-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2007:173
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : tar
 Date    : September 4, 2007
 Affected: 2007.0, 2007.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Dmitry V. Levin discovered a path traversal flaw in how GNU tar
 extracted archives. A malicious user could create a tar archive that
 could write to arbitrary files that the user running tar has write
 access to.

 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.0:
 8f82a3a1e903928948584afac733c0be  2007.0/i586/tar-1.15.91-1.2mdv2007.0.i586.rpm
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 e4d6a38673a213ee0011624ecd6b5667  2007.0/x86_64/tar-1.15.91-1.2mdv2007.0.x86_64.rpm
 65e7c9a6300a397c71cbfe1c1854e491  2007.0/SRPMS/tar-1.15.91-1.2mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 003db92130c44646c89d127db26a4fd8  2007.1/i586/tar-1.16-3.1mdv2007.1.i586.rpm
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 92323c0cb0bd466e2a35e6b02f01778b  2007.1/x86_64/tar-1.16-3.1mdv2007.1.x86_64.rpm
 d929dd2ef2716987b8890542fb762693  2007.1/SRPMS/tar-1.16-3.1mdv2007.1.src.rpm

 Corporate 4.0:
 ecc995d361f75e3618cb23e000f012cf  corporate/4.0/i586/tar-1.15.1-5.3.20060mlcs4.i586.rpm
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 61513a4da673ea8d5ffb4fe26f346488  corporate/4.0/x86_64/tar-1.15.1-5.3.20060mlcs4.x86_64.rpm
 1831cb7c8437d7f68c6e53d3980a0049  corporate/4.0/SRPMS/tar-1.15.1-5.3.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG3eWimqjQ0CJFipgRAnYAAJ0RL4xQslR0uit2VfqOLtshNBWACwCgxbh8
nMLWpKWv+9ZVFr3CDD5CNc4=
=lmMn
-----END PGP SIGNATURE-----
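
Added example (not part of the advisory, and not the patch shipped in the updated packages): a pre-extraction audit for the class of flaw described above, listing archive members whose names or link targets would resolve outside the extraction directory. The function names, the virtual root `/dest` and the in-memory sample archive are constructed for illustration; the check is purely lexical and does not account for symlinks already present on disk.

```python
import io
import posixpath
import tarfile

ROOT = "/dest"  # virtual extraction root (assumption); nothing is written to disk


def _escapes(path):
    """True if the normalized path is neither ROOT itself nor below it."""
    norm = posixpath.normpath(path)
    return norm != ROOT and not norm.startswith(ROOT + "/")


def unsafe_members(tar):
    """Return (member name, reason) pairs for entries that could write outside ROOT."""
    findings = []
    for m in tar.getmembers():
        dest = posixpath.join(ROOT, m.name)
        if m.name.startswith("/"):
            findings.append((m.name, "absolute path"))
        elif _escapes(dest):
            findings.append((m.name, "dot-dot escapes root"))
        # Symlink targets are relative to the link's own directory.
        elif m.issym() and _escapes(posixpath.join(posixpath.dirname(dest), m.linkname)):
            findings.append((m.name, "symlink target outside root"))
        # Hard-link targets are relative to the archive root.
        elif m.islnk() and _escapes(posixpath.join(ROOT, m.linkname)):
            findings.append((m.name, "hard link target outside root"))
    return findings


def constructed_sample():
    """Build a small in-memory archive (constructed test data, not from the advisory)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/a/../b.txt",
                     "docs/../../outside.txt", "/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 2
            tar.addfile(info, io.BytesIO(b"x\n"))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../elsewhere"
        tar.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    for name, reason in unsafe_members(constructed_sample()):
        print(f"{reason}: {name}")
```

A `..` component that stays inside the root (`docs/a/../b.txt` in the sample) is not flagged; only members whose normalized destination leaves the root are reported.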