-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:201
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : kernel
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in the Linux
kernel:
The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel
before 3.14.3 does not properly consider which pages must be locked,
which allows local users to cause a denial of service (system crash) by
triggering a memory-usage pattern that requires removal of page-table
mappings (CVE-2014-3122).
Multiple stack-based buffer overflows in the magicmouse_raw_event
function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver
in th
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:200
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : bugzilla
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated bugzilla packages fix security vulnerabilities:
If a new comment was marked private to the insider group, and a flag
was set in the same transaction, the comment would be visible to flag
recipients even if they were not in the insider group (CVE-2014-1571).
An attacker creating a new Bugzilla account can override certain
parameters when finalizing the account creation that can lead to the
user being created with a different email address than originally
requested. The overridden login name could be automatic
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:199
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : perl
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated perl and perl-Data-Dumper packages fix a security
vulnerability:
The Dumper method in Data::Dumper before 2.154 allows
context-dependent attackers to cause a denial of service (stack
consumption and crash) via an array reference with many nested
array references, which triggers a large number of recursive calls
to the DD_dump function (CVE-2014-4330).
The Data::Dumper module bundled with perl and the perl-Data-Dumper
packages have been updated to fix this issue.
_______________________________________________________________________
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:198
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : mediawiki
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated mediawiki packages fix security vulnerability:
MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to
JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199).
MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to
JavaScript injection via user-specified CSS in certain special pages
(CVE-2014-7295).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7199
http://cve.mitre.org/cgi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:197
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : python
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated python packages fix security vulnerability:
Python before 2.7.8 is vulnerable to an integer overflow in the buffer
type (CVE-2014-7185).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185
http://advisories.mageia.org/MGASA-2014-0399.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
dcefcf76c1a242a7f6f1b6db782df456 mbs1/x86_64/lib64pyt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:196
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : rsyslog
Date : October 21, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated rsyslog packages fix security vulnerability:
Rainer Gerhards, the rsyslog project leader, reported a vulnerability
in rsyslog. As a consequence of this vulnerability, an attacker can send
malformed messages to a server that accepts data from untrusted
sources and trigger a denial of service (CVE-2014-3634).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634
http://cve.mitre.org/cgi-bin/cvename.cgi?name
An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
The dump package is built with a bundled copy of minilzo, which is
a part of liblzo containing the vulnerable code.
The parse function in Email::Address module before 1.905 for Perl
uses an inefficient regular expression, which allows remote attackers
to cause a denial of service (CPU consumption) via an empty quoted
string in an RFC 2822 address (CVE-2014-0477).
The Email::Address module before 1.904 for Perl uses an inefficient
regular expression, which allows remote attackers to cause a denial
of service (CPU consumption) via vectors related to backtracking into
the phrase (CVE-2014-4720).