Updated iceape package fixes security vulnerabilities
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors...
Updated ctags package fixes security vulnerability
A denial of service issue was discovered in ctags 5.8. A remote attacker could cause excessive CPU usage and disk space consumption via a crafted JavaScript file by triggering an infinite loop (CVE-2014-7204)...
Updated openssl packages fix security vulnerabilities
This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol...
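The server-side rule behind TLS_FALLBACK_SCSV, shown as an added example (not code from the advisory or from OpenSSL): a client that retries at a lower version after a failed handshake includes the special cipher suite value 0x5600 in its ClientHello; a server that supports a higher version than the one offered then aborts with the inappropriate_fallback alert instead of silently accepting the downgrade. The ClientHello builder, the sample cipher suite 0x002F and the all-zero random are constructed for the demo; only the record, handshake and ClientHello layouts and the RFC 7507 decision rule are real.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600            # signalling cipher suite value (RFC 7507)
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
INAPPROPRIATE_FALLBACK = 86           # alert description defined by RFC 7507


def build_client_hello(client_version, cipher_suites):
    """Constructed minimal ClientHello record (no extensions) for the demo.
    Layout: TLS record header, handshake header, then the ClientHello body."""
    body = struct.pack("!H", client_version)
    body += b"\x00" * 32                                  # client random (constructed, all zero)
    body += b"\x00"                                       # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    (client_version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                          # skip the client random
    sid_len = body[pos]
    pos += 1 + sid_len                                    # skip the session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_fallback_check(record, server_max_version=TLS12):
    """RFC 7507 section 3: if the SCSV is present and the client's offered
    version is below the highest version this server supports, the connection
    is a downgrade attempt and is aborted with inappropriate_fallback.
    A client that omits the SCSV (a genuinely old client) is still accepted."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("continue", client_version)


if __name__ == "__main__":
    retry = build_client_hello(TLS10, [0x002F, TLS_FALLBACK_SCSV])   # retry at 1.0 after a forced failure at 1.2
    print(server_fallback_check(retry))                               # ('alert', 86)
    legacy = build_client_hello(TLS10, [0x002F])                       # old client, no SCSV
    print(server_fallback_check(legacy))                              # ('continue', 769)
```

To check a live server after applying the update, `openssl s_client -connect host:443 -fallback_scsv -no_tls1_2` should be refused with an inappropriate fallback alert rather than completing a TLS 1.1 handshake; the protection only works when both the client sends the SCSV and the server understands it.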
Updated chromium-browser-stable packages fix security vulnerabilities
Updated chromium-browser-stable packages fix security vulnerabilities: Several security issues and other bugs have been fixed since our previous update. See the upstream release announcements for details. Note that as of version 35, the Chromium browser no longer supports browser plugins, includi...
Updated golang packages fix CVE-2014-7189
Updated golang packages fix security vulnerability: Go 1.1 through 1.3.2 has an issue that affects programs that use crypto/tls to implement a TLS server. If the server enables TLS client authentication using certificates and explicitly sets SessionTicketsDisabled to true in the tls.Config, then ...
Updated rsyslog packages fix CVE-2014-3634
Updated rsyslog packages fix security vulnerability: Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog. As a consequence of this vulnerability an attacker can send malformed messages to a server, if this one accepts data from untrusted sources, and trigger a denial ...
Updated bugzilla packages fix security vulnerabilities
Updated bugzilla packages fix security vulnerabilities: If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group (CVE-2014-1571). An attacker creating a new Bugzil...
Updated python-requests packages fix security vulnerabilities
Updated python-requests packages fix security vulnerabilities: Python-requests was found to have a vulnerability where an attacker can retrieve passwords stored in the user's ~/.netrc file through redirect requests (CVE-2014-1829). It was discovered th...
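The credential-leak pattern behind CVE-2014-1829, as an added example that is not code from python-requests: a client resolves netrc credentials for the host it was asked to fetch, then follows a redirect and re-sends the same Authorization header to whatever host the Location points at. The hardened variant resolves credentials against the host actually being contacted, so a redirect to another site never carries the original site's password. The ~/.netrc content, host names and the helper names are constructed for the demo.

```python
import base64
import netrc
import os
import tempfile
from urllib.parse import urlsplit

# Constructed ~/.netrc content for the demo; not a real credential.
NETRC_TEXT = "machine api.example.test login alice password s3cret\n"


def load_netrc(text):
    """Parse netrc text with the stdlib parser (which only accepts a path)."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        return netrc.netrc(path)
    finally:
        os.unlink(path)


def netrc_auth_header(nrc, host):
    """HTTP Basic header for `host`, or None when netrc has no entry for it."""
    entry = nrc.authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()


def headers_for_redirect_vulnerable(nrc, original_url, location):
    """Pre-fix behaviour: credentials looked up for the ORIGINAL host are
    re-sent unchanged to the redirect target, whatever host it names."""
    auth = netrc_auth_header(nrc, urlsplit(original_url).hostname)
    return {"Authorization": auth} if auth else {}


def headers_for_redirect_fixed(nrc, original_url, location):
    """Hardened: credentials are resolved for the host the redirected request
    will actually reach, so a cross-host redirect gets no leaked password."""
    auth = netrc_auth_header(nrc, urlsplit(location).hostname)
    return {"Authorization": auth} if auth else {}


if __name__ == "__main__":
    nrc = load_netrc(NETRC_TEXT)
    start = "https://api.example.test/v1/me"
    hostile = "https://collector.example.invalid/grab"      # constructed attacker-controlled redirect
    print(headers_for_redirect_vulnerable(nrc, start, hostile))   # leaks alice's password
    print(headers_for_redirect_fixed(nrc, start, hostile))        # {}
```

The same rule applies to any credential a client attaches automatically (cookies, bearer tokens, proxy auth): decide what to send based on the destination of each individual request, not the destination of the first one.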
Updated fish package fixes multiple security vulnerabilities
Updated fish packages fix security vulnerability: fish, from at least version 1.16.0 to version 2.1.0 inclusive, does not check the credentials of processes communicating over the fishd universal variable server UNIX domain socket. This allows a local attacker to elevate their privileges to those...
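The check that was missing from fishd, as an added example rather than fish's own code: a server on a UNIX domain socket asks the kernel who is on the other end (Linux SO_PEERCRED returns the peer's pid, uid and gid, which the peer cannot forge) and refuses to act on behalf of any uid it does not trust. The demo uses a socketpair so it runs without creating a socket file; a real server would additionally place the socket in a directory with mode 0700.

```python
import os
import socket
import struct

UCRED = "3i"    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } on Linux


def peer_credentials(conn):
    """Kernel-supplied (pid, uid, gid) of the process at the other end of an
    AF_UNIX socket. Linux-specific; other systems expose the same data under
    different option names (for example LOCAL_PEERCRED on the BSDs)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)


def authorize_peer(conn, allowed_uids):
    """Accept a command only from a trusted uid; returns the decision so the
    caller can log the rejected pid/uid before closing the connection."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def handle_universal_variable_command(conn, allowed_uids, command):
    """Sketch of the server loop: authorisation happens before any parsing of
    the peer's data, so an untrusted local user cannot even reach the parser."""
    if not authorize_peer(conn, allowed_uids):
        return ("rejected", None)
    return ("applied", command)


def demo():
    """Both ends of a socketpair belong to this process, so the peer uid is our own."""
    a, b = socket.socketpair(socket.AF_UNIX)
    try:
        trusted = handle_universal_variable_command(b, {os.getuid()}, "SET fish_greeting")
        stranger = handle_universal_variable_command(b, {os.getuid() + 1}, "SET fish_greeting")
        return trusted, stranger
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print(demo())   # (('applied', 'SET fish_greeting'), ('rejected', None))
```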
Updated cacti package fixes multiple security vulnerabilities
Updated cacti package fixes security vulnerabilities: Multiple security issues (cross-site scripting, missing input sanitising and SQL injection) have been discovered in Cacti, a web interface for graphing of monitoring systems (CVE-2014-5025, CVE-2014-5026, CVE-2014-5261, CVE-2014-5262)...
Updated perl-Data-Dumper package fixes CVE-2014-4330
Updated perl-Data-Dumper package fixes security vulnerability: The Dumper method in Data::Dumper before 2.154 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of...
Updated torque packages fix CVE-2014-3684
Updated torque packages fix security vulnerabilities: Chad Vizino reported that within a TORQUE Resource Manager job, a non-root user could use a vulnerability in the tm_adopt library call to kill processes he/she doesn't own, including root-owned ones, on any node in a job (CVE-2014-3684). This update...
Updated perl packages fix CVE-2014-4330
Updated perl package fixes security vulnerability: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which trigge...
Updated perl package fixes CVE-2014-4330
Updated perl package fixes security vulnerability: The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which trigge...
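The failure mode shared by the three Data::Dumper entries above (CVE-2014-4330), as an added example in Python rather than Perl and not the module's own code: a serializer that recurses once per nesting level lets the attacker choose how deep the stack goes, so a few thousand nested array references are enough to exhaust it. The bounded variant tracks the depth explicitly and refuses input beyond a fixed limit, the same kind of cap a fixed dumper applies. The input generator and the depth limit of 200 are constructed for the demo.

```python
import sys


def dump_naive(obj):
    """One stack frame (plus a generator frame) per nesting level; attacker-controlled depth."""
    if isinstance(obj, list):
        return "[" + ",".join(dump_naive(x) for x in obj) + "]"
    return repr(obj)


def dump_bounded(obj, max_depth=200, _depth=0):
    """Same output, but fails cleanly with ValueError once nesting exceeds
    max_depth, well before the interpreter's own stack limit is reached."""
    if _depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth} levels refused")
    if isinstance(obj, list):
        return "[" + ",".join(dump_bounded(x, max_depth, _depth + 1) for x in obj) + "]"
    return repr(obj)


def nested(depth):
    """Constructed attacker input: an empty list wrapped in `depth` further lists."""
    obj = []
    for _ in range(depth):
        obj = [obj]
    return obj


def try_dump(fn, obj):
    """Run a dumper and report ('ok', output length) or ('error', exception name)."""
    try:
        return ("ok", len(fn(obj)))
    except (RecursionError, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    print(sys.getrecursionlimit())               # default interpreter limit, typically 1000
    print(try_dump(dump_naive, nested(50)))      # ('ok', 102)
    print(try_dump(dump_naive, nested(5000)))    # ('error', 'RecursionError')
    print(try_dump(dump_bounded, nested(5000)))  # ('error', 'ValueError')
```

Python turns stack exhaustion into a catchable RecursionError; a C implementation like Data::Dumper's XS code has no such safety net, which is why the same input crashes the process instead.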
Updated xerces-j2 packages fix CVE-2013-4002
Updated xerces-j2 packages fix security vulnerability: A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using...
Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerability: MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files (CVE-2014-7199). MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specific...
Updated squid packages fix security vulnerabilities
Updated squid packages fix security vulnerabilities: Due to incorrect buffer management, an attacker can cause Squid to write outside its allocated SNMP buffer (CVE-2014-6270). Due to incorrect bounds checking, the Squid pinger binary is vulnerable to denial of service or information leak attack...
Updated libvncserver & remmina packages fix security vulnerabilities
Updated libvncserver and remmina packages fix security vulnerabilities: A malicious VNC server can trigger incorrect memory management handling by advertising a large screen size parameter to the VNC client. This would result in multiple memory corruptions and could allow remote code execution on...
Updated python packages fix CVE-2014-7185
Updated python packages fix security vulnerability: Python before 2.7.8 is vulnerable to an integer overflow in the buffer type (CVE-2014-7185)...
Updated dbus packages fix multiple security vulnerabilities
Updated dbus packages fixes the following security issues: Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon: On 64-bit platforms, file descriptor passing could be abused by local users to cause heap corruption in dbus-daemon, leading to a crash, or...
Updated phpmyadmin package fixes security vulnerability
In phpMyAdmin before 4.1.14.4, with a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages (CVE-2014-7217)...
Updated libvirt packages fix security vulnerabilities
Updated libvirt packages fix security vulnerabilities: An out-of-bounds read flaw was found in the way libvirt's qemuDomainGetBlockIoTune function looked up the disk index in a non-persistent live disk configuration while a persistent disk configuration was being indexed. A remote attacker able t...
Updated bash packages fix multiple security vulnerabilities
Updated bash packages fix security vulnerabilities: Bash has been updated to version 4.2 patch level 50, which further mitigates ShellShock-type vulnerabilities. Two such issues have already been discovered (CVE-2014-6277, CVE-2014-6278). See the Red Hat article on the backward-incompatible changes...
Updated bash packages fix CVE-2014-7169
Updated bash packages fix security vulnerability: It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or...
Updated kernel & related packages provide 3.10 longterm support branch
This kernel update provides an update based on upstream 3.10.54 from the 3.10 -longterm branch. It also fixes the following security issue: The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping...
Updated perl-Email-Address packages fix security vulnerabilities
Updated perl-Email-Address package fixes security vulnerability: The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quoted string in an RFC 2822 address...
Updated perl-XML-DT package fixes CVE-2014-5260
Updated perl-XML-DT package fixes security vulnerability: The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/xml temporary file (CVE-2014-5260)...
Updated nss packages fix CVE-2014-1568
Updated nss packages fix security vulnerability: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack...
Updated bash packages fix CVE-2014-6271
Updated bash packages fix security vulnerability: A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote...
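A local probe for the two bash issues described in this listing (CVE-2014-6271 above, and its incomplete fix CVE-2014-7169 in the later entry), as an added example and not part of any advisory: each test exports an environment variable whose value looks like a function definition and checks whether bash acts on the trailing text when it starts. The variable names and the marker strings are the widely circulated public test vectors; the probe functions and their names are constructed here. A patched bash reports False for both.

```python
import os
import shutil
import subprocess
import tempfile


def run_bash(bash, script, extra_env, cwd=None):
    """Run `script` under bash with additional environment variables exported."""
    env = dict(os.environ, **extra_env)
    return subprocess.run([bash, "-c", script], env=env, cwd=cwd,
                          capture_output=True, text=True, timeout=10)


def probe_cve_2014_6271(bash="bash"):
    """Original bug: text after the function body in an exported variable is
    executed when bash imports the environment, before the script even runs."""
    res = run_bash(bash, "echo test", {"x": "() { :;}; echo vulnerable"})
    return "vulnerable" in res.stdout


def probe_cve_2014_7169(bash="bash"):
    """Incomplete first fix: a malformed definition leaves a dangling redirection
    in the parser, so the following `echo date` writes the output of `date` into
    a file named `echo` in the working directory. Run in a scratch directory so
    a vulnerable shell cannot clobber anything real."""
    with tempfile.TemporaryDirectory() as tmp:
        run_bash(bash, "echo date", {"X": "() { (a)=>\\"}, cwd=tmp)
        return os.path.exists(os.path.join(tmp, "echo"))


def shellshock_probe(bash="bash"):
    """Map of CVE id to True (vulnerable) / False (fixed); None if bash is absent."""
    if shutil.which(bash) is None:
        return None
    return {
        "CVE-2014-6271": probe_cve_2014_6271(bash),
        "CVE-2014-7169": probe_cve_2014_7169(bash),
    }


if __name__ == "__main__":
    print(shellshock_probe())   # on a patched system: {'CVE-2014-6271': False, 'CVE-2014-7169': False}
```

The probe only tells you about the bash binary it runs; the remote exposure the advisory mentions comes from services (CGI handlers, DHCP clients, restricted SSH commands) that copy attacker-controlled strings into the environment of a child bash, so check those code paths separately.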
Updated wireshark packages fix security vulnerabilities
Updated wireshark packages fix security vulnerabilities: RTP dissector crash CVE-2014-6421, CVE-2014-6422. MEGACO dissector infinite loop CVE-2014-6423. Netflow dissector crash CVE-2014-6424. RTSP dissector crash CVE-2014-6427. SES dissector crash CVE-2014-6428. Sniffer file parser crash...
Updated php-pear-CAS packages fix CVE-2014-4172
Updated php-pear-CAS packages fix security vulnerabilities: A flaw in php-pear-CAS before 1.3.3, utilized by Moodle, has been found which could potentially allow unauthorised access and privilege escalation (CVE-2014-4172)...
Updated curl packages fix security vulnerabilities
Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to...
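Cookie domain matching with the rule a numeric-IP host needs, as an added example that is not libcurl's code: RFC 6265 section 5.1.3 lets a host name match a cookie domain by suffix (www.example.test matches example.test), but a host that is an IP address matches only a cookie domain that is the identical address string. Without that special case, a request to 127.0.0.1 would suffix-match a cookie scoped to "0.0.1", which is the shape of confusion the advisory describes for URLs that use a numerical IP address. Both directions are covered: which stored cookies to send, and whether to accept a Domain attribute from a Set-Cookie header. The cookie jar and host names are constructed for the demo.

```python
import ipaddress


def is_ip_literal(host):
    """True for IPv4/IPv6 address strings (bracketed IPv6 as it appears in URLs)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match. Exact match always succeeds; a
    suffix match is allowed only when the request host is a host name, never
    when it is an IP address."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not cookie_domain:
        return False
    if request_host == cookie_domain:
        return True
    if is_ip_literal(request_host):
        return False                          # the case a plain suffix check gets wrong
    return request_host.endswith("." + cookie_domain)


def cookies_to_send(jar, request_host):
    """Names of stored cookies whose domain matches the host being contacted."""
    return [name for name, domain in jar if domain_matches(request_host, domain)]


def accept_cookie_domain(request_host, domain_attribute):
    """Whether a server at request_host may set a cookie for domain_attribute.
    A cookie with no Domain attribute is host-only and always accepted."""
    if domain_attribute is None:
        return True
    return domain_matches(request_host, domain_attribute)


# Constructed jar: (cookie name, domain the cookie was stored for)
JAR = [
    ("session", "example.test"),
    ("tracker", "0.0.1"),          # planted by an attacker hoping to reach 127.0.0.1
    ("local", "127.0.0.1"),
]

if __name__ == "__main__":
    print(cookies_to_send(JAR, "www.example.test"))   # ['session']
    print(cookies_to_send(JAR, "127.0.0.1"))          # ['local']
    print(accept_cookie_domain("127.0.0.1", "0.0.1")) # False
```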
Updated gnupg packages fix CVE-2014-5270
Updated gnupg packages fix security vulnerability: The gnupg program before version 1.4.16 is vulnerable to an ElGamal side-channel attack (CVE-2014-5270)...
Updated flash-player-plugin packages fix multiple security vulnerabilities
Adobe Flash Player 11.2.202.406 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves memory leakage vulnerabilities that could be used to bypass memory address...
Updated zarafa packages fix multiple vulnerabilities
Updated zarafa packages fix security vulnerabilities: Robert Scheck reported that Zarafa's WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user's username and password to the Zarafa IMAP server (CVE-2014-0103). Rober...
Updated phpmyadmin package fixes CVE-2014-6300
Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.1.14.4, by deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history featu...
Updated libgadu packages fix CVE-2013-4488
Updated libgadu packages fix security vulnerability: Libgadu before 1.12.0 was found to not be performing SSL certificate validation (CVE-2013-4488)...
Updated mariadb packages fix CVE-2014-4274
Updated mariadb packages fix security vulnerability: MyISAM temporary files could be used to mount a code-execution attack (CVE-2014-4274). The mariadb package has been updated to version 5.5.39, which fixes this and several other issues. Refer to the upstream Changelog for more details...
Updated dump package fixes CVE-2014-4607
Updated dump packages fix security vulnerability: An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607). The dump package is buil...
Updated moodle packages fix security vulnerabilities
Updated moodle packages fix security vulnerabilities: In Moodle before 2.6.5, users who had not yet posted the required answer in a Q forum in order to access past posts were able to see the name of the last person who had posted, as other authors are visible in /mod/forum/view.php before the...
Updated glibc packages fix multiple security vulnerabilities
Tavis Ormandy discovered a heap-based buffer overflow in the transliteration module loading code. As a result, an attacker who can supply a crafted destination character set argument to iconv-related character conversion functions could achieve arbitrary code execution. This update removes...
Updated gtk+3.0 packages fix CVE-2014-1949
Updated gtk+3.0 packages fix security vulnerability: Clemens Fries reported that, when using Cinnamon, it was possible to bypass the screensaver lock. An attacker with physical access to the machine could use this flaw to take over the locked desktop session (CVE-2014-1949). This was fixed by...
Updated procmail packages fix CVE-2014-3618
Updated procmail package fixes security vulnerability: A heap-based buffer overflow was reported in procmail's formail utility when parsing addresses with unbalanced quotes (CVE-2014-3618)...
Updated firefox & thunderbird packages fix security vulnerabilities
Updated firefox and thunderbird packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user...
Updated libtorrent-rasterbar packages fix UPnP forwarding of all ports
Updated libtorrent-rasterbar packages fix security vulnerability: The libtorrent-rasterbar library was opening UPnP port 0, causing all ports to be forwarded from the router to the client machine...
Updated php packages fix multiple security vulnerabilities
Updated php packages fix security vulnerabilities: Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a craft...
Updated squid packages fix CVE-2014-3609
Updated squid packages fix security vulnerability: Matthew Daley discovered that Squid 3 did not properly perform input validation in request parsing. A remote attacker could send crafted Range requests to cause a denial of service (CVE-2014-3609)...
Updated net-snmp packages fix CVE-2014-3565
Updated net-snmp packages fix security vulnerabilities: A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the "-OQ" option. If an attacker sent an SNMP trap containing a variable with a NULL type where an integer variable type was expected...
Updated ppp packages fix a security vulnerability
Updated ppp packages fix security vulnerability: A vulnerability in ppp before 2.4.7 may enable an unprivileged attacker to access privileged options (CVE-2014-3158)...