Mandriva Linux Security Advisory 2014-185 – Libgadu before 1.12.0 was found to not be performing SSL certificate validation.

Mandriva Linux Security Advisory 2014-183 – In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.

Debian Linux Security Advisory 3032-1 – Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed. In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.

Gentoo Linux Security Advisory 201409-9 – A parsing flaw related to functions and environments in Bash could allow attackers to inject code. The unaffected packages listed in GLSA 201409-09 had an incomplete fix. Versions less than 4.2_p48-r1 are affected.

Slackware Security Advisory – New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.

Mandriva Linux Security Advisory 2014-189 – Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The updated NSPR packages have been upgraded to the latest 4.10.7 version. The updated NSS packages have been upgraded to the latest 3.17.1 version which is not vulnerable to this issue. Additionally the rootcerts package has also been updated to the latest version as of 2014-08-05.

Mandriva Linux Security Advisory 2014-187 – In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site. In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains , thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

Slackware Security Advisory – New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

Mandriva Linux Security Advisory 2014-188 – Updated wireshark packages fix security vulnerabilities related to RTP dissector crash, MEGACO dissector infinite loop, Netflow dissector crash, RTSP dissector crash, SES dissector crash, and sniffer file parser crash.