Category Archives: Fedora
Fedora – Security Updates
Fedora EPEL 6 Security Update: roundcubemail-1.0.4-2.el6
Resolved Bugs
1091438 – CVE-2012-4230 tinymce: XSS attacks via security policy bypass
This update provides Roundcube 1.0.4. This is a stable security update: the security fix is described by upstream as “Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.” More details on the update are available at http://roundcube.net/news/2014/12/18/update-1.0.4-released/ . The update should apply without any special handling by the system administrator.
Fedora EPEL 7 Security Update: roundcubemail-1.0.4-2.el7
Resolved Bugs
1091438 – CVE-2012-4230 tinymce: XSS attacks via security policy bypass
This update provides Roundcube 1.0.4. This is a stable security update: the security fix is described by upstream as “Fix possible CSRF attacks to some address book operations as well as to the ACL and Managesieve plugins.” More details on the update are available at http://roundcube.net/news/2014/12/18/update-1.0.4-released/ . The update should apply without any special handling by the system administrator.
Fedora 20 Security Update: thermostat-1.0.6-1.fc20
Resolved Bugs
1168977 – CVE-2014-8120 thermostat: local JMX URL disclosure
Update to latest maintenance release. It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-8120)
Fedora 19 Security Update: ntp-4.2.6p5-13.fc19
Resolved Bugs
1176191 – CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]
1176032 – CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 – CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 – CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 – CVE-2014-9296 ntp: receive() missing return on error
Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Fedora 21 Security Update: thermostat-1.0.6-1.fc21
Resolved Bugs
1168977 – CVE-2014-8120 thermostat: local JMX URL disclosure
Update to latest maintenance release. It was discovered that, in certain configurations, the Thermostat agent disclosed JMX management URLs of all local Java virtual machines to any local user. A local, unprivileged user could use this flaw to escalate their privileges on the system. (CVE-2014-8120)
Fedora 21 Security Update: ntp-4.2.6p5-25.fc21
Resolved Bugs
1176191 – CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]
1176032 – CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 – CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 – CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 – CVE-2014-9296 ntp: receive() missing return on error
Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Fedora 20 Security Update: ntp-4.2.6p5-19.fc20
Resolved Bugs
1176191 – CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]
1176032 – CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 – CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 – CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 – CVE-2014-9296 ntp: receive() missing return on error
Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Fedora 19 Security Update: libssh-0.6.4-1.fc19
Fedora 21 Security Update: eclipse-jgit-3.5.3-1.fc21,eclipse-egit-3.5.3-1.fc21
Fixes for CVE-2014-9390