-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:196
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : cups-filters
Date : April 7, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated cups-filters package fixes security vulnerability:
cups-browsed in cups-filters before 1.0.66 contained a bug in the
remove_bad_chars() function, where it failed to reliably filter
out illegal characters if there were two or more consecutive illegal
characters, allowing execution of arbitrary commands with the rights
of the lp user, using forged print service announcements on DNS-SD
servers (CVE-2015-2265).
_______________________________________________________________________
References:
http://cve.mit
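The advisory states the symptom (a run of two or more illegal characters is not fully removed) but not the cups-browsed code. As an added illustration, not the cups-filters source, the block below shows the usual shape of a character filter with exactly that symptom, in-place deletion with an index that always advances, beside a version that rebuilds the string into a fresh buffer, plus a small property check that would have caught the bug. The allow-list, the function names and the sample strings are assumptions made for the example.

```python
import random
import string

# Assumed allow-list for this illustration (the real cups-browsed list is not
# on the page): letters, digits, '_', '.' and '-'.
ALLOWED = frozenset(string.ascii_letters + string.digits + "_.-")


def remove_bad_chars_buggy(s):
    """Delete disallowed characters in place. The index advances after every
    iteration, including after a deletion, so the character that slides into
    the freed slot is never examined: one bad character is removed, but in a
    run of two or more every second one survives."""
    chars = list(s)
    i = 0
    while i < len(chars):
        if chars[i] not in ALLOWED:
            del chars[i]
        i += 1  # bug: must not advance after a deletion
    return "".join(chars)


def remove_bad_chars_fixed(s):
    """Copy only allowed characters into a fresh buffer; nothing can slide."""
    return "".join(c for c in s if c in ALLOWED)


def surviving_bad_chars(s, sanitiser):
    """Disallowed characters still present after sanitising `s`."""
    return {c for c in sanitiser(s) if c not in ALLOWED}


def find_leak(sanitiser, rounds=2000, seed=1):
    """Property check: no disallowed character may survive, for any input.
    Returns the first counter-example found, or None. The alphabet mixes
    letters with the shell metacharacters a sanitiser like this exists to
    strip, so runs of bad characters occur often."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + ";|&`$ ()\n"
    for _ in range(rounds):
        s = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        if surviving_bad_chars(s, sanitiser):
            return s
    return None


# Constructed sample: a service name carrying two consecutive metacharacters.
SAMPLE = "Printer;;id"

if __name__ == "__main__":
    print(repr(remove_bad_chars_buggy(SAMPLE)), repr(remove_bad_chars_fixed(SAMPLE)))
    print("buggy leak:", repr(find_leak(remove_bad_chars_buggy)))
    print("fixed leak:", repr(find_leak(remove_bad_chars_fixed)))
```

On the sample above the buggy filter returns "Printer;id", keeping one of the two semicolons, while the rebuilt version returns "Printerid". A single bad character is handled correctly by both, which is why the defect only shows up on consecutive illegal characters; the property check finds a counter-example for the buggy version within a few hundred random strings and none for the fixed one.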
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:195
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : python-django
Date : April 7, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in python-django:
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x,
1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does
not properly validate URLs, which allows remote attackers to conduct
cross-site scripting (XSS) attacks via a control character in a URL,
as demonstrated by a \x08javascript: URL (CVE-2015-2317).
The updated packages provide a solution for this security issue.
____________________________________________________
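The control-character bypass described above, as an added example that is not Django's code: a simplified model of the pre-fix rule (relative URLs and http(s) URLs to the current host are "safe"), a browser-style scheme parser that discards leading C0 control characters and spaces the way Chrome does, and a hardened check that rejects a leading control character (the guard Django added) and, going one step further than the advisory, rejects any URL on which the strict parser and the browser-style parser disagree about the scheme. The function names, the host value and the test URLs are assumptions for this example.

```python
import re
import unicodedata

# RFC 3986 scheme syntax: a strict parser recognises a scheme only when every
# character before the first ':' is a letter, digit, '+', '-' or '.'.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # \x00..\x20


def parser_scheme(url):
    """Scheme as a strict parser sees it. '\\x08javascript:...' has no scheme:
    the backspace is not a scheme character, so the whole string is a path."""
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def browser_scheme(url):
    """Scheme as a WHATWG-style browser sees it: leading C0 controls and spaces
    are discarded before parsing, so '\\x08javascript:...' runs as javascript:."""
    return parser_scheme(url.lstrip(C0_AND_SPACE))


def split_netloc(url, scheme):
    """Authority component ('' for relative and scheme-less URLs)."""
    rest = url[len(scheme) + 1:] if scheme else url
    return rest[2:].split("/", 1)[0] if rest.startswith("//") else ""


def is_safe_url_naive(url, host):
    """Model of the pre-fix rule: allow relative URLs and http(s) URLs to `host`.
    Illustrative only, not Django's is_safe_url."""
    if not url:
        return False
    scheme = parser_scheme(url)
    netloc = split_netloc(url, scheme)
    return (not netloc or netloc == host) and (not scheme or scheme in ("http", "https"))


def is_safe_url_hardened(url, host):
    """Naive rule plus two guards that close the parser/browser gap."""
    if not url:
        return False
    # Guard 1 (the shipped fix): a URL starting with a control character
    # (Unicode category C*) is never safe, because browsers ignore it.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Guard 2 (generalisation, assumed here): if the strict parser and the
    # browser-style parser disagree about the scheme, the rule below cannot be
    # trusted. This also catches a leading space, which guard 1 lets through.
    if browser_scheme(url) != parser_scheme(url):
        return False
    return is_safe_url_naive(url, host)


# Constructed inputs (the first is the advisory's example); HOST is assumed.
HOST = "example.com"
CASES = [
    "\x08javascript:alert(1)",
    " javascript:alert(1)",
    "javascript:alert(1)",
    "/accounts/profile/",
    "https://example.com/accounts/",
    "//evil.test/",
]

if __name__ == "__main__":
    for u in CASES:
        print(repr(u), "naive:", is_safe_url_naive(u, HOST),
              "hardened:", is_safe_url_hardened(u, HOST))
```

The naive rule accepts "\x08javascript:alert(1)" because the strict parser finds no scheme and no authority, so the string looks like a harmless relative path; the browser strips the backspace and executes the javascript: URL. The point to carry away is the parser differential: a redirect check is only as good as its agreement with the browser that will follow the redirect, so the hardened version refuses anything the two parsers read differently rather than trying to enumerate the characters browsers ignore.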
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:193
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : libtasn1
Date : April 7, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated libtasn1 packages fix security vulnerability:
The libtasn1 library before version 4.4 is vulnerable to a two-byte
stack overflow in asn1_der_decoding (CVE-2015-2806).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2806
http://advisories.mageia.org/MGASA-2015-0128.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
6ee2
Multiple vulnerabilities have been discovered and corrected in
subversion:
Subversion HTTP servers with FSFS repositories are vulnerable to a
remotely triggerable excessive memory use with certain REPORT requests
(CVE-2015-0202).
Subversion mod_dav_svn and svnserve are vulnerable to a remotely
triggerable assertion DoS vulnerability for certain requests with
dynamically evaluated revision numbers (CVE-2015-0248).
Subversion HTTP servers allow spoofing svn:author property values
for new revisions (CVE-2015-0251).
The updated packages have been upgraded to the 1.7.20 and 1.8.13
versions where these security flaws have been fixed.
This is a maintenance and bugfix release that upgrades NSS to the
latest 3.18 version and NSPR to the latest 4.10.8 version which
resolves various upstream bugs.
Additionally the rootcerts package has also been updated to the
latest version as of 2015-03-26, which adds, removes, and distrusts
several certificates.
This is a maintenance and bugfix release that upgrades NSS to the
latest 3.18 version which resolves various upstream bugs.
Additionally the rootcerts package has also been updated to the
latest version as of 2015-03-26, which adds, removes, and distrusts
several certificates.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Advisory MDVA-2015:007
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : mariadb
Date : April 3, 2015
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
This is a maintenance and bugfix release that upgrades MariaDB to
the latest 5.5.42 version which resolves various upstream bugs.
_______________________________________________________________________
References:
https://mariadb.com/kb/en/mariadb-5542-changelog/
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
71c8d8fded75bbaae327a48198419c6b mbs1/x86_64/lib64mariadb18-5.5.42-1.mbs1.x86_64.rpm
3f8a6e51d3212ed73b0ad57e3bd37f6a mbs1/x86_64/li