Updated cpio package fixes security vulnerability:

Heap-based buffer overflow in the process_copy_in function in GNU
Cpio 2.11 allows remote attackers to cause a denial of service via
a large block value in a cpio archive (CVE-2014-9112).

Additionally, a null pointer dereference in the copyin_link function
which could cause a denial of service has also been fixed.

Updated qemu packages fix security vulnerabilities:

During migration, the values read from migration stream during ram load
are not validated. Especially offset in host_from_stream_offset() and
also the length of the writes in the callers of the said function. A
user able to alter the savevm data (either on the disk or over the
wire during migration) could use either of these flaws to corrupt QEMU
process memory on the (destination) host, which could potentially
result in arbitrary code execution on the host with the privileges
of the QEMU process (CVE-2014-7840).

Paolo Bonzini of Red Hat discovered that the blit region checks were
insufficient in the Cirrus VGA emulator in qemu. A privileged guest
user could use this flaw to write into qemu address space on the host,
potentially escalating their privileges to those of the qemu host
process (CVE-2014-8106).

Updated graphviz packages fix security vulnerability:

Format string vulnerability in the yyerror function in
lib/cgraph/scan.l in Graphviz allows remote attackers to have
unspecified impact via format string specifiers in unknown vector,
which are not properly handled in an error string (CVE-2014-9157).

Updated jasper packages fix security vulnerability:

Josh Duart of the Google Security Team discovered heap-based buffer
overflow flaws in JasPer, which could lead to denial of service
(application crash) or the execution of arbitrary code (CVE-2014-9029).

Updated openvpn packages fix security vulnerability:

Dragana Damjanovic discovered that OpenVPN incorrectly handled certain
control channel packets. An authenticated attacker could use this
issue to cause an OpenVPN server to crash, resulting in a denial of
service (CVE-2014-8104).

The openvpn packages has been updated to the 2.3.2 version and patched
to correct this issue.

Updated mutt packages fix security vulnerability:

A flaw was discovered in mutt. A specially crafted mail header
could cause mutt to crash, leading to a denial of service condition
(CVE-2014-9116).

The mutt package has been updated to version 1.5.23 and patched to
fix this issue.

Multiple vulnerabilities has been found and corrected in openafs:

Buffer overflow in certain client utilities in OpenAFS before 1.6.2
allows remote authenticated users to cause a denial of service (crash)
and possibly execute arbitrary code via a long fileserver ACL entry
(CVE-2013-1794).

Integer overflow in ptserver in OpenAFS before 1.6.2 allows remote
attackers to cause a denial of service (crash) via a large list
from the IdToName RPC, which triggers a heap-based buffer overflow
(CVE-2013-1795).

OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26
uses weak encryption (DES) for Kerberos keys, which makes it easier
for remote attackers to obtain the service key (CVE-2013-4134).

The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt
option, only enables integrity protection and sends data in cleartext,
which allows remote attackers to obtain sensitive information by
sniffing the network (CVE-2013-4135).

Buffer overflow in the GetStatistics64 remote procedure call (RPC) in
OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial
of service (crash) via a crafted statsVersion argument (CVE-2014-0159).

A denial of service flaw was found in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by
an application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior
(CVE-2014-3660).

The updated packages have been upgraded to the 1.4.15 version and
patched to correct these issues.

Multiple vulnerabilities has been discovered and corrected in
phpmyadmin:

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x
before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to
cause a denial of service (resource consumption) via a long password
(CVE-2014-9218).

Cross-site scripting (XSS) vulnerability in the redirection feature in
url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers
to inject arbitrary web script or HTML via the url parameter
(CVE-2014-9219).

This upgrade provides the latest phpmyadmin version (4.2.13.1) to
address these vulnerabilities.

Updated yaml and perl-YAML-LibYAML packages fix security vulnerability:

An assertion failure was found in the way the libyaml library parsed
wrapped strings. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash
(CVE-2014-9130).

The perl-YAML-LibYAML package is also affected, as it was derived
from the same code. Both have been patched to fix this issue.

Updated mediawiki packages fix security vulnerabilies:

In MediaWiki before 1.23.7, a missing CSRF check could allow reflected
XSS on wikis that allow raw HTML (CVE-2014-9276).

MediaWiki’s mangling, in MediaWiki before 1.23.7, could
allow an article editor to inject code into API consumers that
blindly unserialize PHP representations of the page from the API
(CVE-2014-9277).

This update provides MediaWiki 1.23.7, which fixes these security
issues and other bugs.