-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Advisory MDVA-2014:017
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : python-django
Date : October 1, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A regression with the MDVSA-2014:179 advisory was discovered. This advisory solves the problem by adding the missing get_random_string function.
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
0766538572edf71d8c3f2908a465e047 mbs1/x86_64/python-django-1.3.7-1.6.mbs1.noarch.rpm
48b0d60ba0bbdba4e2a01559420e508c mbs1/SRPMS/python-django-1.3.7-1.6.mbs1.src.rpm
_______________________________________________________________________

To up
Category Archives: Mandriva
Mandriva Security Advisory
[ MDVSA-2014:193 ] xerces-j2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:193
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : xerces-j2
Date : October 1, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU (CVE-2013-4002).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
https://rhn.redhat.com/errata/RHSA-2014-1319.
[ MDVSA-2014:192 ] perl-Email-Address
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:192
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : perl-Email-Address
Date : October 1, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated perl-Email-Address package fixes security vulnerability:

The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address (CVE-2014-0477).

The Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to backtrack
[ MDVA-2014:016 ] java-1.7.0-openjdk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Advisory MDVA-2014:016
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : java-1.7.0-openjdk
Date : September 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated java-1.7.0-openjdk packages fix an upstream regression:

This update provides IcedTea 2.5.2, which fixes several bugs, most notably regressions in the previous release which broke Groovy and several other Java tools and applications.
_______________________________________________________________________

References:

http://blog.fuseyism.com/index.php/2014/09/02/icedtea-2-5-2-released-back-in-the-groovy/
http://advisories.mageia.org/MGAA-2014-0172.html
_____________________________________________
[ MDVSA-2014:191 ] perl-XML-DT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:191
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : perl-XML-DT
Date : September 29, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated perl-XML-DT package fixes security vulnerability:

The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file (CVE-2014-5260).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5260
http://advisories.mageia.org/MGASA-2014-0390.html
_______________________________________________________________________

Updated P
[ MDVSA-2014:190 ] bash
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:190
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : bash
Date : September 26, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue (CVE-2014-7169).

Additionally bash has been updated from patch level 37 to 48
[ MDVA-2014:015 ] php
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Advisory MDVA-2014:015
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : php
Date : September 25, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

This is a maintenance and bugfix release that upgrades php to the latest 5.5.17 version, which resolves various upstream bugs in php.

Additionally, the php-timezonedb packages have been upgraded to the latest 2014.7 version, the php-suhosin packages have been upgraded to the latest 0.9.36 version, which has better support for php-5.5, and the PECL packages that require it have been rebuilt for php-5.5.17.
_______________________________________________________________________

References:

http://php.net/ChangeLog-5.php#5.5
[ MDVSA-2014:189 ] nss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:189
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nss
Date : September 25, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in Mozilla NSS:

Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates (CVE-2014-1568).

The updated NSPR packages h
[ MDVSA-2014:188 ] wireshark
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:188
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : wireshark
Date : September 25, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated wireshark packages fix security vulnerabilities:

RTP dissector crash (CVE-2014-6421, CVE-2014-6422).
MEGACO dissector infinite loop (CVE-2014-6423).
Netflow dissector crash (CVE-2014-6424).
RTSP dissector crash (CVE-2014-6427).
SES dissector crash (CVE-2014-6428).
Sniffer file parser crash (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6421
[ MDVSA-2014:187 ] curl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:187
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : curl
Date : September 25, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cook