MDVSA-2015:102: json-c

Updated json-c packages fix security vulnerabilities:

Florian Weimer reported that the printbuf APIs used in the json-c
library used ints for counting buffer lengths, which is inappropriate
for 32-bit architectures. These functions need to be changed to use
size_t if possible for sizes, or to be hardened against negative
values if not. This could be used to cause a denial of service in
an application linked to the json-c library (CVE-2013-6370).

Florian Weimer reported that the hash function in the json-c library
was weak, and that parsing smallish JSON strings showed quadratic
timing behaviour. This could cause an application linked to the json-c
library, and that processes some specially-crafted JSON data, to use
excessive amounts of CPU (CVE-2013-6371).

MDVSA-2015:101: jbigkit

Updated jbigkit packages fix security vulnerability:

Florian Weimer found a stack-based buffer overflow flaw in the libjbig
library (part of jbigkit). A specially-crafted image file read by
libjbig could be used to cause a program linked to libjbig to crash
or, potentially, to execute arbitrary code (CVE-2013-6369).

The jbigkit package has been updated to version 2.1, which fixes
this issue, as well as a few other bugs, including the ability of
corrupted input data to force the jbig85 decoder into an endless loop.

MDVSA-2015:100: cups-filters

Updated cups-filters packages fix security vulnerabilities:

Florian Weimer discovered that cups-filters incorrectly handled
memory in the urftopdf filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6473).

Florian Weimer discovered that cups-filters incorrectly handled
memory in the pdftoopvp filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6474, CVE-2013-6475).

Florian Weimer discovered that cups-filters did not restrict driver
directories in the pdftoopvp filter. An attacker could possibly
use this issue to execute arbitrary code with the privileges of the
lp user (CVE-2013-6476).

Sebastian Krahmer discovered it was possible to use malicious
broadcast packets to execute arbitrary commands on a server running
the cups-browsed daemon (CVE-2014-2707).

In cups-filters before 1.0.53, out-of-bounds accesses in the
process_browse_data function when reading the packet variable
could lead to a crash, thus resulting in a denial of service
(CVE-2014-4337).

In cups-filters before 1.0.53, if there was only a single BrowseAllow
line in cups-browsed.conf and its host specification was invalid, this
was interpreted as if no BrowseAllow line had been specified, which
resulted in it accepting browse packets from all hosts (CVE-2014-4338).

The CVE-2014-2707 issue with malicious broadcast packets, which
had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been
completely fixed by that update. A more complete fix was implemented
in cups-filters 1.0.53 (CVE-2014-4336).

Note that only systems that have enabled the affected feature
by using the CreateIPPPrinterQueues configuration directive in
/etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /
CVE-2014-4336 issue.

[ MDVSA-2015:158 ] jython

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:158
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : jython
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated jython packages fix security vulnerability:
 
 There are several problems with the way Jython creates class cache
 files, potentially leading to arbitrary code execution or information
 disclosure (CVE-2013-2027).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2027
 http://advisories.mageia.org/MGASA-2015-0096.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business 

[ MDVSA-2015:157 ] libarchive

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:157
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libarchive
 Date    : March 29, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libarchive packages fix security vulnerability:
 
 Alexander Cherepanov discovered that bsdcpio, an implementation of
 the cpio program that is part of the libarchive project, is susceptible
 to a directory traversal vulnerability via absolute paths (CVE-2015-2304).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
 http://advisories.mageia.org/MGASA-2015-0106.html
 ___________________________________________

[ MDVSA-2015:156 ] libcap-ng

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:156
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libcap-ng
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libcap-ng packages fix security vulnerability:
 
 capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to
 prevent regaining capabilities using setuid-root programs. This allows
 a user to run setuid programs, such as seunshare from policycoreutils,
 as uid 0 but without capabilities, which is potentially dangerous
 (CVE-2014-3215).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
 http://advisories.mageia

[ MDVSA-2015:017-1 ] libevent

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2015:017-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libevent
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libevent packages fix security vulnerability:
 
 Andrew Bartlett of Catalyst reported a defect affecting certain
 applications using the Libevent evbuffer API. This defect leaves
 applications which pass insanely large inputs to evbuffers open
 to a possible heap overflow or infinite loop. In order to exploit
 this flaw, an attacker needs to be able to find a way to provoke the
 program into trying to make a buffer chunk larger than what will fit
 into a single size_t or off_t (CVE-2014-6272).

 Update:

 Packages for Ma

[ MDVSA-2015:148-1 ] libssh2

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2015:148-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libssh2
 Date    : March 29, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libssh2 packages fix security vulnerability:
 
 Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
 reading and using the SSH_MSG_KEXINIT packet without doing sufficient
 range checks when negotiating a new SSH session with a remote server. A
 malicious attacker could man-in-the-middle a real server and cause
 a client using the libssh2 library to crash (denial of service)
 or otherwise read and use unintended memory areas in this process
 (CVE-2015-1782).

 Update:

 Packages were missing for Mandriva

[ MDVSA-2015:155 ] gnupg

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:155
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gnupg
 Date    : March 29, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated gnupg and libgcrypt packages fix security vulnerabilities:
 
 GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
 potentially lead to an information leak (CVE-2014-3591).
 
 GnuPG before 1.4.19 is vulnerable to a side-channel attack on
 data-dependent timing variations in modular exponentiation, which
 can potentially lead to an information leak (CVE-2015-0837).
 
 The gnupg package has been patched to correct these issues.
 
 GnuPG2 is vulnerable to these issues through the libgcrypt library.
 The issues 

[ MDVSA-2015:154 ] gnupg

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:154
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gnupg
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated gnupg, gnupg2 and libgcrypt packages fix security
 vulnerabilities:
 
 GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial
 of service which can be caused by garbled compressed data packets
 which may put gpg into an infinite loop (CVE-2014-4617).
 
 The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL
 side-channel attack (CVE-2014-5270).
 
 GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
 potentially lead to an information leak (CVE-2014-3591).
 
 GnuPG before 1.4.19 i