-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:068
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : e2fsprogs
Date : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated e2fsprogs packages fix security vulnerability:
The libext2fs library, part of e2fsprogs and used by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap-based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability.
This issue exists because the fix for CVE-2015-0247 was incomplete
(CVE-2015-1572).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:067
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : e2fsprogs
Date : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated e2fsprogs packages fix security vulnerabilities:
The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer overflow. A specially
crafted filesystem image can be used to trigger the vulnerability
(CVE-2015-0247).
The libext2fs library, part of e2fsprogs and utilized by its utilities,
is affected by a boundary check error on block group descriptor
information, leading to a heap based buffer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:066
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cpio
Date : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated cpio package fixes security vulnerability:
In GNU Cpio 2.11, the --no-absolute-filenames option restricts
extraction of an archive's contents to strictly inside the current
directory. However, it can be bypassed with symlinks. While extracting
an archive, cpio creates symlink entries and then follows them if they
are referenced by the paths of later entries. A rogue archive can
exploit this to write files outside the current directory
(CVE-2015-1197).
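The symlink bypass described above (and restated in MDVSA-2015:065 below), as an added example that is not GNU cpio's code or part of the Mandriva advisory: a minimal SVR4 "newc" cpio reader and writer in Python that builds a constructed rogue archive (a symlink entry followed by a file entry whose path descends through that symlink) and flags every entry that --no-absolute-filenames alone would not stop. The archive layout, the entry names, the `/tmp/outside` target and the `unsafe_entries` check are assumptions for illustration; the check goes slightly beyond the advisory text by also flagging absolute and `..` paths.

```python
"""Detect cpio entries that would write outside the extraction directory
through an earlier symlink entry, even with --no-absolute-filenames.
Added example: a minimal SVR4 'newc' cpio reader/writer, not GNU cpio code."""
import posixpath

MAGIC = b"070701"          # SVR4 newc header magic
S_IFMT, S_IFLNK, S_IFREG = 0o170000, 0o120000, 0o100000


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment)."""
    return (4 - n % 4) % 4


def build_newc(entries):
    """Build an in-memory newc archive from (name, mode, data) tuples.
    For a symlink entry, `data` is the link target. Constructed for the demo."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(list(entries) + [("TRAILER!!!", 0, b"")], 1):
        name_b = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        out += MAGIC + b"".join(b"%08X" % f for f in fields)
        out += name_b + b"\0" * _pad4(110 + len(name_b))   # header+name padded to 4
        out += data + b"\0" * _pad4(len(data))             # data padded to 4
    return bytes(out)


def iter_newc(buf):
    """Yield (name, mode, data) for each entry, in archive order, up to the trailer."""
    off = 0
    while True:
        if buf[off:off + 6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()   # drop the NUL
        off += 110 + namesize + _pad4(110 + namesize)
        data = buf[off:off + size]
        off += size + _pad4(size)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def unsafe_entries(buf):
    """Return [(name, reason)] for entries that escape the extraction directory.

    --no-absolute-filenames only strips a leading '/'; it does not stop an
    entry whose path descends through a symlink the same archive created
    earlier, because the extractor follows that symlink when writing the file.
    Order matters: only symlinks seen *before* an entry are live at that point.
    """
    symlinks = set()      # normalized paths extracted so far as symlinks
    findings = []
    for name, mode, data in iter_newc(buf):
        norm = posixpath.normpath(name)
        parts = norm.split("/")
        if name.startswith("/") or ".." in parts:
            findings.append((name, "absolute or parent-traversing path"))
        else:
            for i in range(1, len(parts)):      # every proper ancestor of the path
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((name, "path passes through symlink %r" % prefix))
                    break
        if mode & S_IFMT == S_IFLNK:
            symlinks.add(norm)
    return findings


# Constructed rogue archive mirroring the CVE-2015-1197 scenario:
# a symlink is extracted first, then a file is written "through" it.
ROGUE = build_newc([
    ("link", S_IFLNK | 0o777, b"/tmp/outside"),    # assumed target, for illustration
    ("link/evil", S_IFREG | 0o644, b"pwned\n"),    # lands in /tmp/outside/evil
    ("safe.txt", S_IFREG | 0o644, b"hello\n"),
])

if __name__ == "__main__":
    for name, reason in unsafe_entries(ROGUE):
        print("REFUSE %s: %s" % (name, reason))
```

Run as-is it reports only `link/evil`; `safe.txt` passes and the `link` symlink itself is allowed, since the problem is not the symlink but the later entry that is written through it. A hardened extractor has the same two options the check implies: refuse such entries, or create files with `O_NOFOLLOW` semantics on every path component rather than trusting the archive's ordering.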
_______________________________________________________________________
Ref
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:065
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cpio
Date : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated cpio package fixes security vulnerabilities:
Heap-based buffer overflow in the process_copy_in function in GNU
Cpio 2.11 allows remote attackers to cause a denial of service via
a large block value in a cpio archive (CVE-2014-9112).
Additionally, a null pointer dereference in the copyin_link function
which could cause a denial of service has also been fixed.
In GNU Cpio 2.11, the --no-absolute-filenames option restricts
extraction of an archive's contents to strictly inside the current
directory.
directory. However, it can be
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:064
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cabextract
Date : March 27, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated cabextract packages fix security vulnerabilities:
Libmspack, a library to provide compression and decompression of
some file formats used by Microsoft, is embedded in cabextract. A
specially crafted cab file can cause cabextract to hang forever. If
cabextract is exposed to any remotely-controlled user input, this
issue can cause a denial-of-service (CVE-2014-9556).
A directory traversal issue in cabextract allows writing to locations
outside of the current working directory, when extract
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:063
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : openssl
Date : March 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in openssl:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementa