Category Archives: Mandriva

Mandriva Security Advisory

MDVSA-2014:215: gnutls

Updated gnutls package fixes a security vulnerability:

An out-of-bounds memory write flaw was found in the way GnuTLS
parsed certain ECC (Elliptic Curve Cryptography) certificates or
certificate signing requests (CSR). A malicious user could create a
specially crafted ECC certificate or a certificate signing request
that, when processed by an application compiled against GnuTLS (for
example, certtool), could cause that application to crash or execute
arbitrary code with the permissions of the user running the application
(CVE-2014-8564).

MDVSA-2014:213: curl

Updated curl packages fix a security vulnerability:

Symeon Paraschoudis discovered that the curl_easy_duphandle() function
in cURL has a bug that can lead to libcurl eventually sending off
sensitive data that was not intended for sending, while performing
an HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and
curl_easy_duphandle() to be used in that order, and then the duplicate
handle must be used to perform the HTTP POST. The curl command line
tool is not affected by this problem as it does not use this sequence
(CVE-2014-3707).

MDVSA-2014:214: dbus

Updated dbus packages fix the following security issues:

Alban Crequy and Simon McVittie discovered several vulnerabilities
in the D-Bus message daemon:

On 64-bit platforms, file descriptor passing could be abused by local
users to cause heap corruption in dbus-daemon, leading to a crash,
or potentially to arbitrary code execution (CVE-2014-3635).

A denial-of-service vulnerability in dbus-daemon allowed local
attackers to prevent new connections to dbus-daemon, or disconnect
existing clients, by exhausting descriptor limits (CVE-2014-3636).

Malicious local users could create D-Bus connections to dbus-daemon
which could not be terminated by killing the participating processes,
resulting in a denial-of-service vulnerability (CVE-2014-3637).

dbus-daemon suffered from a denial-of-service vulnerability in the
code which tracks which messages expect a reply, allowing local
attackers to reduce the performance of dbus-daemon (CVE-2014-3638).

dbus-daemon did not properly reject malicious connections from local
users, resulting in a denial-of-service vulnerability (CVE-2014-3639).

The patch issued by the D-Bus maintainers for CVE-2014-3636 was
based on incorrect reasoning, and does not fully prevent the attack
described as CVE-2014-3636 part A, which is repeated below. Preventing
that attack requires raising the system dbus-daemon’s RLIMIT_NOFILE
(ulimit -n) to a higher value.

By queuing up the maximum allowed number of fds, a malicious sender
could reach the system dbus-daemon’s RLIMIT_NOFILE (ulimit -n,
typically 1024 on Linux). This would act as a denial of service in
two ways:

* new clients would be unable to connect to the dbus-daemon
* when receiving a subsequent message from a non-malicious client
that contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
indicating that the list of fds was truncated; kernel fd-passing APIs
do not provide any way to recover from that, so dbus-daemon responds
to MSG_CTRUNC by disconnecting the sender, causing denial of service
to that sender.

This update also resolves CVE-2014-7824, the identifier assigned to the
incomplete fix for CVE-2014-3636 described above.
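The advisory's own mitigation for part A is raising the system dbus-daemon's RLIMIT_NOFILE, so the first thing to know is how close the daemon already runs to that limit. The script below is an added example, not code from the advisory or from the D-Bus project: it parses the soft "Max open files" value out of /proc/<pid>/limits, counts the entries in /proc/<pid>/fd, and warns when fewer than an assumed 25% of descriptors are free. The pidof-based lookup of the system bus and the sample limits excerpt are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the advisory or the D-Bus project: report how
# much RLIMIT_NOFILE headroom the running system dbus-daemon has, since the
# part-A attack is only blunted by raising that limit. The 25% headroom
# threshold and the pidof-based lookup of the system bus are assumptions.

# Print the soft "Max open files" value from /proc/<pid>/limits text on stdin.
# Line layout is "Max open files <soft> <hard> files", so the soft value is field 4.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }'
}

# Succeed if (limit - used) is at least min_free_pct percent of limit.
fd_headroom_ok() {
    used=$1; limit=$2; min_free_pct=${3:-25}
    free=$(( limit - used ))
    [ $(( free * 100 )) -ge $(( limit * min_free_pct )) ]
}

# Inspect the live daemon. Reading /proc/<pid>/fd needs root or the daemon's uid.
check_dbus_daemon() {
    pid=$(pidof dbus-daemon | awk '{ print $1 }')   # first pid assumed to be the system bus
    [ -n "$pid" ] || { echo "dbus-daemon not running" >&2; return 2; }
    limit=$(nofile_soft_limit < "/proc/$pid/limits")
    used=$(ls "/proc/$pid/fd" | wc -l | tr -d ' ')
    echo "dbus-daemon pid=$pid open_fds=$used soft_limit=$limit"
    fd_headroom_ok "$used" "$limit" || {
        echo "WARNING: under 25% of fds free; raise RLIMIT_NOFILE for dbus-daemon" >&2
        return 1
    }
}

# Constructed /proc/<pid>/limits excerpt (not a real capture) so the parser can
# be tried on a machine without dbus-daemon:
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files'
printf '%s\n' "$SAMPLE_LIMITS" | nofile_soft_limit     # prints 1024
```

Run check_dbus_daemon as root, since /proc/<pid>/fd of a daemon running under its own user is not readable by other accounts. To raise the limit, set LimitNOFILE= in the systemd unit that starts dbus-daemon, or put a ulimit -n call in its init script before the daemon is started, then restart the bus and re-run the check.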

MDVSA-2014:211: wpa_supplicant

Updated wpa_supplicant packages fix a security vulnerability:

A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
for executing action scripts. An unsanitized string received from a
remote device can be passed to a system() call resulting in arbitrary
command execution under the privileges of the wpa_cli/hostapd_cli
process (which may be root in common use cases) (CVE-2014-3686).

Using the wpa_supplicant package, systems are exposed to the
vulnerability if operating as a WPS registrar.

MDVSA-2014:212: wget

Updated wget package fixes a security vulnerability:

Wget was susceptible to a symlink attack which could create arbitrary
files, directories or symbolic links and set their permissions when
retrieving a directory recursively through FTP (CVE-2014-4877).

The default settings in wget have been changed such that wget no longer
creates local symbolic links, but rather traverses them and retrieves
the pointed-to file in such a retrieval. The old behaviour can be
attained by passing the --retr-symlinks=no option to the wget command.
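Because the attack plants symlinks inside the retrieved tree (and --retr-symlinks=no re-enables that behaviour), it is worth auditing a mirror fetched with an unpatched wget before anything else reads it. The script below is an added example, not part of the advisory or of wget: it lists every symlink under a mirror root whose target resolves outside that root, and builds a small constructed tree (not real FTP content) to demonstrate the check. It assumes GNU find and readlink -f and does not handle paths containing newlines.

```sh
#!/bin/sh
# Added example, not from the advisory or from wget: audit a recursively
# retrieved directory for symlinks whose targets resolve outside the tree,
# which is what the CVE-2014-4877 attack plants. Assumes GNU find and
# readlink -f; paths containing newlines are not handled.

# Print "link -> target" for every symlink under $1 that resolves outside $1.
# A dangling link whose parent directory cannot be resolved is reported too.
escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f -- "$link") || target='(unresolvable)'
        case "$target" in
            "$root"|"$root"/*) ;;                      # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Succeed only if no symlink under $1 escapes it.
tree_is_clean() {
    [ -z "$(escaping_symlinks "$1")" ]
}

# Build a constructed mirror tree under $1 (not real FTP content): one harmless
# relative link, one link that climbs out with .., one absolute link.
build_sample_tree() {
    mkdir -p "$1/mirror/pub" "$1/outside"
    echo 'public file' > "$1/mirror/pub/README"
    echo 'not part of the mirror' > "$1/outside/secret"
    ln -s pub/README "$1/mirror/latest"              # inside: fine
    ln -s ../../outside/secret "$1/mirror/pub/leak"  # escapes via ..
    ln -s /etc/passwd "$1/mirror/pub/passwd"         # escapes via absolute path
}

# With a directory argument, audit it; with none, run against the sample tree.
if [ "$#" -gt 0 ]; then
    escaping_symlinks "$1"
else
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    escaping_symlinks "$tmp/mirror"      # lists pub/leak and pub/passwd
    rm -rf "$tmp"
fi
```

Any line it prints is a link whose target the FTP server chose; remove those before running anything that follows symlinks inside the mirror. With a fixed wget the same audit should print nothing, since symlinks are now traversed on the server side and the pointed-to file is retrieved instead.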

[ MDVSA-2014:212 ] wget

 Mandriva Linux Security Advisory                         MDVSA-2014:212
 http://www.mandriva.com/en/support/security/

 Package : wget
 Date    : October 29, 2014
 Affected: Business Server 1.0

[ MDVSA-2014:211 ] wpa_supplicant

 Mandriva Linux Security Advisory                         MDVSA-2014:211
 http://www.mandriva.com/en/support/security/

 Package : wpa_supplicant
 Date    : October 29, 2014
 Affected: Business Server 1.0

MDVSA-2014:210: mariadb

Multiple vulnerabilities have been discovered and corrected in mariadb:

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier
and 5.6.20 and earlier allows remote authenticated users to affect
availability via vectors related to SERVER:INNODB DML FOREIGN KEYS
(CVE-2014-6464).

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier
and 5.6.20 and earlier allows remote authenticated users to affect
availability via vectors related to SERVER:OPTIMIZER (CVE-2014-6469).

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier,
and 5.6.20 and earlier, allows remote authenticated users to affect
confidentiality, integrity, and availability via vectors related to
SERVER:DML (CVE-2014-6507).

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier
and 5.6.20 and earlier allows remote authenticated users to affect
confidentiality, integrity, and availability via vectors related to
SERVER:DML (CVE-2014-6555).

Unspecified vulnerability in Oracle MySQL Server 5.5.39 and
earlier, and 5.6.20 and earlier, allows remote attackers to affect
confidentiality via vectors related to C API SSL CERTIFICATE HANDLING
(CVE-2014-6559).

The updated packages have been upgraded to the 5.5.40 version which
is not vulnerable to these issues.

Additionally, MariaDB 5.5.40 removed the bundled copy of jemalloc from
the source tarball and only builds with jemalloc if a system copy of
the jemalloc library is detected during the build. This update therefore
also provides the jemalloc library packages that the build now requires.

[ MDVSA-2014:210 ] mariadb

 Mandriva Linux Security Advisory                         MDVSA-2014:210
 http://www.mandriva.com/en/support/security/

 Package : mariadb
 Date    : October 28, 2014
 Affected: Business Server 1.0

MDVSA-2014:205: lua

Updated lua and lua5.1 packages fix a security vulnerability:

A heap-based overflow vulnerability was found in the way Lua handles
varargs functions with many fixed parameters called with few arguments,
leading to application crashes or, potentially, arbitrary code
execution (CVE-2014-5461).