Category Archives: Mandriva

Mandriva Security Advisory

[ MDVSA-2015:216 ] ntop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:216
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ntop
 Date    : April 29, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated ntop package fixes security vulnerability:
 
 Lack of filtering in the title parameter of links to rrdPlugin allowed
 cross-site-scripting (XSS) attacks against users of the web interface
 (CVE-2014-4165).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4165
 http://advisories.mageia.org/MGASA-2015-0168.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X8

[ MDVSA-2015:215 ] t1utils

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:215
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : t1utils
 Date    : April 29, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated t1utils package fixes security vulnerabilities:
 
 The t1utils package has been updated to version 1.39, which fixes a
 buffer overrun, infinite loop, and stack overflow in t1disasm.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2015-0167.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 e6ffae2c3a23340e29900e0c61d48217  mbs1/x86_64/t1utils-1.39-1.mbs1.x86_64.r

[ MDVSA-2015:214 ] libksba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:214
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libksba
 Date    : April 29, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated libksba packages fix security vulnerabilities:
 
 The libksba package has been updated to version 1.3.3, which fixes
 an integer overflow in the DN decoder and a couple of other minor bugs.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2015-0166.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 abe289a7af246825d6221094e5178908  mbs1/x86_64/

[ MDVSA-2015:213 ] lftp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:213
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : lftp
 Date    : April 29, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated lftp packages fix security vulnerability:
 
 lftp incorrectly validates wildcard SSL certificates containing literal
 IP addresses, so under certain conditions, it would allow and use a
 wildcard match specified in the CN field, allowing a malicious server
 to participate in a MITM attack or just fool users into believing
 that it is a legitimate site (CVE-2014-0139).
 
 lftp was affected by this issue as it uses code from cURL for checking
 SSL certificates.  The curl package was fixed in MDVSA-2015:098.
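The following is an added example, not code from the advisory, lftp, or cURL. It models in Python the validation rule the advisory describes: a wildcard name in a certificate must never be allowed to match a host that is an IP literal. The function `match_pattern_legacy` is an assumed, simplified model of the pre-fix behaviour (not cURL's actual code), shown only to contrast with the hardened `match_pattern`; the certificate dictionary is a constructed stand-in for a parsed X.509 certificate.

```python
import ipaddress


def _is_ip_literal(host):
    """True if `host` is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _normalise(name):
    # Certificate names and hostnames compare case-insensitively;
    # a trailing dot (absolute name) is not significant.
    return name.lower().rstrip(".")


def match_pattern_legacy(pattern, host):
    """Assumed model of the pre-fix behaviour: '*' in the leftmost label
    matches any leftmost label, with no check on what kind of host this is.
    '*.0.2.1' therefore matches the IP literal 192.0.2.1."""
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host
    labels, host_labels = pattern.split("."), host.split(".")
    return (labels[0] == "*"
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:])


def match_pattern(pattern, host):
    """Hardened matcher: a wildcard never matches an IP literal, must be the
    whole leftmost label, and must leave at least two fixed labels."""
    pattern, host = _normalise(pattern), _normalise(host)
    if "*" not in pattern:
        return pattern == host          # exact match only, no wildcard
    if _is_ip_literal(host):
        return False                    # the fix: no wildcard vs. IP literal
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False                    # reject '*', 'w*.example.com', '*.com'
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_cert_host(cert, host):
    """cert is a constructed dict: {'subject_cn': str,
    'san': [('DNS', name) | ('IP', addr), ...]}. If any SAN entries exist,
    the CN is ignored; an IP host only matches an iPAddress SAN."""
    sans = cert.get("san", [])
    if sans:
        if _is_ip_literal(host):
            want = ipaddress.ip_address(host.strip("[]"))
            return any(kind == "IP" and ipaddress.ip_address(val) == want
                       for kind, val in sans)
        return any(kind == "DNS" and match_pattern(val, host)
                   for kind, val in sans)
    return match_pattern(cert.get("subject_cn", ""), host)


if __name__ == "__main__":
    # Constructed certificate with a wildcard CN shaped like an IP address.
    cert = {"subject_cn": "*.0.2.1"}
    print("legacy :", match_pattern_legacy(cert["subject_cn"], "192.0.2.1"))
    print("fixed  :", verify_cert_host(cert, "192.0.2.1"))
```

The contrast is in the `_is_ip_literal` branch: once the client knows it connected to an address rather than a name, only an exact iPAddress SAN (or, lacking SANs, an exact CN string) can satisfy the check.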
 __________________

MDVSA-2015:211: glusterfs

Updated glusterfs packages fix security vulnerability:

glusterfs was vulnerable to a fragment header infinite loop denial
of service attack (CVE-2014-3619).

Also, the glusterfsd SysV init script was failing to properly start
the service. This was fixed by replacing it with systemd unit files
for the service that work properly (mga#14049).

MDVSA-2015:212: java-1.7.0-openjdk

Updated java-1.7.0 packages fix security vulnerabilities:

An off-by-one flaw, leading to a buffer overflow, was found in the
font parsing code in the 2D component in OpenJDK. A specially crafted
font file could possibly cause the Java Virtual Machine to execute
arbitrary code, allowing an untrusted Java application or applet to
bypass Java sandbox restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK
handled phantom references. An untrusted Java application or applet
could use this flaw to corrupt the Java Virtual Machine memory and,
possibly, execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE
to raise an exception, possibly causing an application using JSSE to
exit unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar
to overwrite arbitrary files writable by the user running jar when
the archive was extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in
OpenJDK did not follow recommended practices for implementing RSA
signatures (CVE-2015-0478).

MDVSA-2015:208: setup

Updated setup package fixes security vulnerability:

An issue has been identified in Mandriva Business Server 2’s setup
package where the /etc/shadow and /etc/gshadow files containing
password hashes were created with incorrect permissions, making them
world-readable (mga#14516).

This update fixes this issue by enforcing that those files are owned
by the root user and shadow group, and are only readable by those
two entities.

Note that this issue only affected new Mandriva Business Server
2 installations. Systems that were updated from previous Mandriva
versions were not affected.

This update was already issued as MDVSA-2015:184, but that advisory was
withdrawn because it generated .rpmnew files for critical configuration
files, and rpmdrake might propose that the user replace the originals
with those essentially empty files, leading to loss of passwords or of
the partition table. This new update ensures that such .rpmnew files
are not kept after the update.

MDVSA-2015:209: php

Updated php packages fix security vulnerabilities:

Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783).

Buffer Overflow when parsing tar/zip/phar in phar_set_inode
(CVE-2015-3329).

Potential remote code execution with apache 2.4 apache2handler
(CVE-2015-3330).

PHP has been updated to version 5.5.24, which fixes these issues and
other bugs.

Additionally, the timezonedb package has been upgraded to the latest
version, and the PECL packages that require it have been rebuilt
for php-5.5.24.

MDVSA-2015:210: qemu

Updated qemu packages fix security vulnerabilities:

A denial of service flaw was found in the way QEMU handled malformed
Physical Region Descriptor Table (PRDT) data sent to the host’s IDE
and/or AHCI controller emulation. A privileged guest user could use
this flaw to crash the system (rhbz#1204919).

It was found that the QEMU’s websocket frame decoder processed incoming
frames without limiting resources used to process the header and the
payload. An attacker able to access a guest’s VNC console could use
this flaw to trigger a denial of service on the host by exhausting
all available memory and CPU (CVE-2015-1779).