NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent over
the connection authenticated as a different user (CVE-2015-3143).
When parsing HTTP cookies, if the parsed cookie’s path element consists
of a single double-quote, libcurl would try to write to an invalid
heap memory address. This could allow remote attackers to cause a
denial of service (crash) (CVE-2015-3145).
When doing HTTP requests using the Negotiate authentication
method along with NTLM, the connection used would not be marked
as authenticated, making it possible to reuse it and send requests
for one user over the connection authenticated as a different user
(CVE-2015-3148).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Advisory MDVA-2015:010
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : timezone
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
This is a maintenance and bugfix release that upgrades the timezone
data packages and the php-timezonedb packages to the 2015d version.
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
1d493b57714e045b6ba324982191397e mbs1/x86_64/timezone-2015d-1.mbs1.x86_64.rpm
f2073a5c328b90acbabc57bae0e1481b mbs1/x86_64/timezone-java-2015d-1.mbs1.x86_64.rpm
e41aafa67d05f096cd21c7bfec1cb086 mbs1/SRPMS/timezone-2015d-1.mbs1.src.rpm
Mandr
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:226
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : fcgi
Date : May 4, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated fcgi packages fix security vulnerability:
FCGI does not perform range checks for file descriptors before use of
the FD_SET macro. This FD_SET macro could allow for more than 1024
total file descriptors to be monitored in the closing state. This
may allow remote attackers to cause a denial of service (stack memory
corruption, and infinite loop or daemon crash) by opening many socket
connections to the host and crashing the service (CVE-2012-6687).
_______________________________________________________________________
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:225
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cherokee
Date : May 4, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated cherokee packages fix security vulnerability:
The cherokee_validator_ldap_check function in validator_ldap.c in
Cherokee 1.2.103 and earlier, when LDAP is used, does not properly
consider unauthenticated-bind semantics, which allows remote attackers
to bypass authentication via an empty password (CVE-2014-4668).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4668
http://advisories.mageia.org/MGASA-2015-0181.html
_______
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:224
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : ruby
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated ruby packages fix security vulnerability:
Ruby OpenSSL hostname matching implementation violates RFC 6125
(CVE-2015-1855).
The ruby packages for MBS2 has been updated to version 2.0.0-p645,
which fixes this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855
http://advisories.mageia.org/MGASA-2015-0178.html
_______________________________________________________________________
Updated Package
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:223
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : directfb
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated directfb packages fix security vulnerabilities:
Multiple integer signedness errors in the Dispatch_Write function
in proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB allow
remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via the Voodoo interface, which triggers a
stack-based buffer overflow (CVE-2014-2977).
The Dispatch_Write function in
proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB allows
remote attackers to cause a denial of s
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:222
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : ppp
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated ppp packages fix security vulnerability:
Emanuele Rocca discovered that ppp was subject to a buffer
overflow when communicating with a RADIUS server. This would allow
unauthenticated users to cause a denial-of-service by crashing the
daemon (CVE-2015-3310).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3310
http://advisories.mageia.org/MGASA-2015-0173.html
________________________________________________
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:221
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : clamav
Date : May 4, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been found and corrected in clamav:
Fix infinite loop condition on crafted y0da cryptor file. Identified
and patch suggested by Sebastian Andrzej Siewior (CVE-2015-2221).
Fix crash on crafted petite packed file. Reported and patch supplied
by Sebastian Andrzej Siewior (CVE-2015-2222).
Fix an infinite loop condition on a crafted xz archive file. This
was reported by Dimitri Kirchner and Goulven Guiheux (CVE-2015-2668).
Apply upstream patch for possible heap overflow in H
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:220
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : curl
Date : May 4, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated curl packages fix security vulnerabilities:
NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent over
the connection authenticated as a different user (CVE-2015-3143).
When doing HTTP requests using the Negotiate authentication
method along with NTLM, the connection used would not be marked
as authenticated, making it possible to reuse it and send requests
for one user over the connection authenticated as a different user
(CVE-2015-3148)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:219
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : curl
Date : May 4, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated curl packages fix security vulnerabilities:
NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent over
the connection authenticated as a different user (CVE-2015-3143).
When parsing HTTP cookies, if the parsed cookie's path element consists
of a single double-quote, libcurl would try to write to an invalid
heap memory address. This could allow remote attackers to cause a
denial of service (crash) (CVE-2015-3145).
When doing HTTP re