Category Archives: Mandriva

Mandriva Security Advisory

MDVSA-2015:204: librsync

Updated librsync packages fix security vulnerability:

librsync before 1.0.0 used a truncated MD4 strong checksum to match
blocks. However, MD4 is not cryptographically strong. It’s possible
that an attacker who can control the contents of one part of a file
could use it to control other regions of the file, if it’s transferred
using librsync/rdiff (CVE-2014-8242).

The change to fix this is not backward compatible with older versions
of librsync. Backward compatibility can be obtained using the new
rdiff sig --hash=md4 option or through specifying the signature magic
in the API, but this should not be used when either the old or new
file contains untrusted data.

Also, any applications that use the librsync library will need to
be recompiled against the updated library. The rdiff-backup packages
have been rebuilt for this reason.

MDVSA-2015:205: tor

Updated tor packages fix security vulnerabilities:

disgleirio discovered that a malicious client could trigger an
assertion failure in a Tor instance providing a hidden service,
thus rendering the service inaccessible (CVE-2015-2928).

DonnchaC discovered that Tor clients would crash with an assertion
failure upon parsing specially crafted hidden service descriptors
(CVE-2015-2929).

Introduction points would accept multiple INTRODUCE1 cells on one
circuit, making it inexpensive for an attacker to overload a hidden
service with introductions. Introduction points now no longer allow
multiple cells of that type on the same circuit.

The tor package has been updated to version 0.2.4.27, fixing these
issues.

MDVSA-2015:206: asterisk

Updated asterisk packages fix security vulnerability:

When Asterisk registers to a SIP TLS device and verifies the
server, Asterisk will accept signed certificates that match a common
name other than the one Asterisk is expecting if the signed certificate
has a common name containing a null byte after the portion of the
common name that Asterisk expected (CVE-2015-3008).

MDVSA-2015:207: perl-Module-Signature

Updated perl-Module-Signature package fixes the following security
vulnerabilities reported by John Lightsey:

Module::Signature could be tricked into interpreting the unsigned
portion of a SIGNATURE file as the signed portion due to faulty
parsing of the PGP signature boundaries.

When verifying the contents of a CPAN module, Module::Signature
ignored some files in the extracted tarball that were not listed in
the signature file. This included some files in the t/ directory that
would execute automatically during make test.

When generating checksums from the signed manifest, Module::Signature
used two argument open() calls to read the files. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would
execute during the signature verification process.

Several modules were loaded at runtime inside the extracted module
directory. Modules like Text::Diff are not guaranteed to be available
on all platforms and could be added to a malicious module so that
they would load from the ‘.’ path in @INC.

[ MDVSA-2015:212 ] java-1.7.0-openjdk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:
 
 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).
 
 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 cou

[ MDVSA-2015:211 ] glusterfs


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:211
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : glusterfs
 Date    : April 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated glusterfs packages fix security vulnerability:
 
 glusterfs was vulnerable to a fragment header infinite loop denial
 of service attack (CVE-2014-3619).
 
 Also, the glusterfsd SysV init script was failing to properly start
 the service.  This was fixed by replacing it with systemd unit files
 for the service that work properly (mga#14049).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3619
 http://advisories.mageia.org/MGA

[ MDVSA-2015:210 ] qemu


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:210
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : qemu
 Date    : April 27, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated qemu packages fix security vulnerabilities:
 
 A denial of service flaw was found in the way QEMU handled malformed
 Physical Region Descriptor Table (PRDT) data sent to the host's IDE
 and/or AHCI controller emulation. A privileged guest user could use
 this flaw to crash the system (rhbz#1204919).
 
 It was found that the QEMU's websocket frame decoder processed incoming
 frames without limiting resources used to process the header and the
 payload. An attacker able to access a guest's V

[ MDVSA-2015:209 ] php


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:209
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : April 27, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated php packages fix security vulnerabilities:
 
 Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783).
 
 Buffer Overflow when parsing tar/zip/phar in phar_set_inode
 (CVE-2015-3329).
 
 Potential remote code execution with apache 2.4 apache2handler
 (CVE-2015-3330).
 
 PHP has been updated to version 5.5.24, which fixes these issues and
 other bugs.
 
 Additionally, the timezonedb package has been upgraded to the latest
 version and the PECL packages that require it have been rebuilt
 for php-

[ MDVSA-2015:208 ] setup


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:208
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : setup
 Date    : April 27, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated setup package fixes security vulnerability:
 
 An issue has been identified in Mandriva Business Server 2's setup
 package where the /etc/shadow and /etc/gshadow files containing
 password hashes were created with incorrect permissions, making them
 world-readable (mga#14516).
 
 This update fixes this issue by enforcing that those files are owned
 by the root user and shadow group, and are only readable by those
 two entities.
 
 Note that this issue only affected new Mandriva Business Server
 2 installations.  System

[ MDVSA-2015:207 ] perl-Module-Signature


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:207
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Module-Signature
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-Module-Signature package fixes the following security
 vulnerabilities reported by John Lightsey:
 
 Module::Signature could be tricked into interpreting the unsigned
 portion of a SIGNATURE file as the signed portion due to faulty
 parsing of the PGP signature boundaries.
 
 When verifying the contents of a CPAN module, Module::Signature
 ignored some files in the extracted tarball that were not listed in
 the signature file. This included some files in the t/ directory that
 would execute automaticall