Category Archives: Mandriva

Mandriva Security Advisory

[ MDVSA-2014:186 ] bash

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:186
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : bash
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A flaw was found in the way Bash evaluated certain specially crafted
 environment variables. An attacker could use this flaw to override or
 bypass environment restrictions to execute shell commands. Certain
 services and applications allow remote unauthenticated attackers to
 provide environment variables, allowing them to exploit this issue
 (CVE-2014-6271).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
 https://rhn.redhat.co

[ MDVSA-2014:185 ] libgadu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:185
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libgadu
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libgadu packages fix security vulnerability:
 
 Libgadu before 1.12.0 was found to not be performing SSL certificate
 validation (CVE-2013-4488).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4488
 http://advisories.mageia.org/MGASA-2014-0375.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 de3454fe7c663ecd08d4e1eeb2638776  mbs1/x86_64/

[ MDVSA-2014:184 ] net-snmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:184
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : net-snmp
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated net-snmp packages fix security vulnerabilities:
 
 A remote denial-of-service flaw was found in the way snmptrapd handled
 certain SNMP traps when started with the -OQ option. If an attacker
 sent an SNMP trap containing a variable with a NULL type where an
 integer variable type was expected, it would cause snmptrapd to crash
 (CVE-2014-3565).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565
 http://advisories.mageia.

[ MDVSA-2014:183 ] phpmyadmin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:183
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : phpmyadmin
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated phpmyadmin package fixes security vulnerability:
 
 In phpMyAdmin before 4.2.9, by deceiving a logged-in user into
 clicking on a crafted URL, it is possible to perform remote code
 execution and, in some cases, create a root account due to a DOM
 based XSS vulnerability in the micro history feature (CVE-2014-6300).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300
 http://advisories.mageia.org/MGASA-2014-0383.html
 _______

[ MDVSA-2014:182 ] zarafa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:182
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : zarafa
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated zarafa packages fix security vulnerabilities:
 
 Robert Scheck reported that Zarafa's WebAccess stored session
 information, including login credentials, on-disk in PHP session
 files. This session file would contain a user's username and password
 to the Zarafa IMAP server (CVE-2014-0103).
 
 Robert Scheck discovered that the Zarafa Collaboration Platform has
 multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
 CVE-2014-5449, CVE-2014-5450).
 _______________________________________________

[ MDVSA-2014:181 ] dump

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:181
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : dump
 Date    : September 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated dump packages fix security vulnerability:
 
 An integer overflow in liblzo before 2.07 allows attackers to cause
 a denial of service or possibly code execution in applications
 performing LZO decompression on a compressed payload from the attacker
 (CVE-2014-4607).
 
 The dump package is built with a bundled copy of minilzo, which is
 a part of liblzo containing the vulnerable code.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?nam

[ MDVA-2014:014 ] mediawiki

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Advisory                                   MDVA-2014:014
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : mediawiki
 Date    : September 22, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 This update provides MediaWiki 1.23.3, which fixes several bugs.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGAA-2014-0170.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 a4c54a101474c76abb19b62aa49dc12d  mbs1/x86_64/mediawiki-1.23.3-1.mbs1.noarch.rpm
 876aa46509eca08888392ea248a669ef  mbs1/x86_64/mediawiki-mysql-1.23.3-1.mbs1.noarch.rpm
 2418d49bba28fe6dd1b57805e

[ MDVSA-2014:180 ] gnupg

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:180
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : gnupg
 Date    : September 22, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated gnupg packages fix security vulnerability:
 
 The gnupg program before version 1.4.16 is vulnerable to an ELGAMAL
 side-channel attack (CVE-2014-5270).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270
 http://advisories.mageia.org/MGASA-2014-0381.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 9181a3cd9d0ddb0ef93bf14cc11b2d99  mbs1/x86