Mandriva Linux Security Advisory 2014-243 – Multiple vulnerabilities has been discovered and corrected in libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service via a long password. Cross-site scripting vulnerability in the redirection feature in url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter. This upgrade provides the latest phpmyadmin version to address these vulnerabilities.

Mandriva Linux Security Advisory 2014-239 – In libFLAC before 1.3.1, a stack overflow. and a heap overflow. which may result in arbitrary code execution, can be triggered by passing a maliciously crafted.flac file to the libFLAC decoder.

Mandriva Linux Security Advisory 2014-242 – An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. The perl-YAML-LibYAML package is also affected, as it was derived from the same code. Both have been patched to fix this issue.

Gentoo Linux Security Advisory 201412-30 – Multiple vulnerabilities have been found in Varnish, the worst of which could allow a remote attacker to create a Denial of Service condition. Versions less than 3.0.5 are affected.

Mandriva Linux Security Advisory 2014-250 – Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. Additionally, a null pointer dereference in the copyin_link function which could cause a denial of service has also been fixed.

Mandriva Linux Security Advisory 2014-251 – It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. It was found that RPM could encounter an integer overflow, leading to a stack-based buffer overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.

Mandriva Linux Security Advisory 2014-245 – A flaw was discovered in mutt. A specially crafted mail header could cause mutt to crash, leading to a denial of service condition. The mutt package has been updated to version 1.5.23 and patched to fix this issue.

Mandriva Linux Security Advisory 2014-244 – Buffer overflow in certain client utilities in OpenAFS before 1.6.2 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a long fileserver ACL entry. Integer overflow in ptserver in OpenAFS before 1.6.2 allows remote attackers to cause a denial of service via a large list from the IdToName RPC, which triggers a heap-based buffer overflow. OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26 uses weak encryption for Kerberos keys, which makes it easier for remote attackers to obtain the service key. The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt option, only enables integrity protection and sends data in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network. Buffer overflow in the GetStatistics64 remote procedure call in OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial of service via a crafted statsVersion argument. A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior. The updated packages have been upgraded to the 1.4.15 version and patched to correct these issues.

Gentoo Linux Security Advisory 201412-12 – Multiple vulnerabilities have been found in D-Bus, possibly resulting in local Denial of Service. Versions less than 1.8.10 are affected.

Mandriva Linux Security Advisory 2014-247 – Josh Duart of the Google Security Team discovered heap-based buffer overflow flaws in JasPer, which could lead to denial of service or the execution of arbitrary code.