This update fixes a bug in the DER parser which is used to
decode SSL/TLS certificates could crash Suricata. Also, those processing large numbers of (untrusted) pcap files need to update
as a malformed pcap could crash Suricata.

* **ZF2015-04**: ZendMail and ZendHttp were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either ZendMail or ZendHttp (which includes users of ZendMvc), we recommend upgrading immediately.

This is an update to the set of CA certificates released with NSS version 3.18.1
However, the package modifies the CA list to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details.
If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the “ca-legacy disable” command.
This update adds a manual page for the ca-legacy command.
This update changes the names of the possible values in the ca-legacy configuration file. It still uses the term legacy=disable to override the compatibility option and follow the upstream Mozilla.org decision. However it now uses the term legacy=default for the default configuration, to make it more obvious that the legacy certificates won’t be kept enabled forever.

Resolved Bugs
1218426 – gnutls: MD5-based ServerKeyExchange signature accepted by default (GNUTLS-SA-2015-2)
1218513 – gnutls: MD5-based ServerKeyExchange signature accepted by default (GNUTLS-SA-2015-2) [fedora-all]<br
updated to 3.3.15 (#1218426,#1218513)

Resolved Bugs
1216134 – CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass [fedora-21]
1216133 – CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass<br
Security fix for CVE-2015-2694

Resolved Bugs
1216134 – CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass [fedora-21]
1174544 – CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name [fedora-all]
1216133 – CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
1174543 – CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name<br
Security fix for CVE-2015-2694
Security fix for CVE-2014-5353
(this was fixed in an older build but the announcement was lost)

Resolved Bugs
1206036 – Impossible to reduce the display brightness under the new kernel – Toshiba Z30 laptop
1215989 – Backlight is non-responsive on Toshiba Satellite
1218074 – CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation
1218110 – CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation [fedora-all]
1218662 – I/O errors, broken ncq trim since Samsung SSD update EXT0DB6Q
1182816 – Touchpad wont work with Asus TP500LA 360-degree flipping touchscreen panel.<br
The 4.0.2 stable update contains a number of important fixes across the tree.

Resolved Bugs
1209902 – CVE-2015-2924 NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements
1205195 – _nl_get_vtable: assertion ‘vtable.handle’ failed
1209903 – CVE-2015-2924 NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements [fedora-all]
1168573 – nmcli doesn’t indicate when Wi-Fi plugin is missing
1161232 – NetworkManager split dns with DNSMasq not working with VPN
1203904 – NetworkManager-openvpn uses 100% CPU
1119663 – nmtui exit with assertion failed
1162636 – bridged interface not coming up after suspend/resume<br
This is an update of NetworkManager, the VPN plugins, applet and connection editor to 1.0.2 stable release.
The update includes bug fixes, feature additions, translation updates and a fix for the CVE-2015-2924 denial of service security issue with low impact.

This update fixes a bug in the DER parser which is used to
decode SSL/TLS certificates could crash Suricata. Also, those processing large numbers of (untrusted) pcap files need to update
as a malformed pcap could crash Suricata.