Updated libtasn1 packages fix security vulnerability:
A malformed certificate input could cause a heap overflow read in the
DER decoding functions of Libtasn1. The heap overflow happens in the
function _asn1_extract_der_octet() (CVE-2015-3622).
Mandriva Security Advisory
Mandriva Linux Security Advisory MDVSA-2015:232
http://www.mandriva.com/en/support/security/

Package : libtasn1
Date : May 8, 2015
Affected: Business Server 1.0, Business Server 2.0

Problem Description:

Updated libtasn1 packages fix security vulnerability:

A malformed certificate input could cause a heap overflow read in the
DER decoding functions of Libtasn1. The heap overflow happens in the
function _asn1_extract_der_octet() (CVE-2015-3622).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://advisories.mageia.org/MGASA-2015-0200.html
Updated perl-XML-LibXML package fixes security vulnerability:
Tilmann Haak from xing.com discovered that XML::LibXML did not respect
the expand_entities parameter to disable processing of external
entities in some circumstances. This may allow attackers to gain
read access to otherwise protected resources, depending on how the
library is used (CVE-2015-3451).
Mandriva Linux Security Advisory MDVSA-2015:231
http://www.mandriva.com/en/support/security/

Package : perl-XML-LibXML
Date : May 7, 2015
Affected: Business Server 1.0, Business Server 2.0

Problem Description:

Updated perl-XML-LibXML package fixes security vulnerability:

Tilmann Haak from xing.com discovered that XML::LibXML did not respect
the expand_entities parameter to disable processing of external
entities in some circumstances. This may allow attackers to gain
read access to otherwise protected resources, depending on how the
library is used (CVE-2015-3451).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
Updated squid packages fix security vulnerability:
Squid configured with client-first SSL-bump does not correctly validate
X509 server certificate domain / hostname fields (CVE-2015-3455).
Updated nodejs package fixes security vulnerability:
It was found that libuv does not call setgroups before calling
setuid/setgid. This may potentially allow an attacker to gain elevated
privileges (CVE-2015-0278).
The libuv library is bundled with nodejs, and a fixed version of
libuv is included with nodejs as of version 0.10.37. The nodejs
package has been updated to version 0.10.38 to fix this issue, as
well as several other bugs.
Updated net-snmp packages fix security vulnerability:
It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables. A
remote, unauthenticated attacker could exploit this flaw to cause a
crash or, potentially, execute arbitrary code.
Mandriva Linux Security Advisory MDVSA-2015:230
http://www.mandriva.com/en/support/security/

Package : squid
Date : May 6, 2015
Affected: Business Server 2.0

Problem Description:

Updated squid packages fix security vulnerability:

Squid configured with client-first SSL-bump does not correctly validate
X509 server certificate domain / hostname fields (CVE-2015-3455).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455
http://advisories.mageia.org/MGASA-2015-0191.html

Updated Packages:

Mandriva Business Server 2/X86_64: 1b42519307a1a965
Mandriva Linux Security Advisory MDVSA-2015:229
http://www.mandriva.com/en/support/security/

Package : net-snmp
Date : May 6, 2015
Affected: Business Server 1.0, Business Server 2.0

Problem Description:

Updated net-snmp packages fix security vulnerability:

It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables. A
remote, unauthenticated attacker could exploit this flaw to cause a
crash or, potentially, execute arbitrary code.

References:

http://advisories.mageia.org/MGASA-2015-0187.html
Mandriva Linux Security Advisory MDVSA-2015:228
http://www.mandriva.com/en/support/security/

Package : nodejs
Date : May 6, 2015
Affected: Business Server 2.0

Problem Description:

Updated nodejs package fixes security vulnerability:

It was found that libuv does not call setgroups before calling
setuid/setgid. This may potentially allow an attacker to gain elevated
privileges (CVE-2015-0278).

The libuv library is bundled with nodejs, and a fixed version of
libuv is included with nodejs as of version 0.10.37. The nodejs
package has been updated to version 0.10.38 to fix this issue, as
well as several other bugs.

References:

h