Updated mediawiki packages fix security vulnerabilies:

In MediaWiki before 1.23.7, a missing CSRF check could allow reflected
XSS on wikis that allow raw HTML (CVE-2014-9276).

MediaWiki’s mangling, in MediaWiki before 1.23.7, could
allow an article editor to inject code into API consumers that
blindly unserialize PHP representations of the page from the API
(CVE-2014-9277).

This update provides MediaWiki 1.23.7, which fixes these security
issues and other bugs.

Updated yaml and perl-YAML-LibYAML packages fix security vulnerability:

An assertion failure was found in the way the libyaml library parsed
wrapped strings. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash
(CVE-2014-9130).

The perl-YAML-LibYAML package is also affected, as it was derived
from the same code. Both have been patched to fix this issue.

Multiple vulnerabilities has been discovered and corrected in
phpmyadmin:

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x
before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to
cause a denial of service (resource consumption) via a long password
(CVE-2014-9218).

Cross-site scripting (XSS) vulnerability in the redirection feature in
url.php in phpMyAdmin 4.2.x before 4.2.13.1 allows remote attackers
to inject arbitrary web script or HTML via the url parameter
(CVE-2014-9219).

This upgrade provides the latest phpmyadmin version (4.2.13.1) to
address these vulnerabilities.

Multiple vulnerabilities has been found and corrected in openafs:

Buffer overflow in certain client utilities in OpenAFS before 1.6.2
allows remote authenticated users to cause a denial of service (crash)
and possibly execute arbitrary code via a long fileserver ACL entry
(CVE-2013-1794).

Integer overflow in ptserver in OpenAFS before 1.6.2 allows remote
attackers to cause a denial of service (crash) via a large list
from the IdToName RPC, which triggers a heap-based buffer overflow
(CVE-2013-1795).

OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before 1.7.26
uses weak encryption (DES) for Kerberos keys, which makes it easier
for remote attackers to obtain the service key (CVE-2013-4134).

The vos command in OpenAFS 1.6.x before 1.6.5, when using the -encrypt
option, only enables integrity protection and sends data in cleartext,
which allows remote attackers to obtain sensitive information by
sniffing the network (CVE-2013-4135).

Buffer overflow in the GetStatistics64 remote procedure call (RPC) in
OpenAFS 1.4.8 before 1.6.7 allows remote attackers to cause a denial
of service (crash) via a crafted statsVersion argument (CVE-2014-0159).

A denial of service flaw was found in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML file that, when processed by
an application using libxml2, would lead to excessive CPU consumption
(denial of service) based on excessive entity substitutions, even if
entity substitution was disabled, which is the parser default behavior
(CVE-2014-3660).

The updated packages have been upgraded to the 1.4.15 version and
patched to correct these issues.

Updated mutt packages fix security vulnerability:

A flaw was discovered in mutt. A specially crafted mail header
could cause mutt to crash, leading to a denial of service condition
(CVE-2014-9116).

The mutt package has been updated to version 1.5.23 and patched to
fix this issue.

Updated bind packages fix security vulnerability:

By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND 9 uses to
follow delegations in the Domain Name Service, causing BIND to issue
unlimited queries in an attempt to follow the delegation. This can
lead to resource exhaustion and denial of service (up to and including
termination of the named server process) (CVE-2014-8500).

Updated file packages fix security vulnerability:

An out-of-bounds read flaw was found in file’s donote() function in the
way the file utility determined the note headers of a elf file. This
could possibly lead to file executable crash (CVE-2014-3710).

Updated perl-Mojolicious package fixes security vulnerability:

An assumption in Mojolicious before 5.48 CGI parameter handling that
can result in parameter injection attacks.

This is a maintenance and bugfix release that upgrades the timezone
data packages to the 2014j version.

Updated libksba packages fix security vulnerability:

By using special crafted S/MIME messages or ECC based OpenPGP data,
it is possible to create a buffer overflow, which could lead to a
denial of service (CVE-2014-9087).