Updated perl-Gtk2 packages fix a security vulnerability

Updated perl-Gtk2 packages fix security vulnerability: Incorrect memory management in Gtk2::Gdk::Display::listdevices in perl-Gtk2 before 1.2495, where, the code was freeing memory that gtk+ still holds onto and might access later. The perl-Gtk2 package has been updated to version 1.2495 to fix...

Updated hivex packages fix CVE-2014-9273

Updated hivex packages fix security vulnerability: lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via a small hive files, which triggers an out-of-bounds read or write CVE-2014-9273...

Updated e2fsprogs packages fix CVE-2015-0247

Updated e2fsprogs packages fix security vulnerability: The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to...

Updated moodle packages fix CVE-2015-1493

Updated moodle package fixes security vulnerability: In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing to read files located outside of moodle directory. All OS's are affected, but especially vulnerable are...

Updated clamav packages fix security vulnerabilities

ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs: Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team. Fix a heap out of bounds condition with crafted mew packer file...

Updated polarssl packages fix CVE-2015-1182

Updated polarssl packages fix security vulnerability: A vulnerability was discovered in PolarSSL in its certificate parser. A remote attacker could exploit this flaw using specially crafted certificates to mount a denial of service against an application linked against the library application...

Updated flash-player-plugin packages fix security vulnerabilities

Adobe Flash Player 11.2.202.442 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. This update resolves use-after-free vulnerabilities that could lead to code execution...

Updated zarafa packages fix CVE-2014-9465 and some packaging issues

Updated zarafa packages fix security vulnerability: Robert Scheck discovered a flaw in Zarafa WebAccess = 7.0.0 and Zarafa WebApp that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp CVE-2014-9465. This update also adds some patches from Robert Scheck which correct...

Updated vlc packages fix security vulnerabilities

Updated vlc packages fix security vulnerabilities: On 32 bit builds, parsing of update status files with a size of 4294967295 or more lead to an integer truncation caused by a cast to sizet in a call to malloc and a subsequent buffer overflow. This happened prior to checking the files' signature...

Updated cabextract packages fix CVE-2014-9556

Updated cabextract packages fix security vulnerability: Libmspack, a library to provide compression and decompression of some file formats used by Microsoft, is embedded in cabextract. A specially crafted cab file can cause cabextract to hang forever. If cabextract is exposed to any...

Updated hexchat packages fix security vulnerability

HexChat did not verify that the server hostname matched the domain name in the subject's Common Name CN or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name...

Updated vorbis-tools package fixes security vulnerability

oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service out-of-bounds read via a crafted raw file CVE-2014-9640...

Updated libvirt packages fix CVE-2015-0236

Updated libvirt packages fix security vulnerability: The XML getters for save images and snapshots objects don't check ACLs for the VIRDOMAINXMLSECURE flag and might possibly dump security sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to...

Updated kdebase4-runtime packages fix CVE-2013-7252 and several bugs

Updated kdebase4-runtime packages fix security vulnerability: kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack CVE-2013-7252. This...

Updated bugzilla packages fix CVE-2014-8630

Updated bugzilla packages fix security vulnerability: Some code in Bugzilla does not properly utilize 3 arguments form for open and it is possible for an account with editcomponents permissions to inject commands into product names and other attributes CVE-2014-8630...

Updated icu packages fix security vulnerabilities

Updated icu packages fix security vulnerabilities: The Regular Expressions package in International Components for Unicode ICU 52 before SVN revision 292944 allows remote attackers to cause a denial of service memory corruption or possibly have unspecified other impact via vectors related to a...

Updated privoxy packages fix security vulnerabilities

Updated privoxy packages fix security issues: Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled the default they could previously cause Privoxy to abort. Fixed multiple segmentation faults and memory leaks in the pcrs code. This...

Updated php packages fix security vulnerabilities

Updated php and libgd packages fix security vulnerabilities: Double free vulnerability in the zendtshashgracefuldestroy function in zendtshash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vecto...

Updated busybox packages fix CVE-2014-9645

Updated busybox packages fix security vulnerability: The modprobe command in busybox before 1.23.0 uses the basename of the module argument as the module to load, allowing arbitrary modules, even when some kernel subsystems try to prevent this CVE-2014-9645...

Updated python-pillow packages fix CVE-2014-9601

Updated python-pillow packages fix security vulnerability: Pillow before 2.7.0 and 2.6.2 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed CVE-2014-9601...

Updated flash-player-plugin packages fix security vulnerabilities

Adobe Flash Player 11.2.202.440 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe reports that CVE-2015-0311 is already being actively exploited in the wild via...

Updated aircrack-ng packages fix security vulnerabilities

Updated aircrack-ng package fixes security vulnerabilities: A length parameter inconsistency in Aircrack-ng before 1.2-rc1 at aireplay tcptest which may lead to remote code execution CVE-2014-8322. A missing check for data format in Aircrack-ng before 1.2-rc1 at buddy-ng which may lead to denial ...

Updated jasper packages fix security vulnerabilities

Updated jasper packages fix security vulnerabilities: An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code CVE-2014-815...

Updated java-1.7.0-openjdk packages fix security vulnerabilities

Updated java-1.7.0 packages fix security vulnerabilities: A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions CVE-2014-6601. Multiple improper...

Updated chromium-browser-stable packages fix security vulnerabilities

Updated chromium-browser packages fix security vulnerabilities: Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references,...

Updated freeciv packages fix a security vulnerability

Updated freeciv packages to latest bugfix version, also fixing security vulnerability Freeciv 2.4.1 in Mageia 4 was built against an embedded version of lua 5.1, vulnerable to the following security issue: A heap-based overflow vulnerability was found in the way Lua handles varargs functions with...

Updated elfutils packages fix CVE-2014-9447

Updated elfutils packages fix security vulnerability: Directory traversal vulnerability in the readlongnames function in libelf/elfbegin.c in elfutils allows remote attackers to write to arbitrary files to the root directory via a / slash in a crafted archive, as demonstrated using the ar program...

Updated otrs package fixes CVE-2014-9324

Updated otrs package fixes security vulnerability: An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured CVE-2014-9324...

Updated moodle package fixes security vulnerabilities

Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.7, absence of a capability check in AJAX backend script in the LTI module could allow any enrolled user to search the list of registered tools CVE-2015-0211. In Moodle before 2.6.7, the course summary on course request...

Updated binutils packages fix security vulnerabilities

Updated binutils packages fix security vulnerabilities: Multiple security issues have been found in binutils. These vulnerabilities include multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of...

Updated coreutils packages fix CVE-2014-9471

Updated coreutils packages fix security vulnerability: Bertrand Jacquin and Fiedler Roman discovered date and touch incorrectly handled user-supplied input. An attacker could possibly use this to cause a denial of service or potentially execute code CVE-2014-9471...

Updated file packages fix security vulnerabilities

Updated file packages fix security vulnerabilities: Alexander Cherepanov reported that using the file command on a specially-crafted ELF binary could lead to a denial of service due to uncontrolled resource consumption while processing ELF section headers CVE-2014-9620, CVE-2014-9621. As part of...

Updated iceape package fixes security vulnerabilities

Updated iceape packages fix security issues: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 allow remote attackers to cause a denial of service memory corruption and...

Updated python-django and python-django14 packages fix security vulnerabilities

Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments CVE-2015-0219. Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker...

Updated firefox and thunderbird packages fixes security vulnerabilities

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it CVE-2014-8634. It was found that the Beacon interface...

Updated flash-player-plugin packages fix security vulnerabilities

Adobe Flash Player 11.2.202.429 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves an improper file validation issue CVE-2015-0301. This update resolves an information...

Updated python-pip packages fix CVE-2014-8991

Updated python-pip packages fix security vulnerability: pip 1.3 through 1.5.6 allows local users to cause a denial of service prevention of package installation by creating a /tmp/pip-build- file for another user CVE-2014-8991...

Updated openssl packages fix security vulnerabilities

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack CVE-2014-3571. A memory leak can occur in the dtls1bufferrecord function under certain conditions. In particular this could occur if an...

Updated glpi package fixes security vulnerabilities

Updated glpi package fixes security vulnerabilities: Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criteria CVE-2014-5032. An issue in GLPI before 0.84.8 may allow arbitrary local files to be included ...

Updated mpfr packages fix CVE-2014-9474

Updated mpfr packages fix security vulnerability: A buffer overflow was reported in mpfr. This is due to incorrect GMP documentation for mpnsetstr about the size of a buffer CVE-2014-9474...

Updated curl packages fix CVE-2014-8150

Updated curl packages fix security vulnerability: When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to...

Updated gcab packages fix CVE-2015-0552

Updated gcab packages fix security vulnerability: Jakub Wilk reported a directory traversal vulnerability due to gcab not filtering leading slashes from paths in CAB files CVE-2015-0552...

Updated wireshark packages fix security vulnerabilities

Updated wireshark packages fix security vulnerabilities: The DEC DNA Routing Protocol dissector could crash CVE-2015-0562. The SMTP dissector could crash CVE-2015-0563. Wireshark could crash while decypting TLS/SSL sessions CVE-2015-0564...

Updated unrtf package fixes security vulnerability

Updated unrtf package fixes security vulnerability: Hanno Böck also reported a number of other crashes in unrtf besides the ones associated with CVE-2014-9275. These could allow a denial of service when opening a malicious malformed RTF file which causes unrtf to crash...

Updated libssh packages fix CVE-2014-8132

Updated libssh packages fix security vulnerability: Double free vulnerability in the sshpacketkexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet CVE-2014-8132...

Updated libsndfile packages fix CVE-2014-9496

Updated libsndfile packages fix security vulnerabilities: libsndfile contains multiple buffer-overflow vulnerabilities in src/sd2.c because it fails to properly bounds-check user supplied input, which may allow an attacker to execute arbitrary code or cause a denial of service CVE-2014-9496...

Updated glibc packages fix security vulnerabilities

The vfprintf function in stdio-common/vfprintf.c in GNU C Library aka glibc 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context- dependent attackers to bypass the FORTIFYSOURCE format-string...

Updated asterisk packages fix CVE-2014-9374

Updated asterisk packages fix security vulnerability: Double free vulnerability in the WebSocket Server reshttpwebsocket module in Asterisk Open Source 11.x before 11.14.2 allows remote attackers to cause a denial of service crash by sending a zero length frame after a non-zero length frame...

Updated ettercap packages fix security vulnerabilities

Updated ettercap package fixes security vulnerabilities: Heap-based buffer overflow in the dissectorpostgresql function in dissectors/ecpostgresql.c in Ettercap before 8.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted password length value...

Updated apache packages fix CVE-2014-8109

Updated apache packages fix security vulnerability: modlua.c in the modlua module in the Apache HTTP Server through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers...