Mandriva Security Advisory
This is a maintenance and bugfix release that upgrades php to the
latest 5.5.17 version which resolves various upstream bugs in php.
Additionally, the php-timezonedb packages has been upgraded to the
latest 2014.7 version, the php-suhosin packages has been upgraded to
the latest 0.9.36 version which has better support for php-5.5 and
the PECL packages which requires so has been rebuilt for php-5.5.17.
This is a maintenance and bugfix release that upgrades the timezone
data packages to the 2014g version.
Updated dump packages fix security vulnerability:
An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications using
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
The dump package is built with a bundled copy of minilzo, which is
a part of liblzo containing the vulnerable code.
Updated perl-Email-Address package fixes security vulnerability:
The parse function in Email::Address module before 1.905 for Perl
uses an inefficient regular expression, which allows remote attackers
to cause a denial of service (CPU consumption) via an empty quoted
string in an RFC 2822 address (CVE-2014-0477).
The Email::Address module before 1.904 for Perl uses an inefficient
regular expression, which allows remote attackers to cause a denial
of service (CPU consumption) via vectors related to backtracking into
the phrase (CVE-2014-4720).
Updated zarafa packages fix security vulnerabilities:
Robert Scheck reported that Zarafa’s WebAccess stored session
information, including login credentials, on-disk in PHP session
files. This session file would contain a user’s username and password
to the Zarafa IMAP server (CVE-2014-0103).
Robert Scheck discovered that the Zarafa Collaboration Platform has
multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
CVE-2014-5449, CVE-2014-5450).
A vulnerability has been discovered and corrected in phpmyadmin:
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages (CVE-2014-7217).
This upgrade provides the latest phpmyadmin version (4.2.9.1) to
address this vulnerability.
Multiple vulnerabilities has been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).
The updated libvirt packages have been upgraded to the 1.1.3.6 version
and patched to resolve these security flaws.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Advisory MDVA-2014:018 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : timezone Date : October 3, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: This is a maintenance and bugfix release that upgrades the timezone data packages to the 2014g version. _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 0a1bda6ed3fb936cd1ce76528cce8e52 mbs1/x86_64/timezone-2014g-1.mbs1.x86_64.rpm cdca8c5afa60b40bbe08d3b939880722 mbs1/x86_64/timezone-java-2014g-1.mbs1.x86_64.rpm 87f855e977ac8cbb448a18ef4ffb1ab3 mbs1/SRPMS/timezone-2014g-1.mbs1.src.rpm _______________________________________________________
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:195 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : libvirt Date : October 3, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been discovered and corrected in libvirt: An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune() function looked up the disk index in a non-persistent (live) disk configuration while a persistent disk configuration was being indexed. A remote attacker able to establish a read-only connection to libvirtd could use this flaw to crash libvirtd or, potentially, leak memory from the libvirtd process (CVE-2014-3633). A denial of service flaw was found in the wa
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:194 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : phpmyadmin Date : October 3, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: A vulnerability has been discovered and corrected in phpmyadmin: With a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages (CVE-2014-7217). This upgrade provides the latest phpmyadmin version (4.2.9.1) to address this vulnerability. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217 http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php _________________________________