Category Archives: Mandriva

Mandriva Security Advisory

MDVSA-2015:168: glibc

Updated glibc packages fix security vulnerabilities:

Stephane Chazelas discovered a directory traversal issue in locale
handling in glibc. glibc accepts relative paths with .. components
in the LC_* and LANG variables. Together with typical OpenSSH
configurations (with suitable AcceptEnv settings in sshd_config),
this could conceivably be used to bypass ForceCommand restrictions
(or restricted shells), assuming the attacker has sufficient level
of access to a file system location on the host to create crafted
locale definitions there (CVE-2014-0475).

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
posix_spawn_file_actions_addopen fails to copy the path argument
(glibc bz #17048) which can, in conjunction with many common memory
management techniques from an application, lead to a use after free,
or other vulnerabilities (CVE-2014-4043).

This update also fixes the following issues:

- x86: Disable x87 inline functions for SSE2 math (glibc bz #16510)
- malloc: Fix race in free() of fastbin chunk (glibc bz #15073)

Tavis Ormandy discovered a heap-based buffer overflow in the
transliteration module loading code. As a result, an attacker who can
supply a crafted destination character set argument to iconv-related
character conversion functions could achieve arbitrary code
execution.

This update removes support of loadable gconv transliteration
modules. Besides the security vulnerability, the module loading code
had functionality defects which prevented it from working for the
intended purpose (CVE-2014-5119).

Adhemerval Zanella Netto discovered out-of-bounds reads in additional
code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
that can be used to crash the system, causing a denial of service
condition (CVE-2014-6040).

The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of “$((… ))”
where “…” can be anything valid. The backticks in the arithmetic
expression are evaluated in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass the
WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).

The vfprintf function in stdio-common/vfprintf.c in GNU C Library
(aka glibc) 2.5, 2.12, and probably other versions does not properly
restrict the use of the alloca function when allocating the SPECS
array, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a denial
of service (crash) or possibly execute arbitrary code via a crafted
format string using positional parameters and a large number of format
specifiers (CVE-2012-3406).

The nss_dns implementation of getnetbyname could run into an infinite
loop if the DNS response contained a PTR record of an unexpected format
(CVE-2014-9402).

Also, glibc lock elision (a new feature in glibc 2.18) has been
disabled, as it can break glibc at runtime on newer Intel hardware
(due to a hardware bug).

Under certain conditions wscanf can allocate too little memory
for the to-be-scanned arguments and overflow the allocated buffer
(CVE-2015-1472).

The incorrect use of “__libc_use_alloca (newsize)” caused a different
(and weaker) policy to be enforced which could allow a denial of
service attack (CVE-2015-1473).

MDVSA-2015:169: git

Updated git packages fix security vulnerability:

It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when
the client performed a git pull. Because git permitted committing
.Git/config (or any case variation), on the pull this would replace the
user’s .git/config. If this malicious config file contained defined
external commands (such as for invoking an editor or an external diff
utility) it could allow for the execution of arbitrary code with the
privileges of the user running the git client (CVE-2014-9390).
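
As an added example (not part of the advisory or of git itself), the
following check parses `git ls-tree -r -z` output and flags any path with
a component that is a case variation of .git, which is the condition the
advisory describes. The sample listing and its all-zero object ids are
constructed, and the function names are hypothetical.

```python
def parse_ls_tree_z(raw: bytes):
    """Yield (mode, type, object_id, path) from `git ls-tree -r -z` output.

    Each record is "<mode> <type> <object>\t<path>" terminated by NUL.
    """
    for record in raw.split(b"\0"):
        if not record:
            continue
        meta, path = record.split(b"\t", 1)
        mode, obj_type, obj_id = meta.split(b" ")
        # Paths are raw bytes in git; keep undecodable bytes round-trippable.
        yield (mode.decode(), obj_type.decode(), obj_id.decode(),
               path.decode("utf-8", "surrogateescape"))


def find_dotgit_aliases(raw: bytes):
    """Return (path, component) pairs where a component case-folds to '.git'.

    On a case-insensitive filesystem such a component resolves to the
    repository's own .git directory when the tree is checked out.
    """
    findings = []
    for _mode, _type, _oid, path in parse_ls_tree_z(raw):
        for component in path.split("/"):
            if component.casefold() == ".git":
                findings.append((path, component))
    return findings


def _record(path: str, mode: str = "100644") -> bytes:
    # Constructed record; the all-zero object id is a placeholder.
    return f"{mode} blob {'0' * 40}\t{path}".encode() + b"\0"


# Constructed sample listing (not taken from a real repository).
SAMPLE_LISTING = b"".join(_record(p) for p in [
    "README.md",
    ".gitignore",                 # legitimate: not a case variant of .git
    "docs/git/config",            # legitimate: no leading dot
    ".Git/config",                # case variant at the top level
    "vendor/lib/.GIT/hooks/post-checkout",  # case variant in a subdirectory
])

if __name__ == "__main__":
    for path, component in find_dotgit_aliases(SAMPLE_LISTING):
        print(f"REJECT {path!r}: component {component!r} aliases .git")
```

The check covers only the case variations described above and can be run
over a fetched commit's listing before the tree is checked out.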

MDVSA-2015:167: glpi

Updated glpi package fixes security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost
information can in fact see the information when selecting cost as
a search criterion (CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be
included by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI
before 0.85.1 allows remote authenticated users to execute arbitrary
SQL commands via the condition parameter (CVE-2014-9258).

[ MDVSA-2015:184 ] setup

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:184
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : setup
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated setup package fixes security vulnerability:
 
 An issue has been identified in Mandriva Business Server 2's setup
 package where the /etc/shadow and /etc/gshadow files containing
 password hashes were created with incorrect permissions, making them
 world-readable (mga#14516).
 
 This update fixes this issue by enforcing that those files are owned
 by the root user and shadow group, and are only readable by those
 two entities.
 
 Note that this issue only affected new Mandriva Business Server
 2 installations.  System

[ MDVSA-2015:183 ] wireshark

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:183
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wireshark package fixes security vulnerabilities:
 
 The WCP dissector could crash (CVE-2015-2188).
 
 The pcapng file parser could crash (CVE-2015-2189).
 
 The TNEF dissector could go into an infinite loop (CVE-2015-2191).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2188
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2189
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2191
 http://advisories.mageia.org/M

[ MDVSA-2015:182 ] tcpdump

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:182
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : tcpdump
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated tcpdump package fixes security vulnerabilities:
 
 Several vulnerabilities have been discovered in tcpdump. These
 vulnerabilities might result in denial of service (application
 crash) or, potentially, execution of arbitrary code (CVE-2015-0261,
 CVE-2015-2153, CVE-2015-2154, CVE-2015-2155).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0261
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2153
 http://cve.mitre.org/c

[ MDVSA-2015:145-1 ] libxfont

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2015:145-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libxfont
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libxfont packages fix security vulnerabilities:
 
 Ilja van Sprundel discovered that libXfont incorrectly handled font
 metadata file parsing. A local attacker could use this issue to cause
 libXfont to crash, or possibly execute arbitrary code in order to
 gain privileges (CVE-2014-0209).
 
 Ilja van Sprundel discovered that libXfont incorrectly handled X Font
 Server replies. A malicious font server could return specially-crafted
 data that could cause libXfont to crash, or possibly execute arbitrary
 code (CVE-2014-02

[ MDVSA-2015:147-1 ] libtiff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2015:147-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libtiff
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libtiff packages fix security vulnerabilities:
 
 The libtiff image decoder library contains several issues that
 could cause the decoder to crash when reading crafted TIFF images
 (CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130,
 CVE-2014-9655, CVE-2015-1547).

 Update:

 Packages for Mandriva Business Server 1 are now being provided.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
 http://cve.mitre.org/cgi-bi

[ MDVSA-2015:181 ] drupal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:181
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : drupal
 Date    : March 30, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated drupal packages fix security vulnerabilities:
 
 An information disclosure vulnerability was discovered in Drupal
 before 7.27. When pages are cached for anonymous users, form state
 may leak between anonymous users. Sensitive or private information
 recorded for one anonymous user could thus be disclosed to other
 users interacting with the same form at the same time (CVE-2014-2983).
 
 Multiple security issues in Drupal before 7.29, including a denial
 of service issue, an access bypass issue in the File module, and
 mul

[ MDVSA-2015:180 ] apache-mod_wsgi

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:180
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : apache-mod_wsgi
 Date    : March 30, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated apache-mod_wsgi package fixes security vulnerabilities:
 
 apache-mod_wsgi before 4.2.4 contained an off-by-one error in
 applying a limit to the number of supplementary groups allowed for
 a daemon process group. The result could be that if more groups
 than the operating system allowed were specified to the option
 supplementary-groups, then memory corruption or a process crash
 could occur.
 
 It was discovered that mod_wsgi incorrectly handled errors when
 setting up the working directory and group access righ