Mandriva Linux Security Advisory 2015-041 – Libmspack, a library to provide compression and decompression of some file formats used by Microsoft, is embedded in cabextract. A specially crafted cab file can cause cabextract to hang forever. If cabextract is exposed to any remotely-controlled user input, this issue can cause a denial-of-service.
Monthly Archives: February 2015
Mandriva Linux Security Advisory 2015-042
Mandriva Linux Security Advisory 2015-042 – ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs: Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team. Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team. Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab. Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.
Mandriva Linux Security Advisory 2015-039
Mandriva Linux Security Advisory 2015-039 – Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the gethostbyname2 function, aka GHOST. The updated packages have been patched to correct this issue.
Researcher Tries to Get Ahead of CFAA Changes, Dumps 10M Sanitized Passwords
A dump of 10 million sanitized usernames and passwords was released online, sparking debate over its legality in light of proposed changes to the Computer Fraud and Abuse Act.
[ MDVSA-2015:043 ] otrs
Mandriva Linux Security Advisory MDVSA-2015:043
http://www.mandriva.com/en/support/security/

Package : otrs
Date : February 10, 2015
Affected: Business Server 1.0

Problem Description:
Updated otrs package fixes security vulnerability:
An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured (CVE-2014-9324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9324
http://advisories.mageia.org/MGASA-2015-0031.html
[ MDVSA-2015:042 ] clamav
Mandriva Linux Security Advisory MDVSA-2015:042
http://www.mandriva.com/en/support/security/

Package : clamav
Date : February 10, 2015
Affected: Business Server 1.0

Problem Description:
Updated clamav packages fix security vulnerabilities:
ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs:
Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team.
Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.
Fix a heap out of bounds condition with crafted upx packer files. This issue was dis
[ MDVSA-2015:041 ] cabextract
Mandriva Linux Security Advisory MDVSA-2015:041
http://www.mandriva.com/en/support/security/

Package : cabextract
Date : February 10, 2015
Affected: Business Server 1.0

Problem Description:
Updated cabextract packages fix security vulnerability:
Libmspack, a library to provide compression and decompression of some file formats used by Microsoft, is embedded in cabextract. A specially crafted cab file can cause cabextract to hang forever. If cabextract is exposed to any remotely-controlled user input, this issue can cause a denial-of-service (CVE-2014-9556).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9556
[ MDVSA-2015:040 ] zarafa
Mandriva Linux Security Advisory MDVSA-2015:040
http://www.mandriva.com/en/support/security/

Package : zarafa
Date : February 10, 2015
Affected: Business Server 1.0

Problem Description:
Updated zarafa packages fix security vulnerability:
Robert Scheck discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp (CVE-2014-9465).
This update also adds some patches from Robert Scheck which correct some packaging issues with zarafa-webaccess.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9465
http://advisories.mageia.