SUSE-SU-2011:0917-1
Aug 18, 2011 - 9:08 a.m.

Security update for kiwi (critical)

2011-08-18 09:08:24
lists.opensuse.org

EPSS: 0.069 (Low), percentile: 94.0%

SUSE Studio was prone to several cross-site-scripting (XSS)
and shell quoting issues.

  • CVE-2011-2652 - XSS vulnerability in overlay files:
    bad escaping of archive file list
  • CVE-2011-2651 - Remote code execution via crafted
    filename in file browser
  • CVE-2011-2650 - XSS vulnerability when displaying RPM
    info (pattern name)
  • CVE-2011-2649 - Unwanted shell expansion when
    executing commands in FileUtils fix
  • CVE-2011-2648 - Arbitrary code execution via filters
    in modified files
  • CVE-2011-2647 - studio: Remote code execution via
    crafted archive name in testdrive’s modified files
  • CVE-2011-2646 - studio: Remote code execution via
    crafted filename in testdrive’s modified files
  • CVE-2011-2645 - Remote code execution via crafted
    custom RPM filename
  • CVE-2011-2644 - XSS vulnerability in displaying RPM
    info
  • CVE-2011-2226 - XSS vulnerability when displaying
    pattern listing
  • CVE-2011-2225 - Overlay directory paths are not
    properly escaped before inclusion into config.sh
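
The bug class named in CVE-2011-2225 (a path written unescaped into a shell script), shown as an added Ruby example that is not SUSE Studio's or kiwi's own code. The variable name OVERLAY_DIR, the helper names and the sample path are assumptions constructed for illustration; the embedded command only echoes a marker so the difference is visible.

```ruby
require "shellwords"
require "open3"
require "tmpdir"

# Constructed sample: a directory name containing shell metacharacters.
CRAFTED_PATH = "/overlay/my dir$(echo INJECTED)"

# Naive generation: inside double quotes the shell still performs
# command substitution and variable expansion on the interpolated path.
def naive_line(path)
  "OVERLAY_DIR=\"#{path}\""
end

# Hardened generation: Shellwords.escape backslash-escapes every character
# that is special to a POSIX shell, so the value is taken literally.
def escaped_line(path)
  "OVERLAY_DIR=#{Shellwords.escape(path)}"
end

# Writes a one-assignment script (hypothetical stand-in for a generated
# config.sh), runs it with sh, and returns the value the shell ended up with.
def value_seen_by_shell(assignment)
  Dir.mktmpdir do |dir|
    script = File.join(dir, "config.sh")
    File.write(script, "#{assignment}\nprintf '%s' \"$OVERLAY_DIR\"\n")
    # argv form of capture2: no shell parses the arguments we pass here.
    out, status = Open3.capture2("sh", script)
    raise "sh failed" unless status.success?
    out
  end
end

if __FILE__ == $0
  puts "naive:   #{value_seen_by_shell(naive_line(CRAFTED_PATH)).inspect}"
  puts "escaped: #{value_seen_by_shell(escaped_line(CRAFTED_PATH)).inspect}"
end
```

With the naive line the shell runs the embedded command while sourcing the assignment; with the escaped line the value reaches the script byte for byte.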

Furthermore, the following non-security fixes are included:

  • 682978: Fix apache config for cloning appliances with
    image repos
  • 681902: Fix images being deleted when one format is
    deleted
  • 571584: Show 32bit packages in 64bit appliance when
    there’s no 64bit version available
  • 701512: Remove kiwi version dependency on release
  • 704730: Fix script for fixing the apache configuration
  • 707637: Fixed rmds segfaults during attempt of adding
    specially crafted repositories
  • 704726: Disable partition alignment for SLE10
  • 709437: Fix Export script
  • 689907: Fix SLE 10 SP3 appliances containing SP2
    product file
  • 711998: Do not waste disk space when generating the
    export tarball

In addition, this update provides kiwi version 3.73.1 with
the following fixes:

  • 667082: KIWIManager.sh rpmLibs() should execute
    ldconfig after baselib cleanup
  • 668014: Support raid 1 (mirroring) for pxe images
  • 670299: kiwi’s implementation of 4k alignment feature
    covers only first partition
  • 675004: TFTP block size
  • 694506: Kiwi: boot partition runs out of space
  • 659843: Avoid initialization of KMS without kernel
    support
  • 693847: fixed URL quoting, we have to distinguish the
    quoting

Also an important fix was made to the "export" script.
