Category Archives: Mandriva

Mandriva Security Advisory

[ MDVSA-2015:192 ] subversion

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:192
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : subversion
 Date    : April 3, 2015
 Affected: Business Server 1.0, Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 subversion:
 
 Subversion HTTP servers with FSFS repositories are vulnerable to a
 remotely triggerable excessive memory use with certain REPORT requests
 (CVE-2015-0202).
 
 Subversion mod_dav_svn and svnserve are vulnerable to a remotely
 triggerable assertion DoS vulnerability for certain requests with
 dynamically evaluated revision numbers (CVE-2015-0248).
 
 Subversion HTTP servers allow spoofing svn:author property values
 for new revisio

[ MDVA-2015:006 ] nss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Advisory                                   MDVA-2015:006
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : nss
 Date    : April 3, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 This is a maintenance and bugfix release that upgrades NSS to the
 latest 3.18 version which resolves various upstream bugs.
 
 Additionally the rootcerts package has also been updated to the
 latest version as of 2015-03-26, which adds, removes, and distrusts
 several certificates.
 _______________________________________________________________________

 References:

 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
 _______________________________________________________________________

 Updated

[ MDVA-2015:005 ] nss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Advisory                                   MDVA-2015:005
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : nss
 Date    : April 3, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 This is a maintenance and bugfix release that upgrades NSS to the
 latest 3.18 version and NSPR to the latest 4.10.8 version which
 resolves various upstream bugs.
 
 Additionally the rootcerts package has also been updated to the
 latest version as of 2015-03-26, which adds, removes, and distrusts
 several certificates.
 _______________________________________________________________________

 References:

 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.4_release_notes
 https://developer.mozilla.org/en-US/docs

MDVSA-2015:191: owncloud

Multiple vulnerabilities have been discovered and corrected in owncloud:

* Multiple stored XSS in contacts application (oC-SA-2015-001)

* Multiple stored XSS in documents application (oC-SA-2015-002)

* Bypass of file blacklist (oC-SA-2015-004)

The updated packages have been upgraded to the 7.0.5 version where
these security flaws have been fixed.

MDVSA-2015:190: owncloud

Multiple vulnerabilities have been discovered and corrected in owncloud:

* Login bypass when using user_ldap due to unauthenticated binds
(oC-SA-2014-020)

* Login bypass when using the external FTP user backend
(oC-SA-2014-022)

* CSRF in bookmarks application (oC-SA-2014-027)

* Stored XSS in bookmarks application (oC-SA-2014-028)

* Multiple stored XSS in contacts application (oC-SA-2015-001)

* Multiple stored XSS in documents application (oC-SA-2015-002)

* Bypass of file blacklist (oC-SA-2015-004)

The updated packages have been upgraded to the 5.0.19 version where
these security flaws have been fixed.

MDVSA-2015:188: flac

Multiple vulnerabilities have been discovered and corrected in flac:

Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1
allows remote attackers to execute arbitrary code via a crafted .flac
file (CVE-2014-9028).

Stack-based buffer overflow in stream_decoder.c in libFLAC before
1.3.1 allows remote attackers to execute arbitrary code via a crafted
.flac file (CVE-2014-8962).

The updated packages provide a solution for these security issues.

MDVSA-2015:189: tor

Updated tor packages fix security vulnerabilities:

The tor package has been updated to version 0.2.4.26, which fixes
possible crashes that may be remotely triggerable, which would
result in a denial of service, and also fixes a few other bugs.
See the release announcement for details.

MDVA-2015:004: openldap

The slapd service is stopped during the package upgrade to perform
an upgrade of the OpenLDAP DB. The service wasn’t restarted after the
upgrade if it had been running before. This update fixes this
issue.

MDVSA-2015:161-1: icu

Updated icu packages fix security vulnerabilities:

The Regular Expressions package in International Components for Unicode
(ICU) 52 before SVN revision 292944 allows remote attackers to cause
a denial of service (memory corruption) or possibly have unspecified
other impact via vectors related to a zero-length quantifier or
look-behind expression (CVE-2014-7923, CVE-2014-7926).

The collator implementation in i18n/ucol.cpp in International
Components for Unicode (ICU) 52 through SVN revision 293126 does not
initialize memory for a data structure, which allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via a crafted character sequence (CVE-2014-7940).

It was discovered that ICU incorrectly handled memory operations
when processing fonts. If an application using ICU processed crafted
data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program
(CVE-2014-6585, CVE-2014-6591).

Update:

Packages for Mandriva Business Server 1 are now being provided.

MDVSA-2015:187: graphviz

Updated graphviz packages fix a security vulnerability:

Format string vulnerability in the yyerror function in
lib/cgraph/scan.l in Graphviz allows remote attackers to have
unspecified impact via format string specifiers in unknown vector,
which are not properly handled in an error string (CVE-2014-9157).

Additionally, the gtkglarea2 and gtkglext packages were missing and
are required for graphviz to build; these packages are also being
provided with this advisory.