Updated dovecot packages fix security vulnerability.

Dovecot before 2.2.13 is vulnerable to a DoS attack against
imap/pop3-login processes. If SSL/TLS handshake was started but
wasn’t finished, the login process attempted to eventually forcibly
disconnect the client, but failed to do it correctly. This could have
left the connections hanging around for a long time (CVE-2014-3430).

Updated cifs-utils packages fix security vulnerability:

Sebastian Krahmer discovered a stack-based buffer overflow flaw in
cifscreds.c (CVE-2014-2830).

Updated libvirt packages fix security vulnerabilities:

The LXC driver (lxc/lxc_driver.c) in libvirt 1.0.1 through
1.2.1 allows local users to (1) delete arbitrary host devices
via the virDomainDeviceDettach API and a symlink attack on /dev
in the container; (2) create arbitrary nodes (mknod) via the
virDomainDeviceAttach API and a symlink attack on /dev in the
container; and cause a denial of service (shutdown or reboot host
OS) via the (3) virDomainShutdown or (4) virDomainReboot API and a
symlink attack on /dev/initctl in the container, related to paths under
/proc//root and the virInitctlSetRunLevel function (CVE-2013-6456).

libvirt was patched to prevent expansion of entities when parsing XML
files. This vulnerability allowed malicious users to read arbitrary
files or cause a denial of service (CVE-2014-0179).

An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).

A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).

Eric Blake discovered that libvirt incorrectly handled permissions
when processing the qemuDomainFormatXML command. An attacker with
read-only privileges could possibly use this to gain access to certain
information from the domain xml file (CVE-2014-7823).

The qemuDomainMigratePerform and qemuDomainMigrateFinish2 functions
in qemu/qemu_driver.c in libvirt do not unlock the domain when an
ACL check fails, which allow local users to cause a denial of service
via unspecified vectors (CVE-2014-8136).

The XML getters for for save images and snapshots objects don’t
check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump
security sensitive information. A remote attacker able to establish
a connection to libvirtd could use this flaw to cause leak certain
limited information from the domain xml file (CVE-2015-0236).

Updated libtasn1 packages fix security vulnerabilities:

Multiple buffer boundary check issues were discovered in libtasn1
library, causing it to read beyond the boundary of an allocated buffer.
An untrusted ASN.1 input could cause an application using the library
to crash (CVE-2014-3467).

It was discovered that libtasn1 library function asn1_get_bit_der()
could incorrectly report negative bit length of the value read from
ASN.1 input. This could possibly lead to an out of bounds access in
an application using libtasn1, for example in case if application
tried to terminate read value with NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1’s
asn1_read_value_type() / asn1_read_value() function. If an application
called the function with a NULL value for an ivalue argument to
determine the amount of memory needed to store data to be read from
the ASN.1 input, libtasn1 could incorrectly attempt to dereference
the NULL pointer, causing an application using the library to crash
(CVE-2014-3469).

Updated cups packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in scheduler/client.c
in Common Unix Printing System (CUPS) before 1.7.2 allows remote
attackers to inject arbitrary web script or HTML via the URL path,
related to the is_path_absolute function (CVE-2014-2856).

In CUPS before 1.7.4, a local user with privileges of group=lp
can write symbolic links in the rss directory and use that to gain
‘@SYSTEM’ group privilege with cupsd (CVE-2014-3537).

It was discovered that the web interface in CUPS incorrectly
validated permissions on rss files and directory index files. A local
attacker could possibly use this issue to bypass file permissions
and read arbitrary files, possibly leading to a privilege escalation
(CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).

A malformed file with an invalid page header and compressed raster data
can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679).

Updated python-django packages fix security vulnerabilities:

Jedediah Smith discovered that Django incorrectly handled underscores
in WSGI headers. A remote attacker could possibly use this issue to
spoof headers in certain environments (CVE-2015-0219).

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to
perform a cross-site scripting attack (CVE-2015-0220).

Alex Gaynor discovered that Django incorrectly handled reading files
in django.views.static.serve(). A remote attacker could possibly use
this issue to cause Django to consume resources, resulting in a denial
of service (CVE-2015-0221).

Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this
issue to cause a large number of SQL queries, resulting in a database
denial of service. Note that this issue only affected python-django
(CVE-2015-0222).

Cross-site scripting (XSS) vulnerability in the contents function
in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2
allows remote attackers to inject arbitrary web script or HTML via
a model attribute in ModelAdmin.readonly_fields, as demonstrated by
a @property (CVE-2015-2241).

Updated postgresql packages fix multiple security vulnerabilities:

Granting a role without ADMIN OPTION is supposed to prevent the
grantee from adding or removing members from the granted role, but
this restriction was easily bypassed by doing SET ROLE first. The
security impact is mostly that a role member can revoke the access
of others, contrary to the wishes of his grantor. Unapproved role
member additions are a lesser concern, since an uncooperative role
member could provide most of his rights to others anyway by creating
views or SECURITY DEFINER functions (CVE-2014-0060).

The primary role of PL validator functions is to be called implicitly
during CREATE FUNCTION, but they are also normal SQL functions
that a user can call explicitly. Calling a validator on a function
actually written in some other language was not checked for and could
be exploited for privilege-escalation purposes. The fix involves
adding a call to a privilege-checking function in each validator
function. Non-core procedural languages will also need to make this
change to their own validator functions, if any (CVE-2014-0061).

If the name lookups come to different conclusions due to concurrent
activity, we might perform some parts of the DDL on a different
table than other parts. At least in the case of CREATE INDEX, this
can be used to cause the permissions checks to be performed against
a different table than the index creation, allowing for a privilege
escalation attack (CVE-2014-0062).

The MAXDATELEN constant was too small for the longest possible value of
type interval, allowing a buffer overrun in interval_out(). Although
the datetime input functions were more careful about avoiding buffer
overrun, the limit was short enough to cause them to reject some valid
inputs, such as input containing a very long timezone name. The ecpg
library contained these vulnerabilities along with some of its own
(CVE-2014-0063).

Several functions, mostly type input functions, calculated an
allocation size without checking for overflow. If overflow did
occur, a too-small buffer would be allocated and then written past
(CVE-2014-0064).

Use strlcpy() and related functions to provide a clear guarantee
that fixed-size buffers are not overrun. Unlike the preceding items,
it is unclear whether these cases really represent live issues,
since in most cases there appear to be previous constraints on the
size of the input string. Nonetheless it seems prudent to silence
all Coverity warnings of this type (CVE-2014-0065).

There are relatively few scenarios in which crypt() could return NULL,
but contrib/chkpass would crash if it did. One practical case in which
this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., FIPS mode) (CVE-2014-0066).

Since the temporary server started by make check uses trust
authentication, another user on the same machine could connect to it
as database superuser, and then potentially exploit the privileges of
the operating-system user who started the tests. A future release will
probably incorporate changes in the testing procedure to prevent this
risk, but some public discussion is needed first. So for the moment,
just warn people against using make check when there are untrusted
users on the same machine (CVE-2014-0067).

A user with limited clearance on a table might have access to
information in columns without SELECT rights on through server error
messages (CVE-2014-8161).

The function to_char() might read/write past the end of a buffer. This
might crash the server when a formatting template is processed
(CVE-2015-0241).

The pgcrypto module is vulnerable to stack buffer overrun that might
crash the server (CVE-2015-0243).

Emil Lenngren reported that an attacker can inject SQL commands when
the synchronization between client and server is lost (CVE-2015-0244).

This update provides PostgreSQL versions 9.3.6 and 9.2.10 that fix
these issues, as well as several others.

Updated libxml2 packages fix security vulnerabilities:

It was discovered that libxml2, a library providing support to
read, modify and write XML files, incorrectly performs entity
substituton in the doctype prolog, even if the application using
libxml2 disabled any entity substitution. A remote attacker could
provide a specially-crafted XML file that, when processed, would lead
to the exhaustion of CPU and memory resources or file descriptors
(CVE-2014-0191).

A denial of service flaw was found in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by
an application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior
(CVE-2014-3660).

Updated apache-mod_security packages fix security vulnerability:

Martin Holst Swende discovered a flaw in the way mod_security handled
chunked requests. A remote attacker could use this flaw to bypass
intended mod_security restrictions, allowing them to send requests
containing content that should have been removed by mod_security
(CVE-2013-5705).

Updated lcms2 packages fix security vulnerability:

Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE
Embedded 7u51, allows remote attackers to affect availability via
unknown vectors related to 2D (CVE-2014-0459).