-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:177
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : ctdb
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated ctdb packages fix security vulnerability:
ctdb before 2.5 is vulnerable to symlink attacks due to the
use of predictable filenames in /tmp, such as /tmp/ctdb.socket
(CVE-2013-4159).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4159
http://advisories.mageia.org/MGASA-2014-0274.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:176
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : dbus
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated dbus packages fix multiple vulnerabilities:
A denial of service vulnerability in D-Bus before 1.6.20 allows a
local attacker to cause a bus-activated service that is not currently
running to attempt to start, and fail, denying other users access to
this service. Additionally, in highly unusual environments the same
flaw could lead to a side channel between processes that should not
be able to communicate (CVE-2014-3477).
A flaw was reported in D-Bus's file descriptor passing feature. A
local attacker could us
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:175
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : ejabberd
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated ejabberd packages fix security vulnerability:
A flaw was discovered in ejabberd that allows clients to connect
with an unencrypted connection even if starttls_required is set
(CVE-2014-8760).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8760
http://advisories.mageia.org/MGASA-2014-0417.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:174
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : erlang
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated erlang packages fix security vulnerability:
An FTP command injection flaw was found in Erlang's FTP module. Several
functions in the FTP module do not properly sanitize the input before
passing it into a control socket. A local attacker can use this flaw
to execute arbitrary FTP commands on a system that uses this module
(CVE-2014-1693).
This update also disables SSLv3 by default to mitigate the POODLE
issue.
_______________________________________________________________________
References:
http://c
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:173
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : ffmpeg
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated ffmpeg packages fix security vulnerabilities:
The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before
2.0.4 does not properly validate a certain bits-per-sample value, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
TAK (aka Tom's lossless Audio Kompressor) data (CVE-2014-2097).
libavcodec/wmalosslessdec.c in FFmpeg before 2.0.4 uses an incorrect
data-structure size for certain coefficients, which all
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:172
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : firebird
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated firebird packages fix a remote denial of service vulnerability:
These updates fix the recently discovered security vulnerability
(CORE-4630) that may be used for a remote DoS attack performed by
unauthorized users (CVE-2014-9492).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9492
http://advisories.mageia.org/MGASA-2014-0523.html
_______________________________________________________________________
Updated Packages
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:171
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : freerdp
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated freerdp packages fix security vulnerabilities:
Integer overflows in memory allocations in client/X11/xf_graphics.c in
FreeRDP through 1.0.2 allow remote RDP servers to have an unspecified
impact through unspecified vectors (CVE-2014-0250).
Integer overflow in the license_read_scope_list function in
libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP
servers to cause a denial of service (application crash) or possibly
have unspecified other impact via a large ScopeCount value in a Scope
List i
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:170
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : gcc
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated gcc packages fix the following security issue:
Multiple integer overflow issues were found in libgfortran, the
run-time support library for the Fortran compiler. These could possibly
be used to crash a Fortran application or cause it to execute arbitrary
code (CVE-2014-5044).
They also fix the following bugs:
The gcc rtl-optimization sched2 pass miscompiles the syscall sequence, which
can cause random panics in glibc and the kernel (gcc/PR61801)
clang++ fails to find cxxabi.h and cxxabi_tweaks.h during build
(mga#13543)
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:169
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : git
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated git packages fix security vulnerability:
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when
the client performed a git pull. Because git permitted committing
.Git/config (or any case variation), on the pull this would replace the
user's .git/config. If this malicious config file contained defined
external commands (such as for invoking an editor or an external diff
utility) it could allow for the execution of arbitrary code
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:168
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : glibc
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated glibc packages fix security vulnerabilities:
Stephane Chazelas discovered a directory traversal issue in locale
handling in glibc. glibc accepts relative paths with .. components
in the LC_* and LANG variables. Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config),
this could conceivably be used to bypass ForceCommand restrictions
(or restricted shells), assuming the attacker has sufficient level
of access to a file system location on the host to create crafted
locale