Mandriva Linux Security Advisory MDVSA-2015:059
http://www.mandriva.com/en/support/security/
Package : nss
Date : March 13, 2015
Affected: Business Server 2.0
Category Archives: Mandriva
Mandriva Security Advisory
[ MDVSA-2015:058 ] kernel
Mandriva Linux Security Advisory MDVSA-2015:058
http://www.mandriva.com/en/support/security/
Package : kernel
Date : March 13, 2015
Affected: Business Server 2.0
MDVSA-2015:058: kernel
Multiple vulnerabilities have been found and corrected in the Linux
kernel:
The Crypto API in the Linux kernel before 3.18.5 allows local users
to load arbitrary kernel modules via a bind system call for an
AF_ALG socket with a module name in the salg_name field, a different
vulnerability than CVE-2014-9644 (CVE-2013-7421).
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
3.17.2 on Intel processors does not ensure that the value in the CR4
control register remains the same after a VM entry, which allows host
OS users to kill arbitrary processes or cause a denial of service
(system disruption) by leveraging /dev/kvm access, as demonstrated by
PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690).
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation
in the Linux kernel through 3.18.1 allows local users to bypass the
espfix protection mechanism, and consequently makes it easier for
local users to bypass the ASLR protection mechanism, via a crafted
application that makes a set_thread_area system call and later reads
a 16-bit value (CVE-2014-8133).
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before
3.18 generates incorrect conntrack entries during handling of certain
iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,
which allows remote attackers to bypass intended access restrictions
via packets with disallowed port numbers (CVE-2014-8160).
The Linux kernel through 3.17.4 does not properly restrict dropping
of supplemental group memberships in certain namespace scenarios,
which allows local users to bypass intended file permissions by
leveraging a POSIX ACL containing an entry for the group category
that is more restrictive than the entry for the other category, aka
a negative groups issue, related to kernel/groups.c, kernel/uid16.c,
and kernel/user_namespace.c (CVE-2014-8989).
The __switch_to function in arch/x86/kernel/process_64.c in the Linux
kernel through 3.18.1 does not ensure that Thread Local Storage (TLS)
descriptors are loaded before proceeding with other steps, which makes
it easier for local users to bypass the ASLR protection mechanism via
a crafted application that reads a TLS base address (CVE-2014-9419).
The rock_continue function in fs/isofs/rock.c in the Linux kernel
through 3.18.1 does not restrict the number of Rock Ridge continuation
entries, which allows local users to cause a denial of service
(infinite loop, and system crash or hang) via a crafted iso9660 image
(CVE-2014-9420).
The batadv_frag_merge_packets function in
net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in
the Linux kernel through 3.18.1 uses an incorrect length field during
a calculation of an amount of memory, which allows remote attackers
to cause a denial of service (mesh-node system crash) via fragmented
packets (CVE-2014-9428).
Race condition in the key_gc_unused_keys function in security/keys/gc.c
in the Linux kernel through 3.18.2 allows local users to cause a denial
of service (memory corruption or panic) or possibly have unspecified
other impact via keyctl commands that trigger access to a key structure
member during garbage collection of a key (CVE-2014-9529).
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in
the Linux kernel before 3.18.2 does not validate a length value in
the Extensions Reference (ER) System Use Field, which allows local
users to obtain sensitive information from kernel memory via a crafted
iso9660 image (CVE-2014-9584).
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel
through 3.18.2 does not properly choose memory locations for the
vDSO area, which makes it easier for local users to bypass the ASLR
protection mechanism by guessing a location at the end of a PMD
(CVE-2014-9585).
The Crypto API in the Linux kernel before 3.18.5 allows local users
to load arbitrary kernel modules via a bind system call for an
AF_ALG socket with a parenthesized module template expression in
the salg_name field, as demonstrated by the vfat(aes) expression,
a different vulnerability than CVE-2013-7421 (CVE-2014-9644).
Off-by-one error in the ecryptfs_decode_from_filename function in
fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel
before 3.18.2 allows local users to cause a denial of service (buffer
overflow and system crash) or possibly gain privileges via a crafted
filename (CVE-2014-9683).
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel
before 3.18.5, when the guest OS lacks SYSENTER MSR initialization,
allows guest OS users to gain guest OS privileges or cause a denial
of service (guest OS crash) by triggering use of a 16-bit code segment
for emulation of a SYSENTER instruction (CVE-2015-0239).
The updated packages provide a solution for these security issues.
MDVSA-2015:059: nss
Multiple vulnerabilities have been found and corrected in the Mozilla
NSS and NSPR packages:
The cert_TestHostName function in lib/certdb/certdb.c in the
certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is
embedded in an internationalized domain name’s U-label, which might
allow man-in-the-middle attackers to spoof SSL servers via a crafted
certificate (CVE-2014-1492).
Use-after-free vulnerability in the CERT_DestroyCertificate function
in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used
in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
before 24.7, allows remote attackers to execute arbitrary code via
vectors that trigger certain improper removal of an NSSCertificate
structure from a trust domain (CVE-2014-1544).
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x
before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox
before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before
31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2,
Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124
on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does
not properly parse ASN.1 values in X.509 certificates, which makes
it easier for remote attackers to spoof RSA signatures via a crafted
certificate, aka a signature malleability issue (CVE-2014-1568).
The definite_length_decoder function in lib/util/quickder.c in
Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x
before 3.17.3 does not ensure that the DER encoding of an ASN.1
length is properly formed, which allows remote attackers to conduct
data-smuggling attacks by using a long byte sequence for an encoding,
as demonstrated by the SEC_QuickDERDecodeItem function’s improper
handling of an arbitrary-length encoding of 0x00 (CVE-2014-1569).
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions (CVE-2014-1545).
The sqlite3 packages have been upgraded to version 3.8.6, which is a
prerequisite for nss 3.17.x.
Additionally, the rootcerts package has been updated to the latest
version as of 2014-11-17, which adds, removes, and distrusts several
certificates.
The updated packages provide a solution for these security issues.
MDVSA-2015:057: kernel
Multiple vulnerabilities have been found and corrected in the Linux
kernel:
The Crypto API in the Linux kernel before 3.18.5 allows local users
to load arbitrary kernel modules via a bind system call for an
AF_ALG socket with a parenthesized module template expression in
the salg_name field, as demonstrated by the vfat(aes) expression,
a different vulnerability than CVE-2013-7421 (CVE-2014-9644).
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before
3.18 generates incorrect conntrack entries during handling of certain
iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,
which allows remote attackers to bypass intended access restrictions
via packets with disallowed port numbers (CVE-2014-8160).
The Crypto API in the Linux kernel before 3.18.5 allows local users
to load arbitrary kernel modules via a bind system call for an
AF_ALG socket with a module name in the salg_name field, a different
vulnerability than CVE-2014-9644 (CVE-2013-7421).
The updated packages provide a solution for these security issues.
[ MDVSA-2015:057 ] kernel
Mandriva Linux Security Advisory MDVSA-2015:057
http://www.mandriva.com/en/support/security/
Package : kernel
Date : March 10, 2015
Affected: Business Server 1.0
MDVSA-2015:056: rpm
Updated rpm packages fix security vulnerabilities:
It was found that RPM wrote file contents to the target
installation directory under a temporary name, and verified its
cryptographic signature only after the temporary file has been
written completely. Under certain conditions, the system interprets
the unverified temporary file contents and extracts commands from
it. This could allow an attacker to modify signed RPM files in such
a way that they would execute code chosen by the attacker during
package installation (CVE-2013-6435).
It was found that RPM could encounter an integer overflow, leading to
a stack-based buffer overflow, while parsing a crafted CPIO header
in the payload section of an RPM file. This could allow an attacker
to modify signed RPM files in such a way that they would execute code
chosen by the attacker during package installation (CVE-2014-8118).
[ MDVSA-2015:056 ] rpm
Mandriva Linux Security Advisory MDVSA-2015:056
http://www.mandriva.com/en/support/security/
Package : rpm
Date : March 9, 2015
Affected: Business Server 2.0
MDVSA-2015:055: freetype2
Updated freetype2 packages fix security vulnerabilities:
The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType
before 2.5.4 does not properly check for an integer overflow, which
allows remote attackers to cause a denial of service (out-of-bounds
read) or possibly have unspecified other impact via a crafted OpenType
font (CVE-2014-9656).
The tt_face_load_hdmx function in truetype/ttpload.c in FreeType
before 2.5.4 does not establish a minimum record size, which allows
remote attackers to cause a denial of service (out-of-bounds read)
or possibly have unspecified other impact via a crafted TrueType font
(CVE-2014-9657).
The tt_face_load_kern function in sfnt/ttkern.c in FreeType before
2.5.4 enforces an incorrect minimum table length, which allows
remote attackers to cause a denial of service (out-of-bounds read)
or possibly have unspecified other impact via a crafted TrueType font
(CVE-2014-9658).
The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4
does not properly handle a missing ENDCHAR record, which allows remote
attackers to cause a denial of service (NULL pointer dereference)
or possibly have unspecified other impact via a crafted BDF font
(CVE-2014-9660).
type42/t42parse.c in FreeType before 2.5.4 does not consider that
scanning can be incomplete without triggering an error, which allows
remote attackers to cause a denial of service (use-after-free) or
possibly have unspecified other impact via a crafted Type42 font
(CVE-2014-9661).
The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before
2.5.4 validates a certain length field before that field’s value
is completely calculated, which allows remote attackers to cause a
denial of service (out-of-bounds read) or possibly have unspecified
other impact via a crafted cmap SFNT table (CVE-2014-9663).
FreeType before 2.5.4 does not check for the end of the data during
certain parsing actions, which allows remote attackers to cause a
denial of service (out-of-bounds read) or possibly have unspecified
other impact via a crafted Type42 font, related to type42/t42parse.c
and type1/t1load.c (CVE-2014-9664).
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before
2.5.4 proceeds with a count-to-size association without restricting
the count value, which allows remote attackers to cause a denial of
service (integer overflow and out-of-bounds read) or possibly have
unspecified other impact via a crafted embedded bitmap (CVE-2014-9666).
sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length
calculations without restricting the values, which allows remote
attackers to cause a denial of service (integer overflow and
out-of-bounds read) or possibly have unspecified other impact via a
crafted SFNT table (CVE-2014-9667).
Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4
allow remote attackers to cause a denial of service (out-of-bounds
read or memory corruption) or possibly have unspecified other impact
via a crafted cmap SFNT table (CVE-2014-9669).
Multiple integer signedness errors in the pcf_get_encodings function
in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to
cause a denial of service (integer overflow, NULL pointer dereference,
and application crash) via a crafted PCF file that specifies negative
values for the first column and first row (CVE-2014-9670).
Off-by-one error in the pcf_get_properties function in pcf/pcfread.c
in FreeType before 2.5.4 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via a crafted
PCF file with a 0xffffffff size value that is improperly incremented
(CVE-2014-9671).
Array index error in the parse_fond function in base/ftmac.c in
FreeType before 2.5.4 allows remote attackers to cause a denial
of service (out-of-bounds read) or obtain sensitive information
from process memory via a crafted FOND resource in a Mac font file
(CVE-2014-9672).
Integer signedness error in the Mac_Read_POST_Resource function in
base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to
cause a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via a crafted Mac font (CVE-2014-9673).
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before
2.5.4 proceeds with adding to length values without validating the
original values, which allows remote attackers to cause a denial of
service (integer overflow and heap-based buffer overflow) or possibly
have unspecified other impact via a crafted Mac font (CVE-2014-9674).
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by
only verifying that an initial substring is present, which allows
remote attackers to discover heap pointer values and bypass the ASLR
protection mechanism via a crafted BDF font (CVE-2014-9675).
MDVSA-2015:054: bind
Updated bind packages fix a security vulnerability:
Jan-Piet Mens discovered that the BIND DNS server would crash when
processing an invalid DNSSEC key rollover, either due to an error
on the zone operator’s part, or due to interference with network
traffic by an attacker. This issue affects configurations with the
directives “dnssec-lookaside auto;” (as enabled in the Mageia default
configuration) or “dnssec-validation auto;” (CVE-2015-1349).