Mandriva Security Advisory
Updated perl-Plack package fixes security vulnerability:
Plack::App::File would previously strip trailing slashes off provided
paths. This in combination with the common pattern of serving files
with Plack::Middleware::Static could allow an attacker to bypass a
whitelist of generated files (CVE-2014-5269).
Updated icecast package fixes security vulnerability:
Icecast did not properly handle the launching of scripts on connect
or disconnect of sources. This could result in sensitive information
from these scripts leaking to (external) clients (CVE-2014-9018).
Updated glibc package fixes security vulnerability:
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of $((… “))
where … can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass the
WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).
Updated wordpress package fixes security vulnerabilities:
XSS in wptexturize() via comments or posts, exploitable for
unauthenticated users (CVE-2014-9031).
XSS in media playlists (CVE-2014-9032).
CSRF in the password reset process (CVE-2014-9033).
Denial of service for giant passwords. The phpass library by Solar
Designer was used in both projects without setting a maximum password
length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).
XSS in Press This (CVE-2014-9035).
XSS in HTML filtering of CSS in posts (CVE-2014-9036).
Hash comparison vulnerability in old-style MD5-stored passwords
(CVE-2014-9037).
SSRF: Safe HTTP requests did not sufficiently block the loopback IP
address space (CVE-2014-9038).
Previously an email address change would not invalidate a previous
password reset email (CVE-2014-9039).
Multiple vulnerabilities has been found and corrected in the Linux
kernel:
The WRMSR processing functionality in the KVM subsystem in the
Linux kernel through 3.17.2 does not properly handle the writing of a
non-canonical address to a model-specific register, which allows guest
OS users to cause a denial of service (host OS crash) by leveraging
guest OS privileges, related to the wrmsr_interception function in
arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c
(CVE-2014-3610).
Race condition in the __kvm_migrate_pit_timer function in
arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through
3.17.2 allows guest OS users to cause a denial of service (host OS
crash) by leveraging incorrect PIT emulation (CVE-2014-3611).
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
3.12 does not have an exit handler for the INVEPT instruction, which
allows guest OS users to cause a denial of service (guest OS crash)
via a crafted application (CVE-2014-3645).
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through
3.17.2 does not have an exit handler for the INVVPID instruction,
which allows guest OS users to cause a denial of service (guest OS
crash) via a crafted application (CVE-2014-3646).
arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel
through 3.17.2 does not properly perform RIP changes, which allows
guest OS users to cause a denial of service (guest OS crash) via a
crafted application (CVE-2014-3647).
The SCTP implementation in the Linux kernel through 3.17.2 allows
remote attackers to cause a denial of service (system crash) via
a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
net/sctp/sm_statefuns.c (CVE-2014-3673).
The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c
in the SCTP implementation in the Linux kernel through 3.17.2 allows
remote attackers to cause a denial of service (panic) via duplicate
ASCONF chunks that trigger an incorrect uncork within the side-effect
interpreter (CVE-2014-3687).
arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel before
3.17.2 on Intel processors does not ensure that the value in the CR4
control register remains the same after a VM entry, which allows host
OS users to kill arbitrary processes or cause a denial of service
(system disruption) by leveraging /dev/kvm access, as demonstrated by
PR_SET_TSC prctl calls within a modified copy of QEMU (CVE-2014-3690).
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2
does not properly handle private syscall numbers during use of the
perf subsystem, which allows local users to cause a denial of service
(out-of-bounds read and OOPS) or bypass the ASLR protection mechanism
via a crafted application (CVE-2014-7825).
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2
does not properly handle private syscall numbers during use of the
ftrace subsystem, which allows local users to gain privileges or
cause a denial of service (invalid pointer dereference) via a crafted
application (CVE-2014-7826).
The pivot_root implementation in fs/namespace.c in the Linux kernel
through 3.17 does not properly interact with certain locations of
a chroot directory, which allows local users to cause a denial of
service (mount-tree loop) via . (dot) values in both arguments to
the pivot_root system call (CVE-2014-7970).
The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux
kernel through 3.17.2 miscalculates the number of pages during
the handling of a mapping failure, which allows guest OS users to
cause a denial of service (host OS page unpinning) or possibly have
unspecified other impact by leveraging guest OS privileges. NOTE: this
vulnerability exists because of an incorrect fix for CVE-2014-3601
(CVE-2014-8369).
The updated packages provides a solution for these security issues.
Multiple vulnerabilities has been discovered and corrected in
phpmyadmin:
* Multiple XSS vulnerabilities (CVE-2014-8958).
* Local file inclusion vulnerability (CVE-2014-8959).
* XSS vulnerability in error reporting functionality (CVE-2014-8960).
* Leakage of line count of an arbitrary file (CVE-2014-8961).
This upgrade provides the latest phpmyadmin version (4.2.12) to
address these vulnerabilities.
Updated libvncserver packages fix security vulnerabilities:
A malicious VNC server can trigger incorrect memory management handling
by advertising a large screen size parameter to the VNC client. This
would result in multiple memory corruptions and could allow remote
code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).
A malicious VNC client can trigger multiple DoS conditions on the VNC
server by advertising a large screen size, ClientCutText message length
and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).
A malicious VNC client can trigger multiple stack-based buffer
overflows by passing a long file and directory names and/or
attributes (FileTime) when using the file transfer message feature
(CVE-2014-6055).
Additionally libvncserver has been built against the new system
minilzo library which is also being provided with this advisory.
This is a maintenance and bugfix release that upgrades php to the
latest 5.5.19 version which resolves various upstream bugs in php.
Additionally, the php-timezonedb packages has been upgraded to the
latest 2014.10 version and the PECL packages which requires so has
been rebuilt for php-5.5.19.
Updated ruby packages fix security vulnerabilities:
Will Wood discovered that Ruby incorrectly handled the encodes()
function. An attacker could possibly use this issue to cause Ruby to
crash, resulting in a denial of service, or possibly execute arbitrary
code. The default compiler options for affected releases should reduce
the vulnerability to a denial of service (CVE-2014-4975).
Due to an incomplete fix for CVE-2014-8080, 100% CPU utilization can
occur as a result of recursive expansion with an empty String. When
reading text nodes from an XML document, the REXML parser in Ruby can
be coerced into allocating extremely large string objects which can
consume all of the memory on a machine, causing a denial of service
(CVE-2014-8090).
Additionally ruby has been upgraded to patch level 374.
Updated imagemagick packages fix security vulnerabilities:
ImageMagick is vulnerable to a denial of service due to out-of-bounds
memory accesses in the resize code (CVE-2014-8354), PCX parser
(CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder
(CVE-2014-8716).