Resolved Bugs
1101346 – CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
1107892 – CVE-2014-3248 facter: puppet: Ruby modules could be loaded from the current working directory [epel-all]
Patch facter 1.6 series for Bug 1107891 – CVE-2014-3248
See http://puppetlabs.com/security/cve/cve-2014-3248 for more
information from upstream.
Fedora 21 Security Update: php-ZendFramework2-2.3.3-1.fc21
Resolved Bugs
1151278 – php-ZendFramework2: various flaws [fedora-all]
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
Security release
* ZF2014-05, which mitigates null byte poisoning of the password provided for LDAP authentication, thus preventing unauthorized LDAP binding. This corrects for unpatched versions of PHP (versions 5.5.11 and below, 5.4.27 and below, and any prior releases).
* ZF2014-06, which mitigates null byte poisoning of quoted SQL values provided to the sqlsrv extension, thus preventing a potential SQL injection vector.
Fedora 21 Security Update: openstack-glance-2014.1.3-2.fc21
Upstreamed security patch (CVE-2014-5356 – Glance store DoS through disk space exhaustion)
Fedora EPEL 7 Security Update: php-ZendFramework2-2.3.3-1.el7
Resolved Bugs
1151281 – php-ZendFramework2: various flaws [epel-7]
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
Security release
* ZF2014-05, which mitigates null byte poisoning of the password provided for LDAP authentication, thus preventing unauthorized LDAP binding. This corrects for unpatched versions of PHP (versions 5.5.11 and below, 5.4.27 and below, and any prior releases).
* ZF2014-06, which mitigates null byte poisoning of quoted SQL values provided to the sqlsrv extension, thus preventing a potential SQL injection vector.
Fedora EPEL 6 Security Update: php-ZendFramework-1.12.9-1.el6
Resolved Bugs
1151279 – php-ZendFramework: various flaws [epel-6]
1151276 – CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
1151277 – CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
Contains fixes for two security relevant bugs:
* “ZF2014-05: Anonymous authentication in ldap_bind() function of PHP, using null byte” (http://framework.zend.com/security/advisory/ZF2014-05)
* “ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte” (http://framework.zend.com/security/advisory/ZF2014-06)
Fedora EPEL 6 Security Update: getmail-4.46.0-2.el6
Resolved Bugs
1149728 – CVE-2014-7273 CVE-2014-7274 CVE-2014-7275 getmail: various flaws related to IMAP4-over-SSL certificate validation
update to 4.46.0
Fedora 19 Security Update: bugzilla-4.2.11-1.fc19
Fedora 21 Security Update: bugzilla-4.4.6-1.fc21
Fedora 21 Security Update: python-django-horizon-2014.1.3-1.fc21
rebase to 2014.1.3