Category Archives: Mandriva

Mandriva Security Advisory

MDVSA-2015:104: elfutils

Updated elfutils packages fix security vulnerabilities:

The libdw library provides support for accessing DWARF debugging
information inside ELF files. An integer overflow flaw in
check_section(), leading to a heap-based buffer overflow, was found
in the libdw library. A malicious ELF file could cause an application
using libdw (such as eu-readelf) to crash or, potentially, execute
arbitrary code with the privileges of the user running the application
(CVE-2014-0172).

Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils allows remote attackers to write
arbitrary files to the root directory via a / (slash) in a crafted
archive, as demonstrated using the ar program (CVE-2014-9447).

MDVSA-2015:105: imagemagick

Updated imagemagick package fixes security vulnerabilities:

A buffer overflow flaw was found in the way ImageMagick handled PSD
images that use RLE encoding. An attacker could create a malicious PSD
image file that, when opened in ImageMagick, would cause ImageMagick
to crash or, potentially, execute arbitrary code with the privileges
of the user running ImageMagick (CVE-2014-1958).

A buffer overflow flaw was found in the way ImageMagick writes PSD
images when the input data has a large number of unlabeled layers
(CVE-2014-2030).

ImageMagick is vulnerable to a denial of service due to out-of-bounds
memory accesses in the resize code (CVE-2014-8354), PCX parser
(CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder
(CVE-2014-8716).

MDVSA-2015:100: cups-filters

Updated cups-filters packages fix security vulnerabilities:

Florian Weimer discovered that cups-filters incorrectly handled
memory in the urftopdf filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6473).

Florian Weimer discovered that cups-filters incorrectly handled
memory in the pdftoopvp filter. An attacker could possibly use this
issue to execute arbitrary code with the privileges of the lp user
(CVE-2013-6474, CVE-2013-6475).

Florian Weimer discovered that cups-filters did not restrict driver
directories in the pdftoopvp filter. An attacker could possibly
use this issue to execute arbitrary code with the privileges of the
lp user (CVE-2013-6476).

Sebastian Krahmer discovered it was possible to use malicious
broadcast packets to execute arbitrary commands on a server running
the cups-browsed daemon (CVE-2014-2707).

In cups-filters before 1.0.53, out-of-bounds accesses in the
process_browse_data function when reading the packet variable
could lead to a crash, thus resulting in a denial of service
(CVE-2014-4337).

In cups-filters before 1.0.53, if there was only a single BrowseAllow
line in cups-browsed.conf and its host specification was invalid, this
was interpreted as if no BrowseAllow line had been specified, which
resulted in it accepting browse packets from all hosts (CVE-2014-4338).

The CVE-2014-2707 issue with malicious broadcast packets, which
had been fixed in Mageia Bug 13216 (MGASA-2014-0181), had not been
completely fixed by that update. A more complete fix was implemented
in cups-filters 1.0.53 (CVE-2014-4336).

Note that only systems that have enabled the affected feature
by using the CreateIPPPrinterQueues configuration directive in
/etc/cups/cups-browsed.conf were affected by the CVE-2014-2707 /
CVE-2014-4336 issue.

MDVSA-2015:101: jbigkit

Updated jbigkit packages fix security vulnerability:

Florian Weimer found a stack-based buffer overflow flaw in the libjbig
library (part of jbigkit). A specially-crafted image file read by
libjbig could be used to cause a program linked to libjbig to crash
or, potentially, to execute arbitrary code (CVE-2013-6369).

The jbigkit package has been updated to version 2.1, which fixes
this issue, as well as a few other bugs, including the ability of
corrupted input data to force the jbig85 decoder into an endless loop.

MDVSA-2015:102: json-c

Updated json-c packages fix security vulnerabilities:

Florian Weimer reported that the printbuf APIs used in the json-c
library used ints for counting buffer lengths, which is inappropriate
for 32-bit architectures. These functions need to be changed to use
size_t if possible for sizes, or to be hardened against negative
values if not. This could be used to cause a denial of service in
an application linked to the json-c library (CVE-2013-6370).

Florian Weimer reported that the hash function in the json-c library
was weak, and that parsing smallish JSON strings showed quadratic
timing behaviour. This could cause an application linked to the json-c
library, and that processes some specially-crafted JSON data, to use
excessive amounts of CPU (CVE-2013-6371).

MDVSA-2015:103: squid

Updated squid packages fix security vulnerabilities:

Due to incorrect state management, Squid before 3.3.12 is vulnerable
to a denial of service attack when processing certain HTTPS requests
if the SSL-Bump feature is enabled (CVE-2014-0128).

Matthew Daley discovered that Squid 3 did not properly perform input
validation in request parsing. A remote attacker could send crafted
Range requests to cause a denial of service (CVE-2014-3609).

Due to incorrect buffer management, an attacker can cause Squid to
write outside its allocated SNMP buffer (CVE-2014-6270).

Due to incorrect bounds checking, the Squid pinger binary is vulnerable
to denial of service or information leak attacks when processing larger
than normal ICMP or ICMPv6 packets (CVE-2014-7141).

Due to incorrect input validation, the Squid pinger binary is vulnerable
to denial of service or information leak attacks when processing ICMP
or ICMPv6 packets (CVE-2014-7142).

[ MDVSA-2015:158 ] jython

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:158
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : jython
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated jython packages fix security vulnerability:
 
 There are several problems with the way Jython creates class cache
 files, potentially leading to arbitrary code execution or information
 disclosure (CVE-2013-2027).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2027
 http://advisories.mageia.org/MGASA-2015-0096.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business 

[ MDVSA-2015:157 ] libarchive

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:157
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libarchive
 Date    : March 29, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libarchive packages fix security vulnerability:
 
 Alexander Cherepanov discovered that bsdcpio, an implementation of
 the cpio program part of the libarchive project, is susceptible to
 a directory traversal vulnerability via absolute paths (CVE-2015-2304).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
 http://advisories.mageia.org/MGASA-2015-0106.html
 ___________________________________________

[ MDVSA-2015:156 ] libcap-ng

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:156
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libcap-ng
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libcap-ng packages fix security vulnerability:
 
 capng_lock() in libcap-ng before 0.7.4 sets securebits in an attempt to
 prevent regaining capabilities using setuid-root programs. This allows
 a user to run setuid programs, such as seunshare from policycoreutils,
 as uid 0 but without capabilities, which is potentially dangerous
 (CVE-2014-3215).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215
 http://advisories.mageia

[ MDVSA-2015:017-1 ] libevent

 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2015:017-1
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libevent
 Date    : March 29, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libevent packages fix security vulnerability:
 
 Andrew Bartlett of Catalyst reported a defect affecting certain
 applications using the Libevent evbuffer API. This defect leaves
 applications which pass insanely large inputs to evbuffers open
 to a possible heap overflow or infinite loop. In order to exploit
 this flaw, an attacker needs to be able to find a way to provoke the
 program into trying to make a buffer chunk larger than what will fit
 into a single size_t or off_t (CVE-2014-6272).

 Update:

 Packages for Ma