5993 matches found
Updated privoxy package fixes security vulnerability
The logrotate configuration of the privoxy package did not function properly, causing its log files not to be rotated. The log files could potentially fill up the disk...
Updated php-smarty packages fix security vulnerabilities
Cross-site scripting XSS vulnerability in the SmartyException class in Smarty aka smarty-php before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception CVE-2012-4437. Smarty before 3.1.21 allows remote attackers to bypass t...
Updated libvirt packages fix security vulnerability
Eric Blake discovered that libvirt incorrectly handled permissions when processing the qemuDomainFormatXML command. An attacker with read-only privileges could possibly use this to gain access to certain information from the domain xml file CVE-2014-7823...
Updated wireshark packages fix security vulnerabilities
SigComp UDVM buffer overflow CVE-2014-8710. AMQP crash CVE-2014-8711. NCP crashes CVE-2014-8712, CVE-2014-8713. TN5250 infinite loops CVE-2014-8714...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream -longterm 3.10.60 and fixes the following security issues: The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 does not properly handle the writing of a non- canonical address to a model-specific register, which allows...
Updated qemu packages fix security vulnerabilities
The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileg...
Updated kdebase4-runtime and kwebkitpart packages fix security vulnerability
kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly allowing to some javascript being executed on the context of the referenced hostname CVE-2014-8600...
Updated kernel-tmb packages fix security vulnerabilities
This kernel-tmb update is based on upstream -longterm 3.10.58 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to 1...
Updated dbus packages fix security vulnerabilitiy
The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on incorrect reasoning, and does not fully prevent the attack described as "CVE-2014-3636 part A", which is repeated below. Preventing that attack requires raising the system dbus-daemon's RLIMITNOFILE ulimit -n to a higher...
Updated gnutls package fix security vulnerability
An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC Elliptic Curve Cryptography certificates or certificate signing requests CSR. A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream -longterm 3.10.58 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to ...
Updated kernel-vserver packages fix security vulnerabilities
This kernel-vserver update provides an upgrade to the upstream 3.14 -longterm branch, currently based on 3.14.23 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream -longterm 3.14.23 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to ...
Updated kernel-tmb packages fix security vulnerabilities
This kernel-tmb update is based on upstream -longterm 3.14.23 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to 1...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream longterm 3.10.58 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to 1 cause...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream -longterm 3.14.23 and fixes the following security issues: The kvmiommumappages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to 1 caus...
Updated claws-mail package fixes security vulnerability
This update provides claws-mail version 3.11.1, which includes several fixes and improvements related to SSL/TLS, and fixes other bugs as well. See the upstream news for more details...
Updated getmail package fixes security vulnerabilities
The IMAP-over-SSL implementation in getmail 4.0.0 through 4.43.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof IMAP servers and obtain sensitive information via a crafted certificate CVE-2014-7273. The IMAP-over-SSL implementation in getmai...
Updated flash-player-plugin packages fix multiple security vulnerabilities
Adobe Flash Player 11.2.202.418 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves memory corruption vulnerabilities that could lead to code execution CVE-2014-0558,...
Updated libreoffice packages fix security vulnerability
A vulnerability in LibreOffice allows an attacker to send a document which when opened will trigger the prompt to "Update Links" but if the user cancels that prompt may still generate and insert into the document an OLE2 preview image of a file on the victims filesystem, Data exposure is possible...
Updated libreoffice packages fix security vulnerabilities
It was discovered during routine code review that LibreOffice unconditionally executed certain VBA macros on loading Microsoft Office documents, contrary to user expectations CVE-2014-0247. A vulnerability in LibreOffice allows an attacker to send a document which when opened will trigger the...
Updated curl packages fix CVE-2014-3707
Updated curl packages fix security vulnerability: Symeon Paraschoudis discovered that the curleasyduphandle function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires...
Updated kdebase4-workspace packages fix security vulnerability and various bugs
This update fixes a security vulnerability in the KDE workspace configuration module for setting the date and time CVE-2014-8651, mga14487, and fixes some additional issues: - fix kcm botching unrelated user settings mga3310, bko254430, - do not popup during initialization 0 B Removable media...
Updated ruby packages fix CVE-2014-8080
Updated ruby packages fix security vulnerability: Due to unrestricted entity expansion, when reading text nodes from an XML document, the REXML parser in Ruby can be coerced into allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of servic...
Updated php packages fix security vulnerability
An out-of-bounds read flaw was found in file's donote function in the way the file utility determined the note headers of a elf file. This could possibly lead to file executable crash CVE-2014-3710. PHP uses an embedded copy of file's libmagic library, and was therefore affected. It has been...
Updated apt packages fix security vulnerability
The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the "http" apt method binary, or potentially to arbitrary cod...
Updated pulseaudio package fixes RTP remote crash vulnerability
PulseAudio versions shipped in Mageia 3 and 4 were vulnerable to a remote RTP attack which could crash the PulseAudio server simply by sending an empty UDP packet. Additionally, the version of PulseAudio shipped in Mageia 4 was a pre-release version of PulseAudio v5 and has been updated to the...
Updated [package] package fix CVE-2014-3710
Updated file packages fix security vulnerability: An out-of-bounds read flaw was found in file's donote function in the way the file utility determined the note headers of a elf file. This could possibly lead to file executable crash CVE-2014-3710...
Updated dokuwiki packages fix security vulnerabilities
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call CVE-2014-8761. The ajaxmediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access...
Updated zabbix package fixes security vulnerability
It was reported that the Zabbix frontend supported an XML data import feature, where on the server it used DOMDocument to parse the XML. By default, DOMDocument also parses the external DTD, which could allow a remote attacker to use a crafted XML file causing Zabbix to read an arbitrary local...
Updated quassel packages fix security vulnerability
Due to and out-of-bounds read issue in Quassel core in The ECB Blowfish decryption function, a malicious client can cause either denial of service or disclosure of information from process memory by using an improperly formed message CVE-2014-8483...
Updated MythTV packages to harden against SSDP reflection attacks
Updated MythTV packages to harden against SSDP reflection attacks MythTV's UPNP component was suseptable to SSDP reflection attacks and has been hardened to disallow SSDP device discovery from non-local addresses as mitigation. Additionally, a popular schedules retrieval service, Schedules Direct...
Updated php-ZendFramework packages fix security vulnerabilities
Due to a bug in PHP's LDAP extension, when ZendFramework's Zendldap class is used for logins, an attacker can login as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind CVE-2014-8088. The sqlsrv PHP extension, which provides the ability to...
Updated KDE 4 and related packages move to KDE 4.12.5
This KDE 4 update provides an upgrade to the last stable version of KDE Applications and Development Platform for the 4.12 series, and updates Plasma Workspaces to 4.11.12. This update fixes several security vulnerabilities - KMail/KIO POP3 SSL MITM Flaw CVE-2014-3494 - mga13545 - KAuth PID Reuse...
Updated konversation package fixes security vulnerability
Due to and out-of-bounds read issue in Konversation in The ECB Blowfish decryption function, a malicious client can cause either denial of service or disclosure of information from process memory by using an improperly formed message CVE-2014-8483...
Updated wpa_supplicant and hostapd packages fix security vulnerability
A vulnerability was found in the mechanism wpacli and hostapdcli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system call resulting in arbitrary command execution under the privileges of the wpacli/hostapdcli process which may be root in...
Updated php packages fix security vulnerabilities
An integer overflow flaw in PHP's unserialize function was reported. If unserialize were used on untrusted data, this issue could lead to a crash or potentially information disclosure CVE-2014-3669. A heap corruption issue was reported in PHP's exifthumbnail function. A specially-crafted JPEG ima...
Updated nginx packages fix CVE-2014-3616
Updated nginx package fixes security vulnerability: Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position...
Updated wget packages fix CVE-2014-4877
Updated wget package fixes security vulnerability: Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP CVE-2014-4877. The default settings in wget have been changed...
Updated chromium-browser-stable packages fix security vulnerabilities
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromium CVE-2014-3188, CVE-2014-3189, CVE-2014-3190, CVE-2014-3191,...
Updated qemu packages fix multiple security vulnerabilities
Updated qemu packages fix security vulnerabilities: Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host CVE-2013-4544. Multiple integer overflow, input...
Updated drupal packages fix security vulnerability
An SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of...
Updated pidgin packages fix security vulnerabilities
In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins one for GnuTLS and one for NSS failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary...
Updated firefox and thunderbird packages fix security vulnerabilities
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576,...
Updated mariadb packages fix security vulnerabilities
This update provides MariaDB 5.5.40, which fixes several security issues and other bugs...
Updated java-1.7.0-openjdk packages fix security vulnerabilities
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511, CVE-2014-6504, CVE-2014-6519. It was...
Updated ejabberd packages fix security vulnerability
A flaw was discovered in ejabberd that allows clients to connect with an unencrypted connection even if starttlsrequired is set CVE-2014-8760...
Updated phpmyadmin package fixes security vulnerability
In phpMyAdmin before 4.1.14.6, with a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries CVE-2014-8326...
Updated lua and lua5.1 packages fix security vulnerability
A heap-based overflow vulnerability was found in the way Lua handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution CVE-2014-5461...
Updated libxml2 packages fix security vulnerability
A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption denial of service bas...