Updated zarafa packages fix security vulnerabilities:

Robert Scheck reported that Zarafa’s WebAccess stored session
information, including login credentials, on-disk in PHP session
files. This session file would contain a user’s username and password
to the Zarafa IMAP server (CVE-2014-0103).

Robert Scheck discovered that the Zarafa Collaboration Platform has
multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448,
CVE-2014-5449, CVE-2014-5450).

A resource consumption issue was found in the way Xerces-J handled
XML declarations. A remote attacker could use an XML document with
a specially crafted declaration using a long pseudo-attribute name
that, when parsed by an application using Xerces-J, would cause that
application to use an excessive amount of CPU (CVE-2013-4002).

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on
a crafted URL, it is possible to perform remote code execution and in
some cases, create a root account due to a DOM based XSS vulnerability
in the micro history feature (CVE-2014-6300).

A regression with the MDVSA-2014:179 advisory was discovered. This
advisory solves the problem by adding the missing get_random_string
function.

Updated net-snmp packages fix security vulnerabilities:

A remote denial-of-service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the -OQ option. If an attacker
sent an SNMP trap containing a variable with a NULL type where an
integer variable type was expected, it would cause snmptrapd to crash
(CVE-2014-3565).

Updated perl-XML-DT package fixes security vulnerability:

The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow
local users to overwrite arbitrary files via a symlink attack on a
/tmp/_xml_##### temporary file (CVE-2014-5260).

Updated libgadu packages fix security vulnerability:

Libgadu before 1.12.0 was found to not be performing SSL certificate
validation (CVE-2013-4488).

Updated java-1.7.0-openjdk packages fix an upstream regression:

This update provides IcedTea 2.5.2, which fixes several bugs, most
notably regressions in the previous release which broke Groovy and
several other Java tools and applications.

A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).

It was found that the fix for CVE-2014-6271 was incomplete, and
Bash still allowed certain characters to be injected into other
environments via specially crafted environment variables. An
attacker could potentially use this flaw to override or bypass
environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-7169, CVE-2014-7186, CVE-2014-7187).

Additionally bash has been updated from patch level 37 to 48 using
the upstream patches at ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/
which resolves various bugs.