A vulnerability has been discovered and corrected in Mozilla NSS:
Antoine Delignat-Lavaud, security researcher at Inria Paris in
team Prosecco, reported an issue in Network Security Services (NSS)
libraries affecting all versions. He discovered that NSS is vulnerable
to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1
values involved in a signature and could lead to the forging of RSA
certificates (CVE-2014-1568).
The updated NSPR packages have been upgraded to the latest 4.10.7
version.
The updated NSS packages have been upgraded to the latest 3.17.1
version which is not vulnerable to this issue.
Additionally the rootcerts package has also been updated to the latest
version as of 2014-08-05.
This is a maintenance and bugfix release that upgrades php to the
latest 5.5.17 version which resolves various upstream bugs in php.
Additionally, the php-timezonedb packages has been upgraded to the
latest 2014.7 version, the php-suhosin packages has been upgraded to
the latest 0.9.36 version which has better support for php-5.5 and
the PECL packages which requires so has been rebuilt for php-5.5.17.
An integer overflow in liblzo before 2.07 allows attackers to cause
a denial of service or possibly code execution in applications using
performing LZO decompression on a compressed payload from the attacker
(CVE-2014-4607).
The dump package is built with a bundled copy of minilzo, which is
a part of liblzo containing the vulnerable code.
Multiple vulnerabilities has been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt’s
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the way libvirt’s
virConnectListAllDomains() function computed the number of used
domains. A remote attacker able to establish a read-only connection
to libvirtd could use this flaw to make any domain operations within
libvirt unresponsive (CVE-2014-3657).
The updated libvirt packages have been upgraded to the 1.1.3.6 version
and patched to resolve these security flaws.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Advisory MDVA-2014:018
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : timezone
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
This is a maintenance and bugfix release that upgrades the timezone
data packages to the 2014g version.
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
0a1bda6ed3fb936cd1ce76528cce8e52 mbs1/x86_64/timezone-2014g-1.mbs1.x86_64.rpm
cdca8c5afa60b40bbe08d3b939880722 mbs1/x86_64/timezone-java-2014g-1.mbs1.x86_64.rpm
87f855e977ac8cbb448a18ef4ffb1ab3 mbs1/SRPMS/timezone-2014g-1.mbs1.src.rpm
_______________________________________________________
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:195
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libvirt
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in libvirt:
An out-of-bounds read flaw was found in the way libvirt's
qemuDomainGetBlockIoTune() function looked up the disk index in
a non-persistent (live) disk configuration while a persistent disk
configuration was being indexed. A remote attacker able to establish a
read-only connection to libvirtd could use this flaw to crash libvirtd
or, potentially, leak memory from the libvirtd process (CVE-2014-3633).
A denial of service flaw was found in the wa
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:194
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : phpmyadmin
Date : October 3, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in phpmyadmin:
With a crafted ENUM value it is possible to trigger an XSS in table
search and table structure pages (CVE-2014-7217).
This upgrade provides the latest phpmyadmin version (4.2.9.1) to
address this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php
_________________________________