Category Archives: Mandriva

Mandriva Security Advisory

[ MDVSA-2015:232 ] libtasn1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:232
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libtasn1
 Date    : May 8, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libtasn1 packages fix security vulnerability:
 
 A malformed certificate input could cause a heap overflow read in the
 DER decoding functions of Libtasn1. The heap overflow happens in the
 function _asn1_extract_der_octet() (CVE-2015-3622).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
 http://advisories.mageia.org/MGASA-2015-0200.html
 _________________________________________________________________
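The flaw above is a read past the end of the input while libtasn1 decodes a DER length. As an added illustration (not libtasn1's code, and not the patched function), here is a bounds-checked DER TLV decoder: every length field is validated against the bytes actually remaining before it is ever used as a read bound, and DER's minimal-length rule is enforced so a length cannot be smuggled in via a non-canonical encoding. The names (der_decode_tlv, der_count_children, der_long_form_demo) and all sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded DER TLV element (constructed example type, not libtasn1's API). */
typedef struct {
    uint8_t tag;           /* tag byte (single-byte tags only, for brevity) */
    size_t header_len;     /* bytes consumed by tag + length encoding */
    size_t value_len;      /* declared content length, already checked to fit */
    const uint8_t *value;  /* points into the caller's buffer, never past its end */
} der_tlv;

enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_BAD_LENGTH = -2, DER_ERR_BAD_TAG = -3 };

/* Decode the TLV at buf[0..len). Every read is checked against `len` before
   it happens, so a length larger than the buffer is rejected instead of
   becoming the bound of a later memcpy/compare (the over-read pattern). */
int der_decode_tlv(const uint8_t *buf, size_t len, der_tlv *out)
{
    size_t pos = 0;
    if (len < 2) return DER_ERR_TRUNCATED;              /* need tag + length byte */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return DER_ERR_BAD_TAG;   /* multi-byte tags not handled here */

    uint8_t first = buf[pos++];
    size_t value_len;
    if (first < 0x80) {
        value_len = first;                              /* short form */
    } else {
        size_t n = first & 0x7f;                        /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t)) return DER_ERR_BAD_LENGTH; /* indefinite / too wide */
        if (len - pos < n) return DER_ERR_TRUNCATED;    /* length bytes themselves must fit */
        value_len = 0;
        for (size_t i = 0; i < n; i++) value_len = (value_len << 8) | buf[pos++];
        /* DER minimal encoding: long form only for >= 0x80 and no leading zero byte */
        if (value_len < 0x80 || buf[pos - n] == 0) return DER_ERR_BAD_LENGTH;
    }
    /* The check that prevents the over-read: declared length must fit what remains. */
    if (value_len > len - pos) return DER_ERR_TRUNCATED;

    out->tag = tag;
    out->header_len = pos;
    out->value_len = value_len;
    out->value = buf + pos;
    return DER_OK;
}

/* Walk the children of a constructed value (e.g. a SEQUENCE's content),
   applying the same checks to each. Returns the child count or a DER_ERR_*. */
int der_count_children(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        der_tlv child;
        int rc = der_decode_tlv(buf + pos, len - pos, &child);
        if (rc != DER_OK) return rc;
        pos += child.header_len + child.value_len;      /* cannot exceed len: checked above */
        count++;
    }
    return count;
}

/* Small wrappers so results can be checked without touching the struct. */
int der_decode_rc(const uint8_t *buf, size_t len)
{
    der_tlv t;
    return der_decode_tlv(buf, len, &t);
}

long der_decoded_value_len(const uint8_t *buf, size_t len)
{
    der_tlv t;
    return der_decode_tlv(buf, len, &t) == DER_OK ? (long)t.value_len : -1;
}

/* Constructed sample: OCTET STRING with a 200-byte long-form length (0x81 0xC8). */
long der_long_form_demo(void)
{
    uint8_t buf[3 + 200] = {0x04, 0x81, 0xC8};          /* content bytes are zero */
    return der_decoded_value_len(buf, sizeof buf);
}

int main(void)
{
    /* Constructed malformed input: claims 16 content bytes, only 2 present. */
    const uint8_t bad[] = {0x04, 0x10, 'a', 'b'};
    printf("malformed OCTET STRING -> rc=%d (expect %d)\n",
           der_decode_rc(bad, sizeof bad), DER_ERR_TRUNCATED);
    printf("long-form length demo -> %ld bytes\n", der_long_form_demo());
    return 0;
}
```

The defensive point is the order of operations: the length is compared against `len - pos` before any pointer is formed from it, and a constructed element's walker only advances by amounts that were already validated, so a malformed inner element fails cleanly instead of reading beyond the allocation.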


[ MDVSA-2015:231 ] perl-XML-LibXML

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:231
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-XML-LibXML
 Date    : May 7, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-XML-LibXML package fixes security vulnerability:
 
 Tilmann Haak from xing.com discovered that XML::LibXML did not respect
 the expand_entities parameter to disable processing of external
 entities in some circumstances. This may allow attackers to gain
 read access to otherwise protected resources, depending on how the
 library is used (CVE-2015-3451).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-


[ MDVSA-2015:230 ] squid

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:230
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : squid
 Date    : May 6, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated squid packages fix security vulnerability:
 
 Squid configured with client-first SSL-bump does not correctly validate
 X509 server certificate domain / hostname fields (CVE-2015-3455).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
 http://advisories.mageia.org/MGASA-2015-0191.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 1b42519307a1a965

[ MDVSA-2015:229 ] net-snmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:229
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : net-snmp
 Date    : May 6, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated net-snmp packages fix security vulnerability:
 
 It was discovered that the snmp_pdu_parse() function could leave
 incompletely parsed varBind variables in the list of variables. A
 remote, unauthenticated attacker could exploit this flaw to cause a
 crash or, potentially, execute arbitrary code.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2015-0187.html
 ______________________________________________________________________

[ MDVSA-2015:228 ] nodejs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:228
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : nodejs
 Date    : May 6, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated nodejs package fixes security vulnerability:
 
 It was found that libuv does not call setgroups before calling
 setuid/setgid. This may potentially allow an attacker to gain elevated
 privileges (CVE-2015-0278).
 
 The libuv library is bundled with nodejs, and a fixed version of
 libuv is included with nodejs as of version 0.10.37. The nodejs
 package has been updated to version 0.10.38 to fix this issue, as
 well as several other bugs.
 _______________________________________________________________________
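The libuv issue above is about the order in which a process gives up root: supplementary groups must be cleared with setgroups() while the process still has the right to do so, then the gid, then the uid; skipping setgroups() leaves the process a member of root's supplementary groups after it thinks it has dropped privileges. As an added example (not libuv's or nodejs's code), here is the correct sequence plus a verification step that confirms the drop took effect and that root cannot be regained. The function names (drop_privileges, privileges_dropped, drop_and_verify_demo) and the target uid/gid 65534 are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid in the only order that works:
   1. setgroups() while still root, clearing supplementary groups (the step
      the advisory says libuv skipped);
   2. setgid() while still root (after setuid() we could no longer change it);
   3. setuid() last, which is the irreversible step.
   Returns 0 on success, -1 with errno set by the failing call otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Verify the drop actually took: real and effective ids match the target,
   no supplementary groups remain, and root cannot be regained.
   Returns 1 if all hold, 0 otherwise. (Meaningless when the target uid is 0.) */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (getgroups(0, NULL) != 0) return 0;        /* supplementary list must be empty */
    if (uid != 0 && setuid(0) == 0) return 0;     /* regaining root must fail */
    return 1;
}

/* Demo that is meaningful whether or not it starts as root:
   as root, the drop must succeed and verify; as an unprivileged user, the
   very first step (setgroups) must be refused with EPERM. Returns 1 if the
   observed behaviour matches, 0 otherwise. Target ids 65534 are an assumption
   (the conventional "nobody" ids on many Linux systems). */
int drop_and_verify_demo(void)
{
    const uid_t target_uid = 65534;
    const gid_t target_gid = 65534;
    int was_root = (geteuid() == 0);

    errno = 0;
    int rc = drop_privileges(target_uid, target_gid);
    if (was_root)
        return rc == 0 && privileges_dropped(target_uid, target_gid);
    return rc == -1 && errno == EPERM;
}

int main(void)
{
    int started_as_root = (geteuid() == 0);
    int ok = drop_and_verify_demo();
    printf("started as %s; privilege-drop behaviour as expected: %s\n",
           started_as_root ? "root" : "unprivileged user", ok ? "yes" : "no");
    if (started_as_root)
        printf("now uid=%u euid=%u gid=%u groups=%d\n",
               (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid(),
               getgroups(0, NULL));
    return ok ? 0 : 1;
}
```

The verification step is the part most daemons omit: a successful return from setuid() says nothing about supplementary groups, so a service that dropped to an unprivileged uid without first calling setgroups() can still open files readable by root's groups. Checking getgroups() and attempting setuid(0) after the drop catches both the missing-setgroups defect and a drop that silently failed.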

 References:

 h