-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:203
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : batik
Date : April 10, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated batik packages fix security vulnerability:

Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption (CVE-2015-0250).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0250
http://advis
Category Archives: Mandriva
Mandriva Security Advisory
[ MDVSA-2015:202 ] ntp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:202
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ntp
Date : April 10, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in ntp:

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (CVE-2015-1798).

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which ma
[ MDVSA-2015:201 ] arj
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:201
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : arj
Date : April 10, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in arj:

Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive (CVE-2015-0556).

Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker
[ MDVSA-2015:200 ] mediawiki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:200
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : mediawiki
Date : April 10, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931).

In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect (CVE-2015-2932).

In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki's Html class, in combination with LanguageCo
[ MDVSA-2015:199 ] less
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:199
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : less
Date : April 10, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Updated less package fixes security vulnerability:

Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access (CVE-2014-9488).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9488
http://advisories.mageia.org/MGASA-2015-0139.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server
MDVSA-2015:198: java-1.8.0-openjdk
Multiple vulnerabilities have been discovered and corrected in
java-1.8.0-openjdk:

Multiple flaws were found in the way the Hotspot component in OpenJDK
verified bytecode from the class files, and in the way this component
generated code for bytecode. An untrusted Java application or applet
could possibly use these flaws to bypass Java sandbox restrictions
(CVE-2014-6601, CVE-2015-0437).

Multiple improper permission check issues were discovered in the
JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions (CVE-2015-0412, CVE-2014-6549, CVE-2015-0408).

A flaw was found in the way the Hotspot garbage collector handled
phantom references. An untrusted Java application or applet could
use this flaw to corrupt the Java Virtual Machine memory and,
possibly, execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0395).

A flaw was found in the way the DER (Distinguished Encoding Rules)
decoder in the Security component in OpenJDK handled negative length
values. A specially crafted, DER-encoded input could cause a Java
application to enter an infinite loop when decoded (CVE-2015-0410).

A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher
text using a padding oracle attack (CVE-2014-3566).

Note: This update disables SSL 3.0 by default to address this
issue. The jdk.tls.disabledAlgorithms security property can be used
to re-enable SSL 3.0 support if needed. For additional information,
refer to the Red Hat Bugzilla bug linked to in the References section.

It was discovered that the SSL/TLS implementation in the JSSE component
in OpenJDK failed to properly check whether the ChangeCipherSpec was
received during the SSL/TLS connection handshake. An MITM attacker
could possibly use this flaw to force a connection to be established
without encryption being enabled (CVE-2014-6593).

An information leak flaw was found in the Swing component in
OpenJDK. An untrusted Java application or applet could use this flaw
to bypass certain Java sandbox restrictions (CVE-2015-0407).

A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted
Java application or applet could possibly use this flaw to bypass
certain Java sandbox restrictions (CVE-2014-6587).

Multiple boundary check flaws were found in the font parsing code
in the 2D component in OpenJDK. A specially crafted font file could
allow an untrusted Java application or applet to disclose portions
of the Java Virtual Machine memory (CVE-2014-6585, CVE-2014-6591).

Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error
log files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack (CVE-2015-0383).

The updated packages provide a solution for these security issues.
[ MDVSA-2015:198 ] java-1.8.0-openjdk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:198
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : java-1.8.0-openjdk
Date : April 9, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in java-1.8.0-openjdk:

Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions (CVE-2014-6601, CVE-2015-0437).

Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untru
MDVA-2015:008: timezone
This is a maintenance and bugfix release that upgrades the timezone
data packages and the php-timezonedb packages to the 2015b version.
[ MDVA-2015:008 ] timezone
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Advisory MDVA-2015:008
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : timezone
Date : April 8, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

This is a maintenance and bugfix release that upgrades the timezone data packages and the php-timezonedb packages to the 2015b version.
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
3fd2843c03ebd93fc3bebfb72ed74124 mbs1/x86_64/php-timezonedb-2015.2-1.mbs1.x86_64.rpm
34eea86083b0e4523c3807dff5c30333 mbs1/x86_64/timezone-2015b-1.mbs1.x86_64.rpm
fdf8a95ee87d80683d7f3c1549237339 mbs1/x86_64/timezone-java-2015b-1.mbs1.x86_64
MDVSA-2015:193: libtasn1
Updated libtasn1 packages fix security vulnerability:
The libtasn1 library before version 4.4 is vulnerable to a two-byte
stack overflow in asn1_der_decoding (CVE-2015-2806).