Mandriva Linux Security Advisory 2014-179 – Updated python-django packages fix security vulnerabilities. These releases address an issue with reverse() generating external URLs, a denial of service involving file uploads, a potential session hijacking issue in the remote-user middleware, and a data leak in the administrative interface.
Mandriva Linux Security Advisory 2014-175
Mandriva Linux Security Advisory 2014-175 – When converting IBM930 code with iconv(), if IBM930 code which includes invalid multibyte character 0xffff is specified, then iconv() segfaults. Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library allows context-dependent attackers to cause a denial of service or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. Crashes were reported in the IBM code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364). The updated packages have been patched to correct these issues.
Mandriva Linux Security Advisory 2014-176
Mandriva Linux Security Advisory 2014-176 – The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL side-channel attack.
Mandriva Linux Security Advisory 2014-177
Mandriva Linux Security Advisory 2014-177 – Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing. A remote attacker could send crafted Range requests to cause a denial of service.
Mandriva Linux Security Advisory 2014-178
Mandriva Linux Security Advisory 2014-178 – A vulnerability in ppp before 2.4.7 may enable an unprivileged attacker to access privileged options.
Debian Security Advisory 3019-1
Debian Linux Security Advisory 3019-1 – Boris ‘pi’ Piwinger and Tavis Ormandy reported a heap overflow vulnerability in procmail’s formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss, or possibly execute arbitrary code.
OpenSSL Publishes its Security Policy
The OpenSSL Project yesterday for the first time made the OpenSSL security policy public.
WatchGuard Technologies' New Policy Map Provides 'X-Ray' Vision Into Firewall Configurations and Network Traffic
Israeli Think-Tank Site Serves Sweet Orange Exploit
Drive-by malware downloads have been spotted on the website of a prominent Israeli think-tank, the Jerusalem Center for Public Affairs. The attacks seem to target bank credentials.
‘Kyle and Stan’ Malvertising Network Targets Windows and Mac Users
A malvertising network that has been operating since at least May has been able to place malicious ads on a number of high-profile sites, including Amazon and YouTube, and serves a unique piece of malware to each victim. The network, dubbed Kyle and Stan by the Cisco researchers who analyzed its activities and reach, comprises […]