Mandriva security advisories

MDVSA-2010:109: gtk+2.0

Wed, 06/09/2010 - 17:20
A vulnerability was discovered and fixed in gtk+2.0:

gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver
before 2.28.1, performs implicit paints on windows of type
GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances
and consequently allows physically proximate attackers to bypass
screen locking and access an unattended workstation by pressing the
Enter key many times (CVE-2010-0732).

Packages for 2008.0 and 2009.0 are provided under the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update fixes this issue.

MDVA-2010:157: gtk+2.0

Wed, 06/09/2010 - 14:00
The Gnome Settings Daemon would crash when the multimedia volume keys
were used while the mouse pointer was on the secondary screen. This
updates gtk+ to a new version that also has fixes for crashes in
empathy, eog and other applications.

MDVSA-2010:108: kolab-horde-framework

Tue, 06/08/2010 - 16:00
A vulnerability was discovered and fixed in kolab-horde-framework:

Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab
Server before 2.2.3 allows attackers to have an unspecified impact
via vectors related to an image upload form (CVE-2009-4824).

Packages for 2008.0 and 2009.0 are provided under the Extended
Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update fixes this issue.

MDVSA-2010:107: mysql

Tue, 06/08/2010 - 16:00
Multiple vulnerabilities have been found and corrected in mysql:

The server failed to check the table name argument of a COM_FIELD_LIST
command packet for validity and compliance to acceptable table name
standards. This could be exploited to bypass almost all forms of
checks for privileges and table-level grants by providing a specially
crafted table name argument to COM_FIELD_LIST (CVE-2010-1848).

The server could be tricked into reading packets indefinitely if
it received a packet larger than the maximum size of one packet
(CVE-2010-1849).

The server was susceptible to a buffer-overflow attack due to a
failure to perform bounds checking on the table name argument of a
COM_FIELD_LIST command packet. By sending long data for the table name,
a buffer is overflowed, which could be exploited by an authenticated
user to inject malicious code (CVE-2010-1850).

Packages for 2008.0 and 2009.0 are provided under the Extended
Maintenance Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

MDVSA-2010:106: aria2

Tue, 06/08/2010 - 13:50
A vulnerability was discovered in aria2 which allows remote attackers
to create arbitrary files via directory traversal sequences in the
name attribute of a file element in a metalink file (CVE-2010-1512).

This update fixes this issue.

Packages for 2009.0 are provided under the Extended Maintenance
Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

MDVSA-2010:105: openoffice.org

Mon, 06/07/2010 - 22:10
This update provides a new OpenOffice.org version, 3.1.1. It includes
the security and bug fixes described below:

An integer underflow might allow remote attackers to execute arbitrary
code via crafted records in the document table of a Word document,
leading to a heap-based buffer overflow (CVE-2009-0200).

A heap-based buffer overflow might allow remote attackers to execute
arbitrary code via unspecified records in a crafted Word document,
related to table parsing (CVE-2009-0201).

A heap-based buffer overflow allows remote attackers to execute
arbitrary code via a crafted EMF file (CVE-2009-2139).

Multiple heap-based buffer overflows allow remote attackers to execute
arbitrary code via a crafted EMF+ file (CVE-2009-2140).

OpenOffice's xmlsec uses a bundled Libtool which might load a .la
file in the current working directory, allowing local users to gain
privileges via a Trojan horse file. The vulnerability is only exposed
when xmlsec is built with the --enable-crypto_dl flag, which it is
not; the fix nevertheless protects against this threat should that
flag ever be enabled (CVE-2009-3736).

Additionally, this update provides the following bug fixes:

OpenOffice.org is not properly configured to use the xdg-email
functionality of the FreeDesktop standard (#52195).

Template desktop icons are not properly set up, so they are not
presented under the context menu of applications like Dolphin (#56439).

libia_ora-gnome is added as a suggested package, since that package is
needed for a better look (#57385#c28).

Fallback logic is enabled to properly select an OpenOffice.org
style whenever one is set up but is not installed (#57530#c1,
#53284, #45133, #39043).

The Firefox plugin for viewing OpenOffice.org documents inside the
browser is enabled.

Further packages are provided to satisfy OpenOffice.org 3.1.1
dependencies.

MDVSA-2010:104: dovecot

Mon, 06/07/2010 - 14:00
A vulnerability was discovered and corrected in dovecot:

Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows
remote attackers to cause a denial of service (CPU consumption)
via long headers in an e-mail message (CVE-2010-0745).

This update provides dovecot 1.2.11, which is not vulnerable to this
issue and also includes many bug fixes.

MDVA-2010:156: digikam

Sun, 06/06/2010 - 11:50
This updates digikam and all its dependencies, fixing some bugs,
notably #56078, introducing new functionality and improving
stability.

MDVSA-2010:103: postgresql

Wed, 06/02/2010 - 10:10
Multiple vulnerabilities were discovered and corrected in postgresql:

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL
8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users
to cause a denial of service (daemon crash) or have unspecified
other impact via vectors involving a negative integer in the third
argument, as demonstrated by a SELECT statement that contains a
call to the substring function for a bit string, related to an
overflow (CVE-2010-0442).

A flaw was found in the way the PostgreSQL server process
enforced permission checks on scripts written in PL/Perl. A remote,
authenticated user, running a specially-crafted PL/Perl script, could
use this flaw to bypass PL/Perl trusted mode restrictions, allowing
them to obtain sensitive information; execute arbitrary Perl scripts;
or cause a denial of service (remove protected, sensitive data)
(CVE-2010-1169).

The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0
before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before
8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads
Tcl code from the pltcl_modules table regardless of the table's
ownership and permissions, which allows remote authenticated users,
with database-creation privileges, to execute arbitrary Tcl code by
creating this table and inserting a crafted Tcl script (CVE-2010-1170).

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not
properly check privileges during certain RESET ALL operations, which
allows remote authenticated users to remove arbitrary parameter
settings via a (1) ALTER USER or (2) ALTER DATABASE statement
(CVE-2010-1975).

Packages for 2008.0 and 2009.0 are provided under the Extended
Maintenance Program.
Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

This update provides a solution to these vulnerabilities.

MDVSA-2010:082-1: clamav

Thu, 05/27/2010 - 17:10
Multiple vulnerabilities have been found and corrected in clamav:

ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file
formats, which allows remote attackers to bypass virus detection via
a crafted archive that is compatible with standard archive utilities
(CVE-2010-0098).

The qtm_decompress function in libclamav/mspack.c in ClamAV before
0.96 allows remote attackers to cause a denial of service (memory
corruption and application crash) via a crafted CAB archive that uses
the Quantum (aka .Q) compression format. NOTE: some of these details
are obtained from third party information (CVE-2010-1311).

This update provides clamav 0.96, which is not vulnerable to these
issues.

Update:

Packages for 2009.0 are provided due to the Extended Maintenance
Program.

MDVA-2010:155: mono

Thu, 05/27/2010 - 15:00
mono as shipped with Mandriva 2010.0 was built with wrong compiler
optimizations that made some applications freeze. The updated package
uses safe compiler flags that prevent the freeze.

MDVSA-2010:102: ghostscript

Thu, 05/27/2010 - 14:00
A vulnerability has been found and corrected in ghostscript:

Stack-based buffer overflow in the parser function in GhostScript 8.70
and 8.64 allows context-dependent attackers to execute arbitrary code
via a crafted PostScript file (CVE-2010-1869).

Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.

The updated packages have been patched to correct this issue.

MDVSA-2010:101: mysql

Wed, 05/26/2010 - 13:10
A vulnerability has been found and corrected in mysql:

It was possible for DROP TABLE of one MyISAM table to remove the
data and index files of a different MyISAM table (CVE-2010-1626).

Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.

The updated packages have been patched to correct this issue.

MDVSA-2010:100: krb5

Tue, 05/25/2010 - 22:30
A vulnerability has been found and corrected in krb5:

Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library
(CVE-2010-1321).

Packages for 2008.0 and 2009.0 are provided due to the Extended
Maintenance Program for those products.

The updated packages have been patched to correct this issue.

MDVSA-2010:099: wireshark

Mon, 05/24/2010 - 15:00
This advisory updates wireshark to the latest version(s), fixing
several bugs and one security issue:

The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0
through 1.2.7 allows user-assisted remote attackers to cause a denial
of service (application crash) via a malformed packet trace file
(CVE-2010-1455).

MDVSA-2010:098: kdenetwork4

Fri, 05/21/2010 - 20:50
Multiple vulnerabilities have been discovered and fixed in kget
(kdenetwork4):

Directory traversal vulnerability in KGet in KDE SC 4.0.0 through
4.4.3 allows remote attackers to create arbitrary files via directory
traversal sequences in the name attribute of a file element in a
metalink file (CVE-2010-1000).

KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request
download confirmation from the user, which makes it easier for remote
attackers to overwrite arbitrary files via a crafted metalink file
(CVE-2010-1511).

Packages for 2009.0 are provided due to the Extended Maintenance
Program.

The corrected packages solve these problems.