MDVA-2010:108: kde4
In Mandriva 2010.0 we provided KDE 4.3.2. This update brings KDE to
version 4.3.5; overall, it provides many bug fixes and enhancements.
For a complete list of changes, see the official announcement
at http://www.kde.org/announcements/announce-4.3.5.php
In addition we are providing new versions of digikam, k3b and
kbluetooth.
MDVSA-2010:062: curl
A vulnerability has been found and corrected in curl:
content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is
enabled, does not properly restrict the amount of callback data sent
to an application that requests automatic decompression, which might
allow remote attackers to cause a denial of service (application
crash) or have unspecified other impact by sending crafted compressed
data to an application that relies on the intended data-length limit
(CVE-2010-0734).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
MDVA-2010:107: pulseaudio
The version of PulseAudio shipped with 2010.0 has had numerous bug
fixes since it was released. This updates the PulseAudio package to
0.9.21 which contains most of the bug fixes (the package versions from
0.9.17 through 0.9.21 are all considered bugfix updates). Additional
fixes from the upstream stable-queue branch are also included in
this package. The fixes include better support for variations in ALSA
mixer elements, bluetooth fixes and general stability fixes.
Additionally, the ALSA library shipped with 2010.0 had some flaws
in the way certain timer events were handled and with how parameters
were set for some input devices (most notably the microphone in some
Logitech Web Cams). Fixes for these flaws are also included.
MDVA-2010:106: system-config-printer
In Mandriva 2010.0, there was a missing requires that made it impossible
to choose a printer through Samba.
Also, in Mandriva 2010.0, the cups service couldn't be started if
the user started s-c-p manually.
This update fixes these issues.
MDVA-2010:105: lvm2
Updated packages for lvm2 and device mapper correct malfunctioning
of dmeventd and errors while creating snapshots and mirrored targets.
MDVA-2010:104: iptables
This update adds missing header files which are necessary to compile
third-party applications based on iptables.
MDVA-2010:103: poppler
The Poppler cairo backend was not handling PDF image prescaling
correctly, causing some PDF files (mostly from scanned text) to
be unreadable. This update fixes this issue and includes other
stability fixes.
MDVA-2010:101: timezone
Updated timezone packages are being provided for older Mandriva Linux
systems that do not contain new Daylight Savings Time information
and Time Zone information for some locations. These updated packages
contain the new information.
MDVA-2010:102: mandriva-release
The RPM packages tag was wrong in the mandriva-release package
released with Mandriva Enterprise Server 5.1. This only affected
packages rebuilt in that system.
This update addresses that issue.
MDVA-2010:100: rootcerts
The Adobe Flash plugin has https support, but only searches for SSL
certificates in /etc/ssl/certs. This advisory provides a compatibility
symlink at /etc/ssl/certs pointing to /etc/pki/tls/certs to remedy
this problem.
Additionally, this advisory brings the latest root CA certs
from the Mozilla CVS dated 2010-02-16. The Mozilla NSS library has
consequently been rebuilt to pick up these changes and is also being
provided.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
MDVSA-2010:061: ncpfs
Multiple vulnerabilities have been found and corrected in ncpfs:
sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed
error messages about the results of privileged file-access attempts,
which allows local users to determine the existence of arbitrary
files via the mountpoint name (CVE-2010-0790).
The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs
2.2.6 do not properly create lock files, which allows local users
to cause a denial of service (application failure) via unspecified
vectors that trigger the creation of a /etc/mtab~ file that persists
after the program exits (CVE-2010-0791).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct these issues.
MDVA-2010:099: foomatic-db
There was a regression in certain versions of foomatic-rip 3 and 4,
which has since been fixed. As a result, old versions fail the LSB
printing tests.
This advisory updates foomatic-db to 4.0, which passes the LSB tests,
and also provides various updated printing software and drivers.
MDVSA-2010:060: squid
A vulnerability has been found and corrected in squid:
The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0
through 3.0.STABLE23 allows remote attackers to cause a denial of
service (crash) via crafted packets to the HTCP port, which triggers
a NULL pointer dereference (CVE-2010-0639).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
MDVSA-2010:059: virtualbox
A vulnerability has been found and corrected in virtualbox:
Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox
1.6.x and 2.0.x before 2.0.12, 2.1.x, and 2.2.x, and Sun
VirtualBox before 3.0.10, allows guest OS users to cause a denial
of service (memory consumption) on the guest OS via unknown vectors
(CVE-2009-3940).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
MDVSA-2010:058: php
Multiple vulnerabilities have been found and corrected in php:
* Improved LCG entropy. (Rasmus, Samy Kamkar)
* Fixed safe_mode validation inside tempnam() when the directory
path does not end with a /. (Martin Jansen)
* Fixed a possible open_basedir/safe_mode bypass in the session
extension identified by Grzegorz Stachowiak. (Ilia)
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct these issues.
MDVA-2010:098: urpmi
Fix package signature management when a package is in 2
sub-repositories with the same version but a different signature. This
problem occurred when local media were used.
MDVA-2010:096-1: mmc-wizard
Revert third-party integration for now as some issues were discovered.
Update:
The mmc-wizard-1.0-13.10mdvmes5 update packages brought new
unresolved dependencies which prevented it from installing using
MandrivaUpdate. This advisory resolves this problem by providing the
missing packages.
MDVSA-2010:057: apache
A vulnerability has been found and corrected in apache:
The ap_read_request function in server/protocol.c in the Apache HTTP
Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does
not properly handle headers in subrequests in certain circumstances
involving a parent request that has a body, which might allow remote
attackers to obtain sensitive information via a crafted request that
triggers access to memory locations associated with an earlier request
(CVE-2010-0434).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
The updated packages have been patched to correct this issue.
MDVSA-2010:056: openoffice.org
This update provides the OpenOffice.org 3.0 major version and holds
the security fixes for the following issues:
An integer underflow might allow remote attackers to execute arbitrary
code via crafted records in the document table of a Word document
leading to a heap-based buffer overflow (CVE-2009-0200).
A heap-based buffer overflow might allow remote attackers to execute
arbitrary code via unspecified records in a crafted Word document
related to table parsing (CVE-2009-0201).
Multiple heap-based buffer overflows allow remote attackers to execute
arbitrary code via a crafted EMF+ file (CVE-2009-2140).
OpenOffice's xmlsec uses a bundled Libtool which might load a .la
file from the current working directory, allowing local users to gain
privileges via a Trojan horse file. To be exposed to this vulnerability,
xmlsec has to be built with the --enable-crypto_dl flag, which it is
not; the fix nevertheless keeps it protected against this threat
whenever that flag has been enabled (CVE-2009-3736).
Additional packages are also being provided due to dependencies.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
MDVA-2010:097: nulog
Add a BuildRequires on python-twisted-core to get rid of a file
dependency on /usr/bin/twistd.
