-server-2.2.1-0.1mdv2010.1.x86_64.rpm
00d1331c2e1cf23b38fb97fb461d2329 2010.1/SRPMS/freeciv-2.2.1-0.1mdv2010.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMuCVXmqjQ0CJFipgRAjmyAJ9O8CcnkJ9IBNEL6rlSc2C/+H6tkwCfWsOj
4EvFV7Efhy5TCTSqyYhN9lg=
=NK6h
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [Full-disclosure] [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Full-Disclosure)
  • [ MDVSA-2010:073-1 ] cups
    ... Use-after-free vulnerability in the abstract file-descriptor handling ... scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers ... The updated packages have been patched to correct these issues. ... Packages for Mandriva Linux 2010.0 was missing with ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2010:084 ] java-1.6.0-openjdk
    ... Multiple Java OpenJDK security vulnerabilities has been identified ... CMM readMabCurveData Buffer Overflow Vulnerability. ... Packages for 2009.0 are provided due to the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ...
    (Bugtraq)
  • [Full-disclosure] [ MDKSA-2007:079-1 ] - Updated xorg-x11/XFree86 packages fix i
    ... Local exploitation of a memory corruption vulnerability in the X.Org ... Updated packages are patched to address these issues. ... Packages for Mandriva Linux 2007.1 are now available. ...
    (Full-Disclosure)