These advisories date from the period between 15 and 17 December, but they should be heeded nonetheless.
-----Slackware-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] lftp security update (SSA:2003-346-01)
lftp is a file transfer program that connects to other hosts
using FTP, HTTP, and other protocols.
A security problem with lftp has been corrected with the release
of lftp-2.6.10. New packages are available for Slackware 8.1,
9.0, 9.1, and -current. Any sites using lftp should upgrade to
the new packages.
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Fri Dec 12 11:12:05 PST 2003
patches/packages/lftp-2.6.10-i486-1.tgz: Upgraded to lftp-2.6.10.
According to the NEWS file, this includes "security fixes in html
parsing code" which could cause a compromise when using lftp to
access an untrusted site.
(* Security fix *)
+--------------------------+
WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/sl…6.10-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/sl…6.10-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/sl…6.10-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/sl…6.10-i486-1.tgz
MD5 SIGNATURES:
+-------------+
Slackware 8.1 package:
1e7eae2a8279491d439f4494c8733aa2 lftp-2.6.10-i386-1.tgz
Slackware 9.0 package:
af80878951917a6683bc3076947f2632 lftp-2.6.10-i386-1.tgz
Slackware 9.1 package:
e053a1641f1f16de8d2659e70ca81c04 lftp-2.6.10-i486-1.tgz
Slackware -current package:
07e76203820f54983cbc4591cc830b97 lftp-2.6.10-i486-1.tgz
INSTALLATION INSTRUCTIONS:
+------------------------+
Upgrade the package as root:
# upgradepkg lftp-2.6.10-i486-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
-----immunix-----
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: lftp
Affected products: Immunix OS 7.3
Bugs fixed: CAN-2003-0963
Date: Tue Dec 9 2003
Advisory ID: IMNX-2003-73-002-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------
Description:
Ulf Härnhammar has discovered remotely triggerable buffer overflows
in lftp; this update fixes both of these problems. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0963 to this issue.
StackGuard should not be relied on to mitigate this vulnerability.
Immunix 7.3 users may use our up2date service to install fixed
packages: you may run either "up2date" within X, and follow the
directions, or run "up2date -u" to ensure your system is current.
Package names and locations:
Precompiled binary packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.…imnx_3.i386.rpm
Source packages for Immunix 7.3 are available at:
http://download.immunix.org/ImmunixOS/7.…_imnx_3.src.rpm
Immunix OS 7.3 md5sums:
01863149ee0914c2ff3ea21fb66b7eac RPMS/lftp-2.4.9-1_imnx_3.i386.rpm
ea33a569204f4413065eaa2f5ae2eadc SRPMS/lftp-2.4.9-1_imnx_3.src.rpm
GPG verification:
Our public keys are available at
http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 7+ will not be officially supported after March 1 2004.
ImmunixOS 7.0 is no longer officially supported.
ImmunixOS 6.2 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.
-----SuSE-----
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: lftp
Announcement-ID: SuSE-SA:2003:051
Date: Monday, Dec 15th 2003 14:30 MET
Affected products: 8.2, 9.0
remote system compromise
Severity (1-10): 3
SUSE default package: no
Cross References:
Content of this advisory:
1) security vulnerability resolved:
- local buffer overflow
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- mc
- mod_gzip
- freeradius
- tripwire
- cvs
- irssi
- atftp
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The flexible and powerful FTP command-line client lftp is vulnerable
to two remote buffer overflows.
When using lftp via HTTP or HTTPS to execute commands like 'ls' or 'rels'
specially prepared directories on the server can trigger a buffer overflow
in the HTTP handling functions of lftp to possibly execute arbitrary code
on the client-side.
Please note, to exploit these bugs an attacker has to control the server-
side of the context and the attacker will only gain access to the account
of the user that is executing lftp.
There is no temporary workaround known.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
Intel i386 Platform:
SuSE-9.0:
ftp://ftp.suse.com/pub/suse/i386/update/…6.6-71.i586.rpm
2e5aee46868b5b19c26a8559927e8663
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/….i586.patch.rpm
0468cf8f2b2b4c18a854f51ef63470b7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/….6.6-71.src.rpm
a32eee3ff4eeb322d44f04b9f8ff4c9c
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/…6.4-44.i586.rpm
df0d7c059cd3bb4fe47c927849fd9a5e
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/….i586.patch.rpm
eb9d6aedc25d3e2d25b63999526ee1bd
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/….6.4-44.src.rpm
63695b02bf520b02f93ec73078d6e4d8
______________________________________________________________________________
2) Pending vulnerabilities in SUSE Distributions and Workarounds:
- mc
By using a special combination of links in archive-files it is possible
to execute arbitrary commands while mc tries to open it in its VFS.
The packages are currently being tested and will be released as soon as
possible.
- mod_gzip
The apache module mod_gzip is vulnerable to remote code execution
while running in debug-mode. We do not ship this module in debug-mode
but future versions will include the fix.
Additionally the mod_gzip code was audited to fix more possible security
related bugs.
- freeradius
Two vulnerabilities were found in the FreeRADIUS package.
The remote denial-of-service attack bug was fixed and new packages
will be released as soon as testing was successfully finished.
The other bug is a remote buffer overflow in the module rlm_smb.
We do not ship this module and will fix it for future releases.
- tripwire
Tripwire is a file integrity checker. The tripwire versions on SuSE Linux
8.2 and 9.0 crash when a requested file does not exist.
New packages will be available soon.
- cvs
The cvs server-side can be tricked to create files in the root filesystem
of the server by requesting malformed modules. The permissions on the
root filesystem normally prevent this malfunction.
New packages will be available soon.
- irssi
Under special circumstances the irc-client irssi can be crashed
remotely by other irc-clients.
A fix will be available soon.
- atftp
A buffer overflow vulnerability discovered by Rick Patel has been
fixed in the atftpd (trivial file transfer protocol, UDP oriented)
daemon, contained in the atftp package. Update packages for the
affected SUSE Linux distributions 8.1 and 8.2 have been published on
our ftp server today.
We explicitly thank Dirk Mueller, KDE developer, for notifying SUSE
Security about the pending treatment of this incident.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We recommend against subscribing to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SUSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an email to <suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an email to <suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
-----RedHat-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated lftp packages fix security vulnerability
Advisory ID: RHSA-2003:403-01
Issue date: 2003-12-16
Updated on: 2003-12-16
Product: Red Hat Linux
Keywords:
Cross references:
Obsoletes:
CVE Names: CAN-2003-0963
- ---------------------------------------------------------------------
1. Topic:
Updated lftp packages are now available that fix a buffer overflow
security vulnerability.
2. Relevant releases/architectures:
Red Hat Linux 7.2 - i386, ia64
Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386
Red Hat Linux 9 - i386
3. Problem description:
lftp is a command-line file transfer program supporting FTP and HTTP
protocols.
Ulf Härnhammar discovered a buffer overflow bug in versions of lftp up to
and including 2.6.9. An attacker could create a carefully crafted
directory on a website such that, if a user connects to that directory
using the lftp client and subsequently issues a 'ls' or 'rels' command, the
attacker could execute arbitrary code on the user's machine. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0963 to this issue.
Users of lftp are advised to upgrade to these erratum packages, which
contain a backported security patch and are not vulnerable to this issue.
Red Hat would like to thank Ulf Härnhammar for discovering and alerting us
to this issue.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
If up2date fails to connect to Red Hat Network due to SSL Certificate
Errors, you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat
FTP site and may also be downloaded directly from the RHN website:
https://rhn.redhat.com/help/latest-up2date.pxt
5. RPMs required:
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS…2.4.9-2.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/….4.9-2.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/….4.9-2.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS…2.4.9-2.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/….4.9-2.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS…2.5.2-6.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/….5.2-6.i386.rpm
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/lftp-2.6.3-4.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/lftp-2.6.3-4.i386.rpm
6. Verification:
MD5 sum Package Name
- --------------------------------------------------------------------------
fc135158bb815852827c057342a163ae 7.2/en/os/SRPMS/lftp-2.4.9-2.src.rpm
a9e10adf4c53f444ae4c628c082ac45d 7.2/en/os/i386/lftp-2.4.9-2.i386.rpm
429b62e868da2b23d6f55ee9fe922687 7.2/en/os/ia64/lftp-2.4.9-2.ia64.rpm
fc135158bb815852827c057342a163ae 7.3/en/os/SRPMS/lftp-2.4.9-2.src.rpm
a9e10adf4c53f444ae4c628c082ac45d 7.3/en/os/i386/lftp-2.4.9-2.i386.rpm
b62685fd9517fb489418165afd78fd76 8.0/en/os/SRPMS/lftp-2.5.2-6.src.rpm
9ba7d379882bdebcca3fdfb86a153ffe 8.0/en/os/i386/lftp-2.5.2-6.i386.rpm
a4ef0a84493aa570bc7625904bc42c18 9/en/os/SRPMS/lftp-2.6.3-4.src.rpm
7bee4629496d2085856c103927470c28 9/en/os/i386/lftp-2.6.3-4.i386.rpm
These packages are GPG signed by Red Hat for security. Our key is
available from
https://www.redhat.com/security/keys.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0963
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at
https://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.
-----gentoo-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07
- --------------------------------------------------------------------------
GLSA: 200312-07
Package: net-ftp/lftp
Summary: Two buffer overflow problems found in lftp
Severity: minimal
Gentoo bug: 35866
Date: 2003-12-16
CVE: CAN-2003-0963
Exploit: remote
Affected: <=2.6.9
Fixed: >=2.6.10
DESCRIPTION:
Two buffer overflow problems have been found in lftp, a multithreaded
command-line based FTP client. A specially created directory on a web
server could be used to execute arbitrary code on the connecting machine.
The user's machine has to connect to a malicious web server using HTTP or
HTTPS, then issue an "ls" or "rels" command.
Please see
<http://www.securityfocus.com/archive/1/3…13/2003-12-19/0>
for more details on this problem.
SOLUTION:
All machines which have net-ftp/lftp installed should be updated to use
version 2.6.10 or higher using these commands:
emerge sync
emerge -pv '>=net-ftp/lftp-2.6.10'
emerge '>=net-ftp/lftp-2.6.10'
emerge clean
// end
-----mandrake-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrake Linux Security Update Advisory
_______________________________________________________________________
Package name: lftp
Advisory ID: MDKSA-2003:116
Date: December 15th, 2003
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1
______________________________________________________________________
Problem Description:
A buffer overflow vulnerability was discovered by Ulf Harnhammar in
the lftp FTP client when connecting to a web server using HTTP or
HTTPS and using the "ls" or "rels" command on a specially prepared
directory. This vulnerability exists in lftp versions 2.3.0 through
2.6.9 and is corrected upstream in 2.6.10.
The updated packages are patched to protect against this problem.
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
701dc411181f76222b9da521ecb918ea corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.i586.rpm
645a7dc1cb448119e396caa811f166f4 corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
4fb0dba34a2bf34eb308302a3c3a539a x86_64/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.x86_64.rpm
645a7dc1cb448119e396caa811f166f4 x86_64/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm
Mandrake Linux 9.0:
d25f45fc551ba6dff648b5606cf28f50 9.0/RPMS/lftp-2.6.0-1.1.90mdk.i586.rpm
d61a1547159595711598777db73bab3e 9.0/SRPMS/lftp-2.6.0-1.1.90mdk.src.rpm
Mandrake Linux 9.1:
c4b66d9cd6da996a8b75f8e64f53453f 9.1/RPMS/lftp-2.6.4-2.1.91mdk.i586.rpm
025d21cc6a3e309760ffe36d51fc091a 9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm
Mandrake Linux 9.1/PPC:
2f282a7fa70ab9d0a8e556ecaf95bfd9 ppc/9.1/RPMS/lftp-2.6.4-2.1.91mdk.ppc.rpm
025d21cc6a3e309760ffe36d51fc091a ppc/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm
Mandrake Linux 9.2:
c24d53a5c4566d0ef9155fe427347fa8 9.2/RPMS/lftp-2.6.6-2.1.92mdk.i586.rpm
38cd1ea07bd0e2cbfbfaaf8b84d505e3 9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
Mandrake Linux 9.2/AMD64:
72cc8612325d8e985c3bbe40fa34fd8b amd64/9.2/RPMS/lftp-2.6.6-2.1.92mdk.amd64.rpm
38cd1ea07bd0e2cbfbfaaf8b84d505e3 amd64/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>
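The md5sum check described in the SUSE appendix and in section 6 of the Red Hat advisory, written out as an added shell example (not part of any of the advisories above). The function names listed_md5 and verify_pkg are hypothetical; the script assumes the advisory text was saved to a file and its signature already checked with gpg --verify, and that checksum lines have the form "<md5> <path>". It matches on the full listed path and refuses an entry whose name appears with differing sums, as happens when the same file name is listed for more than one release.

```shell
#!/bin/sh
# Added example: look up the MD5 an advisory lists for one package path and
# compare it with a downloaded file. Function names are hypothetical.

# listed_md5 ADVISORY LISTED_PATH
# Prints the 32-hex-digit sum from the line "<md5> <path>" whose path equals
# LISTED_PATH exactly. Fails if the path is absent or is listed more than
# once with differing sums (ambiguous entry).
listed_md5() {
    awk -v want="$2" '
        NF == 2 && length($1) == 32 && $1 ~ /^[0-9A-Fa-f]+$/ && $2 == want {
            sum = tolower($1)
            if (found && sum != first) conflict = 1
            if (!found) { first = sum; found = 1 }
        }
        END {
            if (!found || conflict) exit 1
            print first
        }' "$1"
}

# verify_pkg ADVISORY LISTED_PATH FILE
# Returns 0 on match, 1 on mismatch, 2 if the advisory has no usable entry
# for LISTED_PATH or FILE cannot be read.
verify_pkg() {
    want=$(listed_md5 "$1" "$2") || {
        echo "not listed or ambiguous: $2" >&2
        return 2
    }
    [ -r "$3" ] || { echo "unreadable: $3" >&2; return 2; }
    have=$(md5sum < "$3" | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then
        echo "OK       $3"
        return 0
    fi
    echo "MISMATCH $3 (listed $want, got $have)" >&2
    return 1
}

# Usage (file names are placeholders):
#   verify_pkg advisory.txt <path-as-listed-in-advisory> <downloaded-file> \
#       && rpm -Fvh <downloaded-file>
```

A return value of 2 means the advisory gives no single answer for that path, so the package should be checked by its own signature (rpm --checksig) instead.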