
Security vulnerabilities in a number of software packages

  • OS details: WN7
  • Importance: URG
  • Operating systems: L
  • Categories: LMV

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:087
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : egroupware
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated egroupware packages fix security vulnerabilities:

eGroupware prior to 1.8.006.20140217 is vulnerable to remote file
deletion and possible remote code execution due to user input being
passed to PHP’s unserialize() method (CVE-2014-2027).

eGroupWare before 1.8.007 allows logged-in users with administrative
privileges to remotely execute arbitrary commands on the server.
It is also vulnerable to a cross-site request forgery vulnerability
that allows creating new administrative users.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2027
http://advisories.mageia.org/MGASA-2014-0116.html
http://advisories.mageia.org/MGASA-2014-0221.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
cf4a9bb8ef30cf74a7e8104eaed1e5ea mbs2/x86_64/egroupware-1.8.007.20140506-1.mbs2.noarch.rpm
7d471a1f7934338d9c17c39aed046a92 mbs2/x86_64/egroupware-bookmarks-1.8.007.20140506-1.mbs2.noarch.rpm
bca49e4c9f90170d049e0f573736553f mbs2/x86_64/egroupware-calendar-1.8.007.20140506-1.mbs2.noarch.rpm
3195fb6185b0db015c68eeed25391fea mbs2/x86_64/egroupware-developer_tools-1.8.007.20140506-1.mbs2.noarch.rpm
e9f33f46b78933cc7c7c054be6f1bc18 mbs2/x86_64/egroupware-egw-pear-1.8.007.20140506-1.mbs2.noarch.rpm
8298f11458f4d6ab41a76842990c9b88 mbs2/x86_64/egroupware-emailadmin-1.8.007.20140506-1.mbs2.noarch.rpm
8395d7c10874355e37d93af463a912c0 mbs2/x86_64/egroupware-felamimail-1.8.007.20140506-1.mbs2.noarch.rpm
79b36d573ccaedd8ad098054d6ac662f mbs2/x86_64/egroupware-filemanager-1.8.007.20140506-1.mbs2.noarch.rpm
e931484776456c96ad3f7c2a98991904 mbs2/x86_64/egroupware-gallery-1.8.007.20140506-1.mbs2.noarch.rpm
0e6028e764cfcbe9adc7e2d429e1bcfa mbs2/x86_64/egroupware-importexport-1.8.007.20140506-1.mbs2.noarch.rpm
4026fb77115740ac83b194b4051fec80 mbs2/x86_64/egroupware-infolog-1.8.007.20140506-1.mbs2.noarch.rpm
95d30157cd8d0cbf6c65442ad20e26ae mbs2/x86_64/egroupware-manual-1.8.007.20140506-1.mbs2.noarch.rpm
f9f5395813df6b06711304342fcbbd43 mbs2/x86_64/egroupware-news_admin-1.8.007.20140506-1.mbs2.noarch.rpm
5e67c67c9fd0eb7308d6f268ac8506ab mbs2/x86_64/egroupware-notifications-1.8.007.20140506-1.mbs2.noarch.rpm
921e180cc7b2c6d2de58e2b5dc877a2f mbs2/x86_64/egroupware-phpbrain-1.8.007.20140506-1.mbs2.noarch.rpm
bf3d6323441283889833de12eda53b1a mbs2/x86_64/egroupware-phpsysinfo-1.8.007.20140506-1.mbs2.noarch.rpm
675ea8d94c058a0c048b0784128f3bc1 mbs2/x86_64/egroupware-polls-1.8.007.20140506-1.mbs2.noarch.rpm
4488bb434ff2cee958198a62cd75915d mbs2/x86_64/egroupware-projectmanager-1.8.007.20140506-1.mbs2.noarch.rpm
b1af84b4ee06f528c1bbb2026a1371c5 mbs2/x86_64/egroupware-registration-1.8.007.20140506-1.mbs2.noarch.rpm
5a4b0422fcf415cf7dbb67677aea4e69 mbs2/x86_64/egroupware-sambaadmin-1.8.007.20140506-1.mbs2.noarch.rpm
8ad55477e0043a97b98c312f996e1b89 mbs2/x86_64/egroupware-sitemgr-1.8.007.20140506-1.mbs2.noarch.rpm
0995e8539c804e5146da0e75d7a26031 mbs2/x86_64/egroupware-syncml-1.8.007.20140506-1.mbs2.noarch.rpm
6f4a523abe8818c71327896b1e212326 mbs2/x86_64/egroupware-timesheet-1.8.007.20140506-1.mbs2.noarch.rpm
6b309a26af38d62d817558e0658e3426 mbs2/x86_64/egroupware-tracker-1.8.007.20140506-1.mbs2.noarch.rpm
dbdfa7fa5e27ea271d6addd9b52acfa8 mbs2/x86_64/egroupware-wiki-1.8.007.20140506-1.mbs2.noarch.rpm
c8da1009e22f6018fd784fc18aa63651 mbs2/SRPMS/egroupware-1.8.007.20140506-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
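One way to turn an advisory's "Updated Packages" block into a concrete "am I affected?" check, as an added example that is not part of the Mandriva advisory or of urpmi: it parses the md5/path lines, splits name-version-release.arch, orders installed versions against the fixed ones with a port of rpm's rpmvercmp() comparison, and checks a downloaded file's MD5 against the listed digest. The installed-package list and the four advisory lines are constructed sample input (the installed versions are invented), and an epoch of 0 is assumed for every package.

```python
import hashlib
import re

# Constructed sample in the format of the "Updated Packages" blocks above.
ADVISORY_PACKAGES = """\
cf4a9bb8ef30cf74a7e8104eaed1e5ea mbs2/x86_64/egroupware-1.8.007.20140506-1.mbs2.noarch.rpm
db7d8f7d616c58b009f532e4e85bc305 mbs2/x86_64/lib64udisks2_0-2.1.1-2.1.mbs2.x86_64.rpm
12c8bd2dd02e2521830355aa84176974 mbs2/x86_64/lib64png16_16-1.6.16-1.mbs2.x86_64.rpm
778bb867e4a9dd56fd22311c6411b76d mbs2/x86_64/mariadb-5.5.42-1.mbs2.x86_64.rpm
"""

# Constructed sample of `rpm -qa` output (NAME-VERSION-RELEASE.ARCH); the
# installed versions are invented for this demonstration.
INSTALLED = """\
egroupware-1.8.006.20140217-1.mbs2.noarch
lib64udisks2_0-2.1.1-2.mbs2.x86_64
lib64png16_16-1.6.9-1.mbs2.x86_64
mariadb-5.5.42-1.mbs2.x86_64
"""

_SEP = re.compile(r"[^A-Za-z0-9~]*")  # rpm skips separators, except '~'


def parse_nvra(s: str):
    """Split 'name-version-release.arch' (or a path to such an .rpm) into parts."""
    base = s.rsplit("/", 1)[-1]
    if base.endswith(".rpm"):
        base = base[:-4]
    nvr, arch = base.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal.
    Segments are compared numerically when they start with a digit, otherwise as
    strings; a numeric segment beats an alphabetic one; '~' sorts before anything
    (pre-releases). The '^' rule of newer rpm releases is left out (assumption:
    not used in the versions on this page)."""
    if a == b:
        return 0
    while a or b:
        a, b = a[_SEP.match(a).end():], b[_SEP.match(b).end():]
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        isnum = a[0].isdigit()
        seg = re.compile(r"[0-9]+" if isnum else r"[A-Za-z]+")
        ma, mb = seg.match(a), seg.match(b)
        if mb is None:               # segment types differ: numeric wins
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        a, b = a[ma.end():], b[mb.end():]
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):   # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if not a and not b:
        return 0
    return 1 if a else -1            # whichever still has segments is newer


def compare_evr(a, b) -> int:
    """Compare (epoch, version, release): epoch first, then version, then release."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_advisory(text: str):
    """Return {name: (md5, (epoch, version, release))} from an Updated Packages block."""
    fixed = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{32})\s+(\S+\.rpm)$", line.strip())
        if m:
            name, ver, rel, _arch = parse_nvra(m.group(2))
            fixed[name] = (m.group(1), ("0", ver, rel))   # assumption: epoch 0
    return fixed


def affected_packages(installed_text: str, advisory_text: str):
    """List (name, installed version-release, fixed version-release) for every
    installed package that is older than the version the advisory ships."""
    fixed = parse_advisory(advisory_text)
    out = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, ver, rel, _arch = parse_nvra(line.strip())
        if name in fixed and compare_evr(("0", ver, rel), fixed[name][1]) < 0:
            out.append((name, f"{ver}-{rel}", f"{fixed[name][1][1]}-{fixed[name][1][2]}"))
    return out


def md5_matches(data: bytes, expected_hex: str) -> bool:
    """Transport-integrity check only: MD5 is collision-prone, so authenticity
    must come from the package's GPG signature (rpm -K), not from this digest."""
    return hashlib.md5(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for name, have, fix in affected_packages(INSTALLED, ADVISORY_PACKAGES):
        print(f"{name}: installed {have} is older than fixed {fix}")
```

On a real host the INSTALLED text comes from `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'`. The MD5 comparison only confirms that a download matches the listing; authenticity comes from the Mandriva GPG signature, so import the key and run `rpm -K` on the files. Note that 0x22458A98 in the advisory is a 32-bit short key ID, and short IDs can be collided, so confirm the key's full fingerprint from a trusted source before importing it.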

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFmNDmqjQ0CJFipgRAtHlAKCtdE8cImMGN1YVYOmTaAd42jXNrQCgjOhw
XKQ6enfHyzG4jrDO2ndwLyg=
=0Ip3
-----END PGP SIGNATURE-----

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:088
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : udisks2
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated udisks2 packages fix a security vulnerability:

A flaw was found in the way udisks and udisks2 handled long path
names. A malicious, local user could use this flaw to create a
specially-crafted directory structure that could lead to arbitrary
code execution with the privileges of the udisks daemon (root)
(CVE-2014-0004).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0004
http://advisories.mageia.org/MGASA-2014-0129.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
db7d8f7d616c58b009f532e4e85bc305 mbs2/x86_64/lib64udisks2_0-2.1.1-2.1.mbs2.x86_64.rpm
492c5477d9e17e5172ee5a84ccc4cec8 mbs2/x86_64/lib64udisks2-devel-2.1.1-2.1.mbs2.x86_64.rpm
e11bcaf1274f42aa95eaa148442c2b57 mbs2/x86_64/lib64udisks-gir2.0-2.1.1-2.1.mbs2.x86_64.rpm
dcf4c315adc600e6fb6c4ffd55f7890f mbs2/x86_64/udisks2-2.1.1-2.1.mbs2.x86_64.rpm
022327416d24b9b39100fae2a7d5c19a mbs2/SRPMS/udisks2-2.1.1-2.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFmVdmqjQ0CJFipgRAuu1AJ92ixDJ38TMMaIDYDY/QFtW0qtuXwCfftL1
njD7P23Xro7qC4Hszth6F/c=
=HOW/
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:089
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : freetype2
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated freetype2 packages fix security vulnerabilities:

It was reported that Freetype before 2.5.3 suffers from an
out-of-bounds stack-based read/write flaw in cf2_hintmap_build()
in the CFF rasterizing code, which could lead to a buffer overflow
(CVE-2014-2240).

It was also reported that Freetype before 2.5.3 has a denial-of-service
vulnerability in the CFF rasterizing code, due to a reachable assertion
(CVE-2014-2241).

It was reported that Freetype before 2.5.4 suffers from an
out-of-bounds stack-based read/write flaw in cf2_hintmap_build()
in the CFF rasterizing code, which could lead to a buffer overflow.
This is due to an incomplete fix for CVE-2014-2240.

The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType
before 2.5.4 does not properly check for an integer overflow, which
allows remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted OpenType
font (CVE-2014-9656).

The tt_face_load_hdmx function in truetype/ttpload.c in FreeType
before 2.5.4 does not establish a minimum record size, which allows
remote attackers to cause a denial of service (out-of-bounds read)
or possibly have unspecified other impact via a crafted TrueType font
(CVE-2014-9657).

The tt_face_load_kern function in sfnt/ttkern.c in FreeType before
2.5.4 enforces an incorrect minimum table length, which allows
remote attackers to cause a denial of service (out-of-bounds read)
or possibly have unspecified other impact via a crafted TrueType font
(CVE-2014-9658).

The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4
does not properly handle a missing ENDCHAR record, which allows remote
attackers to cause a denial of service (NULL pointer dereference)
or possibly have unspecified other impact via a crafted BDF font
(CVE-2014-9660).

type42/t42parse.c in FreeType before 2.5.4 does not consider that
scanning can be incomplete without triggering an error, which allows
remote attackers to cause a denial of service (use-after-free) or
possibly have unspecified other impact via a crafted Type42 font
(CVE-2014-9661).

cff/cf2ft.c in FreeType before 2.5.4 does not validate the return
values of point-allocation functions, which allows remote attackers
to cause a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via a crafted OTF font (CVE-2014-9662).

The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before
2.5.4 validates a certain length field before that field’s value
is completely calculated, which allows remote attackers to cause a
denial of service (out-of-bounds read) or possibly have unspecified
other impact via a crafted cmap SFNT table (CVE-2014-9663).

FreeType before 2.5.4 does not check for the end of the data during
certain parsing actions, which allows remote attackers to cause a
denial of service (out-of-bounds read) or possibly have unspecified
other impact via a crafted Type42 font, related to type42/t42parse.c
and type1/t1load.c (CVE-2014-9664).

The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before
2.5.4 proceeds with a count-to-size association without restricting
the count value, which allows remote attackers to cause a denial of
service (integer overflow and out-of-bounds read) or possibly have
unspecified other impact via a crafted embedded bitmap (CVE-2014-9666).

sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
calculations without restricting the values, which allows remote
attackers to cause a denial of service (integer overflow and
out-of-bounds read) or possibly have unspecified other impact via a
crafted SFNT table (CVE-2014-9667).

Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
allow remote attackers to cause a denial of service (out-of-bounds
read or memory corruption) or possibly have unspecified other impact
via a crafted cmap SFNT table (CVE-2014-9669).

Multiple integer signedness errors in the pcf_get_encodings function
in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
cause a denial of service (integer overflow, NULL pointer dereference,
and application crash) via a crafted PCF file that specifies negative
values for the first column and first row (CVE-2014-9670).

Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
in FreeType before 2.5.4 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted
PCF file with a 0xffffffff size value that is improperly incremented
(CVE-2014-9671).

Array index error in the parse_fond function in base/ftmac.c in
FreeType before 2.5.4 allows remote attackers to cause a denial
of service (out-of-bounds read) or obtain sensitive information
from process memory via a crafted FOND resource in a Mac font file
(CVE-2014-9672).

Integer signedness error in the Mac_Read_POST_Resource function in
base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to
cause a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via a crafted Mac font (CVE-2014-9673).

The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before
2.5.4 proceeds with adding to length values without validating the
original values, which allows remote attackers to cause a denial of
service (integer overflow and heap-based buffer overflow) or possibly
have unspecified other impact via a crafted Mac font (CVE-2014-9674).

bdf/bdflib.c in FreeType before 2.5.4 identifies property names by
only verifying that an initial substring is present, which allows
remote attackers to discover heap pointer values and bypass the ASLR
protection mechanism via a crafted BDF font (CVE-2014-9675).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675
http://advisories.mageia.org/MGASA-2014-0130.html
http://advisories.mageia.org/MGASA-2014-0526.html
http://advisories.mageia.org/MGASA-2015-0083.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
c46c6c2e3576156daf884250899efe99 mbs2/x86_64/freetype2-demos-2.5.0.1-5.1.mbs2.x86_64.rpm
b280f0c0012241b88e138eb07d934258 mbs2/x86_64/lib64freetype6-2.5.0.1-5.1.mbs2.x86_64.rpm
a92799ca0556cd297380fd042f6e7fec mbs2/x86_64/lib64freetype6-devel-2.5.0.1-5.1.mbs2.x86_64.rpm
af1b2481edf21dd0d79ac0336e6ee0ab mbs2/x86_64/lib64freetype6-static-devel-2.5.0.1-5.1.mbs2.x86_64.rpm
df2cd8eb07691c4ae7ecab2c07d9229d mbs2/SRPMS/freetype2-2.5.0.1-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFmbTmqjQ0CJFipgRAtVyAKCYjujTFyJF54bxCbTdnO3cUOGetQCgpF1o
EpIoAR8hjGIYnT2ID1LxGUI=
=XvFx
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:090
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libpng
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libpng package fixes security vulnerabilities:

The png_push_read_chunk function in pngpread.c in the progressive
decoder in libpng 1.6.x through 1.6.9 allows remote attackers to cause
a denial of service (infinite loop and CPU consumption) via an IDAT
chunk with a length of zero (CVE-2014-0333).

libpng versions 1.6.9 through 1.6.15 have an integer-overflow
vulnerability in png_combine_row() when decoding very wide interlaced
images, which can allow an attacker to overwrite an arbitrary amount
of memory with arbitrary (attacker-controlled) data (CVE-2014-9495).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9495
http://advisories.mageia.org/MGASA-2014-0131.html
http://advisories.mageia.org/MGASA-2015-0008.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
12c8bd2dd02e2521830355aa84176974 mbs2/x86_64/lib64png16_16-1.6.16-1.mbs2.x86_64.rpm
4a8f8b65c02ef36efd73e532b3019a1a mbs2/x86_64/lib64png-devel-1.6.16-1.mbs2.x86_64.rpm
7375c5ff0f64bba7ad6123bd92a1bbd1 mbs2/SRPMS/libpng-1.6.16-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFmfPmqjQ0CJFipgRAob0AKC+xm11PSWhfZFPQWy+yCZ8l/FB1gCffjdb
Wimia4EqnYyH5TCFisxo2jc=
=EfGv
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:091
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : mariadb
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

This update provides MariaDB 5.5.42, which fixes several security
issues and other bugs. Please refer to the Oracle Critical Patch Update
Advisories and the Release Notes for MariaDB for further information
regarding the security vulnerabilities.

Additionally, jemalloc packages are now provided: jemalloc was previously
shipped with, built from and used by the mariadb source code, but has been
removed from the mariadb source tree since 5.5.40.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4258
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0374
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
https://mariadb.com/kb/en/mariadb/mariadb-5535-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5536-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5537-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5538-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5539-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5540-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5541-release-notes/
https://mariadb.com/kb/en/mariadb/mariadb-5542-release-notes/
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
612cb3963513954a4ce130804bc8430d mbs2/x86_64/lib64jemalloc1-3.6.0-2.mbs2.x86_64.rpm
b2e17515bfc67c9b2055bd00ed96b70b mbs2/x86_64/lib64jemalloc-devel-3.6.0-2.mbs2.x86_64.rpm
b5898d79491f692c17fd40979695e841 mbs2/x86_64/lib64mariadb18-5.5.42-1.mbs2.x86_64.rpm
0614fe34c397dcbca4f05bca0303ed94 mbs2/x86_64/lib64mariadb-devel-5.5.42-1.mbs2.x86_64.rpm
e015606fc64fa868c71aa88fc1e1a5c5 mbs2/x86_64/lib64mariadb-embedded18-5.5.42-1.mbs2.x86_64.rpm
2fdd36edadf13efb6cf4d71dc4c8a8b5 mbs2/x86_64/lib64mariadb-embedded-devel-5.5.42-1.mbs2.x86_64.rpm
778bb867e4a9dd56fd22311c6411b76d mbs2/x86_64/mariadb-5.5.42-1.mbs2.x86_64.rpm
79aace7bec6451434316d56f5921befb mbs2/x86_64/mariadb-bench-5.5.42-1.mbs2.x86_64.rpm
c2df3074f6e6d2746606dca06f183e00 mbs2/x86_64/mariadb-client-5.5.42-1.mbs2.x86_64.rpm
881efa4fdbbd9253bbbe96514db0d548 mbs2/x86_64/mariadb-common-5.5.42-1.mbs2.x86_64.rpm
fa6f6b56f29c8e3cef2a6041d1232c0e mbs2/x86_64/mariadb-common-core-5.5.42-1.mbs2.x86_64.rpm
301351d85d8dd15e5bc64eefd687b37b mbs2/x86_64/mariadb-core-5.5.42-1.mbs2.x86_64.rpm
4eed071bd33eab8c78b635cc8c430f73 mbs2/x86_64/mariadb-extra-5.5.42-1.mbs2.x86_64.rpm
8688b5068a8d446f09c3688fceb2e531 mbs2/x86_64/mariadb-feedback-5.5.42-1.mbs2.x86_64.rpm
e0fdd84a469e4236f9e61fbc91e4519f mbs2/x86_64/mariadb-obsolete-5.5.42-1.mbs2.x86_64.rpm
0bc451e4a1b8734c4f120a1de423a95e mbs2/x86_64/mysql-MariaDB-5.5.42-1.mbs2.x86_64.rpm
24c9a3d458242168777f87e8e637e1f9 mbs2/SRPMS/jemalloc-3.6.0-2.mbs2.src.rpm
65c1ffedf907ab44827596a84d63fcb0 mbs2/SRPMS/mariadb-5.5.42-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnCBmqjQ0CJFipgRArPsAJ9Gdi7LKL6GabAy8iYzUqGsq8jgPwCgmYQG
Jjvq33dGL9GddGLwWYnaWDA=
=XRxl
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:092
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : net-snmp
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated net-snmp packages fix security vulnerabilities:

A remotely exploitable denial-of-service vulnerability in Net-SNMP, in
the Linux implementation of the ICMP-MIB; the SNMP agent is vulnerable
if it makes use of the ICMP-MIB table objects (CVE-2014-2284).

A remotely exploitable denial-of-service vulnerability in Net-SNMP's
snmptrapd, due to how it handles trap requests with an empty community
string when the perl handler is enabled (CVE-2014-2285).

A remote denial-of-service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the -OQ option. If an attacker
sent an SNMP trap containing a variable with a NULL type where an
integer variable type was expected, it would cause snmptrapd to crash
(CVE-2014-3565).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565
http://advisories.mageia.org/MGASA-2014-0122.html
http://advisories.mageia.org/MGASA-2014-0371.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
db108bc819bb011d352ac1be23005ae8 mbs2/x86_64/lib64net-snmp30-5.7.2-14.1.mbs2.x86_64.rpm
10d0754baaebe770c0accea30a4c570b mbs2/x86_64/lib64net-snmp-devel-5.7.2-14.1.mbs2.x86_64.rpm
f3c20caeb88eee898508110847de93c1 mbs2/x86_64/lib64net-snmp-static-devel-5.7.2-14.1.mbs2.x86_64.rpm
85a8e55a06278248c6d55ed71781d4ae mbs2/x86_64/net-snmp-5.7.2-14.1.mbs2.x86_64.rpm
dd6b3752ffc3abfa799752d6c68be260 mbs2/x86_64/net-snmp-mibs-5.7.2-14.1.mbs2.x86_64.rpm
dff402077edcdbbbb43876ab37f17c63 mbs2/x86_64/net-snmp-tkmib-5.7.2-14.1.mbs2.x86_64.rpm
e5dd0695599ce24250e9c56398ae708a mbs2/x86_64/net-snmp-trapd-5.7.2-14.1.mbs2.x86_64.rpm
73e35840936e48e76813ee9aa563e5db mbs2/x86_64/net-snmp-utils-5.7.2-14.1.mbs2.x86_64.rpm
3fcb54fc22046478a1f4fe25bfb3fbfc mbs2/x86_64/perl-NetSNMP-5.7.2-14.1.mbs2.x86_64.rpm
f7faf7abe0cb4119a24aa1eb7b4e88e2 mbs2/x86_64/python-netsnmp-5.7.2-14.1.mbs2.x86_64.rpm
70325be4b29a38030ee30a1bea4c0a40 mbs2/SRPMS/net-snmp-5.7.2-14.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnIkmqjQ0CJFipgRApj2AJ4siseZB35ENesBHXAJd354ztjc2wCg4i9a
CVlceu1C+yhzzsfXCVXUd5g=
=mTTW
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:093
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : apache
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated apache packages fix security vulnerabilities:

Apache HTTPD before 2.4.9 was vulnerable to a denial of service in
mod_dav when handling DAV_WRITE requests (CVE-2013-6438).

Apache HTTPD before 2.4.9 was vulnerable to a denial of service when
logging cookies (CVE-2014-0098).

A race condition flaw, leading to heap-based buffer overflows,
was found in the mod_status httpd module. A remote attacker able to
access a status page served by mod_status on a server using a threaded
Multi-Processing Module (MPM) could send a specially crafted request
that would cause the httpd child process to crash or, possibly,
allow the attacker to execute arbitrary code with the privileges of
the apache user (CVE-2014-0226).

A denial of service flaw was found in the mod_proxy httpd module. A
remote attacker could send a specially crafted request to a server
configured as a reverse proxy using a threaded Multi-Processing
Modules (MPM) that would cause the httpd child process to crash
(CVE-2014-0117).

A denial of service flaw was found in the way httpd’s mod_deflate
module handled request body decompression (configured via the DEFLATE
input filter). A remote attacker able to send a request whose body
would be decompressed could use this flaw to consume an excessive
amount of system memory and CPU on the target system (CVE-2014-0118).

A denial of service flaw was found in the way httpd’s mod_cgid module
executed CGI scripts that did not read data from the standard input. A
remote attacker could submit a specially crafted request that would
cause the httpd child process to hang indefinitely (CVE-2014-0231).

A NULL pointer dereference flaw was found in the way the mod_cache
httpd module handled Content-Type headers. A malicious HTTP server
could cause the httpd child process to crash when the Apache HTTP
server was configured to proxy to a server with caching enabled
(CVE-2014-3581).

mod_lua.c in the mod_lua module in the Apache HTTP Server through
2.4.10 does not support an httpd configuration in which the same
Lua authorization provider is used with different arguments within
different contexts, which allows remote attackers to bypass intended
access restrictions in opportunistic circumstances by leveraging
multiple Require directives, as demonstrated by a configuration that
specifies authorization for one group to access a certain directory,
and authorization for a second group to access a second directory
(CVE-2014-8109).

In the mod_lua module in the Apache HTTP Server through 2.4.10, a
maliciously crafted websockets PING after a script calls r:wsupgrade()
can cause a child process crash (CVE-2015-0228).

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could
use Trailer headers to set additional HTTP headers after header
processing was performed by other modules. This could, for example,
lead to a bypass of header restrictions defined with mod_headers
(CVE-2013-5704).

Note: With this update, httpd has been modified to not merge HTTP
Trailer headers with other HTTP request headers. A newly introduced
configuration directive MergeTrailers can be used to re-enable the
old method of processing Trailer headers, which also re-introduces
the aforementioned flaw.
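To see why merging trailers into the header table is dangerous, the following added example (not httpd code and not part of the advisory) models the request path in Python: a header policy analogous to a mod_headers "RequestHeader unset" rule runs when the header block is parsed, then the chunked body is decoded and its trailers are either merged into the header table (the old behaviour, what MergeTrailers re-enables) or kept separate (the fixed default). The policy, the header name and the request bytes are constructed for the example.

```python
# Headers an assumed mod_headers policy ("RequestHeader unset X-Internal-Auth")
# strips from every incoming request before the application sees it.
FORBIDDEN_REQUEST_HEADERS = {"x-internal-auth"}


def parse_head(raw: bytes):
    """Split a raw request into (request line, header dict, remaining body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def parse_chunked(body: bytes):
    """Decode a chunked body; return (payload, trailer header dict)."""
    payload = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break                                           # last-chunk; trailers follow
        payload += body[pos:pos + size]
        pos += size + 2                                     # chunk data plus its CRLF
    trailers = {}
    for line in body[pos:].split(b"\r\n"):
        if line:
            name, _, value = line.decode("latin-1").partition(":")
            trailers[name.strip().lower()] = value.strip()
    return bytes(payload), trailers


def apply_header_policy(headers: dict) -> None:
    """Runs once, when the header block is parsed and before the body is read."""
    for name in FORBIDDEN_REQUEST_HEADERS:
        headers.pop(name, None)


def process_request(raw: bytes, merge_trailers: bool):
    """Return (headers, trailers, payload) as a module that runs after the
    body has been consumed would see them."""
    _, headers, body = parse_head(raw)
    apply_header_policy(headers)
    payload, trailers = parse_chunked(body)
    if merge_trailers:
        # Old behaviour (MergeTrailers On): trailers are folded into the header
        # table after the policy already ran, so the stripped header comes back.
        headers.update(trailers)
    return headers, trailers, payload


# Constructed request: the client sends the forbidden header both up front
# (where the policy removes it) and again as a trailer after the last chunk.
CRAFTED = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Internal-Auth\r\n"
    b"X-Internal-Auth: guess\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Internal-Auth: admin\r\n"
    b"\r\n"
)
```

With merging on, the trailer silently reinstates a header the policy removed, and any module or backend that reads the header table after the body has been consumed will trust it. With merging off the trailer is still available, but only to code that asks for trailers explicitly.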

This update also fixes the following bug:

Prior to this update, the mod_proxy_wstunnel module failed to set
up an SSL connection when configured to use a back end server using
the wss: URL scheme, causing proxied connections to fail. In these
updated packages, SSL is used when proxying to wss: back end servers
(rhbz#1141950).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
http://advisories.mageia.org/MGASA-2014-0135.html
http://advisories.mageia.org/MGASA-2014-0305.html
http://advisories.mageia.org/MGASA-2014-0527.html
http://advisories.mageia.org/MGASA-2015-0011.html
http://advisories.mageia.org/MGASA-2015-0099.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
8c0fc93f8b18e8d40190ef9084f2d583 mbs2/x86_64/apache-2.4.12-1.mbs2.x86_64.rpm
6c90dd9f12f65e54ff131b0f4f2d04ee mbs2/x86_64/apache-devel-2.4.12-1.mbs2.x86_64.rpm
8b58ae3f9e57e02ff94a70de04ec8f23 mbs2/x86_64/apache-doc-2.4.12-1.mbs2.noarch.rpm
fefc0679674332198f1b42d5a0240351 mbs2/x86_64/apache-htcacheclean-2.4.12-1.mbs2.x86_64.rpm
22c39f085c7f81ba4186040aa20a79b4 mbs2/x86_64/apache-mod_cache-2.4.12-1.mbs2.x86_64.rpm
d57f8944df9e0443ee3da9bdc2cb78d1 mbs2/x86_64/apache-mod_dav-2.4.12-1.mbs2.x86_64.rpm
7a0e6435e3aaa22e6453dca56c47abb3 mbs2/x86_64/apache-mod_dbd-2.4.12-1.mbs2.x86_64.rpm
30c9610763c492d3c5526e5625128aa8 mbs2/x86_64/apache-mod_ldap-2.4.12-1.mbs2.x86_64.rpm
cdba1369c7b8dd017cf9790076bf0e15 mbs2/x86_64/apache-mod_proxy-2.4.12-1.mbs2.x86_64.rpm
4c4e73ac608bf820a87f27d00148f265 mbs2/x86_64/apache-mod_proxy_html-2.4.12-1.mbs2.x86_64.rpm
3103f59239d49810b16207502f271b8a mbs2/x86_64/apache-mod_session-2.4.12-1.mbs2.x86_64.rpm
2ef0b90590b36ca85c7103ebd02ea64b mbs2/x86_64/apache-mod_ssl-2.4.12-1.mbs2.x86_64.rpm
2f2855321b6554e400ba5542da3027ea mbs2/x86_64/apache-mod_suexec-2.4.12-1.mbs2.x86_64.rpm
b312e7cd14788b86c7088cc19473515c mbs2/x86_64/apache-mod_userdir-2.4.12-1.mbs2.x86_64.rpm
dee3a16d2c36fed2716a3ed17addc1e1 mbs2/SRPMS/apache-2.4.12-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnRImqjQ0CJFipgRAhbAAKDF22tbaWSxzaiqvhq0t6uM1bwWvgCfVNIJ
7XU6s8wMPlxQucpKSIVIKYI=
=4uS5
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:094
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nginx
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated nginx package fixes security vulnerabilities:

A bug in the experimental SPDY implementation in nginx was found,
which might allow an attacker to cause a heap memory buffer overflow
in a worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that
it was possible to reuse cached SSL sessions in unrelated contexts,
allowing virtual host confusion attacks in some configurations by an
attacker in a privileged network position (CVE-2014-3616).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
http://advisories.mageia.org/MGASA-2014-0136.html
http://advisories.mageia.org/MGASA-2014-0427.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f859044a48eda0b859c931bce3688184 mbs2/x86_64/nginx-1.4.7-1.mbs2.x86_64.rpm
36f49f7a1ca40c8546e82d514023b3f4 mbs2/SRPMS/nginx-1.4.7-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnUlmqjQ0CJFipgRAvneAJ0evtNmMhS+lWltq9051wHRR6vuDgCg3BW0
x8jC+tKifZWs8shTG2EYzgo=
=oIRY
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:095
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : openssh
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated openssh packages fix security vulnerabilities:

sshd in OpenSSH before 6.6 does not properly support wildcards
on AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character (CVE-2014-2532).

Matthew Vernon reported that if an SSH server offers a HostCertificate
that the ssh client does not accept, the client does not check DNS for
SSHFP records. As a consequence, a malicious server can disable SSHFP
checking simply by presenting a certificate (CVE-2014-2653).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653
http://advisories.mageia.org/MGASA-2014-0143.html
http://advisories.mageia.org/MGASA-2014-0166.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
4cdb04be31987117f5111e3e6571dc98 mbs2/x86_64/openssh-6.2p2-6.2.mbs2.x86_64.rpm
7ab96e3da3647c4e5209b2d9d24f8fdb mbs2/x86_64/openssh-askpass-6.2p2-6.2.mbs2.x86_64.rpm
6c8c44006180a82b4e5a9bbdebaecbba mbs2/x86_64/openssh-askpass-common-6.2p2-6.2.mbs2.x86_64.rpm
dcff6d34efa6fb0f9128420d78a65eaa mbs2/x86_64/openssh-askpass-gnome-6.2p2-6.2.mbs2.x86_64.rpm
0323b38edadf62dfa9b7d3ae7a4c01fe mbs2/x86_64/openssh-clients-6.2p2-6.2.mbs2.x86_64.rpm
ebc1702b94487b1164de4d4a57723cc6 mbs2/x86_64/openssh-ldap-6.2p2-6.2.mbs2.x86_64.rpm
24bf0a4c7fbd35b3638385e7b406d036 mbs2/x86_64/openssh-server-6.2p2-6.2.mbs2.x86_64.rpm
4a887cb49bdb4aa4677fd409f8a6d927 mbs2/SRPMS/openssh-6.2p2-6.2.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnasmqjQ0CJFipgRArqBAKDQxdvFitPWeNN8pj5JyGZDnnmTsACgvtsl
HCvZ0ewmoukeEWcbmRsuHtg=
=O2Up
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:096
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : stunnel
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated stunnel package fixes security vulnerability:

A flaw was found in the way stunnel, a socket wrapper which can provide
SSL support to ordinary applications, performed (re)initialization of
PRNG after fork. When accepting a new connection, the server forks and
the child process handles the request. The RAND_bytes() function of
openssl doesn’t reset its state after the fork, but seeds the PRNG
with the output of time(NULL). The most important consequence is
that servers using EC (ECDSA) or DSA certificates may under certain
conditions leak their private key (CVE-2014-0016).

The updated packages fix this issue by using threads instead of new
processes to handle connections.
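The consequence named above, a leaked DSA or ECDSA private key, follows from nonce reuse. The following added example (not stunnel or OpenSSL code) shows the whole chain in Python with a toy DSA group: the flawed post-fork path is modelled as a PRNG whose state depends only on the fork time, so two children that handle two connections in the same second draw the same nonce k, and two signatures sharing k are enough for anyone who sees them to recover the private key. The group parameters, private key and digest values are constructed for the example; textbook DSA stands in for ECDSA because the recovery algebra is the same.

```python
import random

# Toy DSA group, constructed for the example: q is prime, q divides p - 1,
# and g = 2^((p-1)/q) mod p has order q. Real deployments use 2048/256-bit
# parameters; the algebra below does not change.
P, Q, G = 2039, 1019, 4


def dsa_sign(x: int, h: int, rng) -> tuple:
    """Textbook DSA: signature (r, s) on digest h with private key x,
    nonce k drawn from rng."""
    while True:
        k = rng.randrange(1, Q)
        r = pow(G, k, P) % Q
        if r != 0:
            break
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    # Textbook DSA also redraws k when s == 0; that is omitted here so that the
    # nonce depends only on the PRNG stream (s == 0 has probability 1/q).
    return r, s


def dsa_verify(y: int, h: int, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = ((pow(G, (h * w) % Q, P) * pow(y, (r * w) % Q, P)) % P) % Q
    return v == r


def child_prng_flawed(fork_time: int):
    """Model of the pre-fix path: after fork the child's PRNG state is a
    function of time(NULL) only, so children forked in the same second agree."""
    return random.Random(fork_time)


def child_prng_fixed():
    """What a forked child needs: fresh entropy from the OS (random.SystemRandom
    reads os.urandom), or, as the updated package does, no fork at all."""
    return random.SystemRandom()


def recover_private_key(h1: int, sig1: tuple, h2: int, sig2: tuple) -> int:
    """Two DSA signatures made with the same k share r; from the two public
    signatures and the two digests an attacker solves for k and then for x."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        raise ValueError("signatures do not share a nonce")
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q      # from s1 - s2 = k^-1 (h1 - h2)
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q    # from s1 = k^-1 (h1 + x r)


def demo(fork_time: int = 1395000000) -> dict:
    x = 777                                  # server private key, constructed
    y = pow(G, x, P)
    h1, h2 = 0x123 % Q, 0x456 % Q            # stand-in digests of two handshakes, constructed
    # Two children forked in the same second sign two different transcripts.
    sig1 = dsa_sign(x, h1, child_prng_flawed(fork_time))
    sig2 = dsa_sign(x, h2, child_prng_flawed(fork_time))
    recovered = recover_private_key(h1, sig1, h2, sig2)
    # With per-child fresh entropy the two nonces are independent.
    sig3 = dsa_sign(x, h1, child_prng_fixed())
    sig4 = dsa_sign(x, h2, child_prng_fixed())
    return {
        "signatures_verify": dsa_verify(y, h1, sig1) and dsa_verify(y, h2, sig2),
        "nonce_reused": sig1[0] == sig2[0],
        "key_recovered": recovered == x,
        "fixed_nonce_reused": sig3[0] == sig4[0],   # overwhelmingly False
    }
```

The attacker needs nothing but two signatures that the server produced during normal handshakes; the seed does not have to be known, only repeated. That is why the updated package's switch from fork to threads closes the hole: there is no child whose PRNG state is a copy of the parent's.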

Also an issue has been corrected where the directory for the pid file
was not being created when the package is installed.

An issue currently exists in Mageia 4 where it fails trying to use
FIPS SSL (mga#13124). This can be worked around by adding fips =
no into the config.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0016
http://advisories.mageia.org/MGASA-2014-0144.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
34c6ac327fa19ff94e3461e65b82518d mbs2/x86_64/stunnel-4.56-4.1.mbs2.x86_64.rpm
90de576bd2fb8b349c9fe373db32cac6 mbs2/SRPMS/stunnel-4.56-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFndtmqjQ0CJFipgRApoGAKCKm7afe52GdCtI9cNnTQYeDsGTyQCgx3Cy
mI0obV98onMUusG4+50jTWE=
=lTaS
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:097
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : php-ZendFramework
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated php-ZendFramework packages fix multiple vulnerabilities:

XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were
discovered in the Zend Framework. An attacker could use these flaws
to cause a denial of service, access files accessible to the server
process, or possibly perform other more advanced XML External Entity
(XXE) attacks (CVE-2014-2681, CVE-2014-2682, CVE-2014-2683).

Using the Consumer component of Zend_OpenId, it is possible to log in
with an arbitrary OpenID account, without knowing any secret information,
by using a malicious OpenID Provider. This means an attacker can log in
with arbitrary OpenID identities (MyOpenID, Google, etc.) that are not
under the control of the attacker's own OpenID Provider, and can thus
impersonate any OpenID identity against the framework (CVE-2014-2684,
CVE-2014-2685).

The implementation of the ORDER BY SQL statement in Zend_Db_Select
of Zend Framework 1 contains a potential SQL injection when the query
string passed contains parentheses (CVE-2014-4914).

Due to a bug in PHP’s LDAP extension, when ZendFramework’s Zend_ldap
class is used for logins, an attacker can login as any user by
using a null byte to bypass the empty password check and perform an
unauthenticated LDAP bind (CVE-2014-8088).

The sqlsrv PHP extension, which provides the ability to connect to
Microsoft SQL Server from PHP, does not provide a built-in quoting
mechanism for manually quoting values to pass via SQL queries;
developers are encouraged to use prepared statements. Zend Framework
provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv which uses
the recommended double single quote ('') as quoting delimiters. SQL
Server treats null bytes in a query as a string terminator, allowing
an attacker to add arbitrary SQL following a null byte, and thus
create a SQL injection (CVE-2014-8089).
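The last two issues come from one mismatch: PHP strings may contain NUL bytes, but the C APIs underneath (the ldap extension's bind call, the SQL Server driver) stop reading at the first one. The following added example (not Zend Framework or PHP code) models both in Python: an empty-password guard that a "\x00" password slips past because the bind sees an empty C string, and a quoting routine that doubles single quotes but lets a NUL through, which the server, as the advisory describes, treats as the end of the string literal so that whatever follows is parsed as SQL. The directory contents, the server's lexing model and the hardened variants are the example's own assumptions.

```python
def c_string(s: str) -> str:
    """What a C API sees when handed a PHP or Python string: up to the first NUL."""
    return s.split("\x00", 1)[0]


# --- CVE-2014-8088 model: empty-password check bypassed with a NUL byte ------

DIRECTORY = {"uid=alice,ou=people,dc=example,dc=test": "correct horse"}  # constructed


def simulated_ldap_bind(dn: str, password: str) -> bool:
    """Models a directory that permits unauthenticated simple binds: an empty
    password 'succeeds' without proving anything (RFC 4513, section 5.1.2)."""
    if password == "":
        return True
    return DIRECTORY.get(dn) == password


def ldap_login_vulnerable(dn: str, password: str) -> bool:
    if password == "":                 # the guard the framework relied on
        return False
    # the extension hands the C library a NUL-terminated string, so "\x00" arrives as ""
    return simulated_ldap_bind(dn, c_string(password))


def ldap_login_fixed(dn: str, password: str) -> bool:
    if password == "" or "\x00" in password:
        return False
    return simulated_ldap_bind(dn, password)


# --- CVE-2014-8089 model: NUL ends the literal, the rest becomes SQL ---------

def sqlsrv_quote_vulnerable(value: str) -> str:
    """Doubles single quotes only (the adapter's original quoting rule)."""
    return "'" + value.replace("'", "''") + "'"


def sqlsrv_quote_fixed(value: str) -> str:
    if "\x00" in value:
        raise ValueError("NUL byte in SQL literal")
    return "'" + value.replace("'", "''") + "'"


def server_tokens(sql: str) -> list:
    """Model of the server's lexer as the advisory describes it: inside a
    single-quoted literal '' is an escaped quote, ' closes the literal, and a
    NUL byte also closes it. Returns [(kind, text)], kind in {"sql", "literal"}."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            j = i
            while j < n and sql[j] != "'":
                j += 1
            tokens.append(("sql", sql[i:j]))
            i = j
            continue
        j, buf = i + 1, []
        while j < n:
            if sql[j] == "'" and j + 1 < n and sql[j + 1] == "'":
                buf.append("'")
                j += 2
            elif sql[j] == "'" or sql[j] == "\x00":
                j += 1
                break
            else:
                buf.append(sql[j])
                j += 1
        tokens.append(("literal", "".join(buf)))
        i = j
    return tokens


def sql_outside_literals(sql: str) -> str:
    """The part of the statement the server executes as SQL rather than data."""
    return "".join(text for kind, text in server_tokens(sql) if kind == "sql")


def demo() -> dict:
    payload = "x\x00 OR 1=1 --"                       # constructed attacker input
    query = "SELECT * FROM users WHERE name = " + sqlsrv_quote_vulnerable(payload)
    try:
        sqlsrv_quote_fixed(payload)
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True
    dn = "uid=alice,ou=people,dc=example,dc=test"
    return {
        "ldap_bypass_vulnerable": ldap_login_vulnerable(dn, "\x00"),
        "ldap_bypass_fixed": ldap_login_fixed(dn, "\x00"),
        "ldap_real_password_fixed": ldap_login_fixed(dn, "correct horse"),
        "injected_sql": sql_outside_literals(query),
        "sql_fixed_rejects": fixed_rejects,
    }
```

Note that the injected payload contains no quote character at all, so quote-doubling never had a chance to help; the only robust fix for the SQL case is a parameterised query, with NUL rejection as the fallback when values must be inlined.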
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089
http://advisories.mageia.org/MGASA-2014-0151.html
http://advisories.mageia.org/MGASA-2014-0311.html
http://advisories.mageia.org/MGASA-2014-0434.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
02c3b9ebdbe452af6df77ddaf6ca70f4 mbs2/x86_64/php-ZendFramework-1.12.9-1.mbs2.noarch.rpm
7ee9abec95d67fac97b10885f2dfd177 mbs2/x86_64/php-ZendFramework-Cache-Backend-Apc-1.12.9-1.mbs2.noarch.rpm
f2350b242c7b25969be3c4d3bfc46bd0 mbs2/x86_64/php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.mbs2.noarch.rpm
c6635e6de414967f9f0b412a8b9ff952 mbs2/x86_64/php-ZendFramework-Captcha-1.12.9-1.mbs2.noarch.rpm
177c35ecd6b3fff97533e8420ba61ba0 mbs2/x86_64/php-ZendFramework-demos-1.12.9-1.mbs2.noarch.rpm
55d294c2c615919e2510e92f3ba75a97 mbs2/x86_64/php-ZendFramework-Dojo-1.12.9-1.mbs2.noarch.rpm
7746384bf97f55a83d2496704576efed mbs2/x86_64/php-ZendFramework-extras-1.12.9-1.mbs2.noarch.rpm
aac972c659c681b0334a98c5d2999134 mbs2/x86_64/php-ZendFramework-Feed-1.12.9-1.mbs2.noarch.rpm
f2675cbbeabf8da77e51e9bb155dad67 mbs2/x86_64/php-ZendFramework-Gdata-1.12.9-1.mbs2.noarch.rpm
cde54247acb864f63e957c55e3688c42 mbs2/x86_64/php-ZendFramework-Pdf-1.12.9-1.mbs2.noarch.rpm
525f594e3b2d939163d898debd94a77e mbs2/x86_64/php-ZendFramework-Search-Lucene-1.12.9-1.mbs2.noarch.rpm
f90cc7d553dc697b77c4ece07b53ce71 mbs2/x86_64/php-ZendFramework-Services-1.12.9-1.mbs2.noarch.rpm
22be7f86bf806cca47ab64edd9d2d2eb mbs2/x86_64/php-ZendFramework-tests-1.12.9-1.mbs2.noarch.rpm
2b72d33582d8ec662cebcad5ba58fce7 mbs2/SRPMS/php-ZendFramework-1.12.9-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFnlJmqjQ0CJFipgRAjaEAKDzxIBZeklYyKqSbiDpdO3pLGPxugCgkJ8t
PwkLG01bbegH7ISNqzJezXU=
=IXGe
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:098
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : curl
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl would sometimes mix up multiple
HTTP and HTTPS connections with NTLM authentication to the same server,
sending requests for one user over the connection authenticated as
a different user (CVE-2014-0015).

libcurl can in some circumstances re-use the wrong connection when
asked to do transfers using other protocols than HTTP and FTP, causing
a transfer that was initiated by an application to wrongfully re-use
an existing connection to the same server that was authenticated
using different credentials (CVE-2014-0138).

libcurl incorrectly validates wildcard SSL certificates containing
literal IP addresses, so under certain conditions, it would allow
and use a wildcard match specified in the CN field, allowing a
malicious server to participate in a MITM attack or just fool users
into believing that it is a legitimate site (CVE-2014-0139).

In cURL before 7.38.0, libcurl can be fooled to both sending cookies
to wrong sites and into allowing arbitrary sites to set cookies for
others. For this problem to trigger, the client application must use
the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top
Level Domains (TLDs), thus making them apply broader than cookies are
allowed. This can allow arbitrary sites to set cookies that then would
get sent to a different and unrelated site or domain (CVE-2014-3620).
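The two cookie issues above are both failures of domain scoping, and the following added example (not libcurl code) shows the decision a cookie jar has to make, in Python: whether a Set-Cookie Domain attribute may be honoured for a response from a given request host. It enforces the two rules the advisory says were missing, host-only cookies for literal IP addresses and no cookies for bare top-level labels, plus the ordinary suffix match. The hosts and domains in the assertions are constructed.

```python
import ipaddress


def cookie_domain_accepted(request_host: str, domain_attr) -> bool:
    """Return True if a Set-Cookie Domain attribute may be honoured for a
    response received from request_host.

    1. A literal IP address host only gets host-only cookies: a Domain
       attribute, if present, must equal the address exactly (CVE-2014-3613).
    2. A Domain that is a bare top-level label (no dot inside) is refused,
       so no site can set a cookie for ".com" or ".test" (CVE-2014-3620).
    3. Otherwise the request host must equal the domain or be a subdomain of it.
    """
    host = request_host.lower().rstrip(".")
    if domain_attr is None:
        return True                                   # host-only cookie
    domain = domain_attr.lower().strip(".")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                                          # a host name: fall through
    else:
        return domain == host                         # rule 1
    if "." not in domain:
        return False                                  # rule 2
    return host == domain or host.endswith("." + domain)   # rule 3
```

Rule 2 only catches single-label suffixes. A registrable-domain check against the public suffix list is needed to also refuse multi-label suffixes such as co.uk; that is outside what this example implements.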

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL has a bug that can lead to libcurl eventually sending off
sensitive data that was not intended for sending, while performing
a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and
curl_easy_duphandle() to be used in that order, and then the duplicate
handle must be used to perform the HTTP POST. The curl command line
tool is not affected by this problem as it does not use this sequence
(CVE-2014-3707).

When libcurl sends a request to a server via an HTTP proxy, it copies
the entire URL into the request and sends it off. If the given URL
contains line feeds and carriage returns, those are sent along to the
proxy too, which allows, for example, a separate HTTP request embedded
in the URL to be injected into the proxy connection (CVE-2014-8150).
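To make the injection concrete, the following added example (not libcurl code) builds the request line for a proxy the way the advisory describes the pre-fix behaviour, with the URL copied verbatim, and then counts how many request lines a proxy would parse out of the bytes sent. The hardened variant refuses URLs containing CR, LF or any other ASCII control character before anything is written to the socket; that is the example's choice of mitigation, not a description of the upstream patch. The URL and host are constructed.

```python
import re

# A request line as a proxy would recognise it: method, target, version.
REQUEST_LINE = re.compile(r"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]$")


def build_proxy_request_vulnerable(url: str, host: str) -> str:
    """Pre-fix behaviour described in the advisory: the URL goes into the
    request line exactly as the application supplied it."""
    return f"GET {url} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def build_proxy_request_fixed(url: str, host: str) -> str:
    """Refuse any URL carrying a control character (CR and LF included)."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        raise ValueError("control character in URL")
    return f"GET {url} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def count_request_lines(wire: str) -> int:
    """Number of HTTP request lines a proxy would parse from what was sent."""
    return sum(1 for line in wire.split("\r\n") if REQUEST_LINE.match(line))


# Constructed hostile URL: it closes the first request itself and opens a
# second one; the trailing "X-Ignore:" absorbs the " HTTP/1.1" and Host
# header that the library appends.
EVIL_URL = (
    "http://example.test/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
    "GET http://attacker.test/ HTTP/1.1\r\n"
    "Host: attacker.test\r\n"
    "X-Ignore:"
)


def demo() -> tuple:
    """Return (request lines the proxy sees from the vulnerable builder,
    whether the fixed builder rejected the same URL)."""
    wire = build_proxy_request_vulnerable(EVIL_URL, "example.test")
    try:
        build_proxy_request_fixed(EVIL_URL, "example.test")
        rejected = False
    except ValueError:
        rejected = True
    return count_request_lines(wire), rejected
```

The second request rides the same authenticated proxy connection as the first, which is what makes the smuggled request interesting: the proxy attributes it to the victim application. Validating URLs at the point where untrusted input becomes a URL is the application's job; the library check is the backstop.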
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://advisories.mageia.org/MGASA-2014-0153.html
http://advisories.mageia.org/MGASA-2014-0385.html
http://advisories.mageia.org/MGASA-2014-0444.html
http://advisories.mageia.org/MGASA-2015-0020.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
498d59be3a6a4ace215c0d98fb4abede mbs2/x86_64/curl-7.34.0-3.1.mbs2.x86_64.rpm
75a821b73a75ca34f1747a0f7479267f mbs2/x86_64/curl-examples-7.34.0-3.1.mbs2.noarch.rpm
f5d3aad5f0fd9db68b87c648aaabbb4a mbs2/x86_64/lib64curl4-7.34.0-3.1.mbs2.x86_64.rpm
4f356a2c97f9f64124b4e8ebe307826a mbs2/x86_64/lib64curl-devel-7.34.0-3.1.mbs2.x86_64.rpm
d010a357d76a8eb967c7c52f92fb35ae mbs2/SRPMS/curl-7.34.0-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFn3GmqjQ0CJFipgRAu1CAJ9iEOw8vZuH/tA8vyx1xmbC4vySTgCgqExY
Fpa5OZRsP4i0DWRwsyxOCt4=
=5PNM
—–END PGP SIGNATURE—–

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:098
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : curl
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl would sometimes mix up multiple
HTTP and HTTPS connections with NTLM authentication to the same server,
sending requests for one user over the connection authenticated as
a different user (CVE-2014-0015).

libcurl can in some circumstances re-use the wrong connection when
asked to do transfers using other protocols than HTTP and FTP, causing
a transfer that was initiated by an application to wrongfully re-use
an existing connection to the same server that was authenticated
using different credentials (CVE-2014-0138).

libcurl incorrectly validates wildcard SSL certificates containing
literal IP addresses, so under certain conditions, it would allow
and use a wildcard match specified in the CN field, allowing a
malicious server to participate in a MITM attack or just fool users
into believing that it is a legitimate site (CVE-2014-0139).

In cURL before 7.38.0, libcurl can be fooled to both sending cookies
to wrong sites and into allowing arbitrary sites to set cookies for
others. For this problem to trigger, the client application must use
the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top
Level Domains (TLDs), thus making them apply broader than cookies are
allowed. This can allow arbitrary sites to set cookies that then would
get sent to a different and unrelated site or domain (CVE-2014-3620).

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL has a bug that can lead to libcurl eventually sending off
sensitive data that was not intended for sending, while performing
a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and
curl_easy_duphandle() to be used in that order, and then the duplicate
handle must be used to perform the HTTP POST. The curl command line
tool is not affected by this problem as it does not use this sequence
(CVE-2014-3707).

When libcurl sends a request to a server via a HTTP proxy, it copies
the entire URL into the request and sends if off. If the given URL
contains line feeds and carriage returns those will be sent along to
the proxy too, which allows the program to for example send a separate
HTTP request injected embedded in the URL (CVE-2014-8150).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150
http://advisories.mageia.org/MGASA-2014-0153.html
http://advisories.mageia.org/MGASA-2014-0385.html
http://advisories.mageia.org/MGASA-2014-0444.html
http://advisories.mageia.org/MGASA-2015-0020.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
498d59be3a6a4ace215c0d98fb4abede mbs2/x86_64/curl-7.34.0-3.1.mbs2.x86_64.rpm
75a821b73a75ca34f1747a0f7479267f mbs2/x86_64/curl-examples-7.34.0-3.1.mbs2.noarch.rpm
f5d3aad5f0fd9db68b87c648aaabbb4a mbs2/x86_64/lib64curl4-7.34.0-3.1.mbs2.x86_64.rpm
4f356a2c97f9f64124b4e8ebe307826a mbs2/x86_64/lib64curl-devel-7.34.0-3.1.mbs2.x86_64.rpm
d010a357d76a8eb967c7c52f92fb35ae mbs2/SRPMS/curl-7.34.0-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFn3GmqjQ0CJFipgRAu1CAJ9iEOw8vZuH/tA8vyx1xmbC4vySTgCgqExY
Fpa5OZRsP4i0DWRwsyxOCt4=
=5PNM
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject: unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:099
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-pillow
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-imaging packages fix security vulnerabilities:

Jakub Wilk discovered that temporary files were insecurely created
(via mktemp()) in the IptcImagePlugin.py, Image.py, JpegImagePlugin.py,
and EpsImagePlugin.py files of Python Imaging Library. A local attacker
could use this flaw to perform a symbolic link attack to modify an
arbitrary file accessible to the user running an application that
uses the Python Imaging Library (CVE-2014-1932).

Jakub Wilk discovered that temporary files created in the
JpegImagePlugin.py and EpsImagePlugin.py files of the Python Imaging
Library were passed to an external process. These could be viewed
on the command line, allowing an attacker to obtain the name and
possibly perform symbolic link attacks, allowing them to modify an
arbitrary file accessible to the user running an application that
uses the Python Imaging Library (CVE-2014-1933).

The Python Imaging Library is vulnerable to a denial of service attack
in the IcnsImagePlugin (CVE-2014-3589).

Python Imaging Library (PIL) 1.1.7 and earlier and Pillow 2.3
might allow remote attackers to execute arbitrary commands via
shell metacharacters, due to an incomplete fix for CVE-2014-1932
(CVE-2014-3007).

Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a
denial of service via a compressed text chunk in a PNG image that
has a large size when it is decompressed (CVE-2014-9601).
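The two recurring patterns in this advisory are a predicted temporary file name being opened without `O_EXCL` (CVE-2014-1932, CVE-2014-1933) and a file name being spliced into a shell command string (CVE-2014-3007). The Python below is an added example, not Pillow's own code: it builds a constructed directory in which a symlink has been pre-planted at the predictable name, shows that a plain `open()` follows it while `O_CREAT|O_EXCL` (what `tempfile.mkstemp()` and `NamedTemporaryFile()` use) refuses, and then contrasts a shell command string with an argv list. `sys.executable` stands in for the external image tool so the demo runs anywhere.

```python
import os
import subprocess
import sys
import tempfile


def write_predicted_name(path: str, data: bytes) -> None:
    """mktemp()-style pattern: the name was only *predicted*, and open(path, 'wb')
    uses O_CREAT without O_EXCL, so it follows a symlink planted at that name."""
    with open(path, "wb") as f:
        f.write(data)


def write_exclusive(path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL fails if anything (a symlink included)
    already exists at path. tempfile.mkstemp()/NamedTemporaryFile() do exactly
    this, plus an unpredictable name and mode 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def symlink_race_demo() -> dict:
    """Run both patterns against a pre-planted symlink (constructed scenario)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")          # file never meant to be touched
        with open(victim, "wb") as f:
            f.write(b"original")
        planted = os.path.join(d, "predicted_name.jpg")  # the guessable temp name
        os.symlink(victim, planted)                      # planted before the race

        write_predicted_name(planted, b"clobbered")
        with open(victim, "rb") as f:
            after_insecure = f.read()

        try:
            write_exclusive(planted, b"clobbered again")
            exclusive_refused = False
        except FileExistsError:
            exclusive_refused = True
        with open(victim, "rb") as f:
            after_exclusive = f.read()

    return {
        "victim_after_insecure": after_insecure,    # symlink was followed
        "exclusive_refused": exclusive_refused,     # O_EXCL saw the planted link
        "victim_after_exclusive": after_exclusive,  # untouched by the refused write
    }


def build_shell_command(tool: str, path: str) -> str:
    """CVE-2014-3007-style pattern: the path becomes part of one string that a
    shell re-parses, so metacharacters in the file name turn into syntax."""
    return f"{tool} {path}"


def run_with_argv(path: str) -> str:
    """Hardened pattern: the path is its own argv element and no shell is involved.
    The child echoes argv[1] back, proving the name arrived as one intact argument."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", path]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")
```

The temp-file half also explains why CVE-2014-1933 matters on its own: a name that is visible in another process's command line is, for a local attacker, as good as predictable, so the `O_EXCL` open is what protects the write, not the secrecy of the name.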
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1932
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1933
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9601
http://advisories.mageia.org/MGASA-2014-0159.html
http://advisories.mageia.org/MGASA-2014-0343.html
http://advisories.mageia.org/MGASA-2014-0476.html
http://advisories.mageia.org/MGASA-2015-0039.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
851eb58425ac5564e505233acd49e147 mbs2/x86_64/python3-pillow-2.6.2-1.1.mbs2.x86_64.rpm
a24beaf54149ec5049cc215908c9a5ce mbs2/x86_64/python3-pillow-devel-2.6.2-1.1.mbs2.x86_64.rpm
5d6155bdef86b902c346cf11c55dceee mbs2/x86_64/python3-pillow-doc-2.6.2-1.1.mbs2.noarch.rpm
5727dc1b952f8d8e4214887c5f19f1e1 mbs2/x86_64/python3-pillow-sane-2.6.2-1.1.mbs2.x86_64.rpm
5d72610503946bfd2a3e5bb9f5aba317 mbs2/x86_64/python3-pillow-tk-2.6.2-1.1.mbs2.x86_64.rpm
ff25c3184b79c98affb7c287ed6bf810 mbs2/x86_64/python-pillow-2.6.2-1.1.mbs2.x86_64.rpm
b64e67fd59fbaed0a454134d8c5093b4 mbs2/x86_64/python-pillow-devel-2.6.2-1.1.mbs2.x86_64.rpm
84bac4da63c5a44bb49c353e9019ad2d mbs2/x86_64/python-pillow-doc-2.6.2-1.1.mbs2.noarch.rpm
8b567267acc437c0ebad1aeb8f85bb55 mbs2/x86_64/python-pillow-sane-2.6.2-1.1.mbs2.x86_64.rpm
b1750dd703813d162291db4f34e077eb mbs2/x86_64/python-pillow-tk-2.6.2-1.1.mbs2.x86_64.rpm
38024e50a951ebae0a6f670aed5a8b47 mbs2/SRPMS/python-pillow-2.6.2-1.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFn70mqjQ0CJFipgRAijaAKCTIyac5ApvxzxZ//qQJDsnz8YPGACgruKo
LTTw2e4UyqR4Vq8nItlLmcw=
=DRbE
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:100
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cups-filters
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated cups-filters packages fix security vulnerabilities:

Florian Weimer discovered that cups-filters incorrectly handled
memory in the urftopdf filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6473).

Florian Weimer discovered that cups-filters incorrectly handled
memory in the pdftoopvp filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6474, CVE-2013-6475).

Florian Weimer discovered that cups-filters did not restrict driver
directories in the pdftoopvp filter. An attacker could possibly
use this issue to execute arbitrary code with the privileges of the
lp user (CVE-2013-6476).

Sebastian Krahmer discovered it was possible to use malicious
broadcast packets to execute arbitrary commands on a server running
the cups-browsed daemon (CVE-2014-2707).

In cups-filters before 1.0.53, out-of-bounds accesses in the
process_browse_data function when reading the packet variable
could lead to a crash, resulting in a denial of service
(CVE-2014-4337).

In cups-filters before 1.0.53, if there was only a single BrowseAllow
line in cups-browsed.conf and its host specification was invalid, this
was interpreted as if no BrowseAllow line had been specified, which
resulted in it accepting browse packets from all hosts (CVE-2014-4338).

The CVE-2014-2707 issue with malicious broadcast packets, which
had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been
completely fixed by that update. A more complete fix was implemented
in cups-filters 1.0.53 (CVE-2014-4336).

Note that only systems that have enabled the affected feature
by using the CreateIPPPrinterQueues configuration directive in
/etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /
CVE-2014-4336 issue.
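CVE-2014-4338 is a fail-open configuration bug: the decision was keyed on whether any valid `BrowseAllow` entry had been parsed, so a single mistyped entry was indistinguishable from "no `BrowseAllow` configured" and every host was accepted. The Python below is an added example, not cups-browsed's own code, reconstructing the before and after logic over constructed `cups-browsed.conf` fragments. It assumes a host specification is an IP address or CIDR prefix; the real directive accepts more forms, which are out of scope here.

```python
import ipaddress

# Constructed cups-browsed.conf fragments (not from the advisory).
CONF_ONE_INVALID = """
# Only accept browse packets from the print-server VLAN
BrowseAllow 192.168.10.0/24x
"""

CONF_VALID = """
BrowseAllow 192.168.10.0/24
BrowseAllow 10.0.0.5
"""

CONF_NONE = """
# no BrowseAllow at all: the daemon's default is to accept browse packets from anyone
"""


def parse_browse_allow(conf: str):
    """Return (networks, saw_directive): the valid specs that parsed, and whether
    any BrowseAllow line was present at all, valid or not."""
    networks = []
    saw_directive = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "browseallow" or len(parts) != 2:
            continue
        saw_directive = True
        try:
            networks.append(ipaddress.ip_network(parts[1], strict=False))
        except ValueError:
            pass  # invalid spec is dropped, but saw_directive stays True
    return networks, saw_directive


def allowed_before_fix(conf: str, src: str) -> bool:
    """Pre-1.0.53 logic: keyed on the *valid* list being empty, so a lone invalid
    BrowseAllow line reads as 'nothing configured' and everyone is accepted."""
    networks, _ = parse_browse_allow(conf)
    if not networks:
        return True
    return any(ipaddress.ip_address(src) in n for n in networks)


def allowed_after_fix(conf: str, src: str) -> bool:
    """Fail-closed logic: once the administrator has written any BrowseAllow line,
    only packets matching a valid spec are accepted; an all-invalid list matches
    nothing. Only a genuinely unconfigured file falls back to the default."""
    networks, saw_directive = parse_browse_allow(conf)
    if not saw_directive:
        return True
    return any(ipaddress.ip_address(src) in n for n in networks)
```

The general lesson for any allow-list parser: track "the operator expressed an intent" separately from "the intent parsed cleanly", and when the two disagree, fail closed and log the rejected line rather than widening the policy.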
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4338
http://advisories.mageia.org/MGASA-2014-0170.html
http://advisories.mageia.org/MGASA-2014-0181.html
http://advisories.mageia.org/MGASA-2014-0267.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
8debeee26ba55f4bb1b93d553da75157 mbs2/x86_64/cups-filters-1.0.53-1.mbs2.x86_64.rpm
37666681642eddb5343e968a58b3d771 mbs2/x86_64/lib64cups-filters1-1.0.53-1.mbs2.x86_64.rpm
d526c4341f34532c8032655f7e334999 mbs2/x86_64/lib64cups-filters-devel-1.0.53-1.mbs2.x86_64.rpm
5ecb3127039ab1eacb519a7b98e1d545 mbs2/SRPMS/cups-filters-1.0.53-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF3e0mqjQ0CJFipgRAmSxAJ0fLCoHyyU8zzI8WSW36Yi7P1fAMgCfZ3sm
w9BvNovNQW1jwArTVorAJo0=
=0EYE
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:101
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : jbigkit
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated jbigkit packages fix security vulnerability:

Florian Weimer found a stack-based buffer overflow flaw in the libjbig
library (part of jbigkit). A specially-crafted image file read by
libjbig could be used to cause a program linked to libjbig to crash
or, potentially, to execute arbitrary code (CVE-2013-6369).

The jbigkit package has been updated to version 2.1, which fixes
this issue as well as a few other bugs, including the ability of
corrupted input data to force the jbig85 decoder into an endless loop.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369
http://advisories.mageia.org/MGASA-2014-0174.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
ef2de936e41a5bbf1f3313af52e7ecd7 mbs2/x86_64/jbigkit-2.1-1.mbs2.x86_64.rpm
728aa373fab04541230ec467dbc441b4 mbs2/x86_64/lib64jbig1-2.1-1.mbs2.x86_64.rpm
5bc3e465717da27b3ae89aa05e883bbd mbs2/x86_64/lib64jbig-devel-2.1-1.mbs2.x86_64.rpm
4daab8843a69eb919335dbffcf6d2096 mbs2/SRPMS/jbigkit-2.1-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF3iymqjQ0CJFipgRAhBQAKCnn/hpISuXQeYxt4ZfLhR8M2AzrwCfXJtl
9e4YQgwyH1ygqHDnxBPXMmY=
=UiL+
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:102
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : json-c
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated json-c packages fix security vulnerabilities:

Florian Weimer reported that the printbuf APIs used in the json-c
library used ints for counting buffer lengths, which is inappropriate
for 32-bit architectures. These functions need to be changed to use
size_t for sizes if possible, or to be hardened against negative
values if not. This could be used to cause a denial of service in
an application linked to the json-c library (CVE-2013-6370).

Florian Weimer reported that the hash function in the json-c library
was weak, and that parsing smallish JSON strings showed quadratic
timing behaviour. This could cause an application linked to the json-c
library that processes specially-crafted JSON data to use excessive
amounts of CPU (CVE-2013-6371).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371
http://advisories.mageia.org/MGASA-2014-0175.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a01b51b861573f870676ada72574883b mbs2/x86_64/lib64json2-0.11-4.1.mbs2.x86_64.rpm
d0c95fd3e09d5ea552cc3d01b1bc53e9 mbs2/x86_64/lib64json-devel-0.11-4.1.mbs2.x86_64.rpm
e741ceb24b4557e0e1cc4faa11b094a4 mbs2/SRPMS/json-c-0.11-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF3oGmqjQ0CJFipgRAoY3AKCVHteiqNEkSPslvN3c/tkTCe92wgCeK14k
Om5RGgjRhd9NhuTktQscCwo=
=nb0l
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:103
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : squid
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated squid packages fix security vulnerabilities:

Due to incorrect state management, Squid before 3.3.12 is vulnerable
to a denial of service attack when processing certain HTTPS requests
if the SSL-Bump feature is enabled (CVE-2014-0128).

Matthew Daley discovered that Squid 3 did not properly perform input
validation in request parsing. A remote attacker could send crafted
Range requests to cause a denial of service (CVE-2014-3609).

Due to incorrect buffer management, an attacker can cause Squid to
write outside its allocated SNMP buffer (CVE-2014-6270).

Due to incorrect bounds checking, the Squid pinger binary is vulnerable
to denial of service or information leak attacks when processing larger
than normal ICMP or ICMPv6 packets (CVE-2014-7141).

Due to incorrect input validation, the Squid pinger binary is vulnerable
to denial of service or information leak attacks when processing ICMP
or ICMPv6 packets (CVE-2014-7142).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7142
http://advisories.mageia.org/MGASA-2014-0168.html
http://advisories.mageia.org/MGASA-2014-0369.html
http://advisories.mageia.org/MGASA-2014-0396.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
071db3614e124eb1b387c264968d2ff9 mbs2/x86_64/squid-3.3.13-1.mbs2.x86_64.rpm
d7e3f39404d20077be8ac0c073fecf08 mbs2/x86_64/squid-cachemgr-3.3.13-1.mbs2.x86_64.rpm
172d9eb494509cb443fb772cbbc0a0ef mbs2/SRPMS/squid-3.3.13-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF35qmqjQ0CJFipgRAv8VAJ9RvVsprYr9T+jRbhrNzzqgUfUX9QCgmqAr
4GKmB9QQ7JpPgxndOeJz3mI=
=VVLp
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:104
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : elfutils
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated elfutils packages fix security vulnerabilities:

The libdw library provides support for accessing DWARF debugging
information inside ELF files. An integer overflow flaw in
check_section(), leading to a heap-based buffer overflow, was found
in the libdw library. A malicious ELF file could cause an application
using libdw (such as eu-readelf) to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2014-0172).

A directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils allows remote attackers to write
arbitrary files to the root directory via a / (slash) in a crafted
archive, as demonstrated using the ar program (CVE-2014-9447).
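The check that CVE-2014-9447 calls for is on the member name: an ar archive has a flat namespace, so a name containing a `/` is never legitimate and must be rejected before it is joined onto any directory. The Python below is an added example, not elfutils' C code; the first function is the ar-specific rule, and the second generalises it to hierarchical formats (tar, zip) by resolving the joined path and insisting it stays strictly inside the extraction directory. The destination paths used in the usage are constructed and need not exist.

```python
import os


class UnsafeMemberName(ValueError):
    """An archive member name that could place a file outside the extraction directory."""


def validate_ar_member_name(name: str) -> str:
    """ar member names are bare file names, never paths: reject a '/' anywhere
    (the CVE-2014-9447 symptom), NUL bytes, empty names, and '.' / '..'."""
    if not name or "\x00" in name or "/" in name or name in (".", ".."):
        raise UnsafeMemberName(f"unsafe ar member name: {name!r}")
    return name


def safe_extract_path(dest_dir: str, member_name: str) -> str:
    """Generalisation for hierarchical archives: join the member name onto dest_dir,
    resolve it, and require the result to lie strictly inside dest_dir. Resolving
    both sides with realpath() means a symlinked dest_dir does not cause false
    rejections, while '..' segments cannot escape. POSIX path semantics assumed."""
    if not member_name or "\x00" in member_name or os.path.isabs(member_name):
        raise UnsafeMemberName(f"unsafe member name: {member_name!r}")
    dest_real = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest_real, member_name))
    if candidate == dest_real or os.path.commonpath([dest_real, candidate]) != dest_real:
        raise UnsafeMemberName(f"member {member_name!r} escapes {dest_dir!r}")
    return candidate


def is_safe_ar_member(name: str) -> bool:
    """Boolean wrapper around validate_ar_member_name() for filtering."""
    try:
        validate_ar_member_name(name)
        return True
    except UnsafeMemberName:
        return False


def is_safe_member(dest_dir: str, name: str) -> bool:
    """Boolean wrapper around safe_extract_path() for filtering."""
    try:
        safe_extract_path(dest_dir, name)
        return True
    except UnsafeMemberName:
        return False


if __name__ == "__main__":
    dest = "/var/tmp/extract-demo"  # constructed destination, not required to exist
    for n in ("libfoo.o", "lib/foo.o", "../../outside.txt"):
        print(f"{n!r}: ar-safe={is_safe_ar_member(n)} tree-safe={is_safe_member(dest, n)}")
```

Note the order of the checks in `safe_extract_path`: the absolute-path test runs before `os.path.join`, because `join` discards everything before an absolute second argument and would otherwise hand `realpath` a path that never touched `dest_dir`.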
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0172
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9447
http://advisories.mageia.org/MGASA-2014-0177.html
http://advisories.mageia.org/MGASA-2015-0033.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f6dff031dadff1b25f2020d013be555d mbs2/x86_64/elfutils-0.157-4.1.mbs2.x86_64.rpm
abdf7fe1804c7d198da3bb2b524d9480 mbs2/x86_64/lib64elfutils1-0.157-4.1.mbs2.x86_64.rpm
6da1d3540861610c31feea530810fc53 mbs2/x86_64/lib64elfutils-devel-0.157-4.1.mbs2.x86_64.rpm
eaecd3b922cb3b83ca29ba0d6457b7bd mbs2/x86_64/lib64elfutils-static-devel-0.157-4.1.mbs2.x86_64.rpm
a3931cbaea7928d476d646e3646a098d mbs2/SRPMS/elfutils-0.157-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF4SsmqjQ0CJFipgRApWzAKCL6kbVguiJIBQId0suIkDemq5CgQCg0Ehq
cx0nl2wHr5/pXHilf6NO9b8=
=iVT8
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:105
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : imagemagick
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated imagemagick package fixes security vulnerabilities:

A buffer overflow flaw was found in the way ImageMagick handled PSD
images that use RLE encoding. An attacker could create a malicious PSD
image file that, when opened in ImageMagick, would cause ImageMagick
to crash or, potentially, execute arbitrary code with the privileges
of the user running ImageMagick (CVE-2014-1958).

A buffer overflow flaw was found in the way ImageMagick writes PSD
images when the input data has a large number of unlabeled layers
(CVE-2014-2030).

ImageMagick is vulnerable to a denial of service due to out-of-bounds
memory accesses in the resize code (CVE-2014-8354), PCX parser
(CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder
(CVE-2014-8716).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716
http://advisories.mageia.org/MGASA-2014-0087.html
http://advisories.mageia.org/MGASA-2014-0482.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
cbb2b057e921d799e6ee49a25e109566 mbs2/x86_64/imagemagick-6.8.7.0-3.1.mbs2.x86_64.rpm
65aab5ec709ce0c49ce05069df0dd500 mbs2/x86_64/imagemagick-desktop-6.8.7.0-3.1.mbs2.x86_64.rpm
201fdabb60c6a02e74b84b7d78e5fb73 mbs2/x86_64/imagemagick-doc-6.8.7.0-3.1.mbs2.noarch.rpm
0fe93393cec896559c037e77a4bc14e9 mbs2/x86_64/lib64magick-6Q16_1-6.8.7.0-3.1.mbs2.x86_64.rpm
f8cf870d729c2a8296810317a0ca2e6b mbs2/x86_64/lib64magick++-6Q16_3-6.8.7.0-3.1.mbs2.x86_64.rpm
e1898d061d94f5f559205ff981ea115f mbs2/x86_64/lib64magick-devel-6.8.7.0-3.1.mbs2.x86_64.rpm
d2e9137351c9f55d3c537440c46c2fa7 mbs2/x86_64/perl-Image-Magick-6.8.7.0-3.1.mbs2.x86_64.rpm
771bafb552b2b7761516da38035d3e0e mbs2/SRPMS/imagemagick-6.8.7.0-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF5yrmqjQ0CJFipgRAlC8AKDM9634waJA9GXof61IHck/iMai1QCfVVOL
YivihVq6/MrvvIwCD3ZhqTw=
=Sfpz
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:106
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : apache-mod_security
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated apache-mod_security packages fix security vulnerability:

Martin Holst Swende discovered a flaw in the way mod_security handled
chunked requests. A remote attacker could use this flaw to bypass
intended mod_security restrictions, allowing them to send requests
containing content that should have been removed by mod_security
(CVE-2013-5705).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705
http://advisories.mageia.org/MGASA-2014-0180.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
30ed988377e0811c89f9314020ec94b2 mbs2/x86_64/apache-mod_security-2.7.5-4.1.mbs2.x86_64.rpm
2f187c8f03f68a7a3ffeb987b98b92d2 mbs2/x86_64/mlogc-2.7.5-4.1.mbs2.x86_64.rpm
575cc92b8083d28443af3dec18cce2be mbs2/SRPMS/apache-mod_security-2.7.5-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF57mmqjQ0CJFipgRAhuKAKDe2492mZOdVpt6vuotAhVYQYL6kwCgrmt2
6RJa3r/VLZjyxwbkzfVrNYQ=
=YWsx
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:107
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : lcms2
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated lcms2 packages fix security vulnerability:

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE
Embedded 7u51, allows remote attackers to affect availability via
unknown vectors related to 2D (CVE-2014-0459).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0459
http://advisories.mageia.org/MGASA-2014-0189.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
71e2bbe02a3067aa35342ddb576b8d3e mbs2/x86_64/lcms2-2.5-3.1.mbs2.x86_64.rpm
18908a287574a6b4e70c0b81021efc4b mbs2/x86_64/lib64lcms2_2-2.5-3.1.mbs2.x86_64.rpm
3d81561fc5d55c9a81768479beba415b mbs2/x86_64/lib64lcms2-devel-2.5-3.1.mbs2.x86_64.rpm
501cdb6f9b5816843dd7c5f14cd37b7e mbs2/SRPMS/lcms2-2.5-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF6mbmqjQ0CJFipgRAqNmAJ47y5oR2qefxYiwQdOblES+PtDEjQCeLTZE
o2EzoZXAABowIvTRtRPma/g=
=39nE
—–END PGP SIGNATURE—–

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:108
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cups
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated cups packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in scheduler/client.c
in Common Unix Printing System (CUPS) before 1.7.2 allows remote
attackers to inject arbitrary web script or HTML via the URL path,
related to the is_path_absolute function (CVE-2014-2856).

In CUPS before 1.7.4, a local user with privileges of group=lp
can write symbolic links in the rss directory and use that to gain
‘@SYSTEM’ group privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly
validated permissions on rss files and directory index files. A local
attacker could possibly use this issue to bypass file permissions
and read arbitrary files, possibly leading to a privilege escalation
(CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).

A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679
http://advisories.mageia.org/MGASA-2014-0193.html
http://advisories.mageia.org/MGASA-2014-0313.html
http://advisories.mageia.org/MGASA-2015-0067.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm
b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm
7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm
c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm
df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm
5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:109
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-django
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-django packages fix security vulnerabilities:

Jedediah Smith discovered that Django incorrectly handled underscores
in WSGI headers. A remote attacker could possibly use this issue to
spoof headers in certain environments (CVE-2015-0219).

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to
perform a cross-site scripting attack (CVE-2015-0220).

Alex Gaynor discovered that Django incorrectly handled reading files
in django.views.static.serve(). A remote attacker could possibly use
this issue to cause Django to consume resources, resulting in a denial
of service (CVE-2015-0221).

Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this
issue to cause a large number of SQL queries, resulting in a database
denial of service. Note that this issue only affected python-django
(CVE-2015-0222).

Cross-site scripting (XSS) vulnerability in the contents function
in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2
allows remote attackers to inject arbitrary web script or HTML via
a model attribute in ModelAdmin.readonly_fields, as demonstrated by
a @property (CVE-2015-2241).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0220
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0222
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2241
http://advisories.mageia.org/MGASA-2015-0026.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f5401bdad08aa38aeb7d7b722e663128 mbs2/x86_64/python3-django-1.7.7-1.mbs2.noarch.rpm
e47fddab7db9e487deb8974880ba475b mbs2/x86_64/python-django-1.7.7-1.mbs2.noarch.rpm
f9022725b658fd13fe8c2a32ff5a3bbf mbs2/x86_64/python-django-bash-completion-1.7.7-1.mbs2.noarch.rpm
ce25238c42af0efb885ae649890fed2e mbs2/x86_64/python-django-doc-1.7.7-1.mbs2.noarch.rpm
f2f73820c324f1a946d0d55557fd24c2 mbs2/SRPMS/python-django-1.7.7-1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:110
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : postgresql
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated postgresql packages fix multiple security vulnerabilities:

Granting a role without ADMIN OPTION is supposed to prevent the
grantee from adding or removing members from the granted role, but
this restriction was easily bypassed by doing SET ROLE first. The
security impact is mostly that a role member can revoke the access
of others, contrary to the wishes of his grantor. Unapproved role
member additions are a lesser concern, since an uncooperative role
member could provide most of his rights to others anyway by creating
views or SECURITY DEFINER functions (CVE-2014-0060).

The primary role of PL validator functions is to be called implicitly
during CREATE FUNCTION, but they are also normal SQL functions
that a user can call explicitly. Calling a validator on a function
actually written in some other language was not checked for and could
be exploited for privilege-escalation purposes. The fix involves
adding a call to a privilege-checking function in each validator
function. Non-core procedural languages will also need to make this
change to their own validator functions, if any (CVE-2014-0061).

If the repeated name lookups performed during a DDL command come to
different conclusions due to concurrent activity, some parts of the DDL
might be performed on a different table than other parts. At least in
the case of CREATE INDEX, this can be used to cause the permissions
checks to be performed against a different table than the index creation,
allowing for a privilege escalation attack (CVE-2014-0062).

The MAXDATELEN constant was too small for the longest possible value of
type interval, allowing a buffer overrun in interval_out(). Although
the datetime input functions were more careful about avoiding buffer
overrun, the limit was short enough to cause them to reject some valid
inputs, such as input containing a very long timezone name. The ecpg
library contained these vulnerabilities along with some of its own
(CVE-2014-0063).

Several functions, mostly type input functions, calculated an
allocation size without checking for overflow. If overflow did
occur, a too-small buffer would be allocated and then written past
(CVE-2014-0064).

strlcpy() and related functions are now used to provide a clear guarantee
that fixed-size buffers are not overrun. Unlike the preceding items,
it is unclear whether these cases really represent live issues,
since in most cases there appear to be previous constraints on the
size of the input string. Nonetheless it seems prudent to silence
all Coverity warnings of this type (CVE-2014-0065).

There are relatively few scenarios in which crypt() could return NULL,
but contrib/chkpass would crash if it did. One practical case in which
this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., FIPS mode) (CVE-2014-0066).

Since the temporary server started by make check uses trust
authentication, another user on the same machine could connect to it
as database superuser, and then potentially exploit the privileges of
the operating-system user who started the tests. A future release will
probably incorporate changes in the testing procedure to prevent this
risk, but some public discussion is needed first. So for the moment,
just warn people against using make check when there are untrusted
users on the same machine (CVE-2014-0067).

A user with limited clearance on a table might gain access to
information in columns on which they lack SELECT rights, through server
error messages (CVE-2014-8161).

The function to_char() might read/write past the end of a buffer. This
might crash the server when a formatting template is processed
(CVE-2015-0241).

The pgcrypto module is vulnerable to stack buffer overrun that might
crash the server (CVE-2015-0243).

Emil Lenngren reported that an attacker can inject SQL commands when
the synchronization between client and server is lost (CVE-2015-0244).

This update provides PostgreSQL versions 9.3.6 and 9.2.10 that fix
these issues, as well as several others.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244
http://advisories.mageia.org/MGASA-2014-0205.html
http://advisories.mageia.org/MGASA-2015-0069.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f99a635c6f82735fbc2b95e152f09efb mbs2/x86_64/lib64ecpg9.2_6-9.2.10-1.mbs2.x86_64.rpm
d57166faca3e9d1b932cdd43c04b4d3a mbs2/x86_64/lib64ecpg9.3_6-9.3.6-1.mbs2.x86_64.rpm
6e4f38d6fb5b9bb91e9f2eab3e567e1f mbs2/x86_64/lib64pq9.2_5.5-9.2.10-1.mbs2.x86_64.rpm
6671c3cf6916cf829c3e3bc0332190a7 mbs2/x86_64/lib64pq9.3_5-9.3.6-1.mbs2.x86_64.rpm
eda79e884356acdd4bc3776eb9f082d7 mbs2/x86_64/postgresql9.2-9.2.10-1.mbs2.x86_64.rpm
78ed2566f404f6af31337690f52851ca mbs2/x86_64/postgresql9.2-contrib-9.2.10-1.mbs2.x86_64.rpm
153a4a063504fa1fa1842b127712bfe0 mbs2/x86_64/postgresql9.2-devel-9.2.10-1.mbs2.x86_64.rpm
9bfdccf6a88c6b13496c7da4de2bca34 mbs2/x86_64/postgresql9.2-docs-9.2.10-1.mbs2.noarch.rpm
6b76f8d61fd457f92d90b1959fb1dea3 mbs2/x86_64/postgresql9.2-pl-9.2.10-1.mbs2.x86_64.rpm
8526ab569ed5362fc7a92fa23dca98b6 mbs2/x86_64/postgresql9.2-plperl-9.2.10-1.mbs2.x86_64.rpm
412cb6f09cb609fcbb09d3259f534dfc mbs2/x86_64/postgresql9.2-plpgsql-9.2.10-1.mbs2.x86_64.rpm
c95ce4440833dfc828c9ee8eecbcea17 mbs2/x86_64/postgresql9.2-plpython-9.2.10-1.mbs2.x86_64.rpm
50b9c0b0197667b390ba47ccd00770d4 mbs2/x86_64/postgresql9.2-pltcl-9.2.10-1.mbs2.x86_64.rpm
c019e6c9930eafc094f287ee7461aaaa mbs2/x86_64/postgresql9.2-server-9.2.10-1.mbs2.x86_64.rpm
d2a51e59c752f3ddb3ea6c77f7502433 mbs2/x86_64/postgresql9.3-9.3.6-1.mbs2.x86_64.rpm
60e543ac5e51171e6669e68b0a5a2eb3 mbs2/x86_64/postgresql9.3-contrib-9.3.6-1.mbs2.x86_64.rpm
483126b5d66cd0f375ec9732677b2808 mbs2/x86_64/postgresql9.3-devel-9.3.6-1.mbs2.x86_64.rpm
0b361bfcbc87273de585f3f9c4c6a618 mbs2/x86_64/postgresql9.3-docs-9.3.6-1.mbs2.noarch.rpm
357b9a02ee0271876013e2db04025721 mbs2/x86_64/postgresql9.3-pl-9.3.6-1.mbs2.x86_64.rpm
7bd4f962c795ee04836f1e162c1e6b7e mbs2/x86_64/postgresql9.3-plperl-9.3.6-1.mbs2.x86_64.rpm
66e4b7668e00e0d16d6570ea7f1651fa mbs2/x86_64/postgresql9.3-plpgsql-9.3.6-1.mbs2.x86_64.rpm
13e4930b5a0dbe06a5b886a83401470a mbs2/x86_64/postgresql9.3-plpython-9.3.6-1.mbs2.x86_64.rpm
32e568d9ba610c58e6587b04d4cdb6ab mbs2/x86_64/postgresql9.3-pltcl-9.3.6-1.mbs2.x86_64.rpm
0b8899321e95fd17fc6aa954fb450a0d mbs2/x86_64/postgresql9.3-server-9.3.6-1.mbs2.x86_64.rpm
f5856e921124345cf4dbadd41bfaab9d mbs2/SRPMS/postgresql9.2-9.2.10-1.mbs2.src.rpm
ca1994bd36f7310b82ec57914dd8496d mbs2/SRPMS/postgresql9.3-9.3.6-1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:111
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libxml2
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libxml2 packages fix security vulnerabilities:

It was discovered that libxml2, a library providing support to
read, modify and write XML files, incorrectly performs entity
substitution in the doctype prolog, even if the application using
libxml2 disabled any entity substitution. A remote attacker could
provide a specially-crafted XML file that, when processed, would lead
to the exhaustion of CPU and memory resources or file descriptors
(CVE-2014-0191).

A denial of service flaw was found in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by
an application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior
(CVE-2014-3660).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
http://advisories.mageia.org/MGASA-2014-0214.html
http://advisories.mageia.org/MGASA-2014-0418.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a35559f4de0f536e3a6468d310edb22a mbs2/x86_64/lib64xml2_2-2.9.1-3.1.mbs2.x86_64.rpm
0a6a1369092011423c7166a214e8c828 mbs2/x86_64/lib64xml2-devel-2.9.1-3.1.mbs2.x86_64.rpm
4b0c0e185dd14ecdb6f7440e324ca1af mbs2/x86_64/libxml2-python-2.9.1-3.1.mbs2.x86_64.rpm
c80299579258833fd0899b9ec4ed1cfd mbs2/x86_64/libxml2-utils-2.9.1-3.1.mbs2.x86_64.rpm
bcacc9a4c667c5511db76d0512a38d29 mbs2/SRPMS/libxml2-2.9.1-3.1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:112
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-lxml
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-lxml packages fix a security vulnerability:

The clean_html() function, provided by the lxml.html.clean module,
did not properly clean HTML input if it included non-printable
characters (\x01-\x08). A remote attacker could use this flaw to serve
malicious content to an application using the clean_html() function to
process HTML, possibly allowing the attacker to inject malicious code
into a website generated by this application (CVE-2014-3146).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3146
http://advisories.mageia.org/MGASA-2014-0218.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
fd09937c8512eba8dcc9e73c793e4e4e mbs2/x86_64/python3-lxml-3.2.4-1.1.mbs2.x86_64.rpm
051ab600dc56ab6925b03e7727678967 mbs2/x86_64/python-lxml-3.2.4-1.1.mbs2.x86_64.rpm
7d6deaef5ed3cfa6856401d06707b094 mbs2/x86_64/python-lxml-docs-3.2.4-1.1.mbs2.noarch.rpm
238755f1111909e6c968f1f597502036 mbs2/SRPMS/python-lxml-3.2.4-1.1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:113
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : dovecot
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated dovecot packages fix a security vulnerability:

Dovecot before 2.2.13 is vulnerable to a DoS attack against
imap/pop3-login processes. If SSL/TLS handshake was started but
wasn’t finished, the login process attempted to eventually forcibly
disconnect the client, but failed to do it correctly. This could have
left the connections hanging around for a long time (CVE-2014-3430).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430
http://advisories.mageia.org/MGASA-2014-0223.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
1eb6e9066872c78e1755c1971036fc16 mbs2/x86_64/dovecot-2.2.6-3.1.mbs2.x86_64.rpm
656bf9481ba301e634d6a726f794dda5 mbs2/x86_64/dovecot-devel-2.2.6-3.1.mbs2.x86_64.rpm
25eba263e3a69fe651c0ed6337949830 mbs2/x86_64/dovecot-pigeonhole-2.2.6-3.1.mbs2.x86_64.rpm
67c9662509cf9fa64d129d846c06627a mbs2/x86_64/dovecot-pigeonhole-devel-2.2.6-3.1.mbs2.x86_64.rpm
11c9627af2b38d1935527942a3e66870 mbs2/x86_64/dovecot-plugins-gssapi-2.2.6-3.1.mbs2.x86_64.rpm
dfc56f23f07520c804b8af8688abdbbc mbs2/x86_64/dovecot-plugins-ldap-2.2.6-3.1.mbs2.x86_64.rpm
3ce270a44b749aef02b65b717518e93b mbs2/x86_64/dovecot-plugins-mysql-2.2.6-3.1.mbs2.x86_64.rpm
3610ca4c251604b05101401712af1694 mbs2/x86_64/dovecot-plugins-pgsql-2.2.6-3.1.mbs2.x86_64.rpm
9abe3f4567e180fcd9cbeaf0af8ea4e5 mbs2/x86_64/dovecot-plugins-sqlite-2.2.6-3.1.mbs2.x86_64.rpm
7d92ecbc2cb08e9591cd9b1be0326f49 mbs2/SRPMS/dovecot-2.2.6-3.1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:114
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cifs-utils
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated cifs-utils packages fix a security vulnerability:

Sebastian Krahmer discovered a stack-based buffer overflow flaw in
cifscreds.c (CVE-2014-2830).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2830
http://advisories.mageia.org/MGASA-2014-0242.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f774cd2374f052f0ae020d167ab36235 mbs2/x86_64/cifs-utils-6.2-3.1.mbs2.x86_64.rpm
b80b0b335a9151a6c2d0121e948a9ed7 mbs2/x86_64/cifs-utils-devel-6.2-3.1.mbs2.x86_64.rpm
cebc2fbe53ce44f9a3a0a3adbd89924c mbs2/SRPMS/cifs-utils-6.2-3.1.mbs2.src.rpm
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:115
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libvirt
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libvirt packages fix security vulnerabilities:

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through
1.2.1 allows local users to (1) delete arbitrary host devices
via the virDomainDeviceDettach API and a symlink attack on /dev
in the container; (2) create arbitrary nodes (mknod) via the
virDomainDeviceAttach API and a symlink attack on /dev in the
container; and cause a denial of service (shutdown or reboot host
OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a
symlink attack on /dev/initctl in the container, related to paths under
/proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).

libvirt was patched to prevent expansion of entities when parsing XML
files. This vulnerability allowed malicious users to read arbitrary
files or cause a denial of service (CVE-2014-0179).

An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).

Eric Blake discovered that libvirt incorrectly handled permissions
when processing the qemuDomainFormatXML command. An attacker with
read-only privileges could possibly use this to gain access to certain
information from the domain xml file (CVE-2014-7823).

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions
in qemu/qemu_driver.c in libvirt do not unlock the domain when an
ACL check fails, which allows local users to cause a denial of service
via unspecified vectors (CVE-2014-8136).

The XML getters for save images and snapshot objects don’t
check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump
security sensitive information. A remote attacker able to establish
a connection to libvirtd could use this flaw to leak certain
limited information from the domain xml file (CVE-2015-0236).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3633
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0236
http://advisories.mageia.org/MGASA-2014-0243.html
http://advisories.mageia.org/MGASA-2014-0401.html
http://advisories.mageia.org/MGASA-2014-0470.html
http://advisories.mageia.org/MGASA-2015-0002.html
http://advisories.mageia.org/MGASA-2015-0046.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
5313ea3546fbd0a7d405763c9e24663a mbs2/x86_64/lib64virt0-1.2.1-2.1.mbs2.x86_64.rpm
c82b1a481cb77c15bf95e59dfba4afda mbs2/x86_64/lib64virt-devel-1.2.1-2.1.mbs2.x86_64.rpm
ecf57a179ebe28c087a3f524003b85a3 mbs2/x86_64/libvirt-utils-1.2.1-2.1.mbs2.x86_64.rpm
260c157e422046f855924b0242d34240 mbs2/SRPMS/libvirt-1.2.1-2.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7aImqjQ0CJFipgRArwYAKDZ6tugHK8st/ya5LrtR3gX2ZrnywCdHyWm
C22Z3ojDBaFHLrr1SEQmuMc=
=bnrU
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject: unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:116
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libtasn1
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libtasn1 packages fix security vulnerabilities:

Multiple buffer boundary check issues were discovered in libtasn1
library, causing it to read beyond the boundary of an allocated buffer.
An untrusted ASN.1 input could cause an application using the library
to crash (CVE-2014-3467).

It was discovered that the libtasn1 library function asn1_get_bit_der()
could incorrectly report a negative bit length for the value read from
ASN.1 input. This could possibly lead to an out-of-bounds access in
an application using libtasn1, for example if the application
tried to terminate the read value with a NUL byte (CVE-2014-3468).
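The length arithmetic behind CVE-2014-3468, as an added C example that is not libtasn1's code: a constructed DER BIT STRING header decoder that validates the untrusted length octet and the unused-bits octet before deriving a bit count, so the result can never go negative. Only short-form (single-octet) lengths are handled; all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * A DER BIT STRING is tag 0x03, a length L, one "unused bits" octet and
 * then L-1 data octets; its bit length is (L-1)*8 - unused. A decoder
 * that computes that from an untrusted L without requiring L >= 1 turns
 * an input with L == 0 into a negative bit length, and a caller that then
 * writes value[length] = '\0' to terminate the value accesses out of bounds.
 * Constructed example, not libtasn1's implementation.
 */

/*
 * Decode the header of a DER BIT STRING held in der[0..n). On success sets
 * *payload to the first data octet and *bit_len to the number of bits, and
 * returns 0; returns -1 for any malformed or truncated encoding.
 */
int der_bit_string_bits(const uint8_t *der, size_t n,
                        const uint8_t **payload, long *bit_len)
{
    if (n < 2 || der[0] != 0x03)
        return -1;                 /* wrong tag or no length octet at all */
    size_t len = der[1];
    if (len >= 0x80)
        return -1;                 /* long-form length: out of scope here */
    if (len == 0)
        return -1;                 /* the CVE-2014-3468 shape: (0-1)*8 < 0 */
    if (n - 2 < len)
        return -1;                 /* length claims more octets than present */
    unsigned unused = der[2];
    if (unused > 7)
        return -1;                 /* at most 7 trailing bits may be unused */
    if (len == 1 && unused != 0)
        return -1;                 /* an empty string must declare 0 unused */
    *payload = der + 3;
    *bit_len = (long)(len - 1) * 8 - (long)unused;   /* >= 0 by construction */
    return 0;
}

/* Constructed sample encodings. */
static const uint8_t ok_bits[]    = { 0x03, 0x03, 0x06, 0x6e, 0x40 }; /* 10 bits */
static const uint8_t zero_len[]   = { 0x03, 0x00 };                   /* L == 0   */
static const uint8_t bad_unused[] = { 0x03, 0x02, 0x09, 0xff };       /* unused 9 */

/* Bit count of ok_bits, or -1 if rejected. */
long demo_ok(void)
{
    const uint8_t *p; long bits;
    return der_bit_string_bits(ok_bits, sizeof ok_bits, &p, &bits) == 0 ? bits : -1;
}
/* Both malformed inputs must be rejected (-1) rather than decoded. */
int demo_zero_len(void)
{
    const uint8_t *p; long bits;
    return der_bit_string_bits(zero_len, sizeof zero_len, &p, &bits);
}
int demo_bad_unused(void)
{
    const uint8_t *p; long bits;
    return der_bit_string_bits(bad_unused, sizeof bad_unused, &p, &bits);
}

int main(void)
{
    printf("valid BIT STRING: %ld bits\n", demo_ok());        /* 10 */
    printf("zero-length:      %d\n", demo_zero_len());         /* -1 */
    printf("unused > 7:       %d\n", demo_bad_unused());       /* -1 */
    return 0;
}
```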

A NULL pointer dereference flaw was found in libtasn1’s
asn1_read_value_type() / asn1_read_value() function. If an application
called the function with a NULL value for the ivalue argument to
determine the amount of memory needed to store data to be read from
the ASN.1 input, libtasn1 could incorrectly attempt to dereference
the NULL pointer, causing an application using the library to crash
(CVE-2014-3469).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
http://advisories.mageia.org/MGASA-2014-0247.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
de6bb1c43cf66acc391b0866c78acc9d mbs2/x86_64/lib64tasn1_6-3.6-1.mbs2.x86_64.rpm
7190acef1aaac85573ade2ff1f25921e mbs2/x86_64/lib64tasn1-devel-3.6-1.mbs2.x86_64.rpm
5d87f79d7d3f3abb3d1b08e594eb5112 mbs2/x86_64/libtasn1-tools-3.6-1.mbs2.x86_64.rpm
67339ddfd49a0693dd664309fe47b351 mbs2/SRPMS/libtasn1-3.6-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7hQmqjQ0CJFipgRAsOhAJ4i3LBbQrVk+SQcbOz4w0m15f0yQgCgjADw
jh8cZSlUEuElsAbYnL80Ewg=
=S9im
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:117
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : emacs
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated emacs packages fix security vulnerabilities:

Steve Kemp discovered multiple temporary file handling issues in
Emacs. A local attacker could use these flaws to perform symbolic link
attacks against users running Emacs (CVE-2014-3421, CVE-2014-3422,
CVE-2014-3423, CVE-2014-3424).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3424
http://advisories.mageia.org/MGASA-2014-0250.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d9f008f7b320e274f828f4e3c12f87fe mbs2/x86_64/emacs-24.3-7.1.mbs2.x86_64.rpm
f0a641e5e2f16a28daeafa623c0fd179 mbs2/x86_64/emacs-common-24.3-7.1.mbs2.x86_64.rpm
c367752961a74f31e1b8111f8e363777 mbs2/x86_64/emacs-doc-24.3-7.1.mbs2.noarch.rpm
0e0536e56c6a7f94cd52ed72908ca471 mbs2/x86_64/emacs-el-24.3-7.1.mbs2.noarch.rpm
a5d5e9f3bd2e77b4a8094c4e7b147477 mbs2/x86_64/emacs-leim-24.3-7.1.mbs2.noarch.rpm
14ffc339e2302b0252e0e82148c7eecd mbs2/x86_64/emacs-nox-24.3-7.1.mbs2.x86_64.rpm
ecef0a2fcec34515d8243558d9dc91dd mbs2/SRPMS/emacs-24.3-7.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7kBmqjQ0CJFipgRAqDfAKDFvMnvZoOdeSt2qSR/6bI3tWs4nwCaAveC
pnnVGz4Fon1YLjznhhMTSwo=
=Ehsq
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:118
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : xlockmore
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated xlockmore packages fix security vulnerability:

xlockmore before 5.45 contains a security flaw related to a bad value
of fnt for pyro2 which could cause an X error. This update backports
the fix for version 5.43.
_______________________________________________________________________

References:

http://advisories.mageia.org/MGASA-2014-0554.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d630b77faf09d5a4d5cec661297776d7 mbs2/x86_64/xlockmore-5.43-2.1.mbs2.x86_64.rpm
7471f2552eb0a5e81dfd1febc6e6ee2f mbs2/x86_64/xlockmore-gtk2-5.43-2.1.mbs2.x86_64.rpm
19b70d4a6e7361314e9cc8e67cdea6fd mbs2/SRPMS/xlockmore-5.43-2.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7qHmqjQ0CJFipgRAmEFAJ9VX+wpS9rTKl01vPBwCwqAFTDPXwCgiOg5
BzjsS7Y7o5JyxJYtZSVt9HE=
=54Y8
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:119
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : x11-server
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated x11-server packages fix security vulnerabilities:

Ilja van Sprundel of IOActive discovered several security issues in the
X.org X server, which may lead to privilege escalation or denial of
service (CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094,
CVE-2014-8095, CVE-2014-8096, CVE-2014-8097, CVE-2014-8098,
CVE-2014-8099, CVE-2014-8100, CVE-2014-8101, CVE-2014-8102).

Olivier Fourdan from Red Hat has discovered a protocol handling
issue in the way the X server code base handles the XkbSetGeometry
request, where the server trusts the client to send valid string
lengths. A malicious client with string lengths exceeding the
request length can cause the server to copy adjacent memory data
into the XKB structs. This data is then available to the client via
the XkbGetGeometry request. This can lead to information disclosure
issues, as well as possibly a denial of service if a similar request
can cause the server to crash (CVE-2015-0255).
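The trust failure described above, as an added C example that is neither the X server's code nor the real XkbSetGeometry wire format: a constructed request layout with client-supplied counted strings (16-bit length, then the bytes), parsed with the bounds check against the remaining request length that CVE-2015-0255 lacked. All names and the encoding are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the CVE-2015-0255 bug class: a request carries
 * client-chosen string lengths, and the server must check each one against
 * the bytes actually remaining in the request before copying. The layout used
 * here is a simplification for the example, not the XKB protocol encoding.
 */

typedef struct {
    const uint8_t *cur;   /* next unread byte of the request */
    const uint8_t *end;   /* one past the last byte of the request */
} req_cursor;

/*
 * Read one counted string into dst (NUL-terminated) and return its length,
 * or -1 if the declared length is not backed by request bytes. An unchecked
 * decoder would call memcpy(dst, rc->cur, len) straight after decoding len;
 * for len > remaining that copies whatever memory follows the request buffer
 * into the server's structures, which a later getter hands back to the client.
 */
static int read_counted_string(req_cursor *rc, char *dst, size_t dst_cap)
{
    size_t remaining = (size_t)(rc->end - rc->cur);
    if (remaining < 2)
        return -1;                       /* no room for the length field */
    size_t len = (size_t)rc->cur[0] | ((size_t)rc->cur[1] << 8);
    rc->cur += 2;
    remaining -= 2;
    if (len > remaining)                 /* the check the flaw was missing */
        return -1;
    if (len >= dst_cap)                  /* and respect our own buffer too */
        return -1;
    memcpy(dst, rc->cur, len);
    dst[len] = '\0';
    rc->cur += len;
    return (int)len;
}

/*
 * Parse every string in a request. Returns the count, or -1 if any length
 * field is inconsistent with the request size; the request is rejected as a
 * whole rather than partially applied.
 */
int count_request_strings(const uint8_t *req, size_t req_len)
{
    req_cursor rc = { req, req + req_len };
    char name[64];
    int n = 0;
    while (rc.cur < rc.end) {
        if (read_counted_string(&rc, name, sizeof name) < 0)
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample requests. */
static const uint8_t good_req[] = { 3, 0, 'k','e','y',   2, 0, 'x','y' };
/* Second string claims 200 bytes while only 2 follow: the CVE-2015-0255 shape. */
static const uint8_t bad_req[]  = { 3, 0, 'k','e','y', 200, 0, 'x','y' };

int demo_good(void) { return count_request_strings(good_req, sizeof good_req); }
int demo_bad(void)  { return count_request_strings(bad_req,  sizeof bad_req);  }

int main(void)
{
    printf("well-formed request: %d strings\n", demo_good());    /* 2  */
    printf("oversized length:    %d (rejected)\n", demo_bad());  /* -1 */
    return 0;
}
```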
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255
http://advisories.mageia.org/MGASA-2014-0532.html
http://advisories.mageia.org/MGASA-2015-0073.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d9de24245bf452fa208ce722ce58c0c4 mbs2/x86_64/x11-server-1.14.5-3.1.mbs2.x86_64.rpm
ef5ee1a16e59ffae7778412941fb93e4 mbs2/x86_64/x11-server-common-1.14.5-3.1.mbs2.x86_64.rpm
a27cff3cf97c4361132359441b13fd58 mbs2/x86_64/x11-server-devel-1.14.5-3.1.mbs2.x86_64.rpm
407b8d00033478227c18f2b6f9c7b387 mbs2/x86_64/x11-server-source-1.14.5-3.1.mbs2.noarch.rpm
6672056e57197215ab30be5763ce9422 mbs2/x86_64/x11-server-xdmx-1.14.5-3.1.mbs2.x86_64.rpm
864929bb7acad38a28cb8f126b440600 mbs2/x86_64/x11-server-xephyr-1.14.5-3.1.mbs2.x86_64.rpm
a29866186220c8f71eb18486a132ae57 mbs2/x86_64/x11-server-xfake-1.14.5-3.1.mbs2.x86_64.rpm
866e5323ec9efd6857e8ec83d3109ac2 mbs2/x86_64/x11-server-xfbdev-1.14.5-3.1.mbs2.x86_64.rpm
65906a705206237aab0303b5dd9358d8 mbs2/x86_64/x11-server-xnest-1.14.5-3.1.mbs2.x86_64.rpm
3840ccdf06db9d53914af96cee6e487d mbs2/x86_64/x11-server-xorg-1.14.5-3.1.mbs2.x86_64.rpm
8d9de7a9081ec613edac5e27b339af24 mbs2/x86_64/x11-server-xvfb-1.14.5-3.1.mbs2.x86_64.rpm
5bb951907ff0d8ae6087f812d8cf069b mbs2/SRPMS/x11-server-1.14.5-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7vNmqjQ0CJFipgRApeZAJoDcvfgKg1km5JKQz+iWRo/aZbCPgCg5PEC
rUnw2V62YoeD+/u29uMFLxs=
=0EhW
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:120
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : wpa_supplicant
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated wpa_supplicant and hostapd packages fix security vulnerability:

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).

Using the Mandriva wpa_supplicant package, systems are exposed to
the vulnerability if operating as a WPS registrar.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
http://advisories.mageia.org/MGASA-2014-0429.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
dbd52ddc6494b7692d047d0172fcd2f1 mbs2/x86_64/wpa_supplicant-2.0-3.1.mbs2.x86_64.rpm
689cc6ca178cbde9c4f176da99cc149c mbs2/SRPMS/wpa_supplicant-2.0-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF7zRmqjQ0CJFipgRAsX8AJ9UChM53X1dsWe7+OjNMfHmGX5WUACfTVxj
wjMmceG2pPxgGXEp3CVopjc=
=SEAG
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:121
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : wget
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated wget package fixes security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves
the pointed-to file in such a retrieval. The old behaviour can be
attained by passing the --retr-symlinks=no option to the wget command.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
http://advisories.mageia.org/MGASA-2014-0431.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
41dc04fb6f6ec2bd55a3f8a971c75bab mbs2/x86_64/wget-1.14-5.1.mbs2.x86_64.rpm
32cc541180c974ae1e47566fc106a1ed mbs2/SRPMS/wget-1.14-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF71SmqjQ0CJFipgRAq9DAJ4g7oVl4kD/BtBzIusiezlHlcgNpACglhTJ
KGmThIXgPmVvTdAgw33lc+Q=
=uBEw
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:122
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : util-linux
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated util-linux packages fix security vulnerability:

Sebastian Krahmer reported a command injection flaw in blkid. This
could possibly result in command execution with root privileges
(CVE-2014-9114).

The util-linux package has been updated to version 2.24.2 and patched
to fix this issue and other bugs.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9114
http://advisories.mageia.org/MGASA-2014-0517.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
0dd96e136f3f056594564d97facd1a93 mbs2/x86_64/lib64blkid1-2.24.2-1.1.mbs2.x86_64.rpm
57c8d8643c8e92fab118f4cd230838b4 mbs2/x86_64/lib64blkid-devel-2.24.2-1.1.mbs2.x86_64.rpm
45c8d65f52e41cae00a7cebd904569e5 mbs2/x86_64/lib64mount1-2.24.2-1.1.mbs2.x86_64.rpm
fd637e2df1c9fdc281e0f679ab9586b5 mbs2/x86_64/lib64mount-devel-2.24.2-1.1.mbs2.x86_64.rpm
326f1e2de1593264299b19012eb94c12 mbs2/x86_64/lib64uuid1-2.24.2-1.1.mbs2.x86_64.rpm
bc4025575524f5b2a9a975cb6062a34d mbs2/x86_64/lib64uuid-devel-2.24.2-1.1.mbs2.x86_64.rpm
47a401e4e6b799072532b08d4faeb03c mbs2/x86_64/util-linux-2.24.2-1.1.mbs2.x86_64.rpm
3b0301982a44dfb540cd6d6851538051 mbs2/x86_64/uuidd-2.24.2-1.1.mbs2.x86_64.rpm
795dac104cdce5a7af82cba1e402ed66 mbs2/SRPMS/util-linux-2.24.2-1.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF79pmqjQ0CJFipgRAhH1AKCwarHBHmyfdm8jGPqN55oC5Zs2XwCfdNz+
Rvogf83ajS0QJRqEfxFhjqw=
=t53C
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:123
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : unzip
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated unzip package fixes security vulnerabilities:

The unzip command line tool is affected by heap-based buffer overflows
within the CRC32 verification (CVE-2014-8139), the test_compr_eb()
(CVE-2014-8140) and the getZip64Data() (CVE-2014-8141) functions. The
input errors may result in arbitrary code execution. A specially
crafted zip file, passed to the command unzip -t, can be used to
trigger the vulnerability.

OOB access (both read and write) issues also exist in test_compr_eb()
that can result in application crash or other unspecified impact. A
specially crafted zip file, passed to the command unzip -t, can be
used to trigger the issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141
http://advisories.mageia.org/MGASA-2014-0562.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
c2c82b38cd5da29a86e679069bd67af7 mbs2/x86_64/unzip-6.0-12.1.mbs2.x86_64.rpm
dde696821dde524b26614d019f9257e9 mbs2/SRPMS/unzip-6.0-12.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF8AemqjQ0CJFipgRAu0kAJ9KelWheNASojgfypa1idE7R+cWcwCeIk2n
0Qt4trJdaF5uoa958NqhUHc=
=TjL+
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:124
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : torque
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated torque packages fix security vulnerabilities:

Chad Vizino reported that within a TORQUE Resource Manager job a
non-root user could use a vulnerability in the tm_adopt() library
call to kill processes he/she doesn’t own including root-owned ones
on any node in a job (CVE-2014-3684).

This update implements the upstream fixes.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3684
http://advisories.mageia.org/MGASA-2014-0408.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
7f266b55664de9a36b87619243b71944 mbs2/x86_64/lib64torque2-4.1.6-5.1.mbs2.x86_64.rpm
c8c7a345ad186a3754d35e1e9b6583ce mbs2/x86_64/lib64torque-devel-4.1.6-5.1.mbs2.x86_64.rpm
ca99868488904e804f17ceea4b44c7ed mbs2/x86_64/torque-4.1.6-5.1.mbs2.x86_64.rpm
b16f59f3a3fd0785d233756b2e7c8175 mbs2/x86_64/torque-client-4.1.6-5.1.mbs2.x86_64.rpm
054dbb1de559fdd4a87618753ce9ec73 mbs2/x86_64/torque-gui-4.1.6-5.1.mbs2.x86_64.rpm
63eeffd643e33f368e22a936ac2b413a mbs2/x86_64/torque-mom-4.1.6-5.1.mbs2.x86_64.rpm
e342a03fb5e77924f7a76c506f3aaaea mbs2/x86_64/torque-sched-4.1.6-5.1.mbs2.x86_64.rpm
a28aa1997c065db22a1515119366ce17 mbs2/x86_64/torque-server-4.1.6-5.1.mbs2.x86_64.rpm
5103137284de03ec5fabbd2192281740 mbs2/SRPMS/torque-4.1.6-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF8HgmqjQ0CJFipgRAgMjAJ40lLLcwBZBoqKo4iRgX26QVLs2GQCeM/J3
wxrCCfAxe0VStyG6koxKugw=
=1TlF
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:125
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : tcpdump
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated tcpdump package fixes security vulnerabilities:

The Tcpdump program could crash when processing a malformed OLSR
payload when the verbose output flag was set (CVE-2014-8767).

The application decoder for the Ad hoc On-Demand Distance Vector (AODV)
protocol in Tcpdump fails to perform input validation and performs
unsafe out-of-bound accesses. The application will usually not crash,
but perform out-of-bounds accesses and output/leak larger amounts of
invalid data, which might lead to dropped packets. It is unknown if
a payload exists that might trigger segfaults (CVE-2014-8769).

It was discovered that tcpdump incorrectly handled printing PPP
packets. A remote attacker could use this issue to cause tcpdump to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2014-9140).

Several vulnerabilities have been discovered in tcpdump. These
vulnerabilities might result in denial of service (application
crash) or, potentially, execution of arbitrary code (CVE-2015-0261,
CVE-2015-2153, CVE-2015-2154, CVE-2015-2155).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8767
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2155
http://advisories.mageia.org/MGASA-2014-0503.html
http://advisories.mageia.org/MGASA-2014-0511.html
http://advisories.mageia.org/MGASA-2015-0114.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
1180c018a9b5d69f4a1ca1ec2c401e4a mbs2/x86_64/tcpdump-4.4.0-0.2.mbs2.x86_64.rpm
eef0acb6047e3127955be03f2ec91c88 mbs2/SRPMS/tcpdump-4.4.0-0.2.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:126
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : sudo
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated sudo packages fix security vulnerability:

Prior to sudo 1.8.12, the TZ environment variable was passed through
unchecked. Most libc tzset() implementations support passing
an absolute pathname in the time zone to point to an arbitrary,
user-controlled file. This may be used to exploit bugs in the C
library’s TZ parser or open files the user would not otherwise have
access to. Arbitrary file access via TZ could also be used in a denial
of service attack by reading from a file or fifo that will block
(CVE-2014-9680).

The sudo package has been updated to version 1.8.12, fixing this
issue and several other bugs.
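The following is an added illustration, not code from the advisory or from sudo, of the kind of TZ sanity check sudo 1.8.12 adopted: it re-implements the rules in Python so the decision logic can be tested stand-alone. ZONEINFO_DIR and PATH_MAX are assumed constants.

```python
import string

# Assumed constants for this example: the system zoneinfo directory and the
# path length limit the check enforces.
ZONEINFO_DIR = "/usr/share/zoneinfo"
PATH_MAX = 4096

# Printable, non-whitespace ASCII: the only characters a sane TZ value needs.
_ALLOWED = set(string.printable) - set(string.whitespace)


def tz_is_sane(tzval: str) -> bool:
    """Return True if a TZ value is safe to hand to a privileged child.

    Hypothetical re-implementation of the kind of check sudo 1.8.12 adopted
    (not sudo's code). Rules:
      * tzset() treats a value starting with ':' as a file path, so the
        colon is stripped before the rest is examined;
      * an absolute path is accepted only below ZONEINFO_DIR, so TZ cannot
        point the C library at an arbitrary user-controlled file or fifo;
      * no '..' path component, so a relative name cannot escape the
        zoneinfo directory;
      * printable, non-whitespace characters only, and shorter than PATH_MAX.
    """
    if tzval.startswith(":"):
        tzval = tzval[1:]
    if tzval.startswith("/"):
        if not tzval.startswith(ZONEINFO_DIR.rstrip("/") + "/"):
            return False
    if len(tzval) >= PATH_MAX:
        return False
    if ".." in tzval.split("/"):
        return False
    return all(ch in _ALLOWED for ch in tzval)


def filter_environment(env: dict) -> dict:
    """Copy of env with TZ removed when it fails the sanity check."""
    out = dict(env)
    tz = out.get("TZ")
    if tz is not None and not tz_is_sane(tz):
        del out["TZ"]
    return out
```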
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9680
http://advisories.mageia.org/MGASA-2015-0079.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
6ed0eae05d8850045a5e3195b19f1b86 mbs2/x86_64/sudo-1.8.12-1.mbs2.x86_64.rpm
28b150485a3212819aed04e3f9d57479 mbs2/x86_64/sudo-devel-1.8.12-1.mbs2.x86_64.rpm
aff8ffe7a8374c94f38058b5464d7e5c mbs2/SRPMS/sudo-1.8.12-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:127
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : serf
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated serf packages fix security vulnerability:

Ben Reser discovered that serf did not correctly handle SSL
certificates with NUL bytes in the CommonName or SubjectAltNames
fields. A remote attacker could exploit this to perform a man in
the middle attack to view sensitive information or alter encrypted
communications (CVE-2014-3504).
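As an added example (not serf's code and not part of the advisory), this is what a certificate name check has to do to be immune to the embedded-NUL problem described above: treat the name as length-delimited data and reject any NUL before comparing. The wildcard and SAN-precedence rules are the usual RFC 6125 ones and are assumptions of this example.

```python
def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname.

    A NUL byte inside the name is rejected outright. A comparison done with
    C string functions stops at the first NUL, so a name that is really
    'www.example.com' + NUL + '<other-domain>' looks equal to
    'www.example.com' even though the certificate was issued for the
    other domain; treating the name as length-delimited data closes that gap.
    """
    if "\x00" in cert_name or "\x00" in hostname:
        return False
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname:
        return False
    if cert_name.startswith("*."):
        # Single-label wildcard only: '*.example.com' matches 'www.example.com'
        # but neither 'example.com' nor 'a.b.example.com'.
        suffix = cert_name[1:]            # '.example.com'
        if not hostname.endswith(suffix):
            return False
        label = hostname[:-len(suffix)]
        return bool(label) and "." not in label
    return cert_name == hostname


def verify_peer_names(dns_sans, common_name, hostname) -> bool:
    """Accept the certificate for hostname if any applicable name matches.

    When the certificate carries dNSName SANs, only those are consulted;
    the CommonName is a fallback for certificates without any.
    """
    names = list(dns_sans) if dns_sans else ([common_name] if common_name else [])
    return any(cert_name_matches(name, hostname) for name in names)
```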
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504
http://advisories.mageia.org/MGASA-2014-0353.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f5a7ea7fda3b382c04f75fc309e80624 mbs2/x86_64/lib64serf1-1.3.2-3.1.mbs2.x86_64.rpm
ccd6ad417f5c8e0a192b7b55dec8fc2c mbs2/x86_64/lib64serf-devel-1.3.2-3.1.mbs2.x86_64.rpm
d91af5e8113603c84b1a5d554e4bb995 mbs2/SRPMS/serf-1.3.2-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:128
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : sendmail
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated sendmail packages fix security vulnerability:

Sendmail before 8.14.9 does not properly close file descriptors
before executing programs. This bug could enable local users to
interfere with an open SMTP connection if they can execute their own
program for mail delivery (e.g., via procmail or the prog mailer)
(CVE-2014-3956).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
http://advisories.mageia.org/MGASA-2014-0270.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
951192a12154605913dcaacd6c76ef1c mbs2/x86_64/sendmail-8.14.7-4.1.mbs2.x86_64.rpm
7c228200cd2e737223125bb0d3df2682 mbs2/x86_64/sendmail-cf-8.14.7-4.1.mbs2.x86_64.rpm
c72ba7453fb84ff88ed75cd294d5fb57 mbs2/x86_64/sendmail-devel-8.14.7-4.1.mbs2.x86_64.rpm
2c22348bf6b9b60eb8017e6c75f1de4d mbs2/x86_64/sendmail-doc-8.14.7-4.1.mbs2.x86_64.rpm
9a0b0054ffb6e8aeb6723d2f247e816f mbs2/SRPMS/sendmail-8.14.7-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:129
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ruby
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated ruby packages fix security vulnerabilities:

Due to unrestricted entity expansion, when reading text nodes from an
XML document, the REXML parser in Ruby can be coerced into allocating
extremely large string objects which can consume all of the memory
on a machine, causing a denial of service (CVE-2014-8080).

Will Wood discovered that Ruby incorrectly handled the encodes()
function. An attacker could possibly use this issue to cause Ruby to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce
the vulnerability to a denial of service (CVE-2014-4975).

Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can
occur as a result of recursive expansion with an empty String. When
reading text nodes from an XML document, the REXML parser in Ruby can
be coerced into allocating extremely large string objects which can
consume all of the memory on a machine, causing a denial of service
(CVE-2014-8090).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090
http://advisories.mageia.org/MGASA-2014-0443.html
http://advisories.mageia.org/MGASA-2014-0472.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
21f6497011d5c12d481fd03fa53302ee mbs2/x86_64/lib64ruby2.0-2.0.0.p598-1.mbs2.x86_64.rpm
577db59ed8804f75ab194a1076523182 mbs2/x86_64/ruby-2.0.0.p598-1.mbs2.x86_64.rpm
1fcae47502636f81267d2091d2e6f16a mbs2/x86_64/ruby-devel-2.0.0.p598-1.mbs2.x86_64.rpm
11d103d52f5050ee72abb7313f6c92f0 mbs2/x86_64/ruby-doc-2.0.0.p598-1.mbs2.noarch.rpm
bab70f79054bac5869ac9d94301e761a mbs2/x86_64/ruby-irb-2.0.0.p598-1.mbs2.noarch.rpm
aef9f2690106b692cfbb0c9808722033 mbs2/x86_64/ruby-tk-2.0.0.p598-1.mbs2.x86_64.rpm
3a6998dd32576a04a1af77d0698bcc28 mbs2/SRPMS/ruby-2.0.0.p598-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:130
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : rsyslog
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated rsyslog packages fix security vulnerability:

Rainer Gerhards, the rsyslog project leader, reported a vulnerability
in Rsyslog. As a consequence of this vulnerability an attacker can send
malformed messages to a server, if that server accepts data from untrusted
sources, and trigger a denial of service attack (CVE-2014-3634).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634
http://advisories.mageia.org/MGASA-2014-0411.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
74a0a6c98ec9cc0bee87aabb9ddb65b8 mbs2/x86_64/rsyslog-5.10.1-3.1.mbs2.x86_64.rpm
156677bc5490e6f72a8c67f48fdf9650 mbs2/x86_64/rsyslog-dbi-5.10.1-3.1.mbs2.x86_64.rpm
a8f5eeae2c61df1b6c4d7e7b3a168b8c mbs2/x86_64/rsyslog-docs-5.10.1-3.1.mbs2.x86_64.rpm
2d836a6f8fc2426bdfc90d953fd96618 mbs2/x86_64/rsyslog-gnutls-5.10.1-3.1.mbs2.x86_64.rpm
288c1a732f2f706db3cb40b73d17821b mbs2/x86_64/rsyslog-gssapi-5.10.1-3.1.mbs2.x86_64.rpm
66e982c74556babbaea455207cae6292 mbs2/x86_64/rsyslog-mysql-5.10.1-3.1.mbs2.x86_64.rpm
698785034dfc15a09d6426f1252288b5 mbs2/x86_64/rsyslog-pgsql-5.10.1-3.1.mbs2.x86_64.rpm
562703f0c7968993ff1b9014c3794bde mbs2/x86_64/rsyslog-relp-5.10.1-3.1.mbs2.x86_64.rpm
5adc436da3f26b93fbe8cf4c15803a93 mbs2/x86_64/rsyslog-snmp-5.10.1-3.1.mbs2.x86_64.rpm
6e60ceb50bd6662b3db50025e69e0656 mbs2/SRPMS/rsyslog-5.10.1-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:131
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : rsync
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated rsync package fixes security vulnerability:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service
issue when attempting to authenticate using a nonexistent username. A
remote attacker could use this flaw to cause a denial of service via
CPU consumption (CVE-2014-2855).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2855
http://advisories.mageia.org/MGASA-2015-0065.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f5668fb3bd09802d3a089155a9ff622f mbs2/x86_64/rsync-3.1.0-5.1.mbs2.x86_64.rpm
a6d3db7fb7c0ecf466194bbbc1b91ab5 mbs2/SRPMS/rsync-3.1.0-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:132
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : readline
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated readline packages fix security vulnerability:

Steve Kemp discovered the _rl_tropen() function in readline insecurely
handled a temporary file. This could allow a local attacker to perform
symbolic link attacks (CVE-2014-2524).

Also, upstream patches have been added to fix an infinite loop in vi
input mode, and to fix an issue with slowness when pasting text.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524
http://advisories.mageia.org/MGASA-2014-0319.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
1f991aa9831d317ff50aed0d743e9244 mbs2/x86_64/lib64readline6-6.2-10.1.mbs2.x86_64.rpm
413a1cf23e9c19b73082ee60628cbe14 mbs2/x86_64/lib64readline-devel-6.2-10.1.mbs2.x86_64.rpm
ddb46a6fe45b35821086e9788999fc54 mbs2/x86_64/readline-doc-6.2-10.1.mbs2.x86_64.rpm
a83277c3c28f74f07006d183066cd906 mbs2/SRPMS/readline-6.2-10.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:133
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-requests
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated python-requests packages fix security vulnerabilities:

Python-requests was found to have a vulnerability where an attacker can
retrieve passwords from the ~/.netrc file through redirected requests,
if the user has their passwords stored in ~/.netrc
(CVE-2014-1829).

It was discovered that the python-requests Proxy-Authorization header
was never re-evaluated when a redirect occurs. The Proxy-Authorization
header was sent to any new proxy or non-proxy destination as redirected
(CVE-2014-1830).

In python-requests before 2.6.0, a cookie without a host value set
would use the hostname of the redirected URL, exposing requests
users to session fixation attacks and potentially cookie stealing
(CVE-2015-2296).
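The three issues above share one root cause: state derived for the original request being reused for a redirect target it was never meant for. The following is an added example, not code from python-requests or from the advisory, of the per-destination re-evaluation a redirect handler needs: `netrc_entries` is a constructed mapping standing in for ~/.netrc, and `HostBoundCookieJar` is a deliberately minimal jar written for this example.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(user: str, password: str) -> str:
    """Authorization value for HTTP Basic, as a netrc-backed client builds it."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def rebuild_headers_for_redirect(headers: dict, from_url: str, to_url: str,
                                 netrc_entries: dict) -> dict:
    """Headers to send on the redirected request.

    * Proxy-Authorization is never carried over: it belongs to whatever proxy
      serves the *new* URL and must be derived again for that destination
      (the CVE-2014-1830 behaviour sent it to any redirect target).
    * Authorization is dropped when the hostname changes, so a redirect to
      another host cannot read credentials that came from ~/.netrc
      (CVE-2014-1829); a netrc entry for the new host is applied instead.
    netrc_entries is a constructed {host: (user, password)} mapping standing
    in for ~/.netrc.
    """
    new = {k: v for k, v in headers.items() if k.lower() != "proxy-authorization"}
    from_host = urlsplit(from_url).hostname
    to_host = urlsplit(to_url).hostname
    if from_host != to_host:
        new = {k: v for k, v in new.items() if k.lower() != "authorization"}
        creds = netrc_entries.get(to_host)
        if creds:
            new["Authorization"] = basic_auth_header(*creds)
    return new


class HostBoundCookieJar:
    """Cookies keyed by the host that set them.

    A Set-Cookie without a Domain attribute is a host-only cookie for the host
    that sent the response; before requests 2.6.0 it was instead attached to
    the hostname of the redirect target (CVE-2015-2296).
    """

    def __init__(self):
        self._jar = {}  # (host, name) -> (value, host_only)

    def store(self, response_url: str, name: str, value: str, domain=None):
        if domain:
            # Domain cookie: valid for the domain and its subdomains.
            self._jar[(domain.lstrip(".").lower(), name)] = (value, False)
        else:
            # Host-only cookie: bound to the host that sent the response.
            self._jar[(urlsplit(response_url).hostname, name)] = (value, True)

    def for_request(self, url: str) -> dict:
        """Cookies that may be sent to url, never host-only ones of other hosts."""
        host = urlsplit(url).hostname
        out = {}
        for (h, name), (value, host_only) in self._jar.items():
            if host == h or (not host_only and host.endswith("." + h)):
                out[name] = value
        return out
```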
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296
http://advisories.mageia.org/MGASA-2014-0409.html
http://advisories.mageia.org/MGASA-2015-0120.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
bdc01b89f7847864db186b65cd1d46a4 mbs2/x86_64/python3-requests-2.3.0-1.1.mbs2.noarch.rpm
003bc0e04b5ebf77bcf00cf004d2591b mbs2/x86_64/python-requests-2.3.0-1.1.mbs2.noarch.rpm
18db7d8b658c588b49979966fce6577d mbs2/SRPMS/python-requests-2.3.0-1.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:134
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : pulseaudio
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated pulseaudio package fixes RTP remote crash vulnerability:

PulseAudio versions shipped in mbs2 were vulnerable to a remote RTP
attack which could crash the PulseAudio server simply by sending an
empty UDP packet.

Additionally, the version of PulseAudio shipped in mbs2 was a
pre-release version of PulseAudio v5 and has been updated to the
official final version.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3970
http://advisories.mageia.org/MGASA-2014-0440.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
c7173778c42dc113d5b3f5fa22c0bed4 mbs2/x86_64/lib64pulseaudio0-5.0-1.mbs2.x86_64.rpm
eb56efad6ea78e06542415b91978dac0 mbs2/x86_64/lib64pulseaudio-devel-5.0-1.mbs2.x86_64.rpm
0df303db1ceed4a22176f1b08bbfc98b mbs2/x86_64/lib64pulsecommon5.0-5.0-1.mbs2.x86_64.rpm
efc62c8009ab642f87342b5f32b45c79 mbs2/x86_64/lib64pulsecore5.0-5.0-1.mbs2.x86_64.rpm
d2289b4e1f9ab3e0fbbda56aae56ec5a mbs2/x86_64/lib64pulseglib20-5.0-1.mbs2.x86_64.rpm
ae94b8d766cc6c3c755d2a5cb492c4ac mbs2/x86_64/pulseaudio-5.0-1.mbs2.x86_64.rpm
5e4b67fa760fa7f69af024ad1a5340c0 mbs2/x86_64/pulseaudio-client-config-5.0-1.mbs2.x86_64.rpm
ee4e7ad07378be8e74b065eb233b6044 mbs2/x86_64/pulseaudio-esound-compat-5.0-1.mbs2.x86_64.rpm
9ca9587b15145cce0579f8dc77c6f06b mbs2/x86_64/pulseaudio-module-bluetooth-5.0-1.mbs2.x86_64.rpm
99954fd5fb94ec709abc21df7c1c7abe mbs2/x86_64/pulseaudio-module-equalizer-5.0-1.mbs2.x86_64.rpm
ae40837d35dd20f7fb2fb8d2f8051f6c mbs2/x86_64/pulseaudio-module-gconf-5.0-1.mbs2.x86_64.rpm
c558e998f4b7b3e676a55d9f50ba21cc mbs2/x86_64/pulseaudio-module-jack-5.0-1.mbs2.x86_64.rpm
5be7891d6cefe93f0c7158147e768e44 mbs2/x86_64/pulseaudio-module-lirc-5.0-1.mbs2.x86_64.rpm
04fc999181c8326081e41140550aeba3 mbs2/x86_64/pulseaudio-module-x11-5.0-1.mbs2.x86_64.rpm
e4c964e2b5cd17bc4508d595e4f37faa mbs2/x86_64/pulseaudio-module-xen-5.0-1.mbs2.x86_64.rpm
02228e2f73af3fdd03523ee479c8abea mbs2/x86_64/pulseaudio-module-zeroconf-5.0-1.mbs2.x86_64.rpm
92b85f86e00d4a82bfa3c98034ede5fd mbs2/x86_64/pulseaudio-utils-5.0-1.mbs2.x86_64.rpm
256e3c1f6e1be52e2f95f7ec3431c59e mbs2/SRPMS/pulseaudio-5.0-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:135
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ppp
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated ppp packages fix security vulnerability:

A vulnerability in ppp before 2.4.7 may enable an unprivileged attacker
to access privileged options (CVE-2014-3158).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3158
http://advisories.mageia.org/MGASA-2014-0368.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a92bbc170b0b2408ae958c6c0f4ec3c2 mbs2/x86_64/ppp-2.4.5-18.1.mbs2.x86_64.rpm
abc96087d3d2338ebc4598f8206f183b mbs2/x86_64/ppp-devel-2.4.5-18.1.mbs2.x86_64.rpm
fa6ef0b33e24ac8b4548932b823be613 mbs2/x86_64/ppp-dhcp-2.4.5-18.1.mbs2.x86_64.rpm
4067d334c09a98e35e5ab0fe3f041b41 mbs2/x86_64/ppp-pppoatm-2.4.5-18.1.mbs2.x86_64.rpm
fdbfd95c003135a0f69ce931216b3568 mbs2/x86_64/ppp-pppoe-2.4.5-18.1.mbs2.x86_64.rpm
c8763d16cf4690dc7e9bc5e5ff6dbfc0 mbs2/x86_64/ppp-radius-2.4.5-18.1.mbs2.x86_64.rpm
17a62a490d18ffa226c724ad7250475f mbs2/SRPMS/ppp-2.4.5-18.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF8+/mqjQ0CJFipgRAqxtAJ0dT9LjeNF8vgUwHPx6cwTHIo/pDQCg75gx
GYKeCTGVa6raq96CgxqHoJI=
=IfgT
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject: unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:136
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : perl
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated perl package fixes a security vulnerability:

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1
and earlier, allows context-dependent attackers to cause a denial of
service (stack consumption and crash) via an Array-Reference with many
nested Array-References, which triggers a large number of recursive
calls to the DD_dump function (CVE-2014-4330).

Also, the Text::Wrap version provided in perl contains a bug that can
cause a code path that should never be reached to be taken, which can
lead to crashes in other software, such as Bugzilla.

The Text::Wrap module bundled with Perl has been patched and the
Data::Dumper module bundled with Perl has been updated to fix these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330
http://advisories.mageia.org/MGASA-2014-0406.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
ad6ebe7e5f8290c6c89508c41d5a85e8 mbs2/x86_64/perl-5.18.1-5.1.mbs2.x86_64.rpm
c3d5a28dd7d7d8d361fd39b635f11887 mbs2/x86_64/perl-base-5.18.1-5.1.mbs2.x86_64.rpm
9ac3d8166eda134e3ea3d08ebdec1754 mbs2/x86_64/perl-devel-5.18.1-5.1.mbs2.x86_64.rpm
ee9cb33c6d571d0c89c38835ceb292fd mbs2/x86_64/perl-doc-5.18.1-5.1.mbs2.noarch.rpm
9991fca1f7669cf7518928625e3a26de mbs2/SRPMS/perl-5.18.1-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9CZmqjQ0CJFipgRAsyRAJ965bvaZOasxaS94oyuuL//LbqvKACfa/Kz
vGic6TWIFAF95mYbYpXVHE4=
=/hb4
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:137
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : pcre
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated pcre packages fix a security vulnerability:

A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application linked against PCRE
to crash while parsing malicious regular expressions (CVE-2014-8964).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
http://advisories.mageia.org/MGASA-2014-0534.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
1b10226cd1fff1474e1dbc26a1f6e568 mbs2/x86_64/lib64pcre16_0-8.33-3.1.mbs2.x86_64.rpm
9d96bed4ff00a80f97c6608323b9c3d1 mbs2/x86_64/lib64pcre1-8.33-3.1.mbs2.x86_64.rpm
828e753e611efe1f24d5b9a3bd5a03f3 mbs2/x86_64/lib64pcre32_0-8.33-3.1.mbs2.x86_64.rpm
7b37be9ed4178ed641da0962303b9a20 mbs2/x86_64/lib64pcrecpp0-8.33-3.1.mbs2.x86_64.rpm
721dc8a32888050c4214468719b1eb6e mbs2/x86_64/lib64pcrecpp-devel-8.33-3.1.mbs2.x86_64.rpm
117e723814672656a7081ab47529e5a7 mbs2/x86_64/lib64pcre-devel-8.33-3.1.mbs2.x86_64.rpm
04a303cb1814f2b04aa6755c2e27408f mbs2/x86_64/lib64pcreposix0-8.33-3.1.mbs2.x86_64.rpm
98564f8a99d44fd21fd9fe09f5f201cb mbs2/x86_64/lib64pcreposix1-8.33-3.1.mbs2.x86_64.rpm
8cd4746fde32f4d4ab0b47056feb9f86 mbs2/x86_64/lib64pcreposix-devel-8.33-3.1.mbs2.x86_64.rpm
916cfb13efdb6b8bc4ff68b4c1170594 mbs2/x86_64/pcre-8.33-3.1.mbs2.x86_64.rpm
712e87ab247bc30b84f5729263770dc7 mbs2/SRPMS/pcre-8.33-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9EfmqjQ0CJFipgRAkybAJ9x6/t7KNU2Di4naqz4S7lAaAUVDQCeIWKQ
7So+s8xf2DLfaWZyl4mFf+o=
=8Goh
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:138
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : patch
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated patch package fixes security vulnerabilities:

It was reported that a crafted diff file can make patch consume
excessive memory and later segfault (CVE-2014-9637).

It was reported that the versions of the patch utility that support
Git-style patches are vulnerable to a directory traversal flaw. This
could allow an attacker to overwrite arbitrary files by applying a
specially crafted patch, with the privileges of the user running patch
(CVE-2015-1395).

GNU patch before 2.7.4 allows remote attackers to write to arbitrary
files via a symlink attack in a patch file (CVE-2015-1196).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1395
http://advisories.mageia.org/MGASA-2015-0068.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
9f3a7b21f9f0a163fe64978670d4f1bc mbs2/x86_64/patch-2.7.4-1.mbs2.x86_64.rpm
5ce44e56a6f69a48cebc09339ed80791 mbs2/SRPMS/patch-2.7.4-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9GSmqjQ0CJFipgRApxzAJ0aXVsA6Ft7hf5GuvMbZjO8U6VE4ACcCjLJ
nm/Lu6JaTr9BbgB68nvnl/s=
=BuvQ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:139
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : openvpn
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated openvpn packages fix a security vulnerability:

Dragana Damjanovic discovered that OpenVPN incorrectly handled certain
control channel packets. An authenticated attacker could use this
issue to cause an OpenVPN server to crash, resulting in a denial of
service (CVE-2014-8104).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
http://advisories.mageia.org/MGASA-2014-0512.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a0bc6211a25b38d07b51d0d605196afd mbs2/x86_64/lib64openvpn-devel-2.3.2-10.1.mbs2.x86_64.rpm
aa7d5bf4ce6bf5dbfd1c5a24a737cd4d mbs2/x86_64/openvpn-2.3.2-10.1.mbs2.x86_64.rpm
05898450f95db986a52a6ef5e11c7464 mbs2/SRPMS/openvpn-2.3.2-10.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9ILmqjQ0CJFipgRAiRkAKDTbTJVjDikR+fbIf+9XaZRfPHOogCg8rSD
MjmXJ8Mlvkhq6YoZOJC5dLQ=
=qTc4
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:140
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ntp
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated ntp packages fix security vulnerabilities:

If no authentication key is defined in the ntp.conf file, a
cryptographically-weak default key is generated (CVE-2014-9293).

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number
generator with a weak seed to generate symmetric keys (CVE-2014-9294).

A remote unauthenticated attacker may craft special packets that
trigger buffer overflows in the ntpd functions crypto_recv() (when
using autokey authentication), ctl_putdata(), and configure(). The
resulting buffer overflows may be exploited to allow arbitrary
malicious code to be executed with the privilege of the ntpd process
(CVE-2014-9295).

A section of code in ntpd handling a rare error is missing a return
statement, so processing does not stop when the error is
encountered. This situation may be exploitable by an attacker
(CVE-2014-9296).

Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (CVE-2014-9297).

Stephen Roettger of the Google Security Team reported that ACLs based
on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).

The ntp package has been patched to fix these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://advisories.mageia.org/MGASA-2014-0541.html
http://advisories.mageia.org/MGASA-2015-0063.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm
09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm
7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm
cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9K3mqjQ0CJFipgRAn26AJwInkxLvDh/Gbb3uYRz9IjuaSK8+ACgiM1Z
rou2syvF1hyhVhxh7M5sv3c=
=uncU
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:141
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : not-yet-commons-ssl
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated not-yet-commons-ssl packages fix a security vulnerability:

It was discovered that the implementation used by the Not Yet Commons
SSL project to check that the server hostname matches the domain
name in the subject’s CN field was flawed. This can be exploited by
a Man-in-the-middle (MITM) attack, where the attacker can spoof a
valid certificate using a specially crafted subject (CVE-2014-3604).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=
http://advisories.mageia.org/MGASA-2014-0551.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
35198e191301d48894b3620bd1ca19b0 mbs2/x86_64/not-yet-commons-ssl-0.3.15-1.mbs2.noarch.rpm
2916d570fff84b4fa9561ed149c69016 mbs2/x86_64/not-yet-commons-ssl-javadoc-0.3.15-1.mbs2.noarch.rpm
73b20e92a844a08dd8381a404ac3bba4 mbs2/SRPMS/not-yet-commons-ssl-0.3.15-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9RemqjQ0CJFipgRAjFQAJ0amJhEDrEtHwDFdQ76mLFKaA+pCwCg0ZPk
mfhYt0Iyf9kFZE4DuLdG8t8=
=hxH9
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:142
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nodejs
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated nodejs package fixes security vulnerabilities:

A memory corruption vulnerability, which results in a
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your workload involves successive JSON.parse calls and the parsed
objects are significantly deep, you may experience the process aborting
while parsing (CVE-2014-5256).

Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10,
as used in Node.js before 0.10.31, allow attackers to cause a
denial of service or possibly have other impact via unknown vectors
(CVE-2013-6668).

The nodejs package has been updated to version 0.10.33 to fix these
issues as well as several other bugs.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6668
http://advisories.mageia.org/MGASA-2014-0516.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
1e12800b680b99a38a8fee68ae313f3d mbs2/x86_64/nodejs-0.10.33-1.mbs2.x86_64.rpm
8c931eed2bcfedf0fc947b268c20f206 mbs2/SRPMS/nodejs-0.10.33-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9TomqjQ0CJFipgRAg9dAKDraQX/p+aOuyOpLOgz9BvQWrMgMgCdH8Lf
hWtZsghw9u0wOJ+Uh+I4Tkc=
=DXmi
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:143
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : mpfr
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated mpfr packages fix a security vulnerability:

A buffer overflow was reported in mpfr. This is due to incorrect
GMP documentation for mpn_set_str about the size of a buffer
(CVE-2014-9474).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9474
http://advisories.mageia.org/MGASA-2015-0021.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d2793e520426da49dd712c4fc33b20e8 mbs2/x86_64/lib64mpfr4-3.1.2-3.1.mbs2.x86_64.rpm
0452c2f70a5cc82bf313d71671500ce9 mbs2/x86_64/lib64mpfr-devel-3.1.2-3.1.mbs2.x86_64.rpm
08e9b00b94e178d13c944b041c1d3202 mbs2/x86_64/lib64mpfr-static-devel-3.1.2-3.1.mbs2.x86_64.rpm
8dea5b46acf554205d086e644fcafab1 mbs2/SRPMS/mpfr-3.1.2-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9VimqjQ0CJFipgRAiAvAJ4hOgRPvLo+eUz1P5iZdOmdPPB51gCg9OH3
bjzQCjFucYqBk72Z/etWPoE=
=6i0B
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:144
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : lua
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated lua and lua5.1 packages fix a security vulnerability:

A heap-based overflow vulnerability was found in the way Lua handles
varargs functions with many fixed parameters called with few arguments,
leading to application crashes or, potentially, arbitrary code
execution (CVE-2014-5461).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
http://advisories.mageia.org/MGASA-2014-0414.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
bb42501e1dbd41fbcb19c44b1801e0aa mbs2/x86_64/lib64lua5.1-5.1.5-5.1.mbs2.x86_64.rpm
82566ffd4f1a523f9920f7c7ea268225 mbs2/x86_64/lib64lua5.1-devel-5.1.5-5.1.mbs2.x86_64.rpm
d38271efc06cb8dcf85f23698f79b877 mbs2/x86_64/lib64lua5.1-devel-static-5.1.5-5.1.mbs2.x86_64.rpm
213699dcab64f6e285d642b14b1e1e3a mbs2/x86_64/lib64lua5.2-5.2.2-3.1.mbs2.x86_64.rpm
e65095af93af2b83bcb2b50aafb4d6ac mbs2/x86_64/lib64lua-devel-5.2.2-3.1.mbs2.x86_64.rpm
b9ca538560a2f5d86bdd422d59933d21 mbs2/x86_64/lib64lua-static-devel-5.2.2-3.1.mbs2.x86_64.rpm
48a5eb26542ebaa76175e2cf3782ec57 mbs2/x86_64/lua5.1-5.1.5-5.1.mbs2.x86_64.rpm
12d531e8d4496f0b9e1e1bd7f1a2968f mbs2/x86_64/lua-5.2.2-3.1.mbs2.x86_64.rpm
7794bc510fe812d044f0c8b3f0d2164c mbs2/SRPMS/lua5.1-5.1.5-5.1.mbs2.src.rpm
48f1de7ca16ca5f70e767cf6037f277b mbs2/SRPMS/lua-5.2.2-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9XimqjQ0CJFipgRAqR3AKDU9NqRGegrYbiyIGDVfCm69efQmgCffbrR
Sj+FQ2xkhciiVN+03TRowIA=
=WkLG
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:145
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libxfont
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libxfont packages fix security vulnerabilities:

Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to
gain privileges (CVE-2014-0209).

Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted
data that could cause libXfont to crash, or possibly execute arbitrary
code (CVE-2014-0210, CVE-2014-0211).

The bdf parser reads a count for the number of properties defined
in a font from the font file, and allocates arrays with entries for
each property based on that count. It never checked to see if that
count was negative, or large enough to overflow when multiplied by
the size of the structures being allocated, and could thus allocate
the wrong buffer size, leading to out of bounds writes (CVE-2015-1802).

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer
(CVE-2015-1803).

The bdf parser read metrics values as 32-bit integers, but stored them
into 16-bit integers. Overflows could occur in various operations
leading to out-of-bounds memory access (CVE-2015-1804).
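The checks that the CVE-2015-1802 and CVE-2015-1804 paragraphs describe as missing, shown as an added C example. This is not libXfont's code: the font_prop_t record, the MAX_FONT_PROPS limit and the function names are constructed for the illustration, and the unchecked allocator is included only to show the pattern being replaced.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-property record, standing in for the structures a font
 * parser allocates once per property (constructed for this example). */
typedef struct {
    int32_t name_offset;
    int32_t value;
    uint8_t is_string;
} font_prop_t;

/* Upper bound on properties accepted for one font. Assumed value; a real
 * parser would take its limit from the format it implements. */
#define MAX_FONT_PROPS 4096

/* The pattern the advisory describes: the count comes straight from the
 * file and is multiplied without any check. A negative count converts to
 * a huge size_t, and on 32-bit targets a large count wraps the product,
 * so the buffer is smaller than the loop that later fills it assumes. */
static font_prop_t *alloc_props_unchecked(int count)
{
    return malloc(count * sizeof(font_prop_t));
}

/* Pure check: count is non-negative, within policy, and count * elem_size
 * fits in size_t. Writes the byte size on success. */
static bool prop_array_size_ok(int32_t count, size_t elem_size, size_t *out_bytes)
{
    if (count < 0 || count > MAX_FONT_PROPS)
        return false;
    if (elem_size == 0 || (size_t)count > SIZE_MAX / elem_size)
        return false;
    *out_bytes = (size_t)count * elem_size;
    return true;
}

/* Hardened allocation: validate first, then use calloc, which must itself
 * return NULL when nmemb * size would overflow. */
static font_prop_t *alloc_props_checked(int32_t count)
{
    size_t bytes;
    if (!prop_array_size_ok(count, sizeof(font_prop_t), &bytes))
        return NULL;
    return calloc((size_t)count, sizeof(font_prop_t));
}

/* Metrics arrive as 32-bit values but live in 16-bit fields: store only
 * when the value round-trips, otherwise report the would-be truncation. */
static bool store_metric16(int32_t v, int16_t *dst)
{
    if (v < INT16_MIN || v > INT16_MAX)
        return false;
    *dst = (int16_t)v;
    return true;
}

int main(void)
{
    int16_t m;
    font_prop_t *p = alloc_props_checked(-1);
    printf("count -1 -> %s\n", p ? "allocated" : "rejected");
    free(p);
    printf("metric 70000 -> %s\n", store_metric16(70000, &m) ? "stored" : "rejected");
    (void)alloc_props_unchecked;   /* shown for contrast only, never called */
    return 0;
}
```

The two rejections are the defender's point: a file-supplied count is validated for sign and magnitude before any arithmetic, and a 32-bit value is checked against the 16-bit range it is about to be stored in rather than silently truncated.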
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1804
http://advisories.mageia.org/MGASA-2014-0278.html
http://advisories.mageia.org/MGASA-2015-0113.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
5bb4cda12b7ad25294e04e421142720d mbs2/x86_64/lib64xfont1-1.4.7-2.2.mbs2.x86_64.rpm
ce3365a2c8a0187f21542ce02c34909d mbs2/x86_64/lib64xfont-devel-1.4.7-2.2.mbs2.x86_64.rpm
44c27c9ceda4091972c75c148e9250d3 mbs2/SRPMS/libxfont-1.4.7-2.2.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9aamqjQ0CJFipgRAmBCAJ4kyc725cSTc0uKGAKINPL3YJ8AQACg3GN1
VRDAJI+qH9lOdp0gB8RweqQ=
=tZvk
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:146
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libvncserver
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libvncserver packages fix security vulnerabilities:

An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).

The libvncserver library is built with a bundled copy of minilzo,
which is a part of liblzo containing the vulnerable code.

A malicious VNC server can trigger incorrect memory management handling
by advertising a large screen size parameter to the VNC client. This
would result in multiple memory corruptions and could allow remote
code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).

A malicious VNC client can trigger multiple DoS conditions on the VNC
server by advertising a large screen size, ClientCutText message length
and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).

A malicious VNC client can trigger multiple stack-based buffer
overflows by passing long file and directory names and/or
attributes (FileTime) when using the file transfer message feature
(CVE-2014-6055).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6055
http://advisories.mageia.org/MGASA-2014-0356.html
http://advisories.mageia.org/MGASA-2014-0397.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
03972a91ec4c545d7adb31a70052b1da mbs2/x86_64/lib64vncserver0-0.9.9-4.1.mbs2.x86_64.rpm
1fa18e6e4fab02a75801ce5e1807ac48 mbs2/x86_64/lib64vncserver-devel-0.9.9-4.1.mbs2.x86_64.rpm
5a483661e96bc38566760b28f5c3a8f1 mbs2/x86_64/linuxvnc-0.9.9-4.1.mbs2.x86_64.rpm
e65eba74f16605cbe40b899ef3ff62af mbs2/SRPMS/libvncserver-0.9.9-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVF9eHmqjQ0CJFipgRAg/fAKCru327MZS4YBPejPDIWbMrwXrJHwCfSP+X
w9mSAA3hc8P7f31m7UgmjeM=
=BRU7
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:147
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libtiff
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libtiff packages fix security vulnerabilities:

The libtiff image decoder library contains several issues that
could cause the decoder to crash when reading crafted TIFF images
(CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130,
CVE-2014-9655, CVE-2015-1547).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547
http://advisories.mageia.org/MGASA-2015-0112.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
17de6bd824adefbdae0ff3c563d63269 mbs2/x86_64/lib64tiff5-4.0.4-0.1.mbs2.x86_64.rpm
f54719a7fc450ee6d6f755276d9e2724 mbs2/x86_64/lib64tiff-devel-4.0.4-0.1.mbs2.x86_64.rpm
919f8e9c688aa4341e3e5a0beec9d845 mbs2/x86_64/lib64tiff-static-devel-4.0.4-0.1.mbs2.x86_64.rpm
f144bb33e2e10f9290851a5c8154660c mbs2/x86_64/libtiff-progs-4.0.4-0.1.mbs2.x86_64.rpm
74ddb4270be8dac262dce7cb8e33f2b6 mbs2/SRPMS/libtiff-4.0.4-0.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGACNmqjQ0CJFipgRAqWHAKCMsgmTovS2eO9vgejrPl3VxblviwCfdmYA
gzHy/Xg9PwU1pycCt9bn7Xg=
=Qxp+
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:148
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libssh2
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
reading and using the SSH_MSG_KEXINIT packet without doing sufficient
range checks when negotiating a new SSH session with a remote server. A
malicious attacker could man-in-the-middle a real server and cause
a client using the libssh2 library to crash (denial of service)
or otherwise read and use unintended memory areas in this process
(CVE-2015-1782).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
http://advisories.mageia.org/MGASA-2015-0107.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d7fde7fe41b6264b9b0dab6dfa1417b1 mbs2/x86_64/lib64ssh2_1-1.4.3-4.1.mbs2.x86_64.rpm
08f19d4c881fd6358038884c3dced0f9 mbs2/x86_64/lib64ssh2-devel-1.4.3-4.1.mbs2.x86_64.rpm
6a1d9accfa76264321c6e75c4ba07647 mbs2/SRPMS/libssh2-1.4.3-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGAJ0mqjQ0CJFipgRAvLQAJ9k6EqMnLYI2szT5eZJxyAF0jqM3ACghNrh
Y1sww9O+QXKt6k9lo5PV64g=
=pOmW
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:148-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libssh2
Date : March 29, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
reading and using the SSH_MSG_KEXINIT packet without doing sufficient
range checks when negotiating a new SSH session with a remote server. A
malicious attacker could man-in-the-middle a real server and cause
a client using the libssh2 library to crash (denial of service)
or otherwise read and use unintended memory areas in this process
(CVE-2015-1782).
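A range-checked reader for the SSH_MSG_KEXINIT layout of RFC 4253 (type byte, 16-byte cookie, ten name-lists, a boolean and a reserved uint32), added here as an example for the CVE-2015-1782 description in MDVSA-2015:148 and this 148-1 follow-up. It is not libssh2's code: the reader type, the build_kexinit test helper and the sample algorithm names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSH_MSG_KEXINIT    20  /* RFC 4253 message number */
#define KEXINIT_COOKIE_LEN 16
#define KEXINIT_NAMELISTS  10  /* kex, hostkey, enc x2, mac x2, comp x2, lang x2 */

/* Cursor over an untrusted payload. Every read compares the request with
 * the bytes that remain (len - pos), never with pos + n, which can wrap. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } ssh_reader_t;

static bool rd_u32(ssh_reader_t *r, uint32_t *out)
{
    if (r->len - r->pos < 4)
        return false;
    const uint8_t *p = r->buf + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    r->pos += 4;
    return true;
}

/* SSH "string": uint32 length followed by that many bytes. The length is
 * chosen by the peer, so it is validated before it moves the cursor. */
static bool rd_string(ssh_reader_t *r, const uint8_t **s, uint32_t *n)
{
    if (!rd_u32(r, n) || *n > r->len - r->pos)
        return false;
    *s = r->buf + r->pos;
    r->pos += *n;
    return true;
}

/* Walk a KEXINIT payload. Returns KEXINIT_NAMELISTS on success, -1 if any
 * field runs past the packet. If kex_algs is non-NULL the first name-list
 * (the key exchange algorithms) is copied there as a C string. */
static int parse_kexinit(const uint8_t *pkt, size_t len,
                         char *kex_algs, size_t kex_algs_cap)
{
    ssh_reader_t r = { pkt, len, 0 };
    if (len < 1 + KEXINIT_COOKIE_LEN || pkt[0] != SSH_MSG_KEXINIT)
        return -1;
    r.pos = 1 + KEXINIT_COOKIE_LEN;          /* skip type byte and cookie */
    int parsed = 0;
    for (int i = 0; i < KEXINIT_NAMELISTS; i++) {
        const uint8_t *s;
        uint32_t n;
        if (!rd_string(&r, &s, &n))
            return -1;
        if (i == 0 && kex_algs != NULL) {
            if (n >= kex_algs_cap)           /* keep room for the NUL */
                return -1;
            memcpy(kex_algs, s, n);
            kex_algs[n] = '\0';
        }
        parsed++;
    }
    uint32_t reserved;
    if (r.len - r.pos < 1)                   /* boolean first_kex_packet_follows */
        return -1;
    r.pos++;
    if (!rd_u32(&r, &reserved))              /* uint32 0 (reserved) */
        return -1;
    return parsed;
}

/* Test helper: serialise a KEXINIT from ten name-lists (constructed input).
 * Returns the payload length, or 0 if the output buffer is too small. */
static size_t build_kexinit(uint8_t *out, size_t cap,
                            const char *const lists[KEXINIT_NAMELISTS])
{
    size_t pos = 0;
    if (cap < 1 + KEXINIT_COOKIE_LEN)
        return 0;
    out[pos++] = SSH_MSG_KEXINIT;
    memset(out + pos, 0x42, KEXINIT_COOKIE_LEN);  /* fixed cookie is fine for a test */
    pos += KEXINIT_COOKIE_LEN;
    for (int i = 0; i < KEXINIT_NAMELISTS; i++) {
        size_t n = strlen(lists[i]);
        if (cap - pos < 4 + n)
            return 0;
        out[pos++] = (uint8_t)(n >> 24); out[pos++] = (uint8_t)(n >> 16);
        out[pos++] = (uint8_t)(n >> 8);  out[pos++] = (uint8_t)n;
        memcpy(out + pos, lists[i], n);
        pos += n;
    }
    if (cap - pos < 5)
        return 0;
    out[pos++] = 0;                          /* first_kex_packet_follows = FALSE */
    memset(out + pos, 0, 4);                 /* reserved */
    return pos + 4;
}
```

The one rule worth taking away is in rd_u32 and rd_string: the remaining-bytes count is computed as len - pos and the peer's length is compared against it, so a claimed 4 GiB name-list or a packet cut short fails the check instead of moving the cursor outside the buffer.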

Update:

Packages were missing for Mandriva Business Server 1 with the
MDVSA-2015:148 advisory which are now being provided.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1782
http://advisories.mageia.org/MGASA-2015-0107.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
39ce34b284b498b9d2fbb74cc7a551e2 mbs1/x86_64/lib64ssh2_1-1.4.0-2.1.mbs1.x86_64.rpm
9cef7db6044568518ff5fa0e1d32042a mbs1/x86_64/lib64ssh2-devel-1.4.0-2.1.mbs1.x86_64.rpm
4349f1a1b66b2ab25b986a166062ea6d mbs1/SRPMS/libssh2-1.4.0-2.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGBTOmqjQ0CJFipgRAqyHAKDAwjrE+1mWVj2p7P1wQ1leGZiV6wCg7TZJ
m1t9eugn5v7UzE1j07vPt6k=
=aacK
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:149
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libsndfile
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libsndfile packages fix security vulnerabilities:

libsndfile contains multiple buffer-overflow vulnerabilities in
src/sd2.c because it fails to properly bounds-check user supplied
input, which may allow an attacker to execute arbitrary code or cause
a denial of service (CVE-2014-9496).

libsndfile contains a divide-by-zero error in src/file_io.c which
may allow an attacker to cause a denial of service.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9496
http://advisories.mageia.org/MGASA-2015-0015.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
824ecea60e42ed8573f7c05998cfdbe3 mbs2/x86_64/lib64sndfile1-1.0.25-4.1.mbs2.x86_64.rpm
93be592a607ebb21504a2c2474cde441 mbs2/x86_64/lib64sndfile-devel-1.0.25-4.1.mbs2.x86_64.rpm
324e5461e8a940849a166fba67062091 mbs2/x86_64/lib64sndfile-static-devel-1.0.25-4.1.mbs2.x86_64.rpm
3d887123ca55ec7885884268a8219e34 mbs2/x86_64/libsndfile-progs-1.0.25-4.1.mbs2.x86_64.rpm
738172dcbc6cc5523bacb96322c2fc78 mbs2/SRPMS/libsndfile-1.0.25-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGAN7mqjQ0CJFipgRAnfSAJ9rgu4+ghh3WUXevHolMP36WdH4gQCgh36e
scbKUG8gGq8/PReDsLLGsik=
=e195
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:150
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : liblzo
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated liblzo packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to
cause a denial of service or possibly code execution in applications
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
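The bounds discipline a length-prefixed decompressor needs, added as an example for the CVE-2014-4607 description here and for the bundled minilzo case in MDVSA-2015:146 above. This is not liblzo's code: the toy format (one count byte, with 0x00 opening a long run whose length grows by 255 per further zero byte) is constructed for the illustration and only loosely mirrors LZO's literal-run length encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy literal-run format (not LZO's real bitstream):
 *   0x01..0xFF        copy that many literal bytes that follow
 *   0x00 [0x00]* b    long run: 255 per extra zero byte, plus the first
 *                     non-zero byte b, then that many literal bytes
 * The second form is the accumulation pattern in which a counter can be
 * driven past its range: the peer may supply as many zero bytes as it likes. */

/* Returns the number of bytes written to out, or -1 on malformed input.
 * Every length is compared with the bytes remaining in both buffers before
 * it is used, so a run can neither wrap the counter nor read or write past
 * either end. */
static long toy_decompress(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        size_t run = in[ip++];
        if (run == 0) {
            /* Bounding the counter by the input left makes wrap impossible:
             * a run longer than the remaining input can never be satisfied,
             * so it is rejected as soon as it is claimed. */
            while (ip < in_len && in[ip] == 0) {
                run += 255;
                if (run > in_len - ip)
                    return -1;                 /* claimed more than exists */
                ip++;
            }
            if (ip >= in_len)
                return -1;                     /* length prefix never ended */
            run += in[ip++];
        }
        if (run > in_len - ip)
            return -1;                         /* literal bytes truncated */
        if (run > out_cap - op)
            return -1;                         /* output buffer too small */
        memcpy(out + op, in + ip, run);
        ip += run;
        op += run;
    }
    return (long)op;
}
```

The check inside the zero-byte loop is the one that matters for the advisory: rejecting a run as soon as it exceeds the input left means the counter is bounded by the buffer size and never reaches a value at which the later size comparisons could be fooled.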
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
fd5fc85a0b3d40541c22470fe509e1b6 mbs2/x86_64/lib64lzo2_2-2.08-1.mbs2.x86_64.rpm
14fc3b4d65c72db92a5a50032e1f63a8 mbs2/x86_64/lib64lzo-devel-2.08-1.mbs2.x86_64.rpm
9d632973c24342861e6009aea271d6aa mbs2/SRPMS/liblzo-2.08-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGAPnmqjQ0CJFipgRAp/LAJ9VdVeALL0qO8KGrvdzpa8RPX0Z/QCfXYjq
Al4Brz0TlfCAUHC11KvedWA=
=Fqp0
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:151
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libksba
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libksba packages fix security vulnerability:

By using specially crafted S/MIME messages or ECC-based OpenPGP data,
it is possible to create a buffer overflow, which could lead to a
denial of service (CVE-2014-9087).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
http://advisories.mageia.org/MGASA-2014-0498.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
380e30e21d208cd10e8d302774af44d5 mbs2/x86_64/lib64ksba8-1.3.2-1.mbs2.x86_64.rpm
3d3fa09f2b31b92b10ec8f4710affbc8 mbs2/x86_64/lib64ksba-devel-1.3.2-1.mbs2.x86_64.rpm
00c1493a8270cd6a7c7662dbbbabbe93 mbs2/SRPMS/libksba-1.3.2-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGARImqjQ0CJFipgRAlb5AKC1ZAftJUPkphLj7qufUXLHLDHu8QCgkn1X
duFwDjiqJD/8wVH1tndjRys=
=V0i/
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:152
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libjpeg
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libjpeg packages fix security vulnerability:

Passing a specially crafted jpeg file to libjpeg-turbo could lead to
stack smashing (CVE-2014-9092).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092
http://advisories.mageia.org/MGASA-2014-0544.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
cfffdbee5761ab15865e348aeb9106c3 mbs2/x86_64/jpeg-progs-1.3.0-4.1.mbs2.x86_64.rpm
5d9c92c4d3283dd7c9ac8767d1b6f0fe mbs2/x86_64/lib64jpeg62-1.3.0-4.1.mbs2.x86_64.rpm
b77a09a4ddab360e7b76d504f9ecd6d1 mbs2/x86_64/lib64jpeg8-1.3.0-4.1.mbs2.x86_64.rpm
b3ad83f5e4812df3b5c2f7c2d95a26a6 mbs2/x86_64/lib64jpeg-devel-1.3.0-4.1.mbs2.x86_64.rpm
8ddcb38951b9806f0c8e84e6671832f9 mbs2/x86_64/lib64jpeg-static-devel-1.3.0-4.1.mbs2.x86_64.rpm
d024365e4a492b864ece2e068cb9cced mbs2/x86_64/lib64turbojpeg0-1.3.0-4.1.mbs2.x86_64.rpm
b2b32c2a19f9ab5c585c237808ba03b2 mbs2/SRPMS/libjpeg-1.3.0-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGAS3mqjQ0CJFipgRAgXtAJoDQ+3EwyHzVwF9yALa+cahu8yl/ACguui6
/7Y1PLb5IvFEQRHyfUZoS2Y=
=lZtW
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:153
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libgd
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libgd packages fix security vulnerabilities:

The gdImageCreateFromXpm function in gdxpm.c in the gd image library
allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted color table in an
XPM file (CVE-2014-2497).

A buffer read overflow in gd_gif_in.c (PHP bug #68601, referenced in
the PHP 5.5.21 ChangeLog) has been fixed in the libgd package.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709
http://advisories.mageia.org/MGASA-2014-0288.html
http://advisories.mageia.org/MGASA-2015-0040.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
f418949d53ee92ca9c9acc0451586ce3 mbs2/x86_64/gd-utils-2.1.0-6.1.mbs2.x86_64.rpm
a0072a3e902548b088ed61ca37cf5215 mbs2/x86_64/lib64gd3-2.1.0-6.1.mbs2.x86_64.rpm
e7787b975a27495103d0cdad7231fdc9 mbs2/x86_64/lib64gd-devel-2.1.0-6.1.mbs2.x86_64.rpm
8f4ab3ea59df3e82d1415ff6ba55f539 mbs2/x86_64/lib64gd-static-devel-2.1.0-6.1.mbs2.x86_64.rpm
960d3c03094d376650f41d003e14a94c mbs2/SRPMS/libgd-2.1.0-6.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGAXgmqjQ0CJFipgRAo0IAKCtLvG59xZcdDiUsmFnztNqUactlACbB0nu
X9CBJGNfHXdFV6/kKNhJKQ8=
=xnz9
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:154
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gnupg
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated gnupg, gnupg2 and libgcrypt packages fix security
vulnerabilities:

GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial
of service which can be caused by garbled compressed data packets
which may put gpg into an infinite loop (CVE-2014-4617).

The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL
side-channel attack (CVE-2014-5270).

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on
data-dependent timing variations in modular exponentiation, which
can potentially lead to an information leak (CVE-2015-0837).

The gnupg and gnupg2 packages have been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.
The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in
Mandriva, at version 1.5.4, was only vulnerable to the CVE-2014-3591
issue. It has also been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
http://advisories.mageia.org/MGASA-2014-0365.html
http://advisories.mageia.org/MGASA-2015-0104.html
http://advisories.mageia.org/MGASA-2014-0276.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a1f0d486301a8da6084b6986b069a60a mbs2/x86_64/gnupg-1.4.16-2.1.mbs2.x86_64.rpm
b902c66b91d7a5ecc1c93d580a2028a3 mbs2/x86_64/gnupg2-2.0.22-4.1.mbs2.x86_64.rpm
0d393d04f70b58c5692b2c28e5c62cc3 mbs2/x86_64/lib64gcrypt11-1.5.4-1.mbs2.x86_64.rpm
8ed5b1f7f83c843fbe0d3aa439417b06 mbs2/x86_64/lib64gcrypt-devel-1.5.4-1.mbs2.x86_64.rpm
6fc7d8af6e5cee8e6079b58de0508bf5 mbs2/SRPMS/gnupg-1.4.16-2.1.mbs2.src.rpm
932cd673c4fa7ab22f6e02b6d47f9ed3 mbs2/SRPMS/gnupg2-2.0.22-4.1.mbs2.src.rpm
ff815ad77f30a8c5acedc7915e752b75 mbs2/SRPMS/libgcrypt-1.5.4-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGA6YmqjQ0CJFipgRAu+LAJoDDubVaFYa6y+cOp0VGnPGlcmvzACeL6G/
NFmh/HHpyUFY5iu7MI6yRfc=
=FTng
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:155
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gnupg
Date : March 29, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated gnupg and libgcrypt packages fix security vulnerabilities:

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on
data-dependent timing variations in modular exponentiation, which
can potentially lead to an information leak (CVE-2015-0837).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.
The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in
Mandriva, at version 1.5.4, was only vulnerable to the CVE-2014-3591
issue. It has also been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
http://advisories.mageia.org/MGASA-2015-0104.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
8043770df411685441cb0f5d4f0ec682 mbs1/x86_64/gnupg-1.4.12-3.6.mbs1.x86_64.rpm
037172a4708f1f7fbe4f04bf5cc6f042 mbs1/x86_64/lib64gcrypt11-1.5.4-1.1.mbs1.x86_64.rpm
b0971681d4177a356d6751a648b1f3e1 mbs1/x86_64/lib64gcrypt-devel-1.5.4-1.1.mbs1.x86_64.rpm
6abc93a29b772fb70834686e856ec937 mbs1/SRPMS/gnupg-1.4.12-3.6.mbs1.src.rpm
25324cb2b6e5a4a9db57e5f14f3c7ac8 mbs1/SRPMS/libgcrypt-1.5.4-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGBCjmqjQ0CJFipgRAgwhAJ9I1Y5Nvgs50ToLThWyfaXCROaCzACeN34R
G3pR3SdBrzC4uNG0TbYVqQg=
=FCFQ
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:157
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libarchive
Date : March 29, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libarchive packages fix security vulnerability:

Alexander Cherepanov discovered that bsdcpio, an implementation of
the cpio program part of the libarchive project, is susceptible to
a directory traversal vulnerability via absolute paths (CVE-2015-2304).
_______________________________________________________________________
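The flaw above is the classic archive-extraction trap: a member name that is absolute (or contains "..") is written wherever it points rather than under the extraction directory. As an added example that is not part of the Mandriva advisory, the following screens a member listing for such names before anything is unpacked. It assumes the listing comes from `bsdcpio -it` or `bsdtar -t` on the untrusted archive; the archive name and the member names in sample_listing are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: screen a cpio/tar member listing for
# names that would write outside the extraction directory, which is what an
# unpatched bsdcpio did for absolute paths (CVE-2015-2304). Run it on the
# listing *before* extracting; "untrusted.cpio" is a placeholder name:
#
#   bsdcpio -it < untrusted.cpio | unsafe_members && bsdcpio -id < untrusted.cpio

# Reads one member name per line on stdin, prints each unsafe one with the
# reason, and returns 1 if any was found (0 otherwise).
unsafe_members() {
  awk '
    # absolute path: lands relative to / instead of the working directory
    /^\// { printf "absolute  %s\n", $0; bad = 1; next }
    {
      # any ".." component walks back out of the extraction directory
      n = split($0, part, "/")
      for (i = 1; i <= n; i++)
        if (part[i] == "..") { printf "traversal %s\n", $0; bad = 1; break }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed listing for a self-contained run (not taken from a real archive).
sample_listing() {
  printf '%s\n' \
    'etc/motd' \
    '/etc/cron.d/backdoor' \
    'usr/share/doc/../../../root/.ssh/authorized_keys' \
    'usr/local/bin/tool'
}

# Number of unsafe names in the sample listing (expected: 2).
count_unsafe_in_sample() {
  sample_listing | unsafe_members | wc -l | tr -d ' '
}

if [ "${1-}" = demo ]; then sample_listing | unsafe_members; fi
```

A listing check catches the two name-based escapes but not a symlink member followed by a write through it, which only the extractor itself can refuse; treat the check as a pre-filter and the package update as the fix.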

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
http://advisories.mageia.org/MGASA-2015-0106.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
404b5f0e6134ed96491539d12858f100 mbs1/x86_64/bsdcpio-3.0.3-2.2.mbs1.x86_64.rpm
aa7fdbba386796326caf63120185f885 mbs1/x86_64/bsdtar-3.0.3-2.2.mbs1.x86_64.rpm
94f67b37caaaf08713cf09bab2fef37a mbs1/x86_64/lib64archive12-3.0.3-2.2.mbs1.x86_64.rpm
96592580ef91d9c120d4dc290c137021 mbs1/x86_64/lib64archive-devel-3.0.3-2.2.mbs1.x86_64.rpm
f685e0e4fb996b88b510c042376d9000 mbs1/SRPMS/libarchive-3.0.3-2.2.mbs1.src.rpm

Mandriva Business Server 2/X86_64:
3175c66d4acd925df665f4dea53a8ea8 mbs2/x86_64/bsdcpio-3.1.2-3.1.mbs2.x86_64.rpm
e5d6a91d031a3ebecc94b6f69afa80d6 mbs2/x86_64/bsdtar-3.1.2-3.1.mbs2.x86_64.rpm
160094d832e4ee41e1b7d3fb2883bbcf mbs2/x86_64/lib64archive13-3.1.2-3.1.mbs2.x86_64.rpm
1cf676d14e252d5fc2e1439d5e017a39 mbs2/x86_64/lib64archive-devel-3.1.2-3.1.mbs2.x86_64.rpm
9110d69aedd5e233a61fa90ed7b76ac9 mbs2/SRPMS/libarchive-3.1.2-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGCK+mqjQ0CJFipgRAuYFAJ9P4DqPQCi6pnyhFGClwpPglDXKQwCcDG6x
TEpHwvPURpz4ui92XhfI7f4=
=QOg0
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:158
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : jython
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated jython packages fix security vulnerability:

There are several problems with the way Jython creates class cache
files, potentially leading to arbitrary code execution or information
disclosure (CVE-2013-2027).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2027
http://advisories.mageia.org/MGASA-2015-0096.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
9d606311c99c891840256cee4bf737f1 mbs2/x86_64/jython-2.2.1-15.1.mbs2.noarch.rpm
2001363915af159639c6d0b77fca6b5b mbs2/x86_64/jython-demo-2.2.1-15.1.mbs2.noarch.rpm
f6ec9e25f3ed984cc3de3889129bca02 mbs2/x86_64/jython-javadoc-2.2.1-15.1.mbs2.noarch.rpm
ebe25df5b144b3dc246797156b2d008d mbs2/x86_64/jython-manual-2.2.1-15.1.mbs2.noarch.rpm
4f368652b5186520c0cf9b082feff5e6 mbs2/SRPMS/jython-2.2.1-15.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGCiNmqjQ0CJFipgRAqjjAKCm1rDyieOtauNz0BuklV5OnfPOAgCaA1/G
WsvqscAcN0NIbdyluee62WM=
=75a2
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:159
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : jasper
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated jasper packages fix security vulnerabilities:

Josh Duart of the Google Security Team discovered heap-based buffer
overflow flaws in JasPer, which could lead to denial of service
(application crash) or the execution of arbitrary code (CVE-2014-9029).

A double free flaw was found in the way JasPer parsed ICC color
profiles in JPEG 2000 image files. A specially crafted file could
cause an application using JasPer to crash or, possibly, execute
arbitrary code (CVE-2014-8137).

A heap-based buffer overflow flaw was found in the way JasPer
decoded JPEG 2000 image files. A specially crafted file could cause
an application using JasPer to crash or, possibly, execute arbitrary
code (CVE-2014-8138).

An off-by-one flaw, leading to a heap-based buffer overflow, was found
in the way JasPer decoded JPEG 2000 image files. A specially crafted
file could cause an application using JasPer to crash or, possibly,
execute arbitrary code (CVE-2014-8157).

An unrestricted stack memory use flaw was found in the way JasPer
decoded JPEG 2000 image files. A specially crafted file could cause
an application using JasPer to crash or, possibly, execute arbitrary
code (CVE-2014-8158).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
http://advisories.mageia.org/MGASA-2014-0514.html
http://advisories.mageia.org/MGASA-2014-0539.html
http://advisories.mageia.org/MGASA-2015-0038.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
e95757ee7dc2acf62fc4932511c2ff5e mbs2/x86_64/jasper-1.900.1-16.1.mbs2.x86_64.rpm
ca6abfc2d05417b439cf99086ecc8d90 mbs2/x86_64/lib64jasper1-1.900.1-16.1.mbs2.x86_64.rpm
1f346e662de416c6dd64bc0bc938a3c3 mbs2/x86_64/lib64jasper-devel-1.900.1-16.1.mbs2.x86_64.rpm
1e3e9e6ebe5dc7cc3afb86a435f52545 mbs2/x86_64/lib64jasper-static-devel-1.900.1-16.1.mbs2.x86_64.rpm
8be93cb04aafe5b9f95f74b7c068584e mbs2/SRPMS/jasper-1.900.1-16.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDDRmqjQ0CJFipgRAjRNAKCobRc4wbakbsjHSZFcDRYJqyWZBACeIG2E
ANIOWWJG8qXFbIvshY55fww=
=iolc
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:160
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ipython
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated ipython package fixes security vulnerability:

In IPython before 1.2, the origin of websocket requests was not
verified within the IPython notebook server. If an attacker has
knowledge of an IPython kernel id they can run arbitrary code on
a user’s machine when the client visits a crafted malicious page
(CVE-2014-3429).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
http://advisories.mageia.org/MGASA-2014-0320.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
74c3f90dc998257d2f9b3213e789ef93 mbs2/x86_64/ipython-1.1.0-3.1.mbs2.noarch.rpm
8506ea9a865d5ca6a81197e95e06befb mbs2/SRPMS/ipython-1.1.0-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDJGmqjQ0CJFipgRAlAVAKCBoqH4mGomrHH2QXZOeYDM3gyB6QCePNGg
ewFVoDZTnCxu57ztSU8BkK8=
=6Q5N
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:161
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : icu
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated icu packages fix security vulnerabilities:

The Regular Expressions package in International Components for Unicode
(ICU) 52 before SVN revision 292944 allows remote attackers to cause
a denial of service (memory corruption) or possibly have unspecified
other impact via vectors related to a zero-length quantifier or
look-behind expression (CVE-2014-7923, CVE-2014-7926).

The collator implementation in i18n/ucol.cpp in International
Components for Unicode (ICU) 52 through SVN revision 293126 does not
initialize memory for a data structure, which allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted character sequence (CVE-2014-7940).

It was discovered that ICU incorrectly handled memory operations
when processing fonts. If an application using ICU processed crafted
data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program
(CVE-2014-6585, CVE-2014-6591).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591
http://advisories.mageia.org/MGASA-2015-0047.html
http://advisories.mageia.org/MGASA-2015-0102.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
60e38e537ccb5f492fcb51b2236cdf46 mbs2/x86_64/icu-52.1-2.1.mbs2.x86_64.rpm
843d58cbad812ed991821b5904b965d7 mbs2/x86_64/icu-data-52.1-2.1.mbs2.noarch.rpm
b78d857c511b2565dab1572451414a1f mbs2/x86_64/icu-doc-52.1-2.1.mbs2.noarch.rpm
335a5c448cbee673e993505c5f6f242f mbs2/x86_64/lib64icu52-52.1-2.1.mbs2.x86_64.rpm
5cc709b1ca853103c20412d9dd47f4e4 mbs2/x86_64/lib64icu-devel-52.1-2.1.mbs2.x86_64.rpm
8592fceada74edaee92503b81628d5ed mbs2/SRPMS/icu-52.1-2.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDNvmqjQ0CJFipgRAv14AJ9FObEyt8cbKcQXbZNz9uBc7Hft2wCgqyDQ
x9W6InWtKLk7MxoJiiKaAao=
=euQt
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:162
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gtk+3.0
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated gtk+3.0 packages fix security vulnerability:

Clemens Fries reported that, when using Cinnamon, it was possible to
bypass the screensaver lock. An attacker with physical access to the
machine could use this flaw to take over the locked desktop session
(CVE-2014-1949).

This was fixed by including a patch for the root cause of the issue in
gtk+3.0, which came from the implementation of popup menus in GtkWindow
(bgo#722106).

This update also includes other patches from upstream to fix bugs
affecting GtkFileChooser (bgo#386569, bgo#719977) and GtkSpinButton
(bgo#709491), and a crash related to clipboard handling (bgo#719314).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1949
http://advisories.mageia.org/MGASA-2014-0374.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
e3ae4df5ec401079c4a7ce2f3d2215e8 mbs2/x86_64/gtk+3.0-3.10.6-5.1.mbs2.x86_64.rpm
ada010a4b9ec261466b7a84667307c22 mbs2/x86_64/lib64gail3_0-3.10.6-5.1.mbs2.x86_64.rpm
76fe719ea817c92af101e585043a9ade mbs2/x86_64/lib64gail3.0-devel-3.10.6-5.1.mbs2.x86_64.rpm
c526223a0e26ef700e521ae71f4e0433 mbs2/x86_64/lib64gtk+3_0-3.10.6-5.1.mbs2.x86_64.rpm
dde3ff74d3392b7e3574ac4e44023039 mbs2/x86_64/lib64gtk+3.0-devel-3.10.6-5.1.mbs2.x86_64.rpm
791d51dbf5239f91a4cd87881d9a368c mbs2/x86_64/lib64gtk-gir3.0-3.10.6-5.1.mbs2.x86_64.rpm
5b52b3399c57432ad316dc42f888f0cb mbs2/SRPMS/gtk+3.0-3.10.6-5.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDQhmqjQ0CJFipgRAgMmAKDxm9N/R8xgZkcPh5TQochNmJP6xwCgtzvz
0Sjcg4/u2HWIK2ZBTr4Wn/4=
=WNWe
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:163
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : grub2
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated grub2 package fixes security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly execute code in applications that
perform LZO decompression on a compressed payload supplied by the
attacker (CVE-2014-4607).

The grub2 package is built with a bundled copy of minilzo, which is
a part of liblzo containing the vulnerable code.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0358.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
06048e055cfa26ffaaa9f1d3322671bc mbs2/x86_64/grub2-2.00-59.1.mbs2.x86_64.rpm
8d26f9314e7c14f90a5cf29fb5ddae53 mbs2/x86_64/grub2-efi-2.00-59.1.mbs2.x86_64.rpm
4aea4b65de40c7a16df07fa3f1aa13ea mbs2/x86_64/grub2-mageia-theme-2.00-59.1.mbs2.noarch.rpm
cb1d56a5066b8bada2217848174759b0 mbs2/SRPMS/grub2-2.00-59.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDUfmqjQ0CJFipgRApaxAJ0WHBwT/Zb/ydrmiDnVXoHWPKthFwCaAiAf
T6vr6iHOhqcs6UO9Mk5EVgU=
=eGog
-----END PGP SIGNATURE-----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:164
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : bash
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated bash packages fix security vulnerability:

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

This vulnerability can be exposed and exploited through several
other pieces of software and should be considered highly critical.
Please refer to the RedHat Knowledge Base article and blog post for
more information.

It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other
environments via specially crafted environment variables. An
attacker could potentially use this flaw to override or bypass
environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-7169).

Bash has been updated to version 4.2 patch level 50, which further
mitigates ShellShock-type vulnerabilities. Two such issues have
already been discovered (CVE-2014-6277, CVE-2014-6278).

See the RedHat article on the backward-incompatible changes introduced
by the latest patch, caused by adding prefixes and suffixes to the
variable names used for exporting functions. Note that the RedHat
article mentions these variable names will have parentheses "()"
at the end of their names, however, the latest upstream patch uses
two percent signs "%%" at the end instead.

Two other unrelated security issues in the parser have also been
fixed in this update (CVE-2014-7186, CVE-2014-7187).

All users and sysadmins are advised to update their bash package
immediately.
_______________________________________________________________________
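The two behaviours described above, as an added example that is not part of the Mandriva advisory: a probe for the original CVE-2014-6271 parsing bug (a variable whose value starts with "() {" is parsed as a function definition, and an unpatched bash keeps executing whatever follows the closing brace), and a look at the BASH_FUNC_ prefix and "%%" or "()" suffix that a fixed bash puts on exported-function variables so that only those are ever parsed. It assumes a bash binary on PATH; the function name ss_probe is arbitrary. The incomplete-fix follow-up (CVE-2014-7169) needs a separate parser-state probe and is not covered here.

```shell
#!/bin/sh
# Added example (not part of the Mandriva advisory): two checks a sysadmin
# can run to see whether the local bash still evaluates function definitions
# smuggled in through environment variables (CVE-2014-6271), and which
# naming scheme its export-function fix uses. Assumes bash is on PATH.

# Returns "vulnerable" when bash runs the command appended to a crafted
# variable value, "patched" when it does not, "no-bash" if bash is absent.
shellshock_status() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  # The value begins with "() {", which pre-fix bash treated as a function
  # definition; it then kept parsing past the closing brace and ran "echo hit".
  # A fixed bash imports x as an ordinary variable and prints nothing.
  out=$(env x='() { :; }; echo hit' bash -c 'true' 2>/dev/null)
  case "$out" in
    *hit*) echo vulnerable ;;
    *)     echo patched ;;
  esac
}

# Shows how the running bash names an exported function in the environment:
# BASH_FUNC_ss_probe%% (upstream patch) or BASH_FUNC_ss_probe() (the Red Hat
# backport the advisory mentions). Because only variables with that prefix
# and suffix are parsed as functions, a plain "x=() { ..." value is inert.
# Prints nothing on an unfixed bash, which exported the function as a bare
# "ss_probe=() { ..." variable.
exported_function_var() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  bash -c 'ss_probe() { :; }; export -f ss_probe; env' \
    | sed -n 's/^\(BASH_FUNC_ss_probe[^=]*\)=.*/\1/p'
}

echo "bash status:          $(shellshock_status)"
echo "exported function as: $(exported_function_var)"
```

Run the script on each host after the update; a result of "patched" together with a BASH_FUNC_ prefixed name confirms both that the parser no longer executes trailing commands and that the prefix/suffix scheme from the patch is in place. Scripts that read exported functions back out of the environment by their old bare names are the ones the advisory warns may break.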

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
http://advisories.mageia.org/MGASA-2014-0388.html
http://advisories.mageia.org/MGASA-2014-0393.html
https://access.redhat.com/articles/1200223
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
ebf6cac32e8da7f0ab0e083ecb6de7e2 mbs2/x86_64/bash-4.2-53.1.mbs2.x86_64.rpm
3890f0026741d63daec44302d872a8d6 mbs2/x86_64/bash-doc-4.2-53.1.mbs2.x86_64.rpm
b44e2a3c7978c291964aee99ac3b2505 mbs2/SRPMS/bash-4.2-53.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDlPmqjQ0CJFipgRAgZqAKCOGmz4PsgRwFYU2B+vk3VTyX205QCg8eC/
m5oihNthH+rhu6BJ7GeCQ5o=
=hcA1
—–END PGP SIGNATURE—–

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________________

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:165
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : bind
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated bind packages fix security vulnerabilities:

By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND 9 uses to
follow delegations in the Domain Name Service, causing BIND to issue
unlimited queries in an attempt to follow the delegation. This can
lead to resource exhaustion and denial of service (up to and including
termination of the named server process) (CVE-2014-8500).

Jan-Piet Mens discovered that the BIND DNS server would crash when
processing an invalid DNSSEC key rollover, either due to an error
on the zone operator’s part, or due to interference with network
traffic by an attacker. This issue affects configurations with the
directives “dnssec-lookaside auto;” (as enabled in the Mandriva
default configuration) or “dnssec-validation auto;” (CVE-2015-1349).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349
http://advisories.mageia.org/MGASA-2014-0524.html
http://advisories.mageia.org/MGASA-2015-0082.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a2cf83873b09b47275d0030063a236c8 mbs2/x86_64/bind-9.10.1.P2-7.mbs2.x86_64.rpm
83d97de0884ef84b933cb06bfbbce24a mbs2/x86_64/bind-devel-9.10.1.P2-7.mbs2.x86_64.rpm
633a8a160c3be4dda5f134550288df8f mbs2/x86_64/bind-doc-9.10.1.P2-7.mbs2.noarch.rpm
40760cee0f0c97261b80d159ab60cb32 mbs2/x86_64/bind-sdb-9.10.1.P2-7.mbs2.x86_64.rpm
ec17a87a3d0e50c4a1c33c84adc0c08b mbs2/x86_64/bind-utils-9.10.1.P2-7.mbs2.x86_64.rpm
95f44b351208cfcbf15108dc707b0f21 mbs2/SRPMS/bind-9.10.1.P2-7.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDuOmqjQ0CJFipgRAqQsAJ9YWfOhd3JZjB1DstzQh7xCT2fJWQCfYwBx
FGoDrVNSJeks4jEO5ZrIaN8=
=0F9B
—–END PGP SIGNATURE—–


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:166
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : clamav
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated clamav packages fix security vulnerabilities:

ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them
being security bugs:

Certain JavaScript files cause ClamAV to segfault when scanned with
the -a (list archived files) option (CVE-2013-6497).

A heap buffer overflow was reported in ClamAV when scanning a specially
crafted y0da Crypter obfuscated PE file (CVE-2014-9050).

Fix a heap out of bounds condition with crafted Yoda’s crypter
files. This issue was discovered by Felix Groebert of the Google
Security Team.

Fix a heap out of bounds condition with crafted mew packer files. This
issue was discovered by Felix Groebert of the Google Security Team.

Fix a heap out of bounds condition with crafted upx packer files. This
issue was discovered by Kevin Szkudlapski of Quarkslab.

Fix a heap out of bounds condition with crafted upack packer
files. This issue was discovered by Sebastian Andrzej Siewior
(CVE-2014-9328).

Compensate a crash due to incorrect compiler optimization when handling
crafted petite packer files. This issue was discovered by Sebastian
Andrzej Siewior.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328
http://advisories.mageia.org/MGASA-2014-0487.html
http://advisories.mageia.org/MGASA-2015-0056.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
5781f3fb473c28be1c6db82299e8158b mbs2/x86_64/clamav-0.98.6-1.mbs2.x86_64.rpm
cd06d7fda902515ba1d31a6bf8b1ba61 mbs2/x86_64/clamav-db-0.98.6-1.mbs2.noarch.rpm
7c87fba97be024301257ef272c73043e mbs2/x86_64/clamav-milter-0.98.6-1.mbs2.x86_64.rpm
36b005c2cc9a66acee24d068214639de mbs2/x86_64/clamd-0.98.6-1.mbs2.x86_64.rpm
a0b2df71df6d51081ce80cf6f519e03a mbs2/x86_64/lib64clamav6-0.98.6-1.mbs2.x86_64.rpm
51818f721f02ebd467581e8ea0a1d88e mbs2/x86_64/lib64clamav-devel-0.98.6-1.mbs2.x86_64.rpm
79b8eb204c68882b97e044afc513cad5 mbs2/SRPMS/clamav-0.98.6-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGDywmqjQ0CJFipgRAqmUAKC3GOL9ZGRrsBvCnvUv6NmFcA9gSQCeL9Qh
QB0W/EH/A+ifyLlKPugXYIU=
=Wn7C
—–END PGP SIGNATURE—–


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2015:017-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libevent
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libevent packages fix security vulnerability:

Andrew Bartlett of Catalyst reported a defect affecting certain
applications using the Libevent evbuffer API. This defect leaves
applications which pass insanely large inputs to evbuffers open
to a possible heap overflow or infinite loop. In order to exploit
this flaw, an attacker needs to be able to find a way to provoke the
program into trying to make a buffer chunk larger than what will fit
into a single size_t or off_t (CVE-2014-6272).

Update:

Packages for Mandriva Business Server 2 are now being provided.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6272
http://advisories.mageia.org/MGASA-2015-0009.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
c51132b310fb74179927370b6b82ec0c  mbs2/x86_64/lib64event5-2.0.21-6.1.mbs2.x86_64.rpm
d14d946ff417ba2f4564473b2c0d7094  mbs2/x86_64/lib64event-devel-2.0.21-6.1.mbs2.x86_64.rpm
ed0c011d6883d2d3aef40acab4282264  mbs2/SRPMS/libevent-2.0.21-6.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD4DBQFVGBeLmqjQ0CJFipgRAlvqAJ9AJIYf86OrzdqwJtJLCcW4EOxOawCUDlCq
wPNs6EnHj7JJDBlED3W+SA==
=qVEI
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:063
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : openssl
Date    : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in openssl:

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementations (CVE-2015-0204).

Use-after-free vulnerability in the d2i_ECPrivateKey function in
crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r,
1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
malformed Elliptic Curve (EC) private-key file that is improperly
handled during import (CVE-2015-0209).

The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before
0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before
1.0.2a does not properly perform boolean-type comparisons, which allows
remote attackers to cause a denial of service (invalid read operation
and application crash) via a crafted X.509 certificate to an endpoint
that uses the certificate-verification feature (CVE-2015-0286).

The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a does not reinitialize CHOICE and ADB data structures,
which might allow attackers to cause a denial of service (invalid
write operation and memory corruption) by leveraging an application
that relies on ASN.1 structure reuse (CVE-2015-0287).

The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL
before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
before 1.0.2a might allow attackers to cause a denial of service
(NULL pointer dereference and application crash) via an invalid
certificate key (CVE-2015-0288).

The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not
properly handle a lack of outer ContentInfo, which allows attackers to
cause a denial of service (NULL pointer dereference and application
crash) by leveraging an application that processes arbitrary PKCS#7
data and providing malformed data with ASN.1 encoding, related to
crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c (CVE-2015-0289).

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before
1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote
attackers to cause a denial of service (s2_lib.c assertion failure and
daemon exit) via a crafted CLIENT-MASTER-KEY message (CVE-2015-0293).

The updated packages have been upgraded to the 1.0.0r version where
these security flaws have been fixed.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://openssl.org/news/secadv_20150319.txt
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
53d5722ae81a78c5134095b4ce1ca4c1  mbs1/x86_64/lib64openssl1.0.0-1.0.0r-1.mbs1.x86_64.rpm
d5f2804c2acbb03238c6873f223cb32e  mbs1/x86_64/lib64openssl-devel-1.0.0r-1.mbs1.x86_64.rpm
02652b2787411a1021b5679d02537333  mbs1/x86_64/lib64openssl-engines1.0.0-1.0.0r-1.mbs1.x86_64.rpm
c7370089da58f7222be84775e0e81fe0  mbs1/x86_64/lib64openssl-static-devel-1.0.0r-1.mbs1.x86_64.rpm
a62309229fe9996ad36cd0f32653e3e1  mbs1/x86_64/openssl-1.0.0r-1.mbs1.x86_64.rpm
43aa60276406d5862d77001ea8504a6c  mbs1/SRPMS/openssl-1.0.0r-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFVIgmqjQ0CJFipgRArIGAJ4mjCxkv3T4SFHmj8+xIBGQkakFtwCg1MUc
wkA4Fc1LCZ++56EKAB1GEhI=
=EV2C
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:064
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cabextract
Date    : March 27, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated cabextract packages fix security vulnerabilities:

Libmspack, a library to provide compression and decompression of
some file formats used by Microsoft, is embedded in cabextract. A
specially crafted cab file can cause cabextract to hang forever. If
cabextract is exposed to any remotely-controlled user input, this
issue can cause a denial-of-service (CVE-2014-9556).

A directory traversal issue in cabextract allows writing to locations
outside of the current working directory, when extracting a crafted cab
file that encodes the filenames in a certain manner (CVE-2015-2060).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2060
http://advisories.mageia.org/MGASA-2015-0052.html
http://advisories.mageia.org/MGASA-2015-0086.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
2bd16856301647c18d718e0e868aba01  mbs1/x86_64/cabextract-1.5-1.1.mbs1.x86_64.rpm
43cfdda9d1ee817e8b4a60da9183c6dd  mbs1/SRPMS/cabextract-1.5-1.1.mbs1.src.rpm

Mandriva Business Server 2/X86_64:
ede0dc8abe944e4df715c34d732729de  mbs2/x86_64/cabextract-1.5-1.mbs2.x86_64.rpm
1bb71b7987acf91955241586a8ad79e7  mbs2/SRPMS/cabextract-1.5-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFVYXmqjQ0CJFipgRAj/AAJ46luTJQaax8dkpysWHb5Kg+9ejNgCgsPrM
WxLE8hYDK0DDCeXDthMaukE=
=Dfna
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:065
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cpio
Date    : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated cpio package fixes security vulnerabilities:

Heap-based buffer overflow in the process_copy_in function in GNU
Cpio 2.11 allows remote attackers to cause a denial of service via
a large block value in a cpio archive (CVE-2014-9112).

Additionally, a null pointer dereference in the copyin_link function
which could cause a denial of service has also been fixed.

In GNU Cpio 2.11, the --no-absolute-filenames option limits
extracting contents of an archive to be strictly inside a current
directory. However, it can be bypassed with symlinks. While extracting
an archive, it will extract symlinks and then follow them if they
are referenced in further entries. This can be exploited by a rogue
archive to write files outside the current directory (CVE-2015-1197).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197
http://advisories.mageia.org/MGASA-2014-0528.html
http://advisories.mageia.org/MGASA-2015-0080.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
c6a401b3926824f66db80f0f9549cd5f  mbs2/x86_64/cpio-2.11-7.1.mbs2.x86_64.rpm
c34268ad5a7305e1e1bbc0a8b7d12462  mbs2/SRPMS/cpio-2.11-7.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFVegmqjQ0CJFipgRAgh9AKDYcgqoGYprdfuvWGkPNCaYWHRo7ACeLcRt
V5LqvRGheentKhj2nQsZMQI=
=Xgf3
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:066
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : cpio
Date    : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated cpio package fixes security vulnerability:

In GNU Cpio 2.11, the --no-absolute-filenames option limits
extracting contents of an archive to be strictly inside a current
directory. However, it can be bypassed with symlinks. While extracting
an archive, it will extract symlinks and then follow them if they
are referenced in further entries. This can be exploited by a rogue
archive to write files outside the current directory (CVE-2015-1197).
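The bypass described in this paragraph (and in the same paragraph of MDVSA-2015:065) comes down to a path check that looks only at the entry name and never at what earlier entries already put on disk. The following Python is an added example, not cpio's code: it models extraction of constructed archive entries and contrasts a name-only check in the spirit of --no-absolute-filenames with one that resolves the destination through any symlinks already extracted. The entry names, the `escape` symlink and the `outside` directory are all constructed for the demonstration.

```python
"""Added example (not cpio's code): model the CVE-2015-1197 symlink bypass of
a name-only extraction check, beside a check that resolves symlinks first.
Entries, names and directories below are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path

# Constructed archive entries in stream order: (name, kind, target-or-data).
# The symlink comes first, so it is already on disk when the file entry that
# goes through it is processed, which is the ordering the advisory describes.
SAMPLE_ENTRIES = [
    ("escape", "symlink", "../outside"),            # points above the root
    ("escape/evil.txt", "file", b"written outside the tree\n"),
    ("docs/readme.txt", "file", b"harmless\n"),
]


def lexical_is_inside(dest: Path, name: str) -> bool:
    """Check in the spirit of --no-absolute-filenames: reject absolute names
    and '..' components by looking at the string alone. 'escape/evil.txt'
    passes because the traversal happens through a symlink, not the name."""
    parts = Path(name).parts
    return not name.startswith("/") and ".." not in parts


def resolved_is_inside(dest: Path, name: str) -> bool:
    """Hardened check: resolve the destination through whatever is already on
    disk (including symlinks extracted earlier) and require that it stays
    under the extraction root. This is still check-then-act, so a production
    extractor should also refuse to write through symlinked directories
    (for example by opening with O_NOFOLLOW) rather than rely on it alone."""
    root = dest.resolve()
    target = (dest / name).resolve()
    return target == root or root in target.parents


def extract(entries, dest: Path, check) -> dict:
    """Write constructed entries under dest, skipping those `check` rejects.
    Returns {entry name: 'written' | 'skipped'}."""
    outcome = {}
    for name, kind, payload in entries:
        if not check(dest, name):
            outcome[name] = "skipped"
            continue
        path = dest / name
        path.parent.mkdir(parents=True, exist_ok=True)  # follows symlinks
        if kind == "symlink":
            os.symlink(payload, path)
        else:
            path.write_bytes(payload)                   # follows symlinks
        outcome[name] = "written"
    return outcome


def run_demo(check):
    """Extract into a fresh temporary root and return (outcome, escaped),
    where escaped is True when a file landed in the sibling 'outside' dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        root.mkdir()
        (Path(tmp) / "outside").mkdir()  # an existing directory beyond root
        outcome = extract(SAMPLE_ENTRIES, root, check)
        escaped = (Path(tmp) / "outside" / "evil.txt").is_file()
    return outcome, escaped


if __name__ == "__main__":
    for check in (lexical_is_inside, resolved_is_inside):
        outcome, escaped = run_demo(check)
        print(f"{check.__name__}: escaped={escaped} {outcome}")
```

Running it shows the name-only check letting `escape/evil.txt` land in `outside`, while the resolving check writes the symlink entry itself but skips the file that would pass through it.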

_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197
http://advisories.mageia.org/MGASA-2015-0080.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
0a3f9d35c8cdf60f6aa34dd8fe95a915  mbs1/x86_64/cpio-2.11-3.2.mbs1.x86_64.rpm
4962644977a7fa8da61ef6f4b269cff5  mbs1/SRPMS/cpio-2.11-3.2.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFVf/mqjQ0CJFipgRArC5AKCrjADYDy0ZFmElCSuG+8SCnvKCCACgsQ+c
mkkuPPTdXy0r/Vy6ka5u4zQ=
=qmJW
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:067
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : e2fsprogs
Date    : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated e2fsprogs packages fix security vulnerabilities:

The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability
(CVE-2015-0247).

The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability. This
is due to an incomplete fix for CVE-2015-0247 (CVE-2015-1572).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1572
http://advisories.mageia.org/MGASA-2015-0061.html
http://advisories.mageia.org/MGASA-2015-0088.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
eec47532aa44fb2fd82e0c9abf87df90  mbs2/x86_64/e2fsprogs-1.42.9-3.1.mbs2.x86_64.rpm
2d52b27b48dc6759e207ab2a9677b184  mbs2/x86_64/lib64ext2fs2-1.42.9-3.1.mbs2.x86_64.rpm
ee0ae965aee3e8deef7012e6efd212e9  mbs2/x86_64/lib64ext2fs-devel-1.42.9-3.1.mbs2.x86_64.rpm
937e2c54a6b068568850fa6ec81e8e39  mbs2/SRPMS/e2fsprogs-1.42.9-3.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFVnrmqjQ0CJFipgRAmG9AJ9Xlurjetk5WLYDKTw9dyYMBf689wCfeJ65
LnWkcyltJYrKxJxpXW8fabU=
=TRZn
—–END PGP SIGNATURE—–

 


—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:068

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : e2fsprogs

 Date    : March 27, 2015

 Affected: Business Server 1.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated e2fsprogs packages fix security vulnerability:

 

 The libext2fs library, part of e2fsprogs and utilized by its utilities,

 is affected by a boundary check error on block group descriptor

 information, leading to a heap based buffer overflow. A specially

 crafted filesystem image can be used to trigger the vulnerability. This

 is due to an incomplete fix for CVE-2015-0247 (CVE-2015-1572).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1572

 http://advisories.mageia.org/MGASA-2015-0088.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 c381ffdfcbbc6436d12a691fb189bc4a  mbs1/x86_64/e2fsprogs-1.42.2-3.2.mbs1.x86_64.rpm

 c412ea8214cae65e0b6c2f7a59fccb86  mbs1/x86_64/lib64ext2fs2-1.42.2-3.2.mbs1.x86_64.rpm

 a566011e1f49cb0c344ee9f0264292d9  mbs1/x86_64/lib64ext2fs-devel-1.42.2-3.2.mbs1.x86_64.rpm 

 4243113dd7da88065f540ac404204d93  mbs1/SRPMS/e2fsprogs-1.42.2-3.2.mbs1.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFVo+mqjQ0CJFipgRArXtAJ4r2U4OWc8l7MyGJSca6dEjJ8l8GwCeKUQl

MYwXCIfIiWyNcxR9AU2XSA8=

=cjrW

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:069

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : krb5

 Date    : March 27, 2015

 Affected: Business Server 1.0, Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Multiple vulnerabilities have been discovered and corrected in krb5:

 

 The krb5_gss_process_context_token function in

 lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library

 in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2,

 and 1.13.x before 1.13.1 does not properly maintain security-context

 handles, which allows remote authenticated users to cause a denial of

 service (use-after-free and double free, and daemon crash) or possibly

 execute arbitrary code via crafted GSSAPI traffic, as demonstrated

 by traffic to kadmind (CVE-2014-5352).

 

 MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that
 a krb5_read_message data field is represented as a string ending
 with a '\0' character, which allows remote attackers to (1) cause a
 denial of service (NULL pointer dereference) via a zero-byte version
 string or (2) cause a denial of service (out-of-bounds read) by
 omitting the '\0' character, related to appl/user_user/server.c and
 lib/krb5/krb/recvauth.c (CVE-2014-5355).

 

 The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c

 in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2,

 and 1.13.x before 1.13.1 does not properly handle partial XDR

 deserialization, which allows remote authenticated users to cause

 a denial of service (use-after-free and double free, and daemon

 crash) or possibly execute arbitrary code via malformed XDR data,

 as demonstrated by data sent to kadmind (CVE-2014-9421).

 

 The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in

 kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through

 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to

 bypass a kadmin/* authorization check and obtain administrative access

 by leveraging access to a two-component principal with an initial

 kadmind substring, as demonstrated by a ka/x principal (CVE-2014-9422).
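The prefix-match flaw behind CVE-2014-9422, mirrored in Python as an added example (this is not MIT krb5 code): kadmind's check compared the first component of the two-component principal against "kadmin" with strncmp() bounded by that component's own length, so any prefix of "kadmin", such as "ka", compared equal; the exclusion of kadmin/history had the same shape. The parse_principal helper, the principal strings and the realm name are assumptions made for the example and ignore Kerberos escaping.

```python
"""Mirror of the kadmind acceptor-principal check behind CVE-2014-9422.

Added example, not MIT krb5 code. The vulnerable check compared the first
component of the two-component principal against "kadmin" with strncmp()
bounded by that component's *own* length, so every prefix of "kadmin"
(including "ka" and the empty string) compared equal. The fixed check
requires the whole component to equal "kadmin". Principal strings and the
realm are constructed for the example; parse_principal does no escaping.
"""


def parse_principal(princ):
    """'kadmin/admin@EXAMPLE.COM' -> (['kadmin', 'admin'], 'EXAMPLE.COM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm


def strncmp_eq(a, b, n):
    """Emulate strncmp(a, b, n) == 0: compare at most the first n bytes."""
    return a.encode()[:n] == b.encode()[:n]


def is_kadmin_service_vulnerable(princ, server_realm):
    """Pre-fix logic: accept kadmin/<x> in the server realm, reject kadmin/history."""
    comps, realm = parse_principal(princ)
    if len(comps) != 2 or realm != server_realm:
        return False
    c1, c2 = comps
    # Bug: the bound is len(c1), the length of the component under test, not
    # len("kadmin"), so "", "k", "ka", ... all match.
    if strncmp_eq(c1, "kadmin", len(c1)):
        # Same shape in the exclusion: any prefix of "history" is excluded too,
        # so a legitimate kadmin/h would be refused.
        return not strncmp_eq(c2, "history", len(c2))
    return False


def is_kadmin_service_fixed(princ, server_realm):
    """Post-fix logic: whole-string equality (what krb5's data_eq_string does)."""
    comps, realm = parse_principal(princ)
    if len(comps) != 2 or realm != server_realm:
        return False
    c1, c2 = comps
    return c1 == "kadmin" and c2 != "history"
```

The realm check is kept in both variants because it was not the problem; only the component comparison changed.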

 

 The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c

 in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through

 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer

 data to clients, which allows remote attackers to obtain sensitive

 information from process heap memory by sniffing the network for data

 in a handle field (CVE-2014-9423).

 

 The updated packages provide a solution for these security issues.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 d16c14ab1f1118f6a45ca8b10946592d  mbs1/x86_64/krb5-1.9.2-3.9.mbs1.x86_64.rpm

 69550d4ca7209fd770d12f860dc79384  mbs1/x86_64/krb5-pkinit-openssl-1.9.2-3.9.mbs1.x86_64.rpm

 9efe0acd6d6c74fa2a909e9a9ffde20d  mbs1/x86_64/krb5-server-1.9.2-3.9.mbs1.x86_64.rpm

 11a94275292d6274d1ed4f97a1130f42  mbs1/x86_64/krb5-server-ldap-1.9.2-3.9.mbs1.x86_64.rpm

 fcc1186dd10cb14a2dc53f18505692b6  mbs1/x86_64/krb5-workstation-1.9.2-3.9.mbs1.x86_64.rpm

 6066de4cc667f3c1131d5aefd9e6d575  mbs1/x86_64/lib64krb53-1.9.2-3.9.mbs1.x86_64.rpm

 f2fc9461926ca7002dffbcc799e6050a  mbs1/x86_64/lib64krb53-devel-1.9.2-3.9.mbs1.x86_64.rpm 

 0d75002a9a47138a816f44dd54f5d988  mbs1/SRPMS/krb5-1.9.2-3.9.mbs1.src.rpm

 

 Mandriva Business Server 2/X86_64:

 d1d41c48bba7fc797361b0b0c1dc3cac  mbs2/x86_64/krb5-1.12.2-5.2.mbs2.x86_64.rpm

 36f8ec3d0e0c417dcfa4a6dd4944511f  mbs2/x86_64/krb5-pkinit-openssl-1.12.2-5.2.mbs2.x86_64.rpm

 db5ca7ca6bcd12a84a80e9f9e87989b7  mbs2/x86_64/krb5-server-1.12.2-5.2.mbs2.x86_64.rpm

 7733ebaaa61857f6603c3b83e646f840  mbs2/x86_64/krb5-server-ldap-1.12.2-5.2.mbs2.x86_64.rpm

 b44248c417e0a7fdd424608fa14d6cb6  mbs2/x86_64/krb5-workstation-1.12.2-5.2.mbs2.x86_64.rpm

 35c0bb1be4397c3a0b35e47b0b19ce48  mbs2/x86_64/lib64krb53-1.12.2-5.2.mbs2.x86_64.rpm

 1bd6f285438bd3c467ba6a31f9637ad1  mbs2/x86_64/lib64krb53-devel-1.12.2-5.2.mbs2.x86_64.rpm 

 2cbc3f6dc36592f29d219032fd1c2a5b  mbs2/SRPMS/krb5-1.12.2-5.2.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFXh8mqjQ0CJFipgRAl7VAJ45HBQZktx6Krmqmm70+JWinSoZ2ACfShV0

snDp2iHrVdrynbk0NtkpsOw=

=CKC9

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:070

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : libvirt

 Date    : March 27, 2015

 Affected: Business Server 1.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated libvirt packages fix security vulnerabilities:

 

 The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions

 in qemu/qemu_driver.c in libvirt do not unlock the domain when an

 ACL check fails, which allow local users to cause a denial of service

 via unspecified vectors (CVE-2014-8136).

 

 The XML getters for save images and snapshot objects don't check
 ACLs for the VIR_DOMAIN_XML_SECURE flag and might dump
 security-sensitive information. A remote attacker able to establish
 a connection to libvirtd could use this flaw to leak certain
 limited information from the domain XML file (CVE-2015-0236).

 

 The updated packages provide the latest 1.1.3.9 version, which has
 more robust fixes for MDVSA-2015:023 and MDVSA-2015:035.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8136

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0236

 http://advisories.mageia.org/MGASA-2015-0002.html

 http://advisories.mageia.org/MGASA-2015-0046.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 99a0f91dc4b2d55b3181c652974681b2  mbs1/x86_64/lib64virt0-1.1.3.9-1.mbs1.x86_64.rpm

 ae56bfd12fcccbde9bf33745aa8fe293  mbs1/x86_64/lib64virt-devel-1.1.3.9-1.mbs1.x86_64.rpm

 b5fd2fb0bd54b9844dc9fb32e934e918  mbs1/x86_64/libvirt-utils-1.1.3.9-1.mbs1.x86_64.rpm

 9572550b9b1a5b701746202a96d4fafb  mbs1/x86_64/python-libvirt-1.1.3.9-1.mbs1.x86_64.rpm 

 98a126adc7ee4d4d93b5bc06a0312ec2  mbs1/SRPMS/libvirt-1.1.3.9-1.mbs1.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFXsamqjQ0CJFipgRAomUAJ9H1uH5Qp4NMFZQPRwc+jkuIjKEvgCg5+RL

SntyU7tGIRM3fvowPflePBE=

=8r5s

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:071

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : libpng12

 Date    : March 27, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated libpng12 package fixes security vulnerabilities:

 

 The png_do_expand_palette function in libpng before 1.6.8 allows remote

 attackers to cause a denial of service (NULL pointer dereference and

 application crash) via a PLTE chunk of zero bytes or a NULL palette,

 related to pngrtran.c and pngset.c (CVE-2013-6954).

 

 An integer overflow leading to a heap-based buffer overflow was found
 in the png_set_sPLT() and png_set_text_2() API functions of libpng. An
 attacker could create a specially-crafted image file which, when
 rendered by an application written to explicitly call png_set_sPLT()
 or png_set_text_2(), could cause libpng to crash or execute arbitrary
 code with the permissions of the user running such an application
 (CVE-2013-7353).

 

 An integer overflow leading to a heap-based buffer overflow was found
 in the png_set_unknown_chunks() API function of libpng. An attacker
 could create a specially-crafted image file which, when rendered by an
 application written to explicitly call png_set_unknown_chunks(), could
 cause libpng to crash or execute arbitrary code with the permissions
 of the user running such an application (CVE-2013-7354).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6954

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7353

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7354

 http://advisories.mageia.org/MGASA-2014-0076.html

 http://advisories.mageia.org/MGASA-2014-0211.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 67f6c1e2cbf315f3e5270adb49046092  mbs2/x86_64/lib64png12_0-1.2.50-5.1.mbs2.x86_64.rpm

 e985ececed0be928b1d2d6166fec5e66  mbs2/x86_64/lib64png12-devel-1.2.50-5.1.mbs2.x86_64.rpm 

 b21bbda94814f3a3f766bf68794d47f9  mbs2/SRPMS/libpng12-1.2.50-5.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFX3XmqjQ0CJFipgRAuPFAKCHWqewJjAQ4udioySawYnWhibWCACeJj+k

r3cPyDQhhoFCVIx9Uzn826s=

=fpkm

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:072

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : gnutls

 Date    : March 27, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated gnutls packages fix security vulnerabilities:

 

 Suman Jana reported a vulnerability that affects the certificate

 verification functions of gnutls 3.1.x and gnutls 3.2.x. A version

 1 intermediate certificate will be considered as a CA certificate

 by default (something that deviates from the documented behavior)

 (CVE-2014-1959).

 

 It was discovered that GnuTLS did not correctly handle certain errors

 that could occur during the verification of an X.509 certificate,

 causing it to incorrectly report a successful verification. An attacker

 could use this flaw to create a specially crafted certificate that

 could be accepted by GnuTLS as valid for a site chosen by the attacker

 (CVE-2014-0092).

 

 A NULL pointer dereference flaw was discovered in GnuTLS's
 gnutls_x509_dn_oid_name().  The function, when called with the
 GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its
 caller. However, it could previously return NULL when parsed X.509
 certificates included specific OIDs (CVE-2014-3465).

 

 A flaw was found in the way GnuTLS parsed session ids from Server

 Hello packets of the TLS/SSL handshake.  A malicious server could use

 this flaw to send an excessively long session id value and trigger a

 buffer overflow in a connecting TLS/SSL client using GnuTLS, causing

 it to crash or, possibly, execute arbitrary code (CVE-2014-3466).

 

 An out-of-bounds memory write flaw was found in the way GnuTLS

 parsed certain ECC (Elliptic Curve Cryptography) certificates or

 certificate signing requests (CSR). A malicious user could create a

 specially crafted ECC certificate or a certificate signing request

 that, when processed by an application compiled against GnuTLS (for

 example, certtool), could cause that application to crash or execute

 arbitrary code with the permissions of the user running the application

 (CVE-2014-8564).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564

 http://advisories.mageia.org/MGASA-2014-0077.html

 http://advisories.mageia.org/MGASA-2014-0117.html

 http://advisories.mageia.org/MGASA-2014-0248.html

 http://advisories.mageia.org/MGASA-2014-0458.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 b239be2e5451b8a248f3fafc39c8a368  mbs2/x86_64/gnutls-3.2.7-2.1.mbs2.x86_64.rpm

 75483984c673db0830e6b848f38139f6  mbs2/x86_64/lib64gnutls28-3.2.7-2.1.mbs2.x86_64.rpm

 03dee0e97f9f581a7c95cf9964718b80  mbs2/x86_64/lib64gnutls-devel-3.2.7-2.1.mbs2.x86_64.rpm

 9c2c4c1da7626e6ca30fa153cc4f59fd  mbs2/x86_64/lib64gnutls-ssl27-3.2.7-2.1.mbs2.x86_64.rpm

 22ee1f810b74ff75be0a21cddc62adf5  mbs2/x86_64/lib64gnutls-xssl0-3.2.7-2.1.mbs2.x86_64.rpm 

 54b2549475fd9f9992d716cf6b731bb9  mbs2/SRPMS/gnutls-3.2.7-2.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFX8ImqjQ0CJFipgRAm3uAKDIx9haU6gaooOBcIY+5bTG3UTE3gCeJb4X

pCQ/tRYagfGY71a1whO53bY=

=Cxpz

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:073

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : openldap

 Date    : March 27, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Multiple vulnerabilities have been discovered and corrected in openldap:

 

 The deref_parseCtrl function in servers/slapd/overlays/deref.c in

 OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a

 denial of service (NULL pointer dereference and crash) via an empty

 attribute list in a deref control in a search request (CVE-2015-1545).

 

 Double free vulnerability in the get_vrFilter function in

 servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to

 cause a denial of service (crash) via a crafted search query with a

 matched values control (CVE-2015-1546).

 

 The updated packages provide a solution for these security issues.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1546

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 8cf3267fdb2dd7fe3e3d45560bdb21d0  mbs2/x86_64/lib64ldap2.4_2-2.4.40-1.mbs2.x86_64.rpm

 865d9a982ce84212ac326c3c1e765bd7  mbs2/x86_64/lib64ldap2.4_2-devel-2.4.40-1.mbs2.x86_64.rpm

 5257553f4101f109f611fb4a1169e032  mbs2/x86_64/lib64ldap2.4_2-static-devel-2.4.40-1.mbs2.x86_64.rpm

 559e20b8fb73db0a2596ae53debb1171  mbs2/x86_64/openldap-2.4.40-1.mbs2.x86_64.rpm

 d768c2cfd50d48df2c6d50cba2804f22  mbs2/x86_64/openldap-back_bdb-2.4.40-1.mbs2.x86_64.rpm

 ca1be9bfd5f8494412dacd1704446a3d  mbs2/x86_64/openldap-back_mdb-2.4.40-1.mbs2.x86_64.rpm

 10616f8ee850c96f6f31a56c04b2f5c8  mbs2/x86_64/openldap-back_sql-2.4.40-1.mbs2.x86_64.rpm

 abe8987076d7c071cf0556717824f968  mbs2/x86_64/openldap-clients-2.4.40-1.mbs2.x86_64.rpm

 167cde52384ff479dbf66c9c3b9c1875  mbs2/x86_64/openldap-doc-2.4.40-1.mbs2.x86_64.rpm

 7bb0cde0c37e82616d7e1c2f51339ea9  mbs2/x86_64/openldap-servers-2.4.40-1.mbs2.x86_64.rpm

 fa9deaf6135eb3443dfa4ea2d5906d03  mbs2/x86_64/openldap-servers-devel-2.4.40-1.mbs2.x86_64.rpm

 712530d38d7091f1feab1b0f214d8440  mbs2/x86_64/openldap-testprogs-2.4.40-1.mbs2.x86_64.rpm

 e2a1576a5731e854ac0395c65014b8ea  mbs2/x86_64/openldap-tests-2.4.40-1.mbs2.x86_64.rpm 

 38e739f91027490ef87474d6053b663f  mbs2/SRPMS/openldap-2.4.40-1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFYFxmqjQ0CJFipgRApm0AJ4xcpT1u7CPnC7I7aiJTISBkiS08ACghGEn

vp6R7J2vex/HG9fkmQLo5EI=

=FTac

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:074

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : openldap

 Date    : March 27, 2015

 Affected: Business Server 1.0

 _______________________________________________________________________

 

 Problem Description:

 

 A vulnerability has been discovered and corrected in openldap:

 

 The deref_parseCtrl function in servers/slapd/overlays/deref.c in

 OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a

 denial of service (NULL pointer dereference and crash) via an empty

 attribute list in a deref control in a search request (CVE-2015-1545).

 

 The updated packages provide a solution for this security issue.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1545

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 f3d273a0c95e56257e22eaf18cee6736  mbs1/x86_64/lib64ldap2.4_2-2.4.33-4.2.mbs1.x86_64.rpm

 52027b79a75fb4079922abb6d8118825  mbs1/x86_64/lib64ldap2.4_2-devel-2.4.33-4.2.mbs1.x86_64.rpm

 2b995254554c7b0eedd11582be51bbbd  mbs1/x86_64/lib64ldap2.4_2-static-devel-2.4.33-4.2.mbs1.x86_64.rpm

 69e95a83d160585836c442956ab36373  mbs1/x86_64/openldap-2.4.33-4.2.mbs1.x86_64.rpm

 73c277441c0306b03133c17fea8b8ccf  mbs1/x86_64/openldap-clients-2.4.33-4.2.mbs1.x86_64.rpm

 30294a4d6ff5598198f7cdd9d2bea05d  mbs1/x86_64/openldap-doc-2.4.33-4.2.mbs1.x86_64.rpm

 b43adb7168e7fe719cd980003c1be7a2  mbs1/x86_64/openldap-servers-2.4.33-4.2.mbs1.x86_64.rpm

 090de690808dc5e432a372349acd405d  mbs1/x86_64/openldap-testprogs-2.4.33-4.2.mbs1.x86_64.rpm

 f0cc189b31a629302488840eb12eb763  mbs1/x86_64/openldap-tests-2.4.33-4.2.mbs1.x86_64.rpm 

 1887cf299db014a962c8c71373da1113  mbs1/SRPMS/openldap-2.4.33-4.2.mbs1.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVFYL7mqjQ0CJFipgRAhCFAJ4vH2ujhX387cICndj2Oa0Z9BdGgACfSzSn

jkUq9mNdelJc9A2x1H7J/Cw=

=QLGZ

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:075

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : python

 Date    : March 27, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated python packages fix security vulnerabilities:

 

 A vulnerability was reported in Python's socket module, due to
 a boundary error within the sock_recvfrom_into() function, which
 could be exploited to cause a buffer overflow.  This could be used
 to crash a Python application that uses the socket.recvfrom_into()
 function or, possibly, execute arbitrary code with the permissions
 of the user running vulnerable Python code (CVE-2014-1912).

 

 This update moves the python package to a newer 2.7.x release (2.7.9
 in the packages listed below), which fixes several other bugs,
 including denial of service flaws due to unbounded readline() calls
 in the ftplib, nntplib, imaplib, poplib, and smtplib modules
 (CVE-2013-1752).

 

 A gzip bomb and unbounded read denial of service flaw in the python
 XMLRPC library (CVE-2013-1753).

 

 Python is susceptible to arbitrary process memory reading by a user
 or adversary due to a bug in the _json module caused by insufficient
 bounds checking. The bug is caused by allowing the user to supply a
 negative value that is used as an array index, causing the scanstring
 function to access process memory outside of the string it is intended
 to access (CVE-2014-4616).

 

 The CGIHTTPServer Python module does not properly handle URL-encoded
 path separators in URLs. This may enable attackers to disclose a CGI
 script's source code or execute arbitrary scripts in the server's
 document root (CVE-2014-4650).
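A simplified mirror of the CGI path handling behind CVE-2014-4650, added here as an example and not CPython's own http.server code: the pre-fix variant decides whether a request targets a CGI directory on the still percent-encoded path, so "/cgi-bin%2fhello.py" never matches "/cgi-bin" and falls through to the static file handler (which does decode it) and serves the script source; the post-fix variant decodes first, which also collapses encoded ".." segments before the directory check. CGI_DIRECTORIES and the sample paths are the example's assumptions, and the handling of surplus ".." is simplified.

```python
"""URL path collapsing for a CGI-style server, before and after percent-decoding.

Added example, not CPython's code: a simplified mirror of the
_url_collapse_path / is_cgi logic in http.server. The 'vulnerable' variant
splits on '/' without decoding (the class of bug in CVE-2014-4650); the
'fixed' variant decodes first, as the upstream fix does. Directory names and
request paths are assumptions made for the example.
"""
from urllib.parse import unquote

CGI_DIRECTORIES = ("/cgi-bin", "/htbin")


def _collapse(path, decode_first):
    """Return (head, tail) where head is the directory part and tail the last segment."""
    path, _, query = path.partition("?")
    if decode_first:
        path = unquote(path)  # '%2f' -> '/', '%2e%2e' -> '..'
    parts = path.split("/")
    head = []
    for part in parts[:-1]:
        if part == "..":
            if head:  # simplification: never climb above the root
                head.pop()
        elif part and part != ".":
            head.append(part)
    tail = parts[-1] if parts else ""
    if tail in ("..", "."):
        if tail == ".." and head:
            head.pop()
        tail = ""
    if query:
        tail = "?".join((tail, query))
    return "/" + "/".join(head), tail


def is_cgi_vulnerable(path):
    """Pre-fix behaviour: decide on the raw, still percent-encoded path."""
    head, tail = _collapse(path, decode_first=False)
    return head in CGI_DIRECTORIES, head, tail


def is_cgi_fixed(path):
    """Post-fix behaviour: percent-decode before splitting and deciding."""
    head, tail = _collapse(path, decode_first=True)
    return head in CGI_DIRECTORIES, head, tail
```

The first element of the tuple is the decision the server acts on: False means the request is handed to the plain file handler, which is where the source disclosure happens for an encoded separator.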

 

 Python before 2.7.8 is vulnerable to an integer overflow in the buffer

 type (CVE-2014-7185).

 

 When Python's standard library HTTP clients (httplib, urllib,
 urllib2, xmlrpclib) are used to access resources with HTTPS, by
 default the certificate is not checked against any trust store,
 nor is the hostname in the certificate checked against the requested
 host. It was possible to configure a trust root to be checked against,
 but there were no facilities for hostname checking (CVE-2014-9365).
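What "hostname checking" means for CVE-2014-9365, as an added example that is not CPython's code: a client context with chain validation and hostname matching turned on (ssl.create_default_context(), the default client behaviour from Python 2.7.9 and PEP 476 on), next to a small dNSName matcher run over a constructed dict in the shape SSLSocket.getpeercert() returns, so the rule is visible offline. The matcher handles only DNS SANs plus a commonName fallback when no DNS SAN exists, and treats a wildcard as valid only as the whole leftmost label; the certificate contents are made up for the example.

```python
"""Hostname verification for HTTPS clients.

Added example, not CPython's own code. Part one builds a context with the
checks CVE-2014-9365 says were off by default (trust-store verification plus
hostname matching). Part two is a small RFC 6125-style matcher over a
constructed getpeercert()-shaped dict; it covers DNS SANs and a CN fallback
only, which is the rule the old ssl.match_hostname() applied.
"""
import ssl


def hardened_client_context():
    # create_default_context() loads the platform trust store, sets
    # CERT_REQUIRED and check_hostname=True: the behaviour the advisory says
    # the 2.7.x clients lacked by default.
    return ssl.create_default_context()


def legacy_like_context():
    # What the pre-2.7.9 default amounted to: no chain check, no hostname check.
    return ssl._create_unverified_context()


def context_verifies(ctx):
    """True if ctx both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def _dns_label_match(pattern, hostname):
    """Match one SAN dNSName against hostname; '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('f*o.example.com'), wildcards outside the
    # leftmost label, and wildcards that would cover a whole TLD ('*.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def match_hostname(cert, hostname):
    """True if hostname is covered by the certificate's dNSName SANs.

    The subject commonName is consulted only when the certificate carries no
    dNSName SAN at all.
    """
    san_dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if san_dns:
        return any(_dns_label_match(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_label_match(value, hostname)
    return False


# Constructed sample in the shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
```

Note that the CN in SAMPLE_CERT is ignored because DNS SANs are present: a certificate cannot widen its scope by putting an extra name in the subject.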

 

 The python-pip and tix packages were added due to missing build
 dependencies.

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365
 http://advisories.mageia.org/MGASA-2014-0085.html
 http://advisories.mageia.org/MGASA-2014-0139.html
 http://advisories.mageia.org/MGASA-2014-0285.html
 http://advisories.mageia.org/MGASA-2014-0399.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 d58b1b80b3dc737786ed59c11716efd7  mbs2/x86_64/lib64python2.7-2.7.9-1.mbs2.x86_64.rpm
 094be70fc92a99ec299026414043a5ed  mbs2/x86_64/lib64python-devel-2.7.9-1.mbs2.x86_64.rpm
 daaaff2334797306a8be9d6a8f4fa69a  mbs2/x86_64/python-2.7.9-1.mbs2.x86_64.rpm
 3418e101353fde429817cfea0298193b  mbs2/x86_64/python3-pip-1.4.1-4.2.mbs2.noarch.rpm
 e0e7d10ce59e9eccd69d760fb377c5b2  mbs2/x86_64/python-docs-2.7.9-1.mbs2.noarch.rpm
 eaf8978737e06d46ddd2ee6d78658ae4  mbs2/x86_64/python-pip-1.4.1-4.2.mbs2.noarch.rpm
 ea585f2ec67cb5a4838c1fc08e615fa5  mbs2/x86_64/tix-8.4.3-9.mbs2.x86_64.rpm
 5f83e970c318d9dad119943e986f8182  mbs2/x86_64/tix-devel-8.4.3-9.mbs2.x86_64.rpm
 a6b1667ad8ab5000b1eef329713aa5c3  mbs2/x86_64/tkinter-2.7.9-1.mbs2.x86_64.rpm
 7ce085d9fb460e1093513d5579174697  mbs2/x86_64/tkinter-apps-2.7.9-1.mbs2.x86_64.rpm
 85e67e3e2373ea06f2b2eb0e69682937  mbs2/SRPMS/python-2.7.9-1.mbs2.src.rpm
 407d147f773bbc3fc3c5430619ee0f65  mbs2/SRPMS/python-pip-1.4.1-4.2.mbs2.src.rpm
 b561abc0b4fec04f0c398068faa5952f  mbs2/SRPMS/tix-8.4.3-9.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
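When packages are fetched by hand rather than through urpmi, the "Updated Packages" block above is the manifest to check them against. The following is an added example, not Mandriva's tooling: it parses lines of the form "<md5>  <relative path>" as printed in these advisories and verifies files under a local mirror directory, confining every listed path to that directory. The scratch mirror and manifest built by demo() are constructed for the example. Note that the md5 list only confirms that the file is the one the advisory names; authenticity of the packages rests on the GPG signature, which rpm -K (rpm --checksig) verifies against the Mandriva key mentioned below.

```python
"""Verify downloaded RPMs against the md5 manifest printed in an MDVSA advisory.

Added example (not Mandriva's code). Manifest lines look like
"<32 hex chars>  <relative/path.rpm>"; any other line is ignored.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# One manifest line: 32 hex digits, whitespace, a relative path.
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (expected_md5, relative_path) pairs from advisory text."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
    return entries


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through md5 so large RPMs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(text: str, base_dir: str) -> Dict[str, str]:
    """Map each listed path to 'ok', 'mismatch', 'missing' or 'rejected'.

    Paths are confined to base_dir: a manifest line that would resolve
    outside the mirror (for example '../x') is reported as 'rejected'
    instead of being opened.
    """
    results: Dict[str, str] = {}
    root = os.path.realpath(base_dir)
    for expected, rel in parse_manifest(text):
        full = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, full]) != root:
            results[rel] = "rejected"
            continue
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        results[rel] = "ok" if md5_of_file(full) == expected else "mismatch"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """True only when every listed package was present and matched."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> Dict[str, str]:
    """Constructed fixture: a scratch mirror with one good, one tampered and
    one absent package, plus a manifest line that tries to leave the mirror."""
    base = tempfile.mkdtemp()
    pkg_dir = os.path.join(base, "mbs2", "x86_64")
    os.makedirs(pkg_dir)
    with open(os.path.join(pkg_dir, "good.rpm"), "wb") as f:
        f.write(b"constructed rpm payload")
    with open(os.path.join(pkg_dir, "bad.rpm"), "wb") as f:
        f.write(b"tampered payload")
    good_md5 = hashlib.md5(b"constructed rpm payload").hexdigest()
    manifest = (
        "Mandriva Business Server 2/X86_64:\n"
        f"{good_md5}  mbs2/x86_64/good.rpm\n"
        f"{'0' * 32}  mbs2/x86_64/bad.rpm\n"
        f"{'1' * 32}  mbs2/x86_64/absent.rpm\n"
        f"{'2' * 32}  ../escape.rpm\n"
    )
    return verify_manifest(manifest, base)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

Pass the advisory text and the mirror root to verify_manifest(); anything other than "ok" for every line means the download should not be installed.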

 

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFY0qmqjQ0CJFipgRAnTSAKDqsSqyFLO4F/4mq6ZmL7fZ+yYhjgCeNkAn
fc0CS3IgYNQdHz4EMRvQ9Tg=
=giLB
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:076
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : python3
 Date    : March 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated python3 packages fix security vulnerabilities:

 ZipExtFile.read goes into a 100% CPU infinite loop on maliciously
 binary-edited zips (CVE-2013-7338).

 A vulnerability was reported in Python's socket module, due to
 a boundary error within the sock_recvfrom_into() function, which
 could be exploited to cause a buffer overflow.  This could be used
 to crash a Python application that uses the socket.recvfrom_into()
 function or, possibly, execute arbitrary code with the permissions
 of the user running vulnerable Python code (CVE-2014-1912).

 It was reported that a patch added to Python 3.2 caused a race
 condition where a file could be created with world read/write
 permissions instead of the permissions dictated by the original umask
 of the process. This could allow a local attacker that could win the
 race to view and edit files created by a program using this call. Note
 that prior versions of Python, including 2.x, do not include the
 vulnerable _get_masked_mode() function that is used by os.makedirs()
 when exist_ok is set to True (CVE-2014-2667).

 Python is susceptible to arbitrary process memory reading by a user
 or adversary due to a bug in the _json module caused by insufficient
 bounds checking. The bug is caused by allowing the user to supply a
 negative value that is used as an array index, causing the scanstring
 function to access process memory outside of the string it is intended
 to access (CVE-2014-4616).

 The CGIHTTPServer Python module does not properly handle URL-encoded
 path separators in URLs. This may enable attackers to disclose a CGI
 script's source code or execute arbitrary scripts in the server's
 document root (CVE-2014-4650).
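The CGIHTTPServer issue (CVE-2014-4650) is a canonicalisation-order bug: the handler decided whether a path was a CGI script before percent-decoding it, and only decoded when mapping the path to a file on disk. The following is an added example, ours rather than CPython's code, that models that decision in a few lines and places the flawed order next to the fixed one. CGI_DIRECTORIES, collapse_path(), classify_flawed() and classify_fixed() are names chosen for this example; the request paths in the usage note are constructed inputs.

```python
"""Canonicalise before you decide: a model of CGI dispatch and CVE-2014-4650.

Added example, not CPython's code. A CGI-capable handler splits the request
path into (directory, script) and then chooses between "run as CGI" and
"serve as a static file". The flawed variant makes that choice on the
still-percent-encoded path; the fixed variant unquotes first, so an encoded
'/' cannot hide the CGI directory from the check, and '..' that would climb
above the document root is refused rather than resolved.
"""
from typing import Tuple
from urllib.parse import unquote

CGI_DIRECTORIES = ("/cgi-bin", "/htbin")  # the handler's CGI roots (assumed)


def collapse_path(path: str) -> Tuple[str, str]:
    """Return (directory, basename) with '.' and '..' segments resolved.

    Raises ValueError when '..' would climb above the document root; a
    server should answer that with 404 instead of trying to resolve it.
    """
    parts = path.split("/")
    tail = parts[-1]
    dirs = parts[:-1]
    if tail in (".", ".."):  # a trailing dot segment is a directory op too
        dirs.append(tail)
        tail = ""
    head = []
    for part in dirs:
        if part == "..":
            if not head:
                raise ValueError("path escapes document root")
            head.pop()
        elif part and part != ".":
            head.append(part)
    return "/" + "/".join(head), tail


def _join(directory: str, name: str) -> str:
    return directory.rstrip("/") + "/" + name


def classify_flawed(raw_path: str) -> Tuple[str, str]:
    """The pre-fix order: decide on the encoded path, unquote afterwards."""
    raw_path = raw_path.split("?", 1)[0]
    try:
        directory, script = collapse_path(raw_path)
    except ValueError:
        return ("rejected", raw_path)
    if directory in CGI_DIRECTORIES:
        return ("cgi", _join(directory, script))
    # Static branch: the file layer unquotes here, so an encoded separator
    # becomes a real one only after the CGI check has already been skipped,
    # and the script is served as a plain file (source disclosure).
    return ("static", unquote(_join(directory, script)))


def classify_fixed(raw_path: str) -> Tuple[str, str]:
    """The fixed order: unquote, collapse, then decide on one canonical form."""
    raw_path = raw_path.split("?", 1)[0]
    try:
        directory, script = collapse_path(unquote(raw_path))
    except ValueError:
        return ("rejected", raw_path)
    kind = "cgi" if directory in CGI_DIRECTORIES else "static"
    return (kind, _join(directory, script))


if __name__ == "__main__":
    for req in ("/cgi-bin/hello.py", "/cgi-bin%2fhello.py", "/docs%2f..%2findex.html"):
        print(req, "flawed:", classify_flawed(req), "fixed:", classify_fixed(req))
```

With a constructed request such as /cgi-bin%2fhello.py, classify_flawed() reports a static file at /cgi-bin/hello.py while classify_fixed() reports a CGI script at the same path; the same principle (decode and normalise once, then run every security check on that single canonical form) applies to any dispatcher that inspects paths.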

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2667
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
 http://advisories.mageia.org/MGASA-2014-0085.html
 http://advisories.mageia.org/MGASA-2014-0140.html
 http://advisories.mageia.org/MGASA-2014-0216.html
 http://advisories.mageia.org/MGASA-2014-0285.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 56f95c3e025bb7111ee5c54dfa85f383  mbs2/x86_64/lib64python3.3-3.3.2-14.1.mbs2.x86_64.rpm
 cff088862bad2bccba25080f5123c308  mbs2/x86_64/lib64python3-devel-3.3.2-14.1.mbs2.x86_64.rpm
 bee9faadbee55220b5be84138d183943  mbs2/x86_64/python3-3.3.2-14.1.mbs2.x86_64.rpm
 763832c9969a3b6b6f7d4afefe3d8abd  mbs2/x86_64/python3-docs-3.3.2-14.1.mbs2.noarch.rpm
 c25f48cc46129556b7618bebe4b0d1f0  mbs2/x86_64/tkinter3-3.3.2-14.1.mbs2.x86_64.rpm
 482e45791ec634dda30134cd5513fccc  mbs2/x86_64/tkinter3-apps-3.3.2-14.1.mbs2.x86_64.rpm
 08451430f2a306c8f64ba1e6828a93dd  mbs2/SRPMS/python3-3.3.2-14.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFY5lmqjQ0CJFipgRAtcGAKDPo0tffXqgxDunkoEz0ZzVnKVA/gCfdO06
rhBP84L6S2hc3D7h/cvqeyE=
=nvR4
-----END PGP SIGNATURE-----

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:077
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : python-numpy
 Date    : March 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated python-numpy packages fix security vulnerabilities:

 f2py insecurely used a temporary file. A local attacker could use this
 flaw to perform a symbolic link attack to modify an arbitrary file
 accessible to the user running f2py (CVE-2014-1858, CVE-2014-1859).
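Two issues in this bulletin share a root cause on the defending side: the final permissions or target of a filesystem object were left to something the program did not control. In the python3 advisory (CVE-2014-2667) os.makedirs(exist_ok=True) could, during a race, create a directory more permissive than the process umask intended; here, f2py (CVE-2014-1858, CVE-2014-1859) wrote to a predictable temporary name that a pre-planted symlink could redirect. The block below is an added example (ours, not CPython's or NumPy's code) showing the pattern that avoids both: set the mode explicitly on a file descriptor rather than trusting the umask, and create with O_EXCL|O_NOFOLLOW or tempfile.mkstemp() so an existing link is refused rather than followed. The helper names and the scenario built by demo() are constructed for the example; it assumes a POSIX system (O_DIRECTORY, O_NOFOLLOW, fchmod).

```python
"""Permission-safe directory and temporary-file creation (added example).

Not CPython's or NumPy's code. The helpers never rely on the process umask
for the final mode and never write through a pre-existing symbolic link.
"""
import os
import shutil
import stat
import tempfile


def make_private_dir(path: str, mode: int = 0o700) -> int:
    """Create path if absent and enforce `mode` on it, whatever the umask is.

    os.mkdir applies the umask to `mode`, so the directory may start out
    more open (umask 0, as in the CVE-2014-2667 race window) or more closed
    than requested. The fchmod on an O_NOFOLLOW|O_DIRECTORY descriptor pins
    the mode on the real directory and fails if path is a symlink (ELOOP)
    or not a directory (ENOTDIR). Returns the resulting permission bits.
    """
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass  # verified below to be a real directory, then re-moded
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def create_private_file(path: str, mode: int = 0o600) -> int:
    """Create a brand-new file at a caller-chosen path; refuse anything present.

    O_CREAT|O_EXCL fails with EEXIST if the name exists at all, including as
    a dangling symlink, so a planted link cannot redirect the write;
    O_NOFOLLOW additionally refuses to open through a link. Returns the fd.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, mode)


def secure_tempfile(prefix: str = "f2py_", suffix: str = ".f90"):
    """Unpredictable name, mode 0600, created with O_EXCL: what f2py needed."""
    return tempfile.mkstemp(prefix=prefix, suffix=suffix)


def world_writable(path: str) -> bool:
    """Audit helper: True if others may write to path (link itself, not target)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Constructed scenario in a scratch directory, run with umask 0 to mimic
    the worst case; returns what each helper produced."""
    base = tempfile.mkdtemp()
    old_umask = os.umask(0)
    try:
        work = os.path.join(base, "work")
        dir_mode = make_private_dir(work)

        # A victim file and a planted link where a predictable temp name would go.
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("must not be overwritten\n")
        planted = os.path.join(work, "predictable.tmp")
        os.symlink(victim, planted)
        try:
            os.close(create_private_file(planted))
            refused = False
        except FileExistsError:
            refused = True

        fd, tmp = secure_tempfile()
        os.close(fd)
        tmp_mode = stat.S_IMODE(os.stat(tmp).st_mode)
        os.unlink(tmp)

        with open(victim) as f:
            victim_intact = f.read() == "must not be overwritten\n"
        return {
            "dir_mode": dir_mode,
            "dir_world_writable": world_writable(work),
            "refused_symlink": refused,
            "tmp_mode": tmp_mode,
            "victim_intact": victim_intact,
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The umask is a default, not a policy: code that needs a specific mode should state it (mkdir/open mode argument plus fchmod), and code that must not clobber an existing object should say so with O_EXCL, which is also what tempfile.mkstemp() does internally.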

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859
 http://advisories.mageia.org/MGASA-2014-0089.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 b263b7e787b22bdcd742b33c8955f364  mbs2/x86_64/python3-numpy-1.8.0-1.1.mbs2.x86_64.rpm
 7157c0c9db9435121b784a6d1d78b6d0  mbs2/x86_64/python3-numpy-devel-1.8.0-1.1.mbs2.x86_64.rpm
 2c8b2227f573844df99543e7bcb46107  mbs2/x86_64/python-numpy-1.8.0-1.1.mbs2.x86_64.rpm
 3162e4fa35bb17378ce3e373a81db035  mbs2/x86_64/python-numpy-devel-1.8.0-1.1.mbs2.x86_64.rpm
 650dd731f7edfcae89fcc8e45ccf4993  mbs2/SRPMS/python-numpy-1.8.0-1.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFZENmqjQ0CJFipgRAiqfAKDshMjOCS6jOvsnLDxzalMgK8CSdwCdHled
sKz45XSD3pC1xBUS45LMrSc=
=bep1
-----END PGP SIGNATURE-----

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:078
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : mutt
 Date    : March 28, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated mutt packages fix a security vulnerability:

 A flaw was discovered in mutt. A specially crafted mail header
 could cause mutt to crash, leading to a denial of service condition
 (CVE-2014-9116).

 The mutt package has been updated to version 1.5.23 and patched to
 fix this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9116
 http://advisories.mageia.org/MGASA-2014-0509.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 096cdb20d094451a3f339961899e4a87  mbs2/x86_64/mutt-1.5.23-1.mbs2.x86_64.rpm
 8ac9ec32af9cca8795c293097eaf71e4  mbs2/x86_64/mutt-doc-1.5.23-1.mbs2.x86_64.rpm
 213776e6f7ee93c7804c38149b9a66f8  mbs2/x86_64/mutt-utf8-1.5.23-1.mbs2.x86_64.rpm
 30372d7a02d573e751e11c2c4e70ed23  mbs2/SRPMS/mutt-1.5.23-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFjIsmqjQ0CJFipgRAjY0AJ96GvgEnuxkmeuwzKTnktoaiS/hVACgqhpB
D9k4LneYsCLxuNPsCYuVszg=
=ykAo
-----END PGP SIGNATURE-----

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:079
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : March 28, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in php:

 S. Paraschoudis discovered that PHP incorrectly handled memory in
 the enchant binding. A remote attacker could use this issue to cause
 PHP to crash, resulting in a denial of service, or possibly execute
 arbitrary code (CVE-2014-9705).

 Taoguang Chen discovered that PHP incorrectly handled unserializing
 objects. A remote attacker could use this issue to cause PHP to crash,
 resulting in a denial of service, or possibly execute arbitrary code
 (CVE-2015-0273).

 It was discovered that PHP incorrectly handled memory in the phar
 extension. A remote attacker could use this issue to cause PHP to
 crash, resulting in a denial of service, or possibly execute arbitrary
 code (CVE-2015-2301).

 Use-after-free vulnerability in the process_nested_data function in
 ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
 arbitrary code via a crafted unserialize call that leverages improper
 handling of duplicate numerical keys within the serialized properties
 of an object. NOTE: this vulnerability exists because of an incomplete
 fix for CVE-2014-8142 (CVE-2015-0231).

 An integer overflow flaw, leading to a heap-based buffer overflow,
 was found in the way libzip, which is embedded in PHP, processed
 certain ZIP archives. If an attacker were able to supply a specially
 crafted ZIP archive to an application using libzip, it could cause
 the application to crash or, possibly, execute arbitrary code
 (CVE-2015-2331).

 It was discovered that the PHP opcache component incorrectly handled
 memory. A remote attacker could possibly use this issue to cause
 PHP to crash, resulting in a denial of service, or possibly execute
 arbitrary code (CVE-2015-1351).

 It was discovered that the PHP PostgreSQL database extension
 incorrectly handled certain pointers. A remote attacker could possibly
 use this issue to cause PHP to crash, resulting in a denial of service,
 or possibly execute arbitrary code (CVE-2015-1352).

 The updated php packages have been patched and upgraded to the 5.5.23
 version, which is not vulnerable to these issues. The libzip packages
 have been patched to address the CVE-2015-2331 flaw.

 Additionally, the php-xdebug package has been upgraded to the latest
 2.3.2 release, and the PECL packages that require it have been rebuilt
 for php-5.5.23.

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331
 http://php.net/ChangeLog-5.php#5.5.22
 http://php.net/ChangeLog-5.php#5.5.23
 http://www.ubuntu.com/usn/usn-2535-1/
 http://www.ubuntu.com/usn/usn-2501-1/
 https://bugzilla.redhat.com/show_bug.cgi?id=1204676
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 3c1e2ab81c1731c63a99a4a7c66d48d3  mbs1/x86_64/apache-mod_php-5.5.23-1.mbs1.x86_64.rpm
 6a12e93ebf52d6cb505652cb919b73c3  mbs1/x86_64/lib64php5_common5-5.5.23-1.mbs1.x86_64.rpm
 92ae97e82c0bae091c65847f672f0369  mbs1/x86_64/lib64zip2-0.10.1-2.1.mbs1.x86_64.rpm
 ac28732246df9bf58921740921560c67  mbs1/x86_64/lib64zip-devel-0.10.1-2.1.mbs1.x86_64.rpm
 538fad85574f17991959c00f0b4a43b1  mbs1/x86_64/libzip-0.10.1-2.1.mbs1.x86_64.rpm
 70d44c88afb55e2b1519e8d3a71f274c  mbs1/x86_64/php-apc-3.1.15-1.17.mbs1.x86_64.rpm
 2e2f9c88f1d92bc4f3f0e4df3908fd73  mbs1/x86_64/php-apc-admin-3.1.15-1.17.mbs1.x86_64.rpm
 e3d5f3fb0fcace77e78209986102b171  mbs1/x86_64/php-bcmath-5.5.23-1.mbs1.x86_64.rpm
 1ca44e20629234028499eda497f27059  mbs1/x86_64/php-bz2-5.5.23-1.mbs1.x86_64.rpm
 473167211cea7e0b62916e66921ee5a4  mbs1/x86_64/php-calendar-5.5.23-1.mbs1.x86_64.rpm
 214618465b0e9b1dac6efb3b4f52b988  mbs1/x86_64/php-cgi-5.5.23-1.mbs1.x86_64.rpm
 6b178d78c6dd197b6643e7e493bce359  mbs1/x86_64/php-cli-5.5.23-1.mbs1.x86_64.rpm
 c1d4dd5178780fc999f449024ebde36e  mbs1/x86_64/php-ctype-5.5.23-1.mbs1.x86_64.rpm
 152132662ebefb9ade6fa67465b9af2a  mbs1/x86_64/php-curl-5.5.23-1.mbs1.x86_64.rpm
 01961ff4ec2820dd005d336f0671fe04  mbs1/x86_64/php-dba-5.5.23-1.mbs1.x86_64.rpm
 96a7ecb45d71793af39558a1369853e2  mbs1/x86_64/php-devel-5.5.23-1.mbs1.x86_64.rpm
 2106bf2eb5a17f18379add6b17408ed3  mbs1/x86_64/php-doc-5.5.23-1.mbs1.noarch.rpm
 c657e211cc4627a792f67e6c9f5eb06b  mbs1/x86_64/php-dom-5.5.23-1.mbs1.x86_64.rpm
 675db3e8eb585640b7a04a04e5ffce93  mbs1/x86_64/php-enchant-5.5.23-1.mbs1.x86_64.rpm
 bf345e51365465268e696684b77c9cc8  mbs1/x86_64/php-exif-5.5.23-1.mbs1.x86_64.rpm
 69352287afb24b38ba68f995ddece5ab  mbs1/x86_64/php-fileinfo-5.5.23-1.mbs1.x86_64.rpm
 bbf3d7067c2bbc71a4a9ae5e353c6f8e  mbs1/x86_64/php-filter-5.5.23-1.mbs1.x86_64.rpm
 c6a25a432547a0e8d404dab281963d74  mbs1/x86_64/php-fpm-5.5.23-1.mbs1.x86_64.rpm
 889332d46d1d9f1a2cf6421b6a5b5e3f  mbs1/x86_64/php-ftp-5.5.23-1.mbs1.x86_64.rpm
 86a90c9565562b5b360eb11d431536e7  mbs1/x86_64/php-gd-5.5.23-1.mbs1.x86_64.rpm
 dba72038f9098f7332e969b19c9d65a8  mbs1/x86_64/php-gettext-5.5.23-1.mbs1.x86_64.rpm
 b25d3f9ded7322a2b28942648ec74ff4  mbs1/x86_64/php-gmp-5.5.23-1.mbs1.x86_64.rpm
 9bf5bfcb843c2d3b71855792e6b2050e  mbs1/x86_64/php-hash-5.5.23-1.mbs1.x86_64.rpm
 284a394dbe68e756c8813a53c0a89c66  mbs1/x86_64/php-iconv-5.5.23-1.mbs1.x86_64.rpm
 9df2ec7f05f9a7955770e3ed4513cbfb  mbs1/x86_64/php-imap-5.5.23-1.mbs1.x86_64.rpm
 e5947618cc905d249191bcc2066ffed1  mbs1/x86_64/php-ini-5.5.23-1.mbs1.x86_64.rpm
 d4f9e91e2877d6aaff0ee07bc5bdd95b  mbs1/x86_64/php-intl-5.5.23-1.mbs1.x86_64.rpm
 071ba0290df66c3ac1b0f0fa18ec2195  mbs1/x86_64/php-json-5.5.23-1.mbs1.x86_64.rpm
 62146a98a0d24ee66cebd23887fc43fa  mbs1/x86_64/php-ldap-5.5.23-1.mbs1.x86_64.rpm
 03a94596eaf34eaac0c7e6f88a6aa7cb  mbs1/x86_64/php-mbstring-5.5.23-1.mbs1.x86_64.rpm
 d966c79af040bd5c18dc4a2771bf7184  mbs1/x86_64/php-mcrypt-5.5.23-1.mbs1.x86_64.rpm
 9ab71c0a90c649b4c31386a3582a5d26  mbs1/x86_64/php-mssql-5.5.23-1.mbs1.x86_64.rpm
 80dd51f72e2cd0d854904dc7595a4bb0  mbs1/x86_64/php-mysql-5.5.23-1.mbs1.x86_64.rpm
 88bc7c5a10b7a7f12b71b342afbbd18e  mbs1/x86_64/php-mysqli-5.5.23-1.mbs1.x86_64.rpm
 231ec6adca00980d04f39ce5fd866a83  mbs1/x86_64/php-mysqlnd-5.5.23-1.mbs1.x86_64.rpm
 2c831cf0074977bf76d413c5e9b3f9de  mbs1/x86_64/php-odbc-5.5.23-1.mbs1.x86_64.rpm
 1a4553dcf596125aab2976b2f8c4792c  mbs1/x86_64/php-opcache-5.5.23-1.mbs1.x86_64.rpm
 4cb160e28e8899628c6e698376add11f  mbs1/x86_64/php-openssl-5.5.23-1.mbs1.x86_64.rpm
 aa04993c7abe0539302a36527ad4674a  mbs1/x86_64/php-pcntl-5.5.23-1.mbs1.x86_64.rpm
 57b65d1dec0785825ea2cc8462a2256d  mbs1/x86_64/php-pdo-5.5.23-1.mbs1.x86_64.rpm
 6d5b8bf803d93067f4bce7daad5379ba  mbs1/x86_64/php-pdo_dblib-5.5.23-1.mbs1.x86_64.rpm
 3785dea886512d3473b1cda3d762aa9c  mbs1/x86_64/php-pdo_mysql-5.5.23-1.mbs1.x86_64.rpm
 330c62452427e64106c47fcd1e674ed6  mbs1/x86_64/php-pdo_odbc-5.5.23-1.mbs1.x86_64.rpm
 a3803c5de5acbb0d3c6a26c42b8ec39b  mbs1/x86_64/php-pdo_pgsql-5.5.23-1.mbs1.x86_64.rpm
 2f6a19bc0adc914b46fbab06e3dc7ac7  mbs1/x86_64/php-pdo_sqlite-5.5.23-1.mbs1.x86_64.rpm
 4d452c2c81e21f9ce1d08afadba60d6a  mbs1/x86_64/php-pgsql-5.5.23-1.mbs1.x86_64.rpm
 39c301d412cbd28256f141fd409ea561  mbs1/x86_64/php-phar-5.5.23-1.mbs1.x86_64.rpm
 9c78e1c9192cd1219f1415424156c491  mbs1/x86_64/php-posix-5.5.23-1.mbs1.x86_64.rpm
 5bb762bd20418abbd99c38d0d14127d1  mbs1/x86_64/php-readline-5.5.23-1.mbs1.x86_64.rpm
 e97eb930df1a35f0646e62f88dd8b1e6  mbs1/x86_64/php-recode-5.5.23-1.mbs1.x86_64.rpm
 2b4a91ff5da098a80fa0a74b184f9621  mbs1/x86_64/php-session-5.5.23-1.mbs1.x86_64.rpm
 5ecc3ef7dde9a12cc70308c323c650f9  mbs1/x86_64/php-shmop-5.5.23-1.mbs1.x86_64.rpm
 7380aeaced54d09831dc4828772a9b4f  mbs1/x86_64/php-snmp-5.5.23-1.mbs1.x86_64.rpm
 030ca0276e74f616a1cc8866cc4a3149  mbs1/x86_64/php-soap-5.5.23-1.mbs1.x86_64.rpm
 ba8b4a7dafc450564d41bf54de7b2ea2  mbs1/x86_64/php-sockets-5.5.23-1.mbs1.x86_64.rpm
 61859f052b4a89c1d4ea9bff4251041f  mbs1/x86_64/php-sqlite3-5.5.23-1.mbs1.x86_64.rpm
 81639f4e567c6358f8d1b22c9e2acf98  mbs1/x86_64/php-sybase_ct-5.5.23-1.mbs1.x86_64.rpm
 2f4a24db6aedc32c32f8a1d202a798e2  mbs1/x86_64/php-sysvmsg-5.5.23-1.mbs1.x86_64.rpm
 aab6b3451a848ebf916418e28303fb23  mbs1/x86_64/php-sysvsem-5.5.23-1.mbs1.x86_64.rpm
 6820a01599b0e7d543cd6faa5adf1aee  mbs1/x86_64/php-sysvshm-5.5.23-1.mbs1.x86_64.rpm
 ed7aa5fc5226ede2325b64f862ba121b  mbs1/x86_64/php-tidy-5.5.23-1.mbs1.x86_64.rpm
 6fd07a6cfcff5b6f5791b3c173d6de3f  mbs1/x86_64/php-tokenizer-5.5.23-1.mbs1.x86_64.rpm
 7130ab17ba8d88e08abbff8cc5ce9406  mbs1/x86_64/php-wddx-5.5.23-1.mbs1.x86_64.rpm
 bb977de60a780898623b458e8be594fc  mbs1/x86_64/php-xdebug-2.3.2-1.mbs1.x86_64.rpm
 f66d72fa26d7c2ddf28cbd9834f50981  mbs1/x86_64/php-xml-5.5.23-1.mbs1.x86_64.rpm
 52b65a29cce730602f7788545d8c68eb  mbs1/x86_64/php-xmlreader-5.5.23-1.mbs1.x86_64.rpm
 8e7ce89111d36fa56003a7b2cfb5ca17  mbs1/x86_64/php-xmlrpc-5.5.23-1.mbs1.x86_64.rpm
 64a27f8e54344c459ffa5a2bb1c33521  mbs1/x86_64/php-xmlwriter-5.5.23-1.mbs1.x86_64.rpm
 506d5cd854c2d3140f38b67137fe4f16  mbs1/x86_64/php-xsl-5.5.23-1.mbs1.x86_64.rpm
 3e74425e2868a46bf8db184feaeac041  mbs1/x86_64/php-zip-5.5.23-1.mbs1.x86_64.rpm
 fa27aa395c0d87bf832471e3f6f06c68  mbs1/x86_64/php-zlib-5.5.23-1.mbs1.x86_64.rpm
 5be5023a4703f52af150c7fbcb2c4e5a  mbs1/SRPMS/libzip-0.10.1-2.1.mbs1.src.rpm
 bdf35808447e6b0224eb958adf086dc5  mbs1/SRPMS/php-5.5.23-1.mbs1.src.rpm
 a5047c3b6e20db0167f65ff6ad667e99  mbs1/SRPMS/php-apc-3.1.15-1.17.mbs1.src.rpm
 2eb2949f57a66f2eed5110181ce7f8ce  mbs1/SRPMS/php-xdebug-2.3.2-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFkMLmqjQ0CJFipgRAs8jAJ0Zs7seobOHtc5hQKmofiNNPEG5OQCfVwCF
cHIjCqsYPKSYavI4KbIB1QA=
=4VI0
-----END PGP SIGNATURE-----

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:080
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : March 28, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in php:

 It was discovered that the file utility contains a flaw in the handling
 of indirect magic rules in the libmagic library, which leads to an
 infinite recursion when trying to determine the file type of certain
 files (CVE-2014-1943).

 A flaw was found in the way the file utility determined the type of
 Portable Executable (PE) format files, the executable format used on
 Windows. A malicious PE file could cause the file utility to crash or,
 potentially, execute arbitrary code (CVE-2014-2270).

 The BEGIN regular expression in the awk script detector in
 magic/Magdir/commands in file before 5.15 uses multiple wildcards
 with unlimited repetitions, which allows context-dependent attackers
 to cause a denial of service (CPU consumption) via a crafted ASCII
 file that triggers a large amount of backtracking, as demonstrated
 via a file with many newline characters (CVE-2013-7345).

 PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
 socket with world-writable permissions by default, which allows any
 local user to connect to it and execute PHP scripts as the apache user
 (CVE-2014-0185).
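The PHP-FPM issue (CVE-2014-0185) is a configuration default, so patching the binary is only half the story: a pool file that sets listen.mode = 0666 explicitly stays exposed on any version, and a pool that leaves listen.mode unset inherits whichever default the installed build ships. The block below is an added example, not part of PHP or of this advisory: a small audit that parses php-fpm pool sections and flags every UNIX-socket listener whose effective mode grants write access to others. The default_mode parameter models the two defaults the advisory implies (0666 before the fix, 0660 after); SAMPLE_POOLS is a constructed pool file, and parse_pools()/audit_pools() are names chosen for the example. listen, listen.mode, listen.owner and listen.group are real php-fpm pool directives.

```python
"""Flag world-writable php-fpm UNIX sockets in pool configuration (added example).

Not PHP's code. Parses the ini-style pool files php-fpm reads and reports
pools that listen on a UNIX socket whose effective listen.mode lets "other"
write, which is what CVE-2014-0185 describes for the unfixed default.
"""
import re
from typing import Dict, List

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sample: four pools with different listen settings.
SAMPLE_POOLS = """\
[global]
pid = /run/php-fpm/php-fpm.pid

[www]
; listen.mode unset: the build's default applies
listen = /var/run/php-fpm/www.sock
user = apache
group = apache

[intranet]
listen = /var/run/php-fpm/intranet.sock
listen.owner = apache
listen.group = apache
listen.mode = 0660

[legacy]
listen = /var/run/php-fpm/legacy.sock
listen.mode = 0666   ; explicitly open to every local user

[tcp]
listen = 127.0.0.1:9000
"""


def parse_pools(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; ';' starts a comment, as in php-fpm."""
    pools: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.split(";", 1)[0].rstrip()
        if not stripped:
            continue
        m = _SECTION_RE.match(stripped)
        if m:
            current = m.group(1)
            pools.setdefault(current, {})
            continue
        m = _KV_RE.match(stripped)
        if m and current is not None:
            pools[current][m.group(1)] = m.group(2).strip("\"'")
    return pools


def is_unix_socket(listen: str) -> bool:
    """php-fpm treats a listen value that is an absolute path as a socket path."""
    return listen.startswith("/")


def audit_pools(text: str, default_mode: int = 0o666) -> List[str]:
    """One finding per pool whose UNIX socket is writable by 'other'.

    default_mode is what applies when listen.mode is absent: 0666 on the
    versions the advisory names as vulnerable, 0660 on fixed builds.
    """
    findings = []
    for name, kv in parse_pools(text).items():
        if name == "global":
            continue
        listen = kv.get("listen", "")
        if not is_unix_socket(listen):
            continue
        mode_str = kv.get("listen.mode")
        mode = int(mode_str, 8) if mode_str else default_mode
        if mode & 0o002:
            findings.append(
                f"{name}: socket {listen} is world-writable (mode {mode:04o}); "
                "set listen.mode = 0660 and listen.owner/listen.group to the web server user"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_pools(SAMPLE_POOLS):
        print(finding)
```

Run against the real pool directory the same check reads every *.conf the master config includes; an empty result with default_mode=0o660 but a non-empty one with 0o666 tells you the exposure depends solely on which php-fpm build is installed.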

 

 A flaw was found in the way file&#039;s Composite Document Files (CDF)

 format parser handle CDF files with many summary info entries.

 The cdf_unpack_summary_info() function unnecessarily repeatedly read

 the info from the same offset.  This led to many file_printf() calls in

 cdf_file_property_info(), which caused file to use an excessive amount

 of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).

 

 A flaw was found in the way file parsed property information from

 Composite Document Files (CDF) files.  A property entry with 0 elements

 triggers an infinite loop (CVE-2014-0238).

 

 The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type

 Confusion issue related to the SPL ArrayObject and SPLObjectStorage

 Types (CVE-2014-3515).

 

 It was discovered that PHP is vulnerable to a heap-based buffer

 overflow in the DNS TXT record parsing. A malicious server or

 man-in-the-middle attacker could possibly use this flaw to execute

 arbitrary code as the PHP interpreter if a PHP application uses

 dns_get_record() to perform a DNS query (CVE-2014-4049).

 

 A flaw was found in the way file parsed property information from

 Composite Document Files (CDF) files, where the mconvert() function did

 not correctly compute the truncated pascal string size (CVE-2014-3478).

 

 Multiple flaws were found in the way file parsed property information

 from Composite Document Files (CDF) files, due to insufficient boundary

 checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480,

 CVE-2014-3487).

 

 The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type

 Confusion issue that can cause it to leak arbitrary process memory

 (CVE-2014-4721).

 

 Use-after-free vulnerability in ext/spl/spl_array.c in the SPL

 component in PHP through 5.5.14 allows context-dependent attackers to

 cause a denial of service or possibly have unspecified other impact via

 crafted ArrayIterator usage within applications in certain web-hosting

 environments (CVE-2014-4698).

 

 Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL

 component in PHP through 5.5.14 allows context-dependent attackers to

 cause a denial of service or possibly have unspecified other impact

 via crafted iterator usage within applications in certain web-hosting

 environments (CVE-2014-4670).

 

 file before 5.19 does not properly restrict the amount of data read

 during a regex search, which allows remote attackers to cause a

 denial of service (CPU consumption) via a crafted file that triggers

 backtracking during processing of an awk rule, due to an incomplete

 fix for CVE-2013-7345 (CVE-2014-3538).

 

 Integer overflow in the cdf_read_property_info function in cdf.c

 in file through 5.19, as used in the Fileinfo component in PHP

 before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to

 cause a denial of service (application crash) via a crafted CDF

 file. NOTE: this vulnerability exists because of an incomplete fix

 for CVE-2012-1571 (CVE-2014-3587).

 

 Multiple buffer overflows in the php_parserr function in

 ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow

 remote DNS servers to cause a denial of service (application crash)

 or possibly execute arbitrary code via a crafted DNS record, related

 to the dns_get_record function and the dn_expand function. NOTE:

 this issue exists because of an incomplete fix for CVE-2014-4049

 (CVE-2014-3597).

 

 An integer overflow flaw in PHP&#039;s unserialize() function was

 reported. If unserialize() were used on untrusted data, this

 issue could lead to a crash or potentially information disclosure

 (CVE-2014-3669).

 

 A heap corruption issue was reported in PHP&#039;s exif_thumbnail()

 function. A specially-crafted JPEG image could cause the PHP

 interpreter to crash or, potentially, execute arbitrary code

 (CVE-2014-3670).

 

 If client-supplied input was passed to PHP&#039;s cURL client as a URL to

 download, it could return local files from the server due to improper

 handling of null bytes (PHP#68089).

 

 An out-of-bounds read flaw was found in file&#039;s donote() function in the

 way the file utility determined the note headers of a elf file. This

 could possibly lead to file executable crash (CVE-2014-3710).

 

 A use-after-free flaw was found in PHP unserialize().  An untrusted

 input could cause PHP interpreter to crash or, possibly, execute

 arbitrary code when processed using unserialize() (CVE-2014-8142).

 

 Double free vulnerability in the zend_ts_hash_graceful_destroy function

 in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote

 attackers to cause a denial of service or possibly have unspecified

 other impact via unknown vectors (CVE-2014-9425).

 

 sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when

 mmap is used to read a .php file, does not properly consider the

 mapping&#039;s length during processing of an invalid file that begins

 with a # character and lacks a newline character, which causes an

 out-of-bounds read and might allow remote attackers to obtain sensitive

 information from php-cgi process memory by leveraging the ability to

 upload a .php file or trigger unexpected code execution if a valid

 PHP script is present in memory locations adjacent to the mapping

 (CVE-2014-9427).

 

 Use after free vulnerability in unserialize() in PHP before 5.5.21

 (CVE-2015-0231).

 

 Free called on an uninitialized pointer in php-exif in PHP before

 5.5.21 (CVE-2015-0232).

 

 The readelf.c source file has been removed from PHP&#039;s bundled copy of

 file&#039;s libmagic, eliminating exposure to denial of service issues in

 ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620

 and CVE-2014-9621 in PHP&#039;s fileinfo module.

 

 S. Paraschoudis discovered that PHP incorrectly handled memory in

 the enchant binding. A remote attacker could use this issue to cause

 PHP to crash, resulting in a denial of service, or possibly execute

 arbitrary code (CVE-2014-9705).

 

 Taoguang Chen discovered that PHP incorrectly handled unserializing

 objects. A remote attacker could use this issue to cause PHP to crash,

 resulting in a denial of service, or possibly execute arbitrary code

 (CVE-2015-0273).

 

 It was discovered that PHP incorrectly handled memory in the phar

 extension. A remote attacker could use this issue to cause PHP to

 crash, resulting in a denial of service, or possibly execute arbitrary

 code (CVE-2015-2301).

 

 Use-after-free vulnerability in the process_nested_data function in

 ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before

 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute

 arbitrary code via a crafted unserialize call that leverages improper

 handling of duplicate numerical keys within the serialized properties

 of an object. NOTE: this vulnerability exists because of an incomplete

 fix for CVE-2014-8142 (CVE-2015-0231).

 

 The exif_process_unicode function in ext/exif/exif.c in PHP before

 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote

 attackers to execute arbitrary code or cause a denial of service

 (uninitialized pointer free and application crash) via crafted EXIF

 data in a JPEG image (CVE-2015-0232).

 

 An integer overflow flaw, leading to a heap-based buffer overflow,

 was found in the way libzip, which is embedded in PHP, processed

 certain ZIP archives. If an attacker were able to supply a specially

 crafted ZIP archive to an application using libzip, it could cause

 the application to crash or, possibly, execute arbitrary code

 (CVE-2015-2331).

 

 It was discovered that the PHP opcache component incorrectly handled

 memory. A remote attacker could possibly use this issue to cause

 PHP to crash, resulting in a denial of service, or possibly execute

 arbitrary code (CVE-2015-1351).

 

 It was discovered that the PHP PostgreSQL database extension

 incorrectly handled certain pointers. A remote attacker could possibly

 use this issue to cause PHP to crash, resulting in a denial of service,

 or possibly execute arbitrary code (CVE-2015-1352).

 

 PHP contains a bundled copy of the file utility's libmagic library,
 so it was vulnerable to the libmagic issues.

 

 The updated php packages have been patched and upgraded to the 5.5.23
 version, which is not vulnerable to these issues. The libzip packages
 have been patched to address the CVE-2015-2331 flaw.

 

 A bug in the php zip extension that could cause a crash has been fixed

 (mga#13820)

 

 Additionally, the jsonc and timezonedb packages have been upgraded to
 the latest versions, and the PECL packages that require it have been
 rebuilt for php-5.5.23.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3597

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4698

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9425

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9705

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331

 http://php.net/ChangeLog-5.php#5.5.9

 http://php.net/ChangeLog-5.php#5.5.10

 http://php.net/ChangeLog-5.php#5.5.11

 http://php.net/ChangeLog-5.php#5.5.12

 http://php.net/ChangeLog-5.php#5.5.13

 http://php.net/ChangeLog-5.php#5.5.14

 http://php.net/ChangeLog-5.php#5.5.15

 http://php.net/ChangeLog-5.php#5.5.16

 http://php.net/ChangeLog-5.php#5.5.17

 http://php.net/ChangeLog-5.php#5.5.18

 http://php.net/ChangeLog-5.php#5.5.19

 http://php.net/ChangeLog-5.php#5.5.20

 http://php.net/ChangeLog-5.php#5.5.21

 http://php.net/ChangeLog-5.php#5.5.22


 http://php.net/ChangeLog-5.php#5.5.23

 http://www.ubuntu.com/usn/usn-2535-1/

 http://www.ubuntu.com/usn/usn-2501-1/

 https://bugzilla.redhat.com/show_bug.cgi?id=1204676

 http://advisories.mageia.org/MGASA-2014-0163.html

 http://advisories.mageia.org/MGASA-2014-0178.html

 http://advisories.mageia.org/MGASA-2014-0215.html

 http://advisories.mageia.org/MGASA-2014-0258.html

 http://advisories.mageia.org/MGASA-2014-0284.html

 http://advisories.mageia.org/MGASA-2014-0324.html

 http://advisories.mageia.org/MGASA-2014-0367.html

 http://advisories.mageia.org/MGASA-2014-0430.html

 http://advisories.mageia.org/MGASA-2014-0441.html

 http://advisories.mageia.org/MGASA-2014-0542.html

 http://advisories.mageia.org/MGASA-2015-0040.html

 https://bugs.mageia.org/show_bug.cgi?id=13820

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>


 

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject: unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva? 

Go to http://store.mandriva.com

_______________________________________________________

 

 

 


 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:081

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : samba

 Date    : March 28, 2015

 Affected: Business Server 1.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated samba packages fix security vulnerabilities:

 

 An uninitialized pointer use flaw was found in the Samba daemon

 (smbd). A malicious Samba client could send specially crafted netlogon

 packets that, when processed by smbd, could potentially lead to

 arbitrary code execution with the privileges of the user running smbd

 (by default, the root user) (CVE-2015-0240).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240

 http://advisories.mageia.org/MGASA-2015-0084.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:


 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>


 


 

 

 


 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:082

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : samba

 Date    : March 28, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated samba packages fix security vulnerabilities:

 

 In Samba before 3.6.23, the SAMR server neglects to ensure that

 attempted password changes will update the bad password count, and does

 not set the lockout flags.  This would allow a user unlimited attempts

 against the password by simply calling ChangePasswordUser2 repeatedly.

 This is available without any other authentication (CVE-2013-4496).

 

 Information leak vulnerability in the VFS code, allowing an

 authenticated user to retrieve eight bytes of uninitialized memory

 when shadow copy is enabled (CVE-2014-0178).

 

 Samba versions before 3.6.24, 4.0.19, and 4.1.9 are vulnerable

 to a denial of service on the nmbd NetBIOS name services daemon. A

 malformed packet can cause the nmbd server to loop the CPU and prevent

 any further NetBIOS name service (CVE-2014-0244).

 

 Samba versions before 3.6.24, 4.0.19, and 4.1.9 are affected

 by a denial of service crash involving overwriting memory on an

 authenticated connection to the smbd file server (CVE-2014-3493).

 

 An uninitialized pointer use flaw was found in the Samba daemon

 (smbd). A malicious Samba client could send specially crafted netlogon

 packets that, when processed by smbd, could potentially lead to

 arbitrary code execution with the privileges of the user running smbd

 (by default, the root user) (CVE-2015-0240).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0178

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240

 http://advisories.mageia.org/MGASA-2014-0138.html

 http://advisories.mageia.org/MGASA-2014-0279.html

 http://advisories.mageia.org/MGASA-2015-0084.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>


 


 

 

 


 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:083

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : samba4

 Date    : March 28, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Multiple vulnerabilities have been discovered and corrected in samba4:

 

 Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before

 4.2rc4, when an Active Directory Domain Controller (AD DC)

 is configured, allows remote authenticated users to set the LDB

 userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain

 privileges, by leveraging delegation of authority for user-account

 or computer-account creation (CVE-2014-8143).

 

 An uninitialized pointer use flaw was found in the Samba daemon

 (smbd). A malicious Samba client could send specially crafted netlogon

 packets that, when processed by smbd, could potentially lead to

 arbitrary code execution with the privileges of the user running smbd

 (by default, the root user) (CVE-2015-0240).

 

 The updated packages provide a solution for these security issues.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8143

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240

 https://www.samba.org/samba/history/samba-4.1.15.html

 https://www.samba.org/samba/history/samba-4.1.16.html

 https://www.samba.org/samba/history/samba-4.1.17.html

 https://www.samba.org/samba/security/CVE-2014-8143

 https://www.samba.org/samba/security/CVE-2015-0240

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>


 


 

 

 


 

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:084
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : tomcat
Date    : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated tomcat package fixes security vulnerabilities:

It was discovered that the Apache Commons FileUpload package for Java
could enter an infinite loop while processing a multipart request with
a crafted Content-Type, resulting in a denial-of-service condition
(CVE-2014-0050).

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding
without properly handling (1) a large total amount of chunked data or
(2) whitespace characters in an HTTP header value within a trailer
field, which allows remote attackers to cause a denial of service by
streaming data (CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain Tomcat
internals information by leveraging the presence of an untrusted web
application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML
document containing an external entity declaration in conjunction
with an entity reference, related to an XML External Entity (XXE)
issue (CVE-2013-4590).

Integer overflow in the parseChunkHeader function in
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote
attackers to cause a denial of service (resource consumption) via a
malformed chunk size in chunked transfer coding of a request during
the streaming of data (CVE-2014-0075).

java/org/apache/catalina/servlets/DefaultServlet.java in the default
servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not
properly restrict XSLT stylesheets, which allows remote attackers
to bypass security-manager restrictions and read arbitrary files
via a crafted web application that provides an XML external entity
declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue (CVE-2014-0096).

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in
Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated
behind a reverse proxy, allows remote attackers to conduct HTTP
request smuggling attacks via a crafted Content-Length HTTP header
(CVE-2014-0099).

Apache Tomcat before 6.0.40 and 7.x before 7.0.54 does not properly
constrain the class loader that accesses the XML parser used with
an XSLT stylesheet, which allows remote attackers to read arbitrary
files via a crafted web application that provides an XML external
entity declaration in conjunction with an entity reference, related
to an XML External Entity (XXE) issue, or read files associated with
different web applications on a single Tomcat instance via a crafted
web application (CVE-2014-0119).

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a
malformed chunk as part of a chunked request that caused Tomcat to
read part of the request body as a new request (CVE-2014-0227).

_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227
http://advisories.mageia.org/MGASA-2014-0110.html
http://advisories.mageia.org/MGASA-2014-0149.html
http://advisories.mageia.org/MGASA-2014-0268.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
58f55f0050c7ac4eb3c31308cc62d244  mbs2/x86_64/tomcat-7.0.59-1.mbs2.noarch.rpm
9c28750a8ec902d5bde42748a14d99ab  mbs2/x86_64/tomcat-admin-webapps-7.0.59-1.mbs2.noarch.rpm
b62639d405462dc9f28fd4afe11ddd57  mbs2/x86_64/tomcat-docs-webapp-7.0.59-1.mbs2.noarch.rpm
57b85f852426d5c7e282542165d2ea6f  mbs2/x86_64/tomcat-el-2.2-api-7.0.59-1.mbs2.noarch.rpm
8410dbab11abe4f307576ecd657e427c  mbs2/x86_64/tomcat-javadoc-7.0.59-1.mbs2.noarch.rpm
aaffb8c0cd7d82c6dcb1b0ecc00dc7c8  mbs2/x86_64/tomcat-jsp-2.2-api-7.0.59-1.mbs2.noarch.rpm
538438ca90caa2eb6f49bca3bb6e0e2e  mbs2/x86_64/tomcat-jsvc-7.0.59-1.mbs2.noarch.rpm
9a2d902c3a3e24af3f2da240c42c787f  mbs2/x86_64/tomcat-lib-7.0.59-1.mbs2.noarch.rpm
af5562b305ae7fd1406a9c94c9316cb5  mbs2/x86_64/tomcat-log4j-7.0.59-1.mbs2.noarch.rpm
3349a91a1667f299641e16aed4c3aadc  mbs2/x86_64/tomcat-servlet-3.0-api-7.0.59-1.mbs2.noarch.rpm
4777adcbc177da7e1b8b158d6186141c  mbs2/x86_64/tomcat-webapps-7.0.59-1.mbs2.noarch.rpm
b832a8fcd47ae9fb696ca9424bd2a934  mbs2/SRPMS/tomcat-7.0.59-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFl05mqjQ0CJFipgRAniKAKC/MpUAj48M/7CzWXB4hv87uo99lwCg4Em4
9yRzhuJFw0DWd+dOc4antEU=
=SHMh
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________
 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:085
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : subversion
Date    : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated subversion packages fix security vulnerabilities:

The mod_dav_svn module in Apache Subversion before 1.8.8, when
SVNListParentPath is enabled, allows remote attackers to cause a
denial of service (crash) via an OPTIONS request (CVE-2014-0032).

Ben Reser discovered that Subversion did not correctly validate SSL
certificates containing wildcards. A remote attacker could exploit this
to perform a man in the middle attack to view sensitive information
or alter encrypted communications (CVE-2014-3522).

Bert Huijben discovered that Subversion did not properly handle
cached credentials. A malicious server could possibly use this issue
to obtain credentials cached for a different server (CVE-2014-3528).

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled REPORT requests. A remote, unauthenticated attacker could
use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled URIs for virtual transaction names. A remote, unauthenticated
attacker could send a request for a virtual transaction name that
does not exist, causing mod_dav_svn to crash (CVE-2014-8108).
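
For CVE-2014-3522 the advisory says only that wildcard certificates were not validated correctly. The following added example, this page's own illustration in C and not Subversion's code, shows what a strict match of a certificate name against a host name looks like: a wildcard is accepted only as the whole leftmost label, at least two labels must follow it, and it stands for exactly one label, so a certificate for "*.com" or "*.*.com" cannot be presented for an arbitrary host and "*.example.com" never matches "a.b.example.com". The policy is modelled on RFC 6125 section 6.4.3; the function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges (DNS names are ASCII). */
static bool ieq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dot-separated labels, or -1 if any label is empty
 * (leading or trailing dot, "a..b"). */
static int count_labels(const char *s)
{
    if (*s == '\0' || *s == '.') return -1;
    int n = 1;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '.') {
            if (p[1] == '.' || p[1] == '\0') return -1;
            n++;
        }
    }
    return n;
}

/* Policy (assumed, modelled on RFC 6125 section 6.4.3):
 *  - '*' is accepted only as the complete leftmost label, so "f*o.example.com",
 *    "*.*.example.com" and a bare "*" are refused;
 *  - at least two labels must follow the wildcard, so "*.com" cannot match
 *    every host under .com;
 *  - the wildcard stands for exactly one label and never spans a dot, so
 *    "*.example.com" matches neither "a.b.example.com" nor "example.com". */
bool cert_name_matches_host(const char *pattern, const char *host)
{
    int plabels = count_labels(pattern);
    int hlabels = count_labels(host);
    if (plabels < 0 || hlabels < 0 || strchr(host, '*') != NULL) return false;

    const char *star = strchr(pattern, '*');
    if (star == NULL)                      /* no wildcard: exact match only */
        return ieq(pattern, strlen(pattern), host, strlen(host));

    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;                      /* wildcard is not exactly a "*." prefix */
    if (plabels < 3 || hlabels != plabels)
        return false;

    const char *hdot = strchr(host, '.');  /* non-NULL: host has >= 3 labels */
    return ieq(pattern + 2, strlen(pattern + 2), hdot + 1, strlen(hdot + 1));
}

int main(void)
{
    /* Constructed certificate names and host names, not real certificates. */
    const char *cases[][2] = {
        { "*.example.com", "www.example.com" },
        { "*.example.com", "a.b.example.com" },
        { "*.com",         "example.com" },
        { "*.*.com",       "www.example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-18s -> %s\n", cases[i][0], cases[i][1],
               cert_name_matches_host(cases[i][0], cases[i][1]) ? "match" : "reject");
    return 0;
}
```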

_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3528
http://advisories.mageia.org/MGASA-2014-0105.html
http://advisories.mageia.org/MGASA-2014-0339.html
http://advisories.mageia.org/MGASA-2014-0545.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
3c1e67f77228815883b105a8e62a10e0  mbs2/x86_64/apache-mod_dav_svn-1.8.11-1.mbs2.x86_64.rpm
35c5f1efb679c09bc48d917b94954713  mbs2/x86_64/lib64svn0-1.8.11-1.mbs2.x86_64.rpm
56722eb7ac7b08654d795a5981ebd210  mbs2/x86_64/lib64svnjavahl1-1.8.11-1.mbs2.x86_64.rpm
e1479d1c61864767d56a147bb4ee9b7f  mbs2/x86_64/perl-SVN-1.8.11-1.mbs2.x86_64.rpm
7c4d79f31b0559c22cc84f39a06f9da0  mbs2/x86_64/perl-svn-devel-1.8.11-1.mbs2.x86_64.rpm
14720ab01668a9d04b566d5102c09f68  mbs2/x86_64/python-svn-1.8.11-1.mbs2.x86_64.rpm
07db3a7142457efc1e0547fd40bbf03f  mbs2/x86_64/python-svn-devel-1.8.11-1.mbs2.x86_64.rpm
8d0511abbed2c57f505183bf00c4ab0d  mbs2/x86_64/ruby-svn-1.8.11-1.mbs2.x86_64.rpm
8d062f6dd429b87f2b1d432c92e9a84a  mbs2/x86_64/ruby-svn-devel-1.8.11-1.mbs2.x86_64.rpm
31e14a18991a2383065a069d53d3cd4e  mbs2/x86_64/subversion-1.8.11-1.mbs2.x86_64.rpm
1ce1c374c428409e8a6380d64b8706f8  mbs2/x86_64/subversion-devel-1.8.11-1.mbs2.x86_64.rpm
052411de41e785decc0bc130e2756eff  mbs2/x86_64/subversion-doc-1.8.11-1.mbs2.x86_64.rpm
98c1473e3721e4c9a6996db448c6ff36  mbs2/x86_64/subversion-server-1.8.11-1.mbs2.x86_64.rpm
6ad3881116530af4d889bb6c142d70dc  mbs2/x86_64/subversion-tools-1.8.11-1.mbs2.x86_64.rpm
3fb0c871a5771c8fe4c6475b5ac0406c  mbs2/x86_64/svn-javahl-1.8.11-1.mbs2.x86_64.rpm
45e0624a89e4c79d4739cd4eb22d9a29  mbs2/SRPMS/subversion-1.8.11-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFl6JmqjQ0CJFipgRAgkVAJ4xKUzteqhyYcBC4AuYoZ7Lv3oQZQCfROhl
NaJSaZq4W6qIMwD8fhQF5Ls=
=R/mF
-----END PGP SIGNATURE-----
 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:086
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libssh
Date    : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libssh packages fix security vulnerabilities:

When using libssh before 0.6.3, a libssh-based server, when accepting
a new connection, forks and the child process handles the request. The
RAND_bytes() function of openssl doesn't reset its state after the
fork, but simply adds the current process id (getpid) to the PRNG
state, which is not guaranteed to be unique. The most important
consequence is that servers using EC (ECDSA) or DSA certificates may
under certain conditions leak their private key (CVE-2014-0017).

Double free vulnerability in the ssh_packet_kexinit function in kex.c
in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to
cause a denial of service via a crafted kexinit packet (CVE-2014-8132).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8132
http://advisories.mageia.org/MGASA-2014-0119.html
http://advisories.mageia.org/MGASA-2015-0014.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
a08812e6aa98461ceab65992eb628853  mbs2/x86_64/lib64ssh4-0.5.5-2.1.mbs2.x86_64.rpm
b647e4b792d2f530e13be40be19d2807  mbs2/x86_64/lib64ssh-devel-0.5.5-2.1.mbs2.x86_64.rpm
97a766a7cdd74f26e6a3b78d50c7afd3  mbs2/SRPMS/libssh-0.5.5-2.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFmH/mqjQ0CJFipgRAm6/AJ9pcSVNx9C/TT5m74Ki9LtvvGsEJQCfYR1J
ibvK/fxTwbA65o8Itk1EJ4s=
=E0zA
-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:156
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libcap-ng
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libcap-ng packages fix security vulnerability:

capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to
prevent regaining capabilities using setuid-root programs. This allows
a user to run setuid programs, such as seunshare from policycoreutils,
as uid 0 but without capabilities, which is potentially dangerous
(CVE-2014-3215).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
http://advisories.mageia.org/MGASA-2014-0251.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
d7910e82f2b1d8282828cfffaad3703f  mbs2/x86_64/lib64cap-ng0-0.7.3-4.1.mbs2.x86_64.rpm
49a2cc4bcab4c29487e336e110963ef2  mbs2/x86_64/lib64cap-ng-devel-0.7.3-4.1.mbs2.x86_64.rpm
ef852b7a611b29caa5c3f1fee0c1d671  mbs2/x86_64/libcap-ng-utils-0.7.3-4.1.mbs2.x86_64.rpm
dba156d41f8404ec4ca97a2897fc3ff0  mbs2/x86_64/python-libcap-ng-0.7.3-4.1.mbs2.x86_64.rpm
f35f6189efd650eefcee3eac3b204e8a  mbs2/SRPMS/libcap-ng-0.7.3-4.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGBgWmqjQ0CJFipgRAgEyAKCQR7tvQGDusQchSovEexu2K/QqHgCeNWJ8
vAl9B+KXazsSuHjGcUtThzk=
=7fja
-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2015:029-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : binutils
Date    : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in binutils:

Multiple integer overflows in the (1) _objalloc_alloc function in
objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU
libiberty, as used by binutils 2.22, allow remote attackers to cause
a denial of service (crash) via vectors related to the addition of
CHUNK_HEADER_SIZE to the length, which triggers a heap-based buffer
overflow (CVE-2012-3509).

The srec_scan function in bfd/srec.c in libbfd in GNU binutils
before 2.25 allows remote attackers to cause a denial of service
(out-of-bounds read) via a small S-record (CVE-2014-8484).

The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24
and earlier allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via crafted section group
headers in an ELF file (CVE-2014-8485).

The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils
2.24 and earlier allows remote attackers to cause a denial of service
(out-of-bounds write) and possibly have other unspecified impact via a
crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable
(CVE-2014-8501).

Heap-based buffer overflow in the pe_print_edata function in
bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote
attackers to cause a denial of service (crash) and possibly have
other unspecified impact via a truncated export table in a PE file
(CVE-2014-8502).

Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c
in GNU binutils 2.24 and earlier allows remote attackers to cause a
denial of service (crash) and possibly have other unspecified impact
via a crafted ihex file (CVE-2014-8503).

Stack-based buffer overflow in the srec_scan function in bfd/srec.c
in GNU binutils 2.24 and earlier allows remote attackers to cause a
denial of service (crash) and possibly have other unspecified impact
via a crafted file (CVE-2014-8504).

Multiple directory traversal vulnerabilities in GNU binutils 2.24 and
earlier allow local users to delete arbitrary files via a .. (dot dot)
or full path name in an archive to (1) strip or (2) objcopy or create
arbitrary files via (3) a .. (dot dot) or full path name in an archive
to ar (CVE-2014-8737).

The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU
binutils 2.24 and earlier allows remote attackers to cause a denial of
service (invalid write, segmentation fault, and crash) via a crafted
extended name table in an archive (CVE-2014-8738).

The updated packages provide a solution for these security issues.

Update:

Packages for Mandriva Business Server 2 are now being provided.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
dc026aaba26fcaff7238a08bb74e5e1e  mbs2/x86_64/binutils-2.24-7.1.mbs2.x86_64.rpm
a2ea284bf36db7b8af26db37c93a00a0  mbs2/x86_64/lib64binutils-devel-2.24-7.1.mbs2.x86_64.rpm
aa10193862adefdea23ca40720acb3b9  mbs2/SRPMS/binutils-2.24-7.1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGQscmqjQ0CJFipgRAq9CAJ9l4LgB0wYho493y/1tfaPCh3Ju5gCdFWEA
DJ6GHfMVJcIHBLLdt+W8RZI=
=j1f3
-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2015:145-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libxfont
Date    : March 30, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated libxfont packages fix security vulnerabilities:

Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to
gain privileges (CVE-2014-0209).

Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted
data that could cause libXfont to crash, or possibly execute arbitrary
code (CVE-2014-0210, CVE-2014-0211).

The bdf parser reads a count for the number of properties defined
in a font from the font file, and allocates arrays with entries for
each property based on that count.  It never checked to see if that
count was negative, or large enough to overflow when multiplied by
the size of the structures being allocated, and could thus allocate
the wrong buffer size, leading to out of bounds writes (CVE-2015-1802).

If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer
(CVE-2015-1803).

The bdf parser read metrics values as 32-bit integers, but stored them
into 16-bit integers.  Overflows could occur in various operations
leading to out-of-bounds memory access (CVE-2015-1804).
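
The three libXfont bdf entries above all come from trusting integers read straight out of the font file. The following added example, not libXfont's code, shows the two checks the text says were missing from the bdf parser: validating the property count before multiplying it by a structure size (CVE-2015-1802) and range-checking a 32-bit metric before storing it in a 16-bit field (CVE-2015-1804). The structure layout, the cap on the number of properties and the function names are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the per-property record the parser allocates (assumed layout). */
struct bdf_property {
    char    *name;
    int32_t  value;
    bool     is_string;
};

/* Sanity cap on the property count read from the file (assumed value; a
 * real font carries a few dozen properties). */
#define BDF_MAX_PROPERTIES 4096

/* The property count comes straight from the font file.  Accept it only if
 * it is non-negative, within the cap, and small enough that
 * count * sizeof(struct bdf_property) cannot wrap size_t.  The cap already
 * implies the last condition; it is kept explicit because it is exactly the
 * multiplication check CVE-2015-1802 describes as missing. */
bool bdf_property_count_ok(long count)
{
    if (count < 0 || count > BDF_MAX_PROPERTIES) return false;
    return (size_t)count <= SIZE_MAX / sizeof(struct bdf_property);
}

/* Allocate the property array, or return NULL for a rejected count.
 * calloc() zero-fills, so a later parse failure cannot leave the entries
 * holding uninitialised pointers. */
struct bdf_property *bdf_alloc_properties(long count)
{
    if (!bdf_property_count_ok(count)) return NULL;
    return calloc((size_t)count, sizeof(struct bdf_property));
}

/* Metrics are read as 32-bit values but stored in 16-bit fields.  Refuse
 * anything outside the int16_t range instead of silently truncating
 * (CVE-2015-1804). */
bool bdf_narrow_metric(int32_t wide, int16_t *narrow)
{
    if (wide < INT16_MIN || wide > INT16_MAX) return false;
    *narrow = (int16_t)wide;
    return true;
}

int main(void)
{
    /* Constructed values standing in for fields read from a font file. */
    long    counts[]  = { 12, -1, LONG_MAX };
    int32_t metrics[] = { 300, 70000, -40000 };
    int16_t m;
    for (size_t i = 0; i < 3; i++)
        printf("property count %ld -> %s\n", counts[i],
               bdf_property_count_ok(counts[i]) ? "accepted" : "rejected");
    for (size_t i = 0; i < 3; i++)
        printf("metric %ld -> %s\n", (long)metrics[i],
               bdf_narrow_metric(metrics[i], &m) ? "stored" : "rejected");
    return 0;
}
```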

 

 Update:

 

 Packages for Mandriva Business Server 1 are now being provided.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1802

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1804

 http://advisories.mageia.org/MGASA-2014-0278.html

 http://advisories.mageia.org/MGASA-2015-0113.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 d2c275699149c2afae7b517dbe555ea7  mbs1/x86_64/lib64xfont1-1.4.5-2.3.mbs1.x86_64.rpm

 1ebf0a5cc41bec2bde12a377f2b6ac41  mbs1/x86_64/lib64xfont1-devel-1.4.5-2.3.mbs1.x86_64.rpm

 ac4432d86d5295a45887f8d8562ff84d  mbs1/x86_64/lib64xfont1-static-devel-1.4.5-2.3.mbs1.x86_64.rpm 

 8bf1820116cfdb93bd322c31d19b7afd  mbs1/SRPMS/libxfont-1.4.5-2.3.mbs1.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

—–BEGIN PGP SIGNATURE—–

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGTdMmqjQ0CJFipgRArq2AJ9/Z1oWqYkyMG3CLMs91cFi7UHAPwCg3SXO

1att+sTOzkp4cyw0zLf3Ph4=

=03yV

—–END PGP SIGNATURE—–

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2015:147-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libtiff
Date    : March 30, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated libtiff packages fix security vulnerabilities:

The libtiff image decoder library contains several issues that
could cause the decoder to crash when reading crafted TIFF images
(CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130,
CVE-2014-9655, CVE-2015-1547).

Update:

Packages for Mandriva Business Server 1 are now being provided.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547
http://advisories.mageia.org/MGASA-2015-0112.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
f8727a71ac4ec2d7d4f1b633d6953822  mbs1/x86_64/lib64tiff5-4.0.4-0.1.mbs1.x86_64.rpm
32cdb5ebbe9aa26837e492bbc226f6eb  mbs1/x86_64/lib64tiff-devel-4.0.4-0.1.mbs1.x86_64.rpm
917c2cf43c35469c768e62f9b670efd0  mbs1/x86_64/lib64tiff-static-devel-4.0.4-0.1.mbs1.x86_64.rpm
36ff180f975358b530230a3c0bf6ee64  mbs1/x86_64/libtiff-progs-4.0.4-0.1.mbs1.x86_64.rpm
abad0883b65d252bd62ca2ea163a0754  mbs1/SRPMS/libtiff-4.0.4-0.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.  You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGTbVmqjQ0CJFipgRArgvAKClh2UJrmBXsf9fE9hhJT1ITcrnywCgk2fw
y1E86Ix3dMzcD9nL8mwuqi0=
=dhzn
-----END PGP SIGNATURE-----

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:168
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : glibc
Date    : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated glibc packages fix security vulnerabilities:

Stephane Chazelas discovered a directory traversal issue in locale
handling in glibc.  glibc accepts relative paths with .. components
in the LC_* and LANG variables.  Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config),
this could conceivably be used to bypass ForceCommand restrictions
(or restricted shells), assuming the attacker has sufficient level
of access to a file system location on the host to create crafted
locale definitions there (CVE-2014-0475).
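
The binutils advisory above (CVE-2014-8737, ".." or absolute member names handed to ar, strip and objcopy) and the glibc entry just above (CVE-2014-0475, ".." components in LANG and LC_* locale names) are the same defect in two programs: a name under the attacker's control is joined to a trusted directory without checking that the result stays inside it. The added example below, which is neither binutils' nor glibc's code, shows one check serving both cases: an archive member may be any relative path with no ".." component, and a locale name must be a single path component. The function names and the treatment of backslashes as separators are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if `name` is a plain relative path: non-empty, not absolute, and with
 * no ".." component.  A backslash is treated as a separator too, so "..\\x"
 * is refused as well (assumed, deliberately conservative policy). */
bool is_safe_relative_name(const char *name)
{
    if (name == NULL || *name == '\0') return false;
    if (name[0] == '/' || name[0] == '\\') return false;

    const char *p = name;
    for (;;) {
        /* Find the end of the current component. */
        const char *end = p;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.') return false;
        if (*end == '\0') return true;
        p = end + 1;
    }
}

/* A locale name taken from LANG or LC_* selects a directory under the
 * locale path, so it must be a single path component: no separator at all
 * and neither "." nor "..". */
bool is_safe_locale_name(const char *name)
{
    if (!is_safe_relative_name(name)) return false;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL) return false;
    return strcmp(name, ".") != 0;
}

int main(void)
{
    /* Constructed archive member names and locale values. */
    const char *members[] = { "lib/foo.o", "../../etc/passwd", "/etc/passwd" };
    const char *locales[] = { "en_US.UTF-8", "../../../tmp/evil" };
    for (size_t i = 0; i < 3; i++)
        printf("member %-18s -> %s\n", members[i],
               is_safe_relative_name(members[i]) ? "extract" : "refuse");
    for (size_t i = 0; i < 2; i++)
        printf("locale %-18s -> %s\n", locales[i],
               is_safe_locale_name(locales[i]) ? "load" : "refuse");
    return 0;
}
```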

 

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
posix_spawn_file_actions_addopen fails to copy the path argument
(glibc bz #17048) which can, in conjunction with many common memory
management techniques from an application, lead to a use after free,
or other vulnerabilities (CVE-2014-4043).

This update also fixes the following issues: x86: Disable x87 inline
functions for SSE2 math (glibc bz #16510); malloc: Fix race in free()
of fastbin chunk (glibc bz #15073).

Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker who can
supply a crafted destination character set argument to iconv-related
character conversion functions could achieve arbitrary code
execution.

This update removes support of loadable gconv transliteration
modules. Besides the security vulnerability, the module loading code
had functionality defects which prevented it from working for the
intended purpose (CVE-2014-5119).

Adhemerval Zanella Netto discovered out-of-bounds reads in additional
code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
that can be used to crash the systems, causing a denial of service
conditions (CVE-2014-6040).

The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ))"
where "..." can be anything valid. The backticks in the arithmetic
expression are evaluated in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass the
WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

The vfprintf function in stdio-common/vfprintf.c in GNU C Library
(aka glibc) 2.5, 2.12, and probably other versions does not properly
restrict the use of the alloca function when allocating the SPECS
array, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a denial
of service (crash) or possibly execute arbitrary code via a crafted
format string using positional parameters and a large number of format
specifiers (CVE-2012-3406).

The nss_dns implementation of getnetbyname could run into an infinite
loop if the DNS response contained a PTR record of an unexpected format
(CVE-2014-9402).

Also glibc lock elision (new feature in glibc 2.18) has been disabled
as it can break glibc at runtime on newer Intel hardware (due to a
hardware bug).

Under certain conditions wscanf can allocate too little memory
for the to-be-scanned arguments and overflow the allocated buffer
(CVE-2015-1472).

The incorrect use of "__libc_use_alloca (newsize)" caused a different
(and weaker) policy to be enforced which could allow a denial of
service attack (CVE-2015-1473).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473
http://advisories.mageia.org/MGASA-2014-0314.html
http://advisories.mageia.org/MGASA-2014-0376.html

 http://advisories.mageia.org/MGASA-2014-0496.html

 http://advisories.mageia.org/MGASA-2015-0013.html

 http://advisories.mageia.org/MGASA-2015-0072.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>


 

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:169
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : git
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated git packages fix a security vulnerability:

 It was reported that git, when used as a client on a case-insensitive
 filesystem, could allow the overwrite of the .git/config file when
 the client performed a git pull.  Because git permitted committing
 .Git/config (or any case variation), on the pull this would replace the
 user's .git/config.  If this malicious config file contained defined
 external commands (such as for invoking an editor or an external diff
 utility) it could allow for the execution of arbitrary code with the
 privileges of the user running the git client (CVE-2014-9390).
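As an added example (not git's own code), this is the kind of check a defender can run over a fetched commit's tree listing before checking it out: it flags any path with a component that is a case variant of .git. It also strips trailing dots and spaces, which NTFS ignores in file names, so it goes slightly beyond the pure case variation the advisory names; the sample listing is constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if one path component would resolve to ".git" on a
 * case-insensitive filesystem.  Trailing '.' and ' ' are stripped first
 * because NTFS ignores them in file names (".git." == ".git"); that
 * goes slightly beyond the case variation named in the advisory. */
static bool component_is_dotgit(const char *start, size_t len)
{
    static const char dotgit[] = ".git";

    while (len > 0 && (start[len - 1] == '.' || start[len - 1] == ' '))
        len--;
    if (len != sizeof(dotgit) - 1)
        return false;
    for (size_t i = 0; i < len; i++) {
        if (tolower((unsigned char)start[i]) != dotgit[i])
            return false;
    }
    return true;
}

/* True if any '/'-separated component of a tree path is a .git variant,
 * e.g. ".Git/config" or "vendor/.GIT/hooks/post-checkout". */
bool path_has_dotgit_n(const char *path, size_t len)
{
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || path[i] == '/') {
            if (component_is_dotgit(path + start, i - start))
                return true;
            start = i + 1;
        }
    }
    return false;
}

bool path_has_dotgit(const char *path)
{
    return path_has_dotgit_n(path, strlen(path));
}

/* Count offending entries in a NUL-separated path list, the format
 * `git ls-tree -r --name-only -z <commit>` prints. */
size_t count_dotgit_paths(const char *buf, size_t buflen)
{
    size_t hits = 0, start = 0;
    for (size_t i = 0; i < buflen; i++) {
        if (buf[i] == '\0') {
            if (path_has_dotgit_n(buf + start, i - start))
                hits++;
            start = i + 1;
        }
    }
    /* a final entry without its NUL terminator still counts */
    if (start < buflen && path_has_dotgit_n(buf + start, buflen - start))
        hits++;
    return hits;
}

/* Constructed sample tree listing (not taken from any real repository). */
static const char SAMPLE_TREE[] =
    "README.md\0"
    "src/main.c\0"
    ".Git/config\0"
    "docs/.gitignore\0"
    "vendor/.GIT./hooks/post-checkout\0";
#define SAMPLE_TREE_LEN (sizeof(SAMPLE_TREE) - 1)

int main(void)
{
    size_t hits = count_dotgit_paths(SAMPLE_TREE, SAMPLE_TREE_LEN);
    printf("%zu path(s) would overwrite .git/ on a case-insensitive FS\n", hits);
    return hits ? 1 : 0;
}
```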

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
 http://advisories.mageia.org/MGASA-2014-0546.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:170
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gcc
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated gcc packages fix the following security issue:

 Multiple integer overflow issues were found in libgfortran, the
 run-time support library for the Fortran compiler. These could possibly
 be used to crash a Fortran application or cause it to execute arbitrary
 code (CVE-2014-5044).

 They also fix the following bugs:

 The gcc rtl-optimization sched2 pass miscompiles a syscall sequence,
 which can cause random panics in glibc and the kernel (gcc/PR61801)

 clang++ fails to find cxxabi.h and cxxabi_tweaks.h during build
 (mga#13543)
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5044
 http://advisories.mageia.org/MGASA-2014-0306.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:171
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : freerdp
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated freerdp packages fix security vulnerabilities:

 Integer overflows in memory allocations in client/X11/xf_graphics.c in
 FreeRDP through 1.0.2 allow remote RDP servers to have an unspecified
 impact through unspecified vectors (CVE-2014-0250).

 Integer overflow in the license_read_scope_list function in
 libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP
 servers to cause a denial of service (application crash) or possibly
 have unspecified other impact via a large ScopeCount value in a Scope
 List in a Server License Request packet (CVE-2014-0791).
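As an added example (not FreeRDP's code) covering both advisories above, this parser bounds the attacker-controlled ScopeCount against the bytes actually remaining before it multiplies or allocates anything, and the same overflow-checked multiply serves the width x height x bytes-per-pixel surface sizes of the X11 client. The Scope List layout (a 4-byte count followed by blobs of wBlobType, wBlobLen and data) is my reading of the RDP licensing packet format, and both packets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked multiply for allocation sizes.  One helper covers both
 * cases on the page: ScopeCount * sizeof(blob) below, and
 * width * height * bytes-per-pixel for the X11 surface buffers. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Does a width x height x bpp surface fit in size_t without wrapping? */
bool surface_size_fits(size_t width, size_t height, size_t bpp)
{
    size_t px, bytes;
    return checked_mul_size(width, height, &px) &&
           checked_mul_size(px, bpp, &bytes);
}

/* Scope List from a Server License Request: ScopeCount (4 bytes LE), then
 * ScopeCount LICENSE_BINARY_BLOBs of wBlobType (2), wBlobLen (2), data. */
typedef struct {
    uint16_t type;
    uint16_t len;
    const uint8_t *data;   /* points into the caller's buffer */
} scope_blob;

enum { SCOPE_OK = 0, SCOPE_ERR_SHORT, SCOPE_ERR_COUNT, SCOPE_ERR_ALLOC };
#define BLOB_HEADER_LEN 4u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* On success *blobs_out is a malloc'd array of *count_out entries. */
int scope_list_read(const uint8_t *buf, size_t len,
                    scope_blob **blobs_out, uint32_t *count_out)
{
    *blobs_out = NULL; *count_out = 0;
    if (len < 4)
        return SCOPE_ERR_SHORT;
    uint32_t count = rd32(buf);
    size_t pos = 4;
    /* Every blob needs at least its 4-byte header, so a ScopeCount above
     * remaining / 4 cannot be honest; reject it before any multiplication
     * or allocation happens. */
    if (count > (len - pos) / BLOB_HEADER_LEN)
        return SCOPE_ERR_COUNT;

    size_t bytes;
    if (!checked_mul_size(count, sizeof(scope_blob), &bytes))
        return SCOPE_ERR_ALLOC;
    scope_blob *blobs = NULL;
    if (count > 0 && (blobs = malloc(bytes)) == NULL)
        return SCOPE_ERR_ALLOC;

    for (uint32_t i = 0; i < count; i++) {
        if (len - pos < BLOB_HEADER_LEN)
            goto short_input;
        blobs[i].type = rd16(buf + pos);
        blobs[i].len = rd16(buf + pos + 2);
        pos += BLOB_HEADER_LEN;
        if (len - pos < blobs[i].len)
            goto short_input;
        blobs[i].data = buf + pos;
        pos += blobs[i].len;
    }
    *blobs_out = blobs;
    *count_out = count;
    return SCOPE_OK;

short_input:
    free(blobs);
    return SCOPE_ERR_SHORT;
}

/* Parse, free, and return the scope count, or the negated error code. */
int scope_list_count_from(const uint8_t *buf, size_t len)
{
    scope_blob *blobs;
    uint32_t count;
    int rc = scope_list_read(buf, len, &blobs, &count);
    free(blobs);
    return rc == SCOPE_OK ? (int)count : -rc;
}

/* Constructed packets: a valid two-scope list, and one that claims
 * 0xFFFFFFFF scopes with only four bytes behind the count. */
static const uint8_t GOOD_SCOPE_LIST[] = {
    0x02, 0x00, 0x00, 0x00,
    0x0e, 0x00, 0x05, 0x00, 'm', 's', 'l', 'i', 'c',
    0x0e, 0x00, 0x04, 0x00, 't', 'e', 's', 't'
};
static const uint8_t BAD_SCOPE_LIST[] = { 0xff, 0xff, 0xff, 0xff, 0x0e, 0x00, 0x00, 0x00 };
```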

 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0250
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0791
 http://advisories.mageia.org/MGASA-2014-0287.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:172
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : firebird
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated firebird packages fix a remote denial of service vulnerability:

 These updates fix the recently discovered security vulnerability
 (CORE-4630) that may be used for a remote DoS attack performed by
 unauthorized users (CVE-2014-9492).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9492
 http://advisories.mageia.org/MGASA-2014-0523.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:173
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ffmpeg
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated ffmpeg packages fix security vulnerabilities:

 The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before
 2.0.4 does not properly validate a certain bits-per-sample value, which
 allows remote attackers to cause a denial of service (out-of-bounds
 array access) or possibly have unspecified other impact via crafted
 TAK (aka Tom's lossless Audio Kompressor) data (CVE-2014-2097).

 libavcodec/wmalosslessdec.c in FFmpeg before 2.0.4 uses an incorrect
 data-structure size for certain coefficients, which allows remote
 attackers to cause a denial of service (memory corruption) or possibly
 have unspecified other impact via crafted WMA data (CVE-2014-2098).

 The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before
 2.0.4 does not properly calculate line sizes, which allows remote
 attackers to cause a denial of service (out-of-bounds array access)
 or possibly have unspecified other impact via crafted Microsoft RLE
 video data (CVE-2014-2099).

 The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB)
 muxer (libavformat/mpegtsenc.c) in FFmpeg before 2.0.4 allows remote
 attackers to have an unspecified impact via unspecified vectors that
 trigger an out-of-bounds write (CVE-2014-2263).

 An integer overflow in LZO decompression in FFmpeg before 2.0.5 allows
 remote attackers to have an unspecified impact by embedding compressed
 data in a video file (CVE-2014-4610).

 A heap-based buffer overflow in the encode_slice function in
 libavcodec/proresenc_kostya.c in FFmpeg before 2.0.6 can cause a
 crash, allowing a malicious image file to cause a denial of service
 (CVE-2014-5271).

 libavcodec/iff.c in FFmpeg before 2.0.6 allows an attacker to have
 an unspecified impact via a crafted iff image, which triggers an
 out-of-bounds array access, related to the rgb8 and rgbn formats
 (CVE-2014-5272).

 libavcodec/mjpegdec.c in FFmpeg before 2.0.6 considers only dimension
 differences, and not bits-per-pixel differences, when determining
 whether an image size has changed, which allows remote attackers to
 cause a denial of service (out-of-bounds access) or possibly have
 unspecified other impact via crafted MJPEG data (CVE-2014-8541).

 libavcodec/utils.c in FFmpeg before 2.0.6 omits a certain codec ID
 during enforcement of alignment, which allows remote attackers to
 cause a denial of service (out-of-bounds access) or possibly have
 unspecified other impact via crafted JV data (CVE-2014-8542).

 libavcodec/mmvideo.c in FFmpeg before 2.0.6 does not consider all lines
 of HHV Intra blocks during validation of image height, which allows
 remote attackers to cause a denial of service (out-of-bounds access)
 or possibly have unspecified other impact via crafted MM video data
 (CVE-2014-8543).

 libavcodec/tiff.c in FFmpeg before 2.0.6 does not properly validate
 bits-per-pixel fields, which allows remote attackers to cause a denial
 of service (out-of-bounds access) or possibly have unspecified other
 impact via crafted TIFF data (CVE-2014-8544).

 libavcodec/pngdec.c in FFmpeg before 2.0.6 accepts the monochrome-black
 format without verifying that the bits-per-pixel value is 1, which
 allows remote attackers to cause a denial of service (out-of-bounds
 access) or possibly have unspecified other impact via crafted PNG data
 (CVE-2014-8545).

 Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.0.6 allows
 remote attackers to cause a denial of service (out-of-bounds access)
 or possibly have unspecified other impact via crafted Cinepak video
 data (CVE-2014-8546).

 libavcodec/gifdec.c in FFmpeg before 2.0.6 does not properly compute
 image heights, which allows remote attackers to cause a denial of
 service (out-of-bounds access) or possibly have unspecified other
 impact via crafted GIF data (CVE-2014-8547).

 Off-by-one error in libavcodec/smc.c in FFmpeg before 2.0.6 allows
 remote attackers to cause a denial of service (out-of-bounds access) or
 possibly have unspecified other impact via crafted Quicktime Graphics
 (aka SMC) video data (CVE-2014-8548).

 This update provides ffmpeg version 2.0.6, which fixes these issues
 and several other bugs which were corrected upstream.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2099
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2263
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4610
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5271
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8541
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8542
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8543
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8544
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8545
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8546
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8548
 http://advisories.mageia.org/MGASA-2014-0280.html
 http://advisories.mageia.org/MGASA-2014-0464.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:174
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : erlang
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated erlang packages fix a security vulnerability:

 An FTP command injection flaw was found in Erlang's FTP module. Several
 functions in the FTP module do not properly sanitize the input before
 passing it into a control socket. A local attacker can use this flaw
 to execute arbitrary FTP commands on a system that uses this module
 (CVE-2014-1693).

 This update also disables SSLv3 by default to mitigate the POODLE
 issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1693
 http://advisories.mageia.org/MGASA-2014-0553.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:


 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQBGmqjQ0CJFipgRAlMOAJ4+XKgZ2ajTf/2V3nFSk3g0aRxWbgCbBX3D

V03y7WmjZTY0C9ZyD13tQfg=

=GBGW

-----END PGP SIGNATURE-----

 

To unsubscribe, send an email to sympa@mandrivalinux.org

with this subject: unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva? 

Go to http://store.mandriva.com

_______________________________________________________

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:175

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : ejabberd

 Date    : March 30, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated ejabberd packages fix security vulnerability:

 

 A flaw was discovered in ejabberd that allows clients to connect

 with an unencrypted connection even if starttls_required is set

 (CVE-2014-8760).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760

 http://advisories.mageia.org/MGASA-2014-0417.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 ab7eeabb38579e6305010c3bccc25b02  mbs2/x86_64/ejabberd-2.1.13-4.1.mbs2.x86_64.rpm

 3288d271f3046c3ccb22f559a939b26e  mbs2/x86_64/ejabberd-devel-2.1.13-4.1.mbs2.x86_64.rpm

 c9b61289264513216738b9e1d50d5030  mbs2/x86_64/ejabberd-doc-2.1.13-4.1.mbs2.x86_64.rpm 

 d7f92f6a82446c927446856e20f78e4c  mbs2/SRPMS/ejabberd-2.1.13-4.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQNtmqjQ0CJFipgRAqPnAJsEBXdcoV8F0Rir9lQwI9xawRG4iwCffv5C

cCZUZjNknXas+zLzNzhuxMI=

=PLoV

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:176

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : dbus

 Date    : March 30, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated dbus packages fix multiple vulnerabilities:

 

 A denial of service vulnerability in D-Bus before 1.6.20 allows a

 local attacker to cause a bus-activated service that is not currently

 running to attempt to start, and fail, denying other users access to

 this service. Additionally, in highly unusual environments the same

 flaw could lead to a side channel between processes that should not

 be able to communicate (CVE-2014-3477).

 

 A flaw was reported in D-Bus's file descriptor passing feature. A

 local attacker could use this flaw to cause a service or application

 to disconnect from the bus, typically resulting in that service or

 application exiting (CVE-2014-3532).

 

 A flaw was reported in D-Bus's file descriptor passing feature. A local

 attacker could use this flaw to cause an invalid file descriptor to be

 forwarded to a service or application, causing it to disconnect from

 the bus, typically resulting in that service or application exiting

 (CVE-2014-3533).

 

 On 64-bit platforms, file descriptor passing could be abused by local

 users to cause heap corruption in dbus-daemon, leading to a crash,

 or potentially to arbitrary code execution (CVE-2014-3635).

 

 A denial-of-service vulnerability in dbus-daemon allowed local

 attackers to prevent new connections to dbus-daemon, or disconnect

 existing clients, by exhausting descriptor limits (CVE-2014-3636).

 

 Malicious local users could create D-Bus connections to dbus-daemon

 which could not be terminated by killing the participating processes,

 resulting in a denial-of-service vulnerability (CVE-2014-3637).

 

 dbus-daemon suffered from a denial-of-service vulnerability in the

 code which tracks which messages expect a reply, allowing local

 attackers to reduce the performance of dbus-daemon (CVE-2014-3638).

 

 dbus-daemon did not properly reject malicious connections from local

 users, resulting in a denial-of-service vulnerability (CVE-2014-3639).

 

 The patch issued by the D-Bus maintainers for CVE-2014-3636 was

 based on incorrect reasoning, and does not fully prevent the attack

 described as CVE-2014-3636 part A, which is repeated below. Preventing

 that attack requires raising the system dbus-daemon's RLIMIT_NOFILE

 (ulimit -n) to a higher value.

 

 By queuing up the maximum allowed number of fds, a malicious sender

 could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n,

 typically 1024 on Linux). This would act as a denial of service in

 two ways:

 

  * new clients would be unable to connect to the dbus-daemon

 

  * when receiving a subsequent message from a non-malicious client

  that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,

  indicating that the list of fds was truncated; kernel fd-passing

  APIs do not provide any way to recover from that, so dbus-daemon

  responds to MSG_CTRUNC by disconnecting the sender, causing denial

  of service to that sender.

 

 This update resolves the issue (CVE-2014-7824).
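The MSG_CTRUNC situation described above, as an added example that is not Mandriva's or dbus-daemon's code: a receiver that detects a truncated SCM_RIGHTS list, closes the descriptors the kernel did install (the rest are gone for good), and reports the condition so the caller can drop the peer, which is the only recovery the advisory says exists. It assumes Linux; MAX_FDS, send_fds, recv_fds_checked and run_demo are names chosen here, and run_demo builds the scenario on a socketpair with copies of /dev/null.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* MSG_CMSG_CLOEXEC on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_FDS 16             /* per-message limit chosen for this demo */
enum { RECV_TRUNCATED = -2 };  /* kernel set MSG_CTRUNC: the fd list was cut */

/* Send nfds descriptors over a connected AF_UNIX socket with SCM_RIGHTS.
 * One payload byte is included because ancillary data must ride on data. */
int send_fds(int sock, const int *fds, int nfds)
{
    char payload = 'F';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    char cbuf[CMSG_SPACE(MAX_FDS * sizeof(int))];
    struct msghdr msg;

    if (nfds < 1 || nfds > MAX_FDS) { errno = EINVAL; return -1; }
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = CMSG_SPACE(nfds * sizeof(int));

    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(nfds * sizeof(int));
    memcpy(CMSG_DATA(c), fds, nfds * sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive up to capacity descriptors into fds. Returns how many arrived,
 * -1 on error, or RECV_TRUNCATED when the kernel set MSG_CTRUNC. In that
 * case the descriptors that fit were already installed in this process and
 * the remainder were discarded by the kernel; nothing can fetch them later,
 * so the ones that did arrive are closed and the caller should treat the
 * peer as broken and disconnect it, as the advisory says dbus-daemon does. */
int recv_fds_checked(int sock, int *fds, int capacity)
{
    char payload;
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    char cbuf[CMSG_SPACE(MAX_FDS * sizeof(int))];
    struct msghdr msg;
    int got = 0;

    if (capacity < 1 || capacity > MAX_FDS) { errno = EINVAL; return -1; }
    memset(cbuf, 0, sizeof cbuf);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = CMSG_SPACE(capacity * sizeof(int));

    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 1)
        return -1;

    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
            continue;
        int count = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        for (int i = 0; i < count; i++) {
            int fd;
            memcpy(&fd, CMSG_DATA(c) + i * sizeof(int), sizeof fd);
            if (got < capacity)
                fds[got++] = fd;
            else
                close(fd);  /* CMSG alignment padding can admit one extra fd */
        }
    }

    if (msg.msg_flags & MSG_CTRUNC) {
        for (int i = 0; i < got; i++)
            close(fds[i]);  /* do not leak what did arrive */
        return RECV_TRUNCATED;
    }
    return got;
}

/* Constructed scenario: send nsend copies of /dev/null across a socketpair
 * and receive with room for capacity descriptors. Returns the receive result. */
int run_demo(int nsend, int capacity)
{
    int sv[2], out[MAX_FDS], in[MAX_FDS], rc;

    if (nsend < 1 || nsend > MAX_FDS || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    for (int i = 0; i < nsend; i++)
        out[i] = open("/dev/null", O_RDONLY);
    rc = send_fds(sv[0], out, nsend);
    if (rc == 0)
        rc = recv_fds_checked(sv[1], in, capacity);
    for (int i = 0; i < rc; i++)
        close(in[i]);   /* the receiver's copies, on a successful receive */
    for (int i = 0; i < nsend; i++)
        close(out[i]);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("3 fds sent, room for 2: %d (RECV_TRUNCATED = %d)\n", run_demo(3, 2), RECV_TRUNCATED);
    printf("2 fds sent, room for 4: %d\n", run_demo(2, 4));
    return 0;
}
```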

 

 Non-systemd processes can make dbus-daemon think systemd failed to

 activate a system service, resulting in an error reply back to the

 requester, causing a local denial of service (CVE-2015-0245).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3477

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3635

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3636

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3637

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3638

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3639

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7824

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0245

 http://advisories.mageia.org/MGASA-2014-0266.html

 http://advisories.mageia.org/MGASA-2014-0294.html

 http://advisories.mageia.org/MGASA-2014-0395.html

 http://advisories.mageia.org/MGASA-2014-0457.html

 http://advisories.mageia.org/MGASA-2015-0071.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 4c85ec34d47fb953f2433bf88fce54a2  mbs2/x86_64/dbus-1.6.18-3.1.mbs2.x86_64.rpm

 403eb9b553300e5047e2ddc6ff5ec5eb  mbs2/x86_64/dbus-doc-1.6.18-3.1.mbs2.noarch.rpm

 c1ee9cbf21bf2950e84c2b9492f83115  mbs2/x86_64/dbus-x11-1.6.18-3.1.mbs2.x86_64.rpm

 ec6f98afb3cbe37c6e6fe1810cfdc661  mbs2/x86_64/lib64dbus1_3-1.6.18-3.1.mbs2.x86_64.rpm

 1e09c319aeef5f11776bdddf1122dc97  mbs2/x86_64/lib64dbus-devel-1.6.18-3.1.mbs2.x86_64.rpm 

 4e03062a15901014196d248d2ff03794  mbs2/SRPMS/dbus-1.6.18-3.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQT2mqjQ0CJFipgRAgO/AKCBAPOsYvHsjKwLt5sj544QLjj14wCcD+FE

MOoQRPbV7iRulHZ6WK9r7t0=

=rDgp

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:177

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : ctdb

 Date    : March 30, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated ctdb packages fix security vulnerability:

 

 ctdb before 2.5 is vulnerable to symlink attacks due to the

 use of predictable filenames in /tmp, such as /tmp/ctdb.socket

 (CVE-2013-4159).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4159

 http://advisories.mageia.org/MGASA-2014-0274.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 c866ceea1e345f1bf51beccd85ccec4d  mbs2/x86_64/ctdb-1.2.46-5.1.mbs2.x86_64.rpm

 22b9d9a8b48c79bf8ba643bb7ea68605  mbs2/x86_64/ctdb-devel-1.2.46-5.1.mbs2.x86_64.rpm 

 b931af82a488694ca8d0f43b2b3fe4c1  mbs2/SRPMS/ctdb-1.2.46-5.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQVumqjQ0CJFipgRAk6iAJsHufIBVt4L/4EEwcAg6nW7z/fqmQCgoVCP

AyTI5zTD4XMpAbuBUmNk+zY=

=Fpar

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:178

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : ctags

 Date    : March 30, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated ctags package fixes security vulnerability:

 

 A denial of service issue was discovered in ctags 5.8. A remote

 attacker could cause excessive CPU usage and disk space consumption

 via a crafted JavaScript file by triggering an infinite loop

 (CVE-2014-7204).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7204

 http://advisories.mageia.org/MGASA-2014-0415.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 4a50a2822974564f3ef9ff7bca9ef2c9  mbs2/x86_64/ctags-5.8-8.1.mbs2.x86_64.rpm 

 e6f22736e136bdf4b3321bbe5e0c06ba  mbs2/SRPMS/ctags-5.8-8.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQZumqjQ0CJFipgRAlnFAJ9OZPaHEWH2AwgwOvcgrGEYetZ+8wCgoKGB

+nNEUjhZWByIl0E6fNIjlaQ=

=PrDt

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:179

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : coreutils

 Date    : March 30, 2015

 Affected: Business Server 1.0, Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated coreutils packages fix security vulnerability:

 

 Bertrand Jacquin and Fiedler Roman discovered that date and touch

 incorrectly handled user-supplied input. An attacker could possibly

 use this to cause a denial of service or potentially execute code

 (CVE-2014-9471).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9471

 http://advisories.mageia.org/MGASA-2015-0029.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 e57ac9d21b8cd869845ebd0068cc00dd  mbs1/x86_64/coreutils-8.15-3.2.mbs1.x86_64.rpm

 41cbfd54c9aaec5e55c10ce8f9bd50ac  mbs1/x86_64/coreutils-doc-8.15-3.2.mbs1.noarch.rpm 

 3b0c14b44630987ec57869fe21e97d93  mbs1/SRPMS/coreutils-8.15-3.2.mbs1.src.rpm

 

 Mandriva Business Server 2/X86_64:

 14b8f79d6149a143e3d114bb3ad0e6af  mbs2/x86_64/coreutils-8.21-8.1.mbs2.x86_64.rpm

 a5b5f4f7c12db82afb17f62e2ae369ba  mbs2/x86_64/coreutils-doc-8.21-8.1.mbs2.noarch.rpm 

 bd4be75011bb4d6586d3556b27b882f3  mbs2/SRPMS/coreutils-8.21-8.1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQlrmqjQ0CJFipgRAuZ1AKCJ8c7Myv4rg8gvuIz4rZWBpVyCOACfYpI/

Ykj2prin4CbYGsV/Xw4PePo=

=VHCl

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:180

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : apache-mod_wsgi

 Date    : March 30, 2015

 Affected: Business Server 2.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated apache-mod_wsgi package fixes security vulnerabilities:

 

 apache-mod_wsgi before 4.2.4 contained an off-by-one error in

 applying a limit to the number of supplementary groups allowed for

 a daemon process group. The result could be that if more groups

 than the operating system allowed were specified to the option

 supplementary-groups, then memory corruption or a process crash

 could occur.

 

 It was discovered that mod_wsgi incorrectly handled errors when

 setting up the working directory and group access rights. A malicious

 application could possibly use this issue to cause a local privilege

 escalation when using daemon mode (CVE-2014-8583).

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583

 http://advisories.mageia.org/MGASA-2014-0323.html

 http://advisories.mageia.org/MGASA-2014-0513.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 2/X86_64:

 fe28e7f7ec4bcd1b1fc01bb8239161f6  mbs2/x86_64/apache-mod_wsgi-3.5-1.mbs2.x86_64.rpm 

 9ffc188c8b7268e5e6bf4a06f00b7ed4  mbs2/SRPMS/apache-mod_wsgi-3.5-1.mbs2.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGQvvmqjQ0CJFipgRAgsBAJ42vmQsrUPihW1hGkbtKk0Y3oI0mgCdHFv6

xZx1mrUnzusOvQ03rznAyZ8=

=s6q1

-----END PGP SIGNATURE-----

 


 

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 _______________________________________________________________________

 

 Mandriva Linux Security Advisory                         MDVSA-2015:181

 http://www.mandriva.com/en/support/security/

 _______________________________________________________________________

 

 Package : drupal

 Date    : March 30, 2015

 Affected: Business Server 1.0

 _______________________________________________________________________

 

 Problem Description:

 

 Updated drupal packages fix security vulnerabilities:

 

 An information disclosure vulnerability was discovered in Drupal

 before 7.27. When pages are cached for anonymous users, form state

 may leak between anonymous users. Sensitive or private information

 recorded for one anonymous user could thus be disclosed to other

 users interacting with the same form at the same time (CVE-2014-2983).

 

 Multiple security issues in Drupal before 7.29, including a denial

 of service issue, an access bypass issue in the File module, and

 multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020,

 CVE-2014-5021, CVE-2014-5022).

 

 A denial of service issue exists in Drupal before 7.31, due to XML

 entity expansion in a publicly accessible XML-RPC endpoint.

 

 An SQL Injection issue exists in Drupal before 7.32 due to the way

 the Drupal core handles prepared statements. A malicious user can

 inject arbitrary SQL queries, and thereby completely control the

 Drupal site. This vulnerability can be exploited by remote attackers

 without any kind of authentication required (CVE-2014-3704).

 

 Aaron Averill discovered that a specially crafted request can give a

 user access to another user's session, allowing an attacker to hijack

 a random session (CVE-2014-9015).

 

 Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered

 that the password hashing API allows an attacker to send specially

 crafted requests resulting in CPU and memory exhaustion. This may lead

 to the site becoming unavailable or unresponsive (denial of service)

 (CVE-2014-9016).

 

 Password reset URLs can be forged under certain circumstances, allowing

 an attacker to gain access to another user's account without knowing

 the account's password (CVE-2015-2559).

 

 Under certain circumstances, malicious users can construct a URL

 that will trick users into being redirected to a 3rd party website,

 thereby exposing the users to potential social engineering attacks. In

 addition, several URL-related API functions in Drupal 6 and 7 can be

 tricked into passing through external URLs when not intending to,

 potentially leading to additional open redirect vulnerabilities

 (CVE-2015-2749, CVE-2015-2750).

 

 The drupal package has been updated to version 7.35 to fix this

 issue and other bugs.  See the upstream advisory and release notes

 for more details.

 _______________________________________________________________________

 

 References:

 

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2983

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5019

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5020

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5021

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5022

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9015

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9016

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2559

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2749

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2750

 http://advisories.mageia.org/MGASA-2014-0322.html

 http://advisories.mageia.org/MGASA-2014-0329.html

 http://advisories.mageia.org/MGASA-2014-0423.html

 http://advisories.mageia.org/MGASA-2014-0492.html

 http://advisories.mageia.org/MGASA-2015-0121.html

 _______________________________________________________________________

 

 Updated Packages:

 

 Mandriva Business Server 1/X86_64:

 8181a2b7b02a918304059853aa485f98  mbs1/x86_64/drupal-7.35-1.mbs1.noarch.rpm

 68e0c245147c7044c5ea3c55a0d3951a  mbs1/x86_64/drupal-mysql-7.35-1.mbs1.noarch.rpm

 bde1b563b01f56120c032086167239a4  mbs1/x86_64/drupal-postgresql-7.35-1.mbs1.noarch.rpm

 2e9f67e53b0472ae175b9853a05c7af2  mbs1/x86_64/drupal-sqlite-7.35-1.mbs1.noarch.rpm 

 f9519474702357f27e4bb03557064d9d  mbs1/SRPMS/drupal-7.35-1.mbs1.src.rpm

 _______________________________________________________________________

 

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification

 of md5 checksums and GPG signatures is performed automatically for you.

 

 All packages are signed by Mandriva for security.  You can obtain the

 GPG public key of the Mandriva Security Team by executing:

 

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

 You can view other update advisories for Mandriva Linux at:

 

  http://www.mandriva.com/en/support/security/advisories/

 

 If you want to report vulnerabilities, please contact

 

  security_(at)_mandriva.com

 _______________________________________________________________________

 

 Type Bits/KeyID     Date       User ID

 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

  <security*mandriva.com>

—–BEGIN PGP SIGNATURE—–

Version: GnuPG v1.4.12 (GNU/Linux)

 

iD8DBQFVGTXBmqjQ0CJFipgRAuMOAJ9CQl8dyrZJuFJWL9Y/MI9x3IcHtQCfc/s3

7fYwyk+8ldbJhjqKI46bLHk=

=3jEr

—–END PGP SIGNATURE—–

 

To unsubscribe, send a email to sympa@mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva? 

Go to http://store.mandriva.com

_______________________________________________________

 

 

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:182
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : tcpdump
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated tcpdump package fixes security vulnerabilities:

 Several vulnerabilities have been discovered in tcpdump. These
 vulnerabilities might result in denial of service (application
 crash) or, potentially, execution of arbitrary code (CVE-2015-0261,
 CVE-2015-2153, CVE-2015-2154, CVE-2015-2155).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0261
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2153
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2154
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2155
 http://advisories.mageia.org/MGASA-2015-0114.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 4829c1dbca37ba621fd50ff5913b077a  mbs1/x86_64/tcpdump-4.2.1-2.3.mbs1.x86_64.rpm
 019a6bab6842cb11bea42654e68a3acf  mbs1/SRPMS/tcpdump-4.2.1-2.3.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGTjgmqjQ0CJFipgRAl28AKDePZgMHC0Ra9VFNg8e6qZpnAqm/gCfTm9X
TakDk3BJ6fLQjvT0Er3Kt80=
=Qi9U
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:183
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wireshark package fixes security vulnerabilities:

 The WCP dissector could crash (CVE-2015-2188).

 The pcapng file parser could crash (CVE-2015-2189).

 The TNEF dissector could go into an infinite loop (CVE-2015-2191).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2188
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2189
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2191
 http://advisories.mageia.org/MGASA-2015-0117.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 6d8c1cd5215a6b93f6776cb9eaea168d  mbs1/x86_64/dumpcap-1.10.13-1.mbs1.x86_64.rpm
 5e740cd2337badcd20ed3185c448c984  mbs1/x86_64/lib64wireshark3-1.10.13-1.mbs1.x86_64.rpm
 0659c01e1ce283b7d44da0dd43cd19af  mbs1/x86_64/lib64wireshark-devel-1.10.13-1.mbs1.x86_64.rpm
 671b312b50dff997a93c84df5abb923c  mbs1/x86_64/lib64wiretap3-1.10.13-1.mbs1.x86_64.rpm
 f5c4cf40b98440506a5ecfe01cede9fe  mbs1/x86_64/lib64wsutil3-1.10.13-1.mbs1.x86_64.rpm
 08e0ec6cb7d7d50aaba9d2bbb07b5e39  mbs1/x86_64/rawshark-1.10.13-1.mbs1.x86_64.rpm
 b31a0821770260e9ffdb2a2c69ccc9ed  mbs1/x86_64/tshark-1.10.13-1.mbs1.x86_64.rpm
 28488c26afbe812ae882b11351d20da1  mbs1/x86_64/wireshark-1.10.13-1.mbs1.x86_64.rpm
 387bc687f897adcabedf7aeb3b1d90de  mbs1/x86_64/wireshark-tools-1.10.13-1.mbs1.x86_64.rpm
 6e705c2645d1018132ebd0c6124db7a9  mbs1/SRPMS/wireshark-1.10.13-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVGUIFmqjQ0CJFipgRAiz+AJwPhHr0olDTgl9l2Yy16jfgYqwetgCaAnQH
kJLNQ+DGpez/CW1+gdohqXU=
=SBXh
-----END PGP SIGNATURE-----

To unsubscribe, send an email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://store.mandriva.com
_______________________________________________


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:184
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : setup
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated setup package fixes security vulnerability:
 
 An issue has been identified in Mandriva Business Server 2's setup
 package where the /etc/shadow and /etc/gshadow files containing
 password hashes were created with incorrect permissions, making them
 world-readable (mga#14516).
 
 This update fixes this issue by enforcing that those files are owned
 by the root user and shadow group, and are only readable by those
 two entities.
 
 Note that this issue only affected new Mandriva Business Server
 2 installations.  Systems that were updated from previous Mandriva
 versions were not affected.
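 The fix described above comes down to two checkable properties of
 /etc/shadow and /etc/gshadow: ownership by the root user and shadow
 group, and no permission bits for anyone else. The following shell
 script is an added example, not part of the advisory or of the setup
 package, that audits a shadow-style file for exactly those two
 properties and reports a finding for each one that fails. It assumes
 GNU stat (Linux); the function names and the optional expected
 owner/group arguments (by name or numeric id) are the example's own.

```shell
#!/bin/sh
# Added example, not part of MDVSA-2015:184 or the setup package: audit a
# shadow-style file for the two properties the advisory's fix enforces,
# ownership by root:shadow and no access for anyone else.
# Assumes GNU stat (Linux). Expected owner/group may be given by name or id.

# "mode owner group" for display, e.g. "440 root shadow".
file_perm_triplet() {
    stat -c '%a %U %G' "$1"
}

# True (exit 0) if any "other" permission bit is set, i.e. the file is
# readable, writable or executable by every local account.
is_world_accessible() {
    mode=$(stat -c '%a' "$1")
    other=${mode#"${mode%?}"}      # last octal digit = "other" bits
    [ "$other" != "0" ]
}

# True if the file's owner (by name or numeric id) matches $2.
owner_matches() {
    [ "$(stat -c '%U' "$1")" = "$2" ] || [ "$(stat -c '%u' "$1")" = "$2" ]
}

# True if the file's group (by name or numeric id) matches $2.
group_matches() {
    [ "$(stat -c '%G' "$1")" = "$2" ] || [ "$(stat -c '%g' "$1")" = "$2" ]
}

# Report findings for one file. Returns 0 when it is owned by the expected
# user and group (defaults: root, shadow) and has no "other" bits.
check_shadow_file() {
    path=$1
    want_user=${2:-root}
    want_group=${3:-shadow}
    status=0
    if is_world_accessible "$path"; then
        echo "FINDING: $path mode $(stat -c '%a' "$path") grants access to everyone"
        status=1
    fi
    if ! owner_matches "$path" "$want_user" || ! group_matches "$path" "$want_group"; then
        echo "FINDING: $path is $(stat -c '%U:%G' "$path"), expected $want_user:$want_group"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $path $(file_perm_triplet "$path")"
    return "$status"
}

# Usage: sh check_shadow.sh /etc/shadow /etc/gshadow
for f in "$@"; do
    check_shadow_file "$f"
done
```

 The check looks only at the "other" bits because that is what the
 advisory describes as wrong; a file that is group-writable or has a
 mode other than 0440 is reported as OK here, so tighten the test if a
 site standard requires an exact mode.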
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2015-0116.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 2a2f789705e9b8c97d5623958c2f5f04  mbs2/x86_64/setup-2.7.20-10.1.mbs2.noarch.rpm 
 ddde4c6e2740f104c72d51089bda7091  mbs2/SRPMS/setup-2.7.20-10.1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
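 MandrivaUpdate and urpmi verify checksums and signatures for you; when
 packages are fetched by hand, the "md5  path" lines published in the
 advisory can be checked the same way. The shell script below is an
 added example, not the advisory's or Mandriva's own tooling: it
 extracts the package lines from advisory text on stdin and compares
 each against a downloaded file of the same name in a directory. It
 assumes GNU coreutils (md5sum, basename); the function names and the
 usage file names are the example's own. Note that the md5 only detects
 a corrupted or mismatched download; authenticity of the package rests
 on its GPG signature.

```shell
#!/bin/sh
# Added example, not Mandriva's own tooling: check hand-downloaded packages
# against the "md5  path" lines published in an advisory. Assumes GNU
# coreutils (md5sum, basename). The md5 only detects corruption or a
# mismatched download; authenticity rests on the package's GPG signature.

# Read advisory text on stdin and print "md5 filename" for every package
# line (32 hex digits, whitespace, a path).
advisory_md5_list() {
    grep -E '^[[:space:]]*[0-9a-f]{32}[[:space:]]+' |
    while read -r sum path _; do
        printf '%s %s\n' "$sum" "$(basename "$path")"
    done
}

# Read "md5 filename" lines on stdin and compare each with the file of that
# name under directory $1. Prints one result per line; returns 1 if any
# file present on disk does not match its published md5.
verify_downloads() {
    dir=$1
    rc=0
    while read -r sum name; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory $sum, file $actual)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh verify_pkgs.sh MDVSA-2015-184.txt ./downloads
if [ "$#" -ge 2 ]; then
    advisory_md5_list < "$1" | verify_downloads "$2"
fi
```

 A file listed in the advisory but absent from the directory is reported
 as MISSING without failing the run, so a partial download of only the
 packages you need still gets a clean exit status when those match.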

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
Author: Marijo Plepelic
Cert id: NCERT-REF-2015-03-0036-ADV
Source: http://www.adobe.com/