Category Archives: Mandriva

Mandriva Security Advisory

[ MDVSA-2015:148-1 ] libssh2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                       MDVSA-2015:148-1
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libssh2
Date    : March 29, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
reading and using the SSH_MSG_KEXINIT packet without doing sufficient
range checks when negotiating a new SSH session with a remote server. A
malicious attacker could man in the middle a real server and cause a
client using the libssh2 library to crash (denial of service) or
otherwise read and use unintended memory areas in this process
(CVE-2015-1782).

Update:

Packages were missing for Mandriva
[ MDVSA-2015:155 ] gnupg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:155
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gnupg
Date    : March 29, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated gnupg and libgcrypt packages fix security vulnerabilities:

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on
data-dependent timing variations in modular exponentiation, which can
potentially lead to an information leak (CVE-2015-0837).

The gnupg package has been patched to correct these issues. GnuPG2 is
vulnerable to these issues through the libgcrypt library. The issues
[ MDVSA-2015:154 ] gnupg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:154
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : gnupg
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated gnupg, gnupg2 and libgcrypt packages fix security
vulnerabilities:

GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of
service which can be caused by garbled compressed data packets which
may put gpg into an infinite loop (CVE-2014-4617).

The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL
side-channel attack (CVE-2014-5270).

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can
potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 i
[ MDVSA-2015:153 ] libgd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:153
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libgd
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libgd packages fix security vulnerabilities:

The gdImageCreateFromXpm function in gdxpm.c in the gd image library
allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted color table in an XPM
file (CVE-2014-2497).

A buffer read overflow in gd_gif_in.c in the php#68601 bug referenced
in the PHP 5.5.21 ChangeLog has been fixed in the libgd package.
_______________________________________________________________________

References:

http://cve.mitre.org/
[ MDVSA-2015:152 ] libjpeg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:152
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libjpeg
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libjpeg packages fix security vulnerability:

Passing a specially crafted jpeg file to libjpeg-turbo could lead to
stack smashing (CVE-2014-9092).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092
http://advisories.mageia.org/MGASA-2014-0544.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
cfffdbee5761ab15865e348aeb9106c3 mbs2/x86_64/
[ MDVSA-2015:151 ] libksba
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:151
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libksba
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libksba packages fix security vulnerability:

By using specially crafted S/MIME messages or ECC based OpenPGP data,
it is possible to create a buffer overflow, which could lead to a
denial of service (CVE-2014-9087).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9087
http://advisories.mageia.org/MGASA-2014-0498.html
_______________________________________________________________________

Updated Packages:

Mandriva Busi
[ MDVSA-2015:150 ] liblzo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:150
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : liblzo
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated liblzo packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a
denial of service or possibly code execution in applications performing
LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
__________________________________________________________
[ MDVSA-2015:149 ] libsndfile
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:149
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libsndfile
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libsndfile packages fix security vulnerabilities:

libsndfile contains multiple buffer-overflow vulnerabilities in
src/sd2.c because it fails to properly bounds-check user supplied
input, which may allow an attacker to execute arbitrary code or cause a
denial of service (CVE-2014-9496).

libsndfile contains a divide-by-zero error in src/file_io.c which may
allow an attacker to cause a denial of service.
_______________________________________________________________________

References:

http://cve.mitre.org
[ MDVSA-2015:148 ] libssh2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:148
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libssh2
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libssh2 packages fix security vulnerability:

Mariusz Ziulek reported that libssh2, an SSH2 client-side library, was
reading and using the SSH_MSG_KEXINIT packet without doing sufficient
range checks when negotiating a new SSH session with a remote server. A
malicious attacker could man in the middle a real server and cause a
client using the libssh2 library to crash (denial of service) or
otherwise read and use unintended memory areas in this process
(CVE-2015-1782).
______________________________________________
[ MDVSA-2015:147 ] libtiff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:147
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libtiff
Date    : March 29, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated libtiff packages fix security vulnerabilities:

The libtiff image decoder library contains several issues that could
cause the decoder to crash when reading crafted TIFF images
(CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130,
CVE-2014-9655, CVE-2015-1547).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
http://cve.mitre.org/cgi-bin/cvename.cgi?n