Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on
a crafted URL, it is possible to perform remote code execution and in
some cases, create a root account due to a DOM based XSS vulnerability
in the micro history feature (CVE-2014-6300).

Updated zarafa packages fix security vulnerabilities:

Robert Scheck reported that Zarafa’s WebAccess stored session
information, including login credentials, on-disk in PHP session
files. This session file would contain a user’s username and password
to the Zarafa IMAP server (CVE-2014-0103).

Robert Scheck discovered that the Zarafa Collaboration Platform has
multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
CVE-2014-5449, CVE-2014-5450).

Updated dump packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications using
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).

The dump package is built with a bundled copy of minilzo, which is
a part of liblzo containing the vulnerable code.

This is a maintenance and bugfix release that upgrades php to the
latest 5.5.17 version which resolves various upstream bugs in php.

Additionally, the php-timezonedb packages has been upgraded to the
latest 2014.7 version, the php-suhosin packages has been upgraded to
the latest 0.9.36 version which has better support for php-5.5 and
the PECL packages which requires so has been rebuilt for php-5.5.17.

A vulnerability has been discovered and corrected in Mozilla NSS:

Antoine Delignat-Lavaud, security researcher at Inria Paris in
team Prosecco, reported an issue in Network Security Services (NSS)
libraries affecting all versions. He discovered that NSS is vulnerable
to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1
values involved in a signature and could lead to the forging of RSA
certificates (CVE-2014-1568).

The updated NSPR packages have been upgraded to the latest 4.10.7
version.

The updated NSS packages have been upgraded to the latest 3.17.1
version which is not vulnerable to this issue.

Additionally the rootcerts package has also been updated to the latest
version as of 2014-08-05.

Updated wireshark packages fix security vulnerabilities:

RTP dissector crash (CVE-2014-6421, CVE-2014-6422).

MEGACO dissector infinite loop (CVE-2014-6423).

Netflow dissector crash (CVE-2014-6424).

RTSP dissector crash (CVE-2014-6427).

SES dissector crash (CVE-2014-6428).

Sniffer file parser crash (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431,
CVE-2014-6432).

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies
to wrong sites and into allowing arbitrary sites to set cookies for
others. For this problem to trigger, the client application must use
the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top
Level Domains (TLDs), thus making them apply broader than cookies are
allowed. This can allow arbitrary sites to set cookies that then would
get sent to a different and unrelated site or domain (CVE-2014-3620).

It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other
environments via specially crafted environment variables. An
attacker could potentially use this flaw to override or bypass
environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).

Additionally bash has been updated from patch level 37 to 48 using
the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/
which resolves various bugs.

Updated java-1.7.0-openjdk packages fix an upstream regression:

This update provides IcedTea 2.5.2, which fixes several bugs, most
notably regressions in the previous release which broke Groovy and
several other Java tools and applications.

Updated perl-XML-DT package fixes security vulnerability:

The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow
local users to overwrite arbitrary files via a symlink attack on a
/tmp/_xml_##### temporary file (CVE-2014-5260).