-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:153
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libgd
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libgd packages fix security vulnerabilities:
The gdImageCreateFromXpm function in gdxpm.c in the gd image library
allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted color table in an
XPM file (CVE-2014-2497).
A buffer read overflow in gd_gif_in.c (PHP bug #68601, referenced in
the PHP 5.5.21 ChangeLog) has been fixed in the libgd package.
_______________________________________________________________________
References:
http://cve.mitre.org/
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:152
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libjpeg
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libjpeg packages fix security vulnerability:
Passing a specially crafted jpeg file to libjpeg-turbo could lead to
stack smashing (CVE-2014-9092).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092
http://advisories.mageia.org/MGASA-2014-0544.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
cfffdbee5761ab15865e348aeb9106c3 mbs2/x86_64/
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:151
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libksba
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libksba packages fix security vulnerability:
By using specially crafted S/MIME messages or ECC-based OpenPGP data,
it is possible to trigger a buffer overflow, which could lead to a
denial of service (CVE-2014-9087).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
http://advisories.mageia.org/MGASA-2014-0498.html
_______________________________________________________________________
Updated Packages:
Mandriva Busi
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:150
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : liblzo
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated liblzo packages fix security vulnerability:
An integer overflow in liblzo before 2.07 allows attackers to
cause a denial of service or possibly code execution in applications
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
_______________________________________________________________________
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:149
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libsndfile
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libsndfile packages fix security vulnerabilities:
libsndfile contains multiple buffer-overflow vulnerabilities in
src/sd2.c because it fails to properly bounds-check user supplied
input, which may allow an attacker to execute arbitrary code or cause
a denial of service (CVE-2014-9496).
libsndfile contains a divide-by-zero error in src/file_io.c which
may allow an attacker to cause a denial of service.
_______________________________________________________________________
References:
http://cve.mitre.org
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:148
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libssh2
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libssh2 packages fix security vulnerability:
Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
reading and using the SSH_MSG_KEXINIT packet without doing sufficient
range checks when negotiating a new SSH session with a remote server. An
attacker in a man-in-the-middle position between the client and a real
server could cause a client using the libssh2 library to crash (denial
of service) or otherwise read and use unintended memory areas in this
process (CVE-2015-1782).
_______________________________________________________________________
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:147
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libtiff
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libtiff packages fix security vulnerabilities:
The libtiff image decoder library contains several issues that
could cause the decoder to crash when reading crafted TIFF images
(CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130,
CVE-2014-9655, CVE-2015-1547).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
http://cve.mitre.org/cgi-bin/cvename.cgi?n
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:146
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libvncserver
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libvncserver packages fix security vulnerabilities:
An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
The libvncserver library is built with a bundled copy of minilzo,
which is a part of liblzo containing the vulnerable code.
A malicious VNC server can trigger incorrect memory management handling
by advertising a large screen size
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:145
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libxfont
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libxfont packages fix security vulnerabilities:
Ilja van Sprundel discovered that libXfont incorrectly handled font
metadata file parsing. A local attacker could use this issue to cause
libXfont to crash, or possibly execute arbitrary code in order to
gain privileges (CVE-2014-0209).
Ilja van Sprundel discovered that libXfont incorrectly handled X Font
Server replies. A malicious font server could return specially-crafted
data that could cause libXfont to crash, or possibly execute arbitrary
code (CVE-2014-02
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:144
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : lua
Date : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated lua and lua5.1 packages fix security vulnerability:
A heap-based overflow vulnerability was found in the way Lua handles
varargs functions with many fixed parameters called with few arguments,
leading to application crashes or, potentially, arbitrary code
execution (CVE-2014-5461).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
http://advisories.mageia.org/MGASA-2014-0414.html
_______________________________________________________________________