Mandriva Linux Security Advisory 2014-183 – In phpMyAdmin before 4.2.9, by deceiving a logged-in user into clicking on a crafted URL, it is possible to perform remote code execution and, in some cases, create a root account due to a DOM-based XSS vulnerability in the micro history feature.
Monthly Archives: September 2014
Mandriva Linux Security Advisory 2014-185
Mandriva Linux Security Advisory 2014-185 – Libgadu before 1.12.0 was found to not be performing SSL certificate validation.
Mandriva Linux Security Advisory 2014-181
Mandriva Linux Security Advisory 2014-181 – An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker. The dump package is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code.
Mandriva Linux Security Advisory 2014-182
Mandriva Linux Security Advisory 2014-182 – Robert Scheck reported that Zarafa’s WebAccess stored session information, including login credentials, on disk in PHP session files. This session file would contain a user’s username and password to the Zarafa IMAP server. Robert Scheck also discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions.
Gentoo Linux Security Advisory 201409-09-1
Gentoo Linux Security Advisory 201409-9 – A parsing flaw related to functions and environments in Bash could allow attackers to inject code. The unaffected packages listed in GLSA 201409-09 had an incomplete fix. Versions less than 4.2_p48-r1 are affected.
Mandriva Linux Security Advisory 2014-187
Mandriva Linux Security Advisory 2014-187 – In cURL before 7.38.0, libcurl can be fooled both into sending cookies to the wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site. In cURL before 7.38.0, libcurl also wrongly allows cookies to be set for Top Level Domains, thus making them apply more broadly than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
Mandriva Linux Security Advisory 2014-189
Mandriva Linux Security Advisory 2014-189 – Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in the Network Security Services libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The updated NSPR packages have been upgraded to the latest 4.10.7 version. The updated NSS packages have been upgraded to the latest 3.17.1 version, which is not vulnerable to this issue. Additionally, the rootcerts package has also been updated to the latest version as of 2014-08-05.
Slackware Security Advisory – mozilla-nss Updates
Slackware Security Advisory – New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
Slackware Security Advisory – bash Updates
Slackware Security Advisory – New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
Mandriva Linux Security Advisory 2014-188
Mandriva Linux Security Advisory 2014-188 – Updated wireshark packages fix security vulnerabilities related to RTP dissector crash, MEGACO dissector infinite loop, Netflow dissector crash, RTSP dissector crash, SES dissector crash, and sniffer file parser crash.