The Adobe Flash plugin has https support, but only searches for SSL
certificates in /etc/ssl/certs. This advisory provides a compatibility
symlink at /etc/ssl/certs pointing to /etc/pki/tls/certs to remedy
this problem.

Additionally this advisory also brings the latest root CA certs
from the mozilla cvs dated 2010-02-16. The mozilla nss library has
consequently been rebuilt to pickup these changes and are also being
provided.

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

Multiple vulnerabilities has been found and corrected in ncpfs:

sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed
error messages about the results of privileged file-access attempts,
which allows local users to determine the existence of arbitrary
files via the mountpoint name (CVE-2010-0790).

The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs
2.2.6 do not properly create lock files, which allows local users
to cause a denial of service (application failure) via unspecified
vectors that trigger the creation of a /etc/mtab~ file that persists
after the program exits (CVE-2010-0791).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct these issues.

There was a regression in certain versions of foomatic-rip 3 and 4,
which has since been fixed. As a result, old versions fail the LSB
printing tests.

This advisory updates foomatic-db to 4.0 that passes the LSB tests
and also provides various updated printing softwares and drivers.

A vulnerability has been found and corrected in squid:

The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0
through 3.0.STABLE23 allows remote attackers to cause a denial of
service (crash) via crafted packets to the HTCP port, which triggers
a NULL pointer dereference (CVE-2010-0639).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.

A vulnerability has been found and corrected in virtualbox:

Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox
1.6.x and 2.0.x before 2.0.12, 2.1.x, and 2.2.x, and Sun
VirtualBox before 3.0.10, allows guest OS users to cause a denial
of service (memory consumption) on the guest OS via unknown vectors
(CVE-2009-3940).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.

Multiple vulnerabilities has been found and corrected in php:

* Improved LCG entropy. (Rasmus, Samy Kamkar)
* Fixed safe_mode validation inside tempnam() when the directory
path does not end with a /). (Martin Jansen)
* Fixed a possible open_basedir/safe_mode bypass in the session
extension identified by Grzegorz Stachowiak. (Ilia)

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct these issues.

Fix packages signature management when a package is in 2
sub-repositories same version but different signature. This problem
occured when local media were used.

Revert third party integration for now as some issues were discovered.

Update:

The mmc-wizard-1.0-13.10mdvmes5 update packages brought new
unresolved dependancies wich prevented it from installing using
MandrivaUpdate. This advisory resolves this problem by providing the
missing packages.

A vulnerabilitiy has been found and corrected in apache:

The ap_read_request function in server/protocol.c in the Apache HTTP
Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does
not properly handle headers in subrequests in certain circumstances
involving a parent request that has a body, which might allow remote
attackers to obtain sensitive information via a crafted request that
triggers access to memory locations associated with an earlier request
(CVE-2010-0434).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

The updated packages have been patched to correct this issue.

This update provides the OpenOffice.org 3.0 major version and holds
the security fixes for the following issues:

An integer underflow might allow remote attackers to execute arbitrary
code via crafted records in the document table of a Word document
leading to a heap-based buffer overflow (CVE-2009-0200).

An heap-based buffer overflow might allow remote attackers to execute
arbitrary code via unspecified records in a crafted Word document
related to table parsing. (CVE-2009-0201).

Multiple heap-based buffer overflows allow remote attackers to execute
arbitrary code via a crafted EMF+ file (CVE-2009-2140).

OpenOffice's xmlsec uses a bundled Libtool which might load .la
file in the current working directory allowing local users to gain
privileges via a Trojan horse file. For enabling such vulnerability
xmlsec has to use --enable-crypto_dl building flag however it does
not, although the fix keeps protected against this threat whenever
that flag had been enabled (CVE-2009-3736).

Additional packages are also being provided due to dependencies.

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

Add a buildrequire on python-twisted-core to get rid of a file deps
on /usr/bin/twistd

At OSFree project we are currently working to get 0.0.5 milestone which it is "Filesystem API  implementation. LX loader must allow loading of MINICMD.EXE task via L4VFS  and execute it. Minimal set of API must be implemented. All pointers operations must be replaced by handles (implement handle manager). OS/2 Server must be much structured. "

We expect this milestone to be completed in May. You are invited to check the roadmap at: www.osfree.org/wiki/doku.php/en:roadmap

Any developer is welcome on this open source project. There is still a lot to be done like in the following areas:

1. Presentation Manager. Draft sources exists from FreePM project. Sources allow to imagine architecture of PM (it is client-server, like X) and GPI part (GD used as background to provide primitives)

2. Installer subsystem. WarpIn based. We need to get warpin sources and provide special backends for installation time (this means not directly create WPS objects, profiles modification but create first-time-start scripts instead).

3. Command line tools. Make revision. Add missed features.

osFree is a FOSS (Free Open Source software) operating system development project, aiming to replace eventually all OS/2 subsystems with Open source analogues. It aims for OS/2 Warp 4 (Merlin) as a base compatibility system, which does not mean that we will not support features of newer (OS/2 Warp Server for e-business and eComStation) OS/2 versions. This includes rewriting not only user-level code but the OS/2 kernel too.

Visit the Project's Homepage at: www.osfree.org

You can visit the Chat Room at: irc://efnet/osfree

Or you can visit the Forums at: www.osfree.org/board/

We are reusing many other Open Source projects.
The projects are listed at:
www.osfree.org/wiki/doku.php/en:credits

If you are a developer and you are willing to help us in building an Open Source OS/2 replacement please visit this page, we need your help:
www.osfree.org/wiki/doku.php/en:develop


Please remember that you can support OSFree by making a paypal donation at:
sourceforge.net/donate/index.php


Regards

OSFree Team

eCoSoftware toolkit is updated, DevCon site:

ecomstation.ru/projects/developer/

 

How to reanimate old project?

* step 1: switch to LANGE library ecomstation.ru/lange => this will

make you read the source code of your program, simplify and refine it, remember its structure.

Multilanguage support will attract more users.

 

* step 2: use modern MsgBox and Progress bar:

ecomstation.ru/projects/developer/

 

* step 3: update artwork: use transparent PNG instead of ugly BMP and ICO

(send us a request, we are going draw icons for some applications and

utilities free of charge)

 

Now you can move to the next stage - update the engine of

you program (update algorithm, use modern formats of files, use modern libraries)

Revert third party integration for now as some issues were discovered.

Paul Smedley has updated ImageMagick to v6.6.0-3. www.smedley.info/os2ports/

os2ports.smedley.info/index.php

"ImageMagick, is a software suite to create, edit, and compose bitmap images."

Download: download.smedley.info/ImageMagick-6.6.0-3-os2-20100309.zip
Requires: ftp://ftp.netlabs.org/pub/gcc/libc-0.6.3-csd3.zip

Please let Paul know if you find this software useful. He needs user
feedback to continue work on these projects. He maintains a bug tracker
for many projects at mantis.smedley.info It just requires a simple
registration.

If you'd like to help support continued development of this project (and
many others) for OS/2 & eComStation, please consider making a donation
either via Paypal using the link on Paul's website, or using the Mensys
Online Store www.mensys.net/os2ports/

Paul Smedley has updated PHP to v5.2.13. www.smedley.info/os2ports/

os2ports.smedley.info/index.php

"PHP is a widely-used general-purpose scripting language"

Download: download.smedley.info/php-5.2.13-os2-20100308.zip
Requires: ftp://ftp.netlabs.org/pub/gcc/libc-0.6.3-csd3.zip

Please let Paul know if you find this software useful. He needs user
feedback to continue work on these projects. He maintains a bug tracker
for many projects at mantis.smedley.info It just requires a simple
registration.

If you'd like to help support continued development of this project (and
many others) for OS/2 & eComStation, please consider making a donation
either via Paypal using the link on Paul's website, or using the Mensys
Online Store www.mensys.net/os2ports/

An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799).

Multiple input validation flaws in the JBIG2 decoder allows
remote attackers to execute arbitrary code via a crafted PDF file
(CVE-2009-0800).

An integer overflow in the JBIG2 decoder allows remote attackers to
execute arbitrary code via a crafted PDF file (CVE-2009-1179).

A free of invalid data flaw in the JBIG2 decoder allows remote
attackers to execute arbitrary code via a crafted PDF (CVE-2009-1180).

A NULL pointer dereference flaw in the JBIG2 decoder allows remote
attackers to cause denial of service (crash) via a crafted PDF file
(CVE-2009-1181).

Multiple buffer overflows in the JBIG2 MMR decoder allows remote
attackers to cause denial of service or to execute arbitrary code
via a crafted PDF file (CVE-2009-1182, CVE-2009-1183).

An integer overflow in the JBIG2 decoding feature allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via vectors related to CairoOutputDev (CVE-2009-1187).

An integer overflow in the JBIG2 decoding feature allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted PDF document (CVE-2009-1188).

Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x
before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers
to execute arbitrary code via a crafted PDF document that triggers a
heap-based buffer overflow. NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).

The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF,
does not properly allocate memory, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted PDF document that triggers a NULL pointer
dereference or a heap-based buffer overflow (CVE-2009-3604).

Multiple integer overflows allow remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via a crafted PDF file, related to (1) glib/poppler-page.cc; (2)
ArthurOutputDev.cc, (3) CairoOutputDev.cc, (4) GfxState.cc, (5)
JBIG2Stream.cc, (6) PSOutputDev.cc, and (7) SplashOutputDev.cc
in poppler/; and (8) SplashBitmap.cc, (9) Splash.cc, and (10)
SplashFTFont.cc in splash/. NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605).

Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
allow remote attackers to execute arbitrary code via a crafted PDF
document that triggers a heap-based buffer overflow (CVE-2009-3606).

Integer overflow in the create_surface_from_thumbnail_data function
in glib/poppler-page.cc allows remote attackers to cause a denial of
service (memory corruption) or possibly execute arbitrary code via a
crafted PDF document that triggers a heap-based buffer overflow. NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).

Integer overflow in the ObjectStream::ObjectStream function in XRef.cc
in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in
GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote
attackers to execute arbitrary code via a crafted PDF document that
triggers a heap-based buffer overflow (CVE-2009-3608).

Integer overflow in the ImageStream::ImageStream function in Stream.cc
in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf,
kdegraphics KPDF, and CUPS pdftops, allows remote attackers to
cause a denial of service (application crash) via a crafted PDF
document that triggers a NULL pointer dereference or buffer over-read
(CVE-2009-3609).

Buffer overflow in the ABWOutputDev::endWord function in
poppler/ABWOutputDev.cc as used by the Abiword pdftoabw utility,
allows user-assisted remote attackers to cause a denial of service and
possibly execute arbitrary code via a crafted PDF file (CVE-2009-3938).
This update provides fixes for that vulnerabilities.

This update provides lots of bugs fixes and new functionalities for
installation:
- Add pt_BR translation for Advanced and Others stack
- Add NuFW stack
- Open postinstall links in new window
- Add post-installation feature + supplementary text description in
bundle display
- Request my.mandriva.com account validation when media add fails
- Check if media is already configured
- Remember login lang setting with a cookie

Pam_krb5 2.2.14 through 2.3.4 generates different password prompts
depending on whether the user account exists, which allows remote
attackers to enumerate valid usernames (CVE-2009-1384).

This update provides the version 2.3.5 of pam_krb5, which is not
vulnerable to this issue.