Resolved Bugs
1112418 – CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow
1131793 – CVE-2014-4607 grub2: lzo: lzo1x_decompress_safe() integer overflow [fedora-all]
Security fix for CVE-2014-4607
Fedora 20 Security Update: pam-1.1.8-2.fc20
Resolved Bugs
1080243 – CVE-2014-2583 pam: path traversal issue in pam_timestamp’s format_timestamp_name()
1038557 – pam: password hashes aren’t compared case-sensitively [fedora-all]
1038555 – CVE-2013-7041 pam: pam_userdb case insensitive password hash comparison
1120104 – pam segfaults on unexpected /etc/security/opasswd contents
Update fixing minor security issues and bugs.
Fedora 20 Security Update: jasper-1.900.1-26.fc20
Resolved Bugs
1167537 – CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009)
1170650 – CVE-2014-9029 jasper: incorrect component number check in COC, RGN and QCC marker segment decoders (oCERT-2014-009) [fedora-all]
Fixes CVE-2014-9029 vulnerability.
Fedora 20 Security Update: pwgen-2.07-1.fc20
Resolved Bugs
1020220 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default
1020222 – CVE-2013-4440 pwgen: non-tty passwords are trivially weak by default [fedora-all]
1020258 – CVE-2013-4442 pwgen: silent fallback to insecure entropy
1020259 – CVE-2013-4442 pwgen: silent fallback to insecure entropy [fedora-all]
Update to 2.07 (bug 1159526) fixes:
– CVE-2013-4440 (bug 1020222, 1020223)
– CVE-2013-4442 (bug 1020259, 1020261)
Fedora 20 Security Update: phpMyAdmin-4.2.13.1-1.fc20
Resolved Bugs
1170597 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords
1170598 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords [fedora-all]
1170604 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism
1170605 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism [fedora-all]
phpMyAdmin 4.2.13.1 (2014-12-03)
================================
– [security] XSS vulnerability in redirection mechanism
– [security] DOS attack with long passwords
Fedora 20 Security Update: pyxdg-0.25-5.fc20
Fedora 20 Security Update: castor-1.3.3-1.fc20
Fedora 21 Security Update: kde-plasma-nm-0.9.3.5-2.fc21
Fedora 21 Security Update: php-horde-kronolith-4.2.4-1.fc21
kronolith 4.2.4
* [jan] Make access to non-CalDAV remote calendars faster (Bug #12379).
* [jan] Continue with further events if parsing of one remote event date fails.
* [jan] Fix JS error in month view with more events today than the maximum threshold.
* [mjr] Fix fatal error when creating or modifying an entry via PUT.
* [mjr] Don’t show private event details in daily agenda emails if not the owner (Bug #13660).
Fedora 21 Security Update: phpMyAdmin-4.2.13.1-1.fc21
Resolved Bugs
1170597 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords
1170598 – CVE-2014-9218 phpMyAdmin: Denial of Service with long passwords [fedora-all]
1170604 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism
1170605 – CVE-2014-9219 phpMyAdmin: XSS vulnerability in redirection mechanism [fedora-all]
phpMyAdmin 4.2.13.1 (2014-12-03)
================================
– [security] XSS vulnerability in redirection mechanism
– [security] DOS attack with long passwords