6011 matches found
Updated tor packages fix security vulnerabilities
The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely trigger-able, which would result in a denial of service, and also fixes a few other bugs. See the release announcement for details...
Updated owncloud packages fix security vulnerabilities
Updated owncloud package fixes security vulnerabilities: Owncloud version 6.0.7 fixes several unspecified security vulnerabilities, as well as many other bugs. See the upstream Changelog for more information...
Updated python-requests packages fix security vulnerability
In python-requests before 2.6.0, a cookie without a host value set would use the hostname for the redirected URL exposing requests users to session fixation attacks and potentially cookie stealing CVE-2015-2296...
Updated setup package fixes security vulnerability
An issue has been identified in Mageia 4's setup package where the /etc/shadow and /etc/gshadow files containing password hashes were created with incorrect permissions, making them world-readable mga14516. This update fixes this issue by enforcing that those files are owned by the root user and...
Updated dokuwiki package fixes security vulnerability
DokuWiki before 20140929d is vulnerable to a cross-site scripting XSS issue in the user manager. The user's details were not properly escaped in the user manager's edit form. This allows a registered user to edit her own name using the change profile option to include malicious JavaScript code. T...
Updated krb5 package fixes security vulnerability
MIT Kerberos 5 through 1.13.1 incorrectly expects that a krb5readmessage data field is represented as a string ending with a '\0' character, which allows remote attackers to cause a denial of service NULL pointer dereference via a zero-byte version string or cause a denial of service out-of-bound...
Updated wireshark package fixes security vulnerabilies
The WCP dissector could crash CVE-2015-2188. The pcapng file parser could crash CVE-2015-2189. The TNEF dissector could go into an infinite loop CVE-2015-2191...
Updated drupal packages fix security vulnerabilities
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password CVE-2015-2559. Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd...
Updated libxfont package fixes security vulnerabilities
The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures...
Updated tcpdump package fixes security vulnerabilities
Several vulnerabilities have been discovered in tcpdump. These vulnerabilities might result in denial of service application crash or, potentially, execution of arbitrary code CVE-2015-0261, CVE-2015-2153, CVE-2015-2154, CVE-2015-2155...
Updated firefox packages fix security vulnerabilities
A flaw was discovered in the implementation of typed array bounds checking in the Javascript just-in-time compilation. If a user were tricked in to opening a specially crafted website, an attacked could exploit this to execute arbitrary code with the privileges of the user invoking Firefox...
Updated libtiff packages fix security vulnerabilities
The libtiff image decoder library contains several issues that could cause the decoder to crash when reading crafted TIFF images CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2014-9655, CVE-2015-1547...
Updated openssl packages fix security vulnerabilities
Updated openssl packages fix security vulnerabilities: The function ASN1TYPEcmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1TYPEcmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verificati...
Updated moodle packages fix security vulnerabilities
Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.9, by modifying URL a logged in user can view the list of another user's contacts, number of unread messages and list of their courses CVE-2015-2266. In Moodle before 2.6.9, authentication in mdeploy can be bypassed. It i...
Updated flash-player-plugin package fixes security vulnerabilities
Adobe Flash Player 11.2.202.451 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. This update resolves memory corruption vulnerabilities that could lead to code execution...
Updated 389-ds-base packages fix security vulnerabilities
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive...
Updated libssh2 packages fix CVE-2015-1782
Updated libssh2 packages fix security vulnerability: Mariusz Ziulek reported that libssh2, a SSH2 client-side library, was reading and using the SSHMSGKEXINIT packet without doing sufficient range checks when negotiating a new SSH session with a remote server. A malicious attacker could man in th...
Updated qt3, qt4 and qtbase5 packages fix security vulnerability
The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would lead to a divsion by zero when loading certain corrupt BMP files CVE-2015-0295. This in turn would cause the application loading these hand crafted BMPs to crash. Qt3, Qt4 and qtbase5 have been patched to prevent this...
Updated libarchive packages fix security vulnerability
Updated libarchive packages fix security vulnerability: Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio" program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths...
Updated gnupg and libgcrypt packages fix security vulnerabilities
GnuPG before 1.4.19 is vulnerable to a side-channel attack which can potentially lead to an information leak CVE-2014-3591. GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak...
Updated pngcrush package fixes security vulnerability
pngcrush-1.7.84 fixes defects reported by Coverity-scan, so it should be more resistant to crashes due to malformed input files, such as the one presented in CVE-2015-2158...
Updated icu packages fix security vulnerability
It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program CVE-2014-6585, CVE-2014-6591...
Updated vsftpd package fixes security vulnerability
The vsftp daemon was not handling the "denyfile" option properly, allowing unauthorized access in some specific scenarios CVE-2015-1419...
Updated librsvg packages fix security vulnerabilities
Atte Kettunen's fuzz testing found several vulnerabilities in librsvg: - Invalid memory access caused by incorrect handling of a pattern paint server with an xlink:href to a unexpected type bgo744299 - Infinite loop in the handling of gradients bgo738169 - Heap-buffer-overflow when there's a...
Updated apache packages fix CVE-2015-0228
Updated apache packages fix security vulnerability: In the modlua module in the Apache HTTP Server through 2.4.10, a maliciously crafted websockets PING after a script calls r:wsupgrade can cause a child process crash CVE-2015-0228...
Updated putty and filezilla packages fix CVE-2015-2157
Updated putty and filezilla packages fix security vulnerability: PuTTY suite versions 0.51 to 0.63 fail to clear SSH-2 private key information from memory when loading and saving key files to disk, leading to potential disclosure. The issue affects keys stored on disk in encrypted and unencrypted...
Updated jython packages fix CVE-2013-2027
Updated jython packages fix security vulnerability: There are serveral problems with the way Jython creates class cache files, potentially leading to arbitrary code execution or information disclosure CVE-2013-2027...
Updated mapserver packages fix CVE-2013-7262 and packaging issues
Updated mapserver packages fix security vulnerability: SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TI...
Updated vlc package fixes security vulnerability
Updated vlc packages 2.1.6 are an upgrade with some fixes. Some of the problems fixed upstream were already fixed by a previous Mageia update to VLC see the link to MGASA-2015-0053. VLC versions before 2.1.5 contain a vulnerability in the transcode module that may allow a corrupted stream to...
Updated python packages fix CVE-2014-9365
Updated python packages fix security vulnerability: When Python's standard library HTTP clients httplib, urllib, urllib2, xmlrpclib are used to access resources with HTTPS, by default the certificate is not checked against any trust store, nor is the hostname in the certificate checked against th...
Updated vorbis-tools packages fix security vulnerabilities
Updated vorbis-tools package fixes security vulnerabilities: oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service divide-by-zero error and crash via a WAV file with the number of channels set to zero CVE-2014-9638. Integer overflow in oggenc in vorbis-tools 1.4.0 allo...
Updated maradns packages fix a security vulnerability
maradns versions prior to 1.4.16 are vulnerable to a DoS-vulnerability through which a malicious authorative DNS-server can cause an infinite chain of referrals. For further details on the vulnerability, see references...
Updated dokuwiki packages fix CVE-2015-2172
Updated dokuwiki package fixes security vulnerability: DokuWiki before 20140929c has a security issue in the ACL plugins remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC A...
Updated php packages fix security vulnerabilities
Updated php packages fix security vulnerabilities: It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code CVE-2015-1351. It was...
Updated sympa packages fix CVE-2015-1306
Updated sympa packages fix security vulnerability: A vulnerability have been discovered in Sympa web interface that allows access to files on the server filesystem. This breach allows to send to a list or a user any file readable by the Sympa user, located on the server filesystem, using the Symp...
Updated apache-poi packages fix CVE-2014-9527
Updated apache-poi packages fixes security vulnerability: A denial of service flaw was found in the way the HSLFSlideShow class implementation in Apache POI handled certain PPT files. A remote attacker could submit a specially crafted PPT file that would cause Apache POI to hang indefinitely...
Updated e2fsprogs packages fix CVE-2015-1572
Updated e2fsprogs packages fix security vulnerability: The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to...
Updated cabextract packages fix CVE-2015-2060
A directory traversal issue in cabextract allows writing to locations outside of the current working directory, when extracting a crafted cab file that encodes the filenames in a certain manner CVE-2015-2060...
Updated firefox and thunderbird packages fix security vulnerabilities
Updated firefox and thunderbird packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user...
Updated freetype2 packages fix security vulnerabilities
Updated freetype2 packages fix security vulnerabilities: The ttsbitdecoderloadimage function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service out-of-bounds read or possibly have unspecified other...
Updated samba packages fix CVE-2015-0240
Updated samba packages fix security vulnerabilities: An uninitialized pointer use flaw was found in the Samba daemon smbd. A malicious Samba client could send specially crafted netlogon packets that, when processed by smbd, could potentially lead to arbitrary code execution with the privileges of...
Updated bind packages fix CVE-2015-1349
Updated bind packages fix security vulnerability: Jan-Piet Mens discovered that the BIND DNS server would crash when processing an invalid DNSSEC key rollover, either due to an error on the zone operator's part, or due to interference with network traffic by an attacker. This issue affects...
Updated tomcat packages fix CVE-2014-0227
Updated tomcat packages fix security vulnerability: In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request CVE-2014-0227...
Updated ruby-sprockets packages fix CVE-2014-7819
Updated ruby-sprockets packages fix security vulnerabilities: Multiple directory traversal vulnerabilities in server.rb in Sprockets 2.12.x before 2.12.3, allow remote attackers to determine the existence of files outside the application root via a ../ dot dot slash sequence with double slashes o...
Updated kernel-tmb packages fix security vulnerabilities
This kernel-tmb update is based on upstream -longterm 3.14.32 and fixes the following security issues: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a deni...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream -longterm 3.14.32 and fixes the following security issues: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a...
Updated cpio package fixes security vulnerability
In GNU Cpio 2.11, the --no-absolute-filenames option limits extracting contents of an archive to be strictly inside a current directory. However, it can be bypassed with symlinks. While extracting an archive, it will extract symlinks and then follow them if they are referenced in further entries...
Updated kernel-vserver packages fix security vulnerabilities
This kernel-vserver update is based on upstream -longterm 3.14.32 and fixes the following security issues: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a...
Updated sudo packages fix CVE-2014-9680
Updated sudo packages fix security vulnerability: Prior to sudo 1.8.12, the TZ environment variable was passed through unchecked. Most libc tzset implementations support passing an absolute pathname in the time zone to point to an arbitrary, user-controlled file. This may be used to exploit bugs ...
Updated kernel-rt packages fix security vulnerabilities
This kernel-rt update provides as upgrade to upstream 3.14 longterm branch, currently based on 3.14.32 and fixes the following security issues: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types,...