In phpMyAdmin before 4.2.9, by deceiving a logged-in user into clicking
a crafted URL, it is possible to perform remote code execution and, in
some cases, create a root account, due to a DOM-based XSS vulnerability
in the micro history feature (CVE-2014-6300).
A remote denial-of-service flaw was found in the way snmptrapd handled
certain SNMP traps when started with the -OQ option. If an attacker
sent an SNMP trap containing a variable with a NULL type where an
integer variable type was expected, it would cause snmptrapd to crash
(CVE-2014-3565).
The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow
local users to overwrite arbitrary files via a symlink attack on a
/tmp/_xml_##### temporary file (CVE-2014-5260).
Multiple vulnerabilities have been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).
The updated libvirt packages have been upgraded to the 1.1.3.6 version
and patched to resolve these security flaws.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Advisory MDVA-2014:018
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : timezone
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
This is a maintenance and bugfix release that upgrades the timezone
data packages to the 2014g version.
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
0a1bda6ed3fb936cd1ce76528cce8e52 mbs1/x86_64/timezone-2014g-1.mbs1.x86_64.rpm
cdca8c5afa60b40bbe08d3b939880722 mbs1/x86_64/timezone-java-2014g-1.mbs1.x86_64.rpm
87f855e977ac8cbb448a18ef4ffb1ab3 mbs1/SRPMS/timezone-2014g-1.mbs1.src.rpm
_______________________________________________________
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:195
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libvirt
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt's
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the wa
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:194
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : phpmyadmin
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in phpmyadmin:
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages (CVE-2014-7217).
This upgrade provides the latest phpmyadmin version (4.2.9.1) to
address this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php
_________________________________