Debian Linux Security Advisory 3218-1 – Ignacio R. Morelle discovered that missing path restrictions in the “Battle of Wesnoth” game could result in the disclosure of arbitrary files in the user’s home directory if malicious campaigns/maps are loaded.

HP Security Bulletin HPSBGN03316 1 – A potential security vulnerability has been discovered with the HP Support Solution Framework used from HP support web pages to identify products, find solutions and help with HP update downloads. The vulnerability could be exploited to allow an unauthorized download of software on the customer machine. Revision 1 of this advisory.

Mandriva Linux Security Advisory 2015-203 – Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption.

Debian Linux Security Advisory 3219-1 – Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird, a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due to the use of the sprintf() function to write to a fixed-size memory buffer.

Mandriva Linux Security Advisory 2015-202 – The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service by spoofing the source IP address of a peer. The updated packages provides a solution for these security issues.

Mandriva Linux Security Advisory 2015-201 – Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive. Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive. Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj. The updated packages provides a solution for these security issues.

Red Hat Security Advisory 2015-0800-01 – OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. An integer underflow flaw, leading to a buffer overflow, was found in the way OpenSSL decoded malformed Base64-encoded inputs. An attacker able to make an application using OpenSSL decode a specially crafted Base64-encoded input could use this flaw to cause the application to crash. Note: this flaw is not exploitable via the TLS/SSL protocol because the data being transferred is not Base64-encoded.

Mandriva Linux Security Advisory 2015-199 – Updated less package fixes security vulnerability. Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access.

Mandriva Linux Security Advisory 2015-200 – In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG. In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect. In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki’s Html class, in combination with LanguageConverter substitutions. In MediaWiki before 1.23.9, MediaWiki’s SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript. In MediaWiki before 1.23.9, one could bypass the style filtering for SVG files to load external resources. This could violate the anonymity of users viewing the SVG. In MediaWiki before 1.23.9, MediaWiki versions using PBKDF2 for password hashing are vulnerable to DoS attacks using extremely long passwords. In MediaWiki before 1.23.9, MediaWiki is vulnerable to Quadratic Blowup DoS attacks, under both HHVM and Zend PHP. In MediaWiki before 1.23.9, the MediaWiki feature allowing a user to preview another user’s custom JavaScript could be abused for privilege escalation. In MediaWiki before 1.23.9, function names were not sanitized in Lua error backtraces, which could lead to XSS. In MediaWiki before 1.23.9, the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users. Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise. The mediawiki package has been updated to version 1.23.9, fixing these issues and other bugs.