Resolved Bugs
1056338 – CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False
1056339 – CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False [fedora-all]
Fix CVE-2014-1624 pyxdg: TOCTOU race condition in get_runtime_dir() when strict=False
Monthly Archives: December 2014
Fedora EPEL 7 Security Update: php-horde-kronolith-4.2.4-1.el7
kronolith 4.2.4
* [jan] Make access to non-CalDAV remote calendars faster (Bug #12379).
* [jan] Continue with further events if parsing of one remote event date fails.
* [jan] Fix JS error in month view with more events today than the maximum threshold.
* [mjr] Fix fatal error when creating or modifying an entry via PUT.
* [mjr] Don’t show private event details in daily agenda emails if not the owner (Bug #13660).
Fedora EPEL 5 Security Update: phpMyAdmin4-4.0.10.7-1.el5
Fedora EPEL 6 Security Update: llvm-3.4.2-3.el6
Resolved Bugs
1088105 – CVE-2014-2893 llvm: insecure temporary file handling in clang’s scan-build utility
Fix for CVE-2014-2893.
CVE-2014-3627
The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache. (CVSS:5.0) (Last Update:2014-12-05)
CVE-2014-4703
lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4701. (CVSS:2.1) (Last Update:2014-12-05)
CVE-2014-4701
The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. (CVSS:2.1) (Last Update:2014-12-05)
CVE-2014-4702
The check_icmp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4701. (CVSS:2.1) (Last Update:2014-12-05)
Vuln: Zoph Multiple SQL Injection and Cross Site Scripting Vulnerabilities
Vuln: Proticaret E-Commerce Script 'code' Parameter SQL Injection Vulnerability