5993 matches found

Mageia • added 2014/03/03 7:58 p.m. • 40 views

Updated qt5 packages fix security vulnerability.

It was discovered that QXmlSimpleReader in Qt incorrectly handled XML entity expansion. An attacker could use this flaw to cause Qt applications to consume large amounts of resources, resulting in a denial of service (CVE-2013-4549)...

CVSS 5 • AI score 2.2 • EPSS 0.03105
Exploits 0 • References 3

Mageia • added 2014/03/02 8:58 p.m. • 31 views

Updated otrs package fixes security vulnerability

An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed (CVE-2014-1695)...

CVSS 4.3 • AI score 8.5 • EPSS 0.04873
Exploits 5 • References 3

Mageia • added 2014/03/02 8:53 p.m. • 47 views

Updated mediawiki packages fix security vulnerabilities

MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS (CVE-2013-6451). Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lea...

CVSS 7.5 • AI score 7.7 • EPSS 0.42777
Exploits 12 • References 6

Mageia • added 2014/03/01 10:57 p.m. • 38 views

Updated zarafa packages fix security vulnerabilities

Robert Scheck discovered multiple vulnerabilities in Zarafa that could allow a remote unauthenticated attacker to crash the zarafa-server daemon, preventing access to any other legitimate Zarafa users (CVE-2014-0037, CVE-2014-0079)...

CVSS 5 • AI score 6.7 • EPSS 0.02395
Exploits 0 • References 3

Mageia • added 2014/03/01 10:55 p.m. • 39 views

Updated x2goserver package fixes security vulnerability

A vulnerability in x2goserver before 4.0.0.2 in the setgid wrapper x2gosqlitewrapper.c, which does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path. A remote attacker may be able to execute arbitrary code with the privileges of the user running...

CVSS 7.5 • AI score 3.6 • EPSS 0.02748
Exploits 0 • References 4

Mageia • added 2014/02/28 6:59 p.m. • 63 views

Updated tomcat packages fix CVE-2014-0050

Updated tomcat packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050). Tomcat 7 includes an...

CVSS 7.5 • AI score 7.7 • EPSS 0.83175
Exploits 8 • References 3

Mageia • added 2014/02/28 6:57 p.m. • 47 views

Updated apache-commons-fileupload package fixes CVE-2014-0050

Updated apache-commons-fileupload packages fix security vulnerability: It was discovered that the Apache Commons FileUpload package for Java could enter an infinite loop while processing a multipart request with a crafted Content-Type, resulting in a denial-of-service condition (CVE-2014-0050)...

CVSS 7.5 • AI score 7.7 • EPSS 0.83175
Exploits 8 • References 4

Mageia • added 2014/02/28 6:55 p.m. • 17 views

Updated mariadb packages provide the latest release in the 5.5 series

Updated mariadb packages fix security vulnerabilities: MariaDB has been updated to the latest release in the 5.5 series, 5.5.36, which fixes several security vulnerabilities and other bugs. See the Release Notes for more details. Note: if upgrading the main mariadb package, you should run the...

AI score 3.4
Exploits 0 • References 2

Mageia • added 2014/02/27 10:7 p.m. • 46 views

Updated chromium-browser-stable packages address multiple vulnerabilities

Use-after-free related to web contents (CVE-2013-6653). Bad cast in SVG (CVE-2013-6654). Use-after-free in layout (CVE-2013-6655). Information leaks in XSS auditor (CVE-2013-6656, CVE-2013-6657). Use-after-free in layout (CVE-2013-6658). Issue with certificates validation in TLS handshake (CVE-2013-6659)...

CVSS 7.5 • AI score 2.2 • EPSS 0.02057
Exploits 1 • References 2

Mageia • added 2014/02/27 10:3 p.m. • 37 views

Updated imapsync package fixes CVE-2014-2014

Updated imapsync package fixes security vulnerability: In imapsync before 1.584, a certificate verification failure when using the --tls option results in imapsync attempting a cleartext login (CVE-2014-2014)...

CVSS 4.3 • AI score 6.4 • EPSS 0.01537
Exploits 0 • References 3

Mageia • added 2014/02/27 10:0 p.m. • 35 views

Updated subversion packages fix CVE-2014-0032

Updated subversion packages fix security vulnerability: The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). The package has been updated to version 1.8.8, which...

CVSS 4.3 • AI score 8.3 • EPSS 0.11052
Exploits 0 • References 3

Mageia • added 2014/02/27 9:58 p.m. • 36 views

Updated subversion packages fix CVE-2014-0032

Updated subversion packages fix security vulnerability: The mod_dav_svn module in Apache Subversion before 1.8.8, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via an OPTIONS request (CVE-2014-0032). The package has been patched to correct this issue...

CVSS 4.3 • AI score 8.3 • EPSS 0.11052
Exploits 0 • References 4

Mageia • added 2014/02/26 6:37 p.m. • 62 views

Updated kernel fixes security vulnerabilities

This kernel update provides an update to the upstream stable 3.12.13 maintenance release and fixes the following security issues: A flaw was found in the way cifs handled iovecs with bogus pointers userland passed down via writev during uncached writes. An unprivileged local user with access to...

CVSS 7.2 • AI score 8.3 • EPSS 0.00414
Exploits 0 • References 6

Mageia • added 2014/02/26 6:23 p.m. • 34 views

Updated lxc packages fix security vulnerability

Florian Sagar discovered that the LXC sshd template set incorrect mount permissions. An attacker could possibly use this flaw to cause privilege escalation on the host (CVE-2013-6441)...

CVSS 7.2 • AI score 2.3 • EPSS 0.00498
Exploits 1 • References 2

Mageia • added 2014/02/25 9:59 p.m. • 41 views

Updated oath-toolkit packages fix security vulnerability

It was found that comments (lines starting with a hash) in /etc/users.oath could prevent one-time-passwords (OTP) from being invalidated, leaving the OTP vulnerable to replay attacks (CVE-2013-7322)...

CVSS 4.9 • AI score 1.2 • EPSS 0.00877
Exploits 0 • References 4

Mageia • added 2014/02/25 9:54 p.m. • 49 views

Updated xstream packages fix CVE-2013-7285

Updated xstream packages fix security vulnerability: It was found that XStream would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code executio...

CVSS 9.8 • AI score 3.8 • EPSS 0.84362
Exploits 5 • References 3

Mageia • added 2014/02/25 9:49 p.m. • 45 views

Updated phpseclib and phpmyadmin packages fix security vulnerability

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879). This upgrade provides the latest phpmyadmin version 4.1.8 to address this vulnerabilit...

CVSS 3.5 • AI score 5.3 • EPSS 0.00967
Exploits 1 • References 3

Mageia • added 2014/02/25 9:42 p.m. • 61 views

Updated perl-CGI-Application packages fix CVE-2013-7329

Updated perl-CGI-Application package fixes security vulnerability: When applications using CGI::Application overload setup, which is normally the case, CGI::Application since version 4.19 has dump_html as a default run-mode unless the application explicitly redefines it. This unexpectedly dumps a...

CVSS 5 • AI score 2.7 • EPSS 0.01884
Exploits 0 • References 3

Mageia • added 2014/02/25 9:39 p.m. • 31 views

Updated openswan packages fix CVE-2013-6466

Updated openswan packages fix security vulnerability: A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash),...

CVSS 5 • AI score 3.1 • EPSS 0.02664
Exploits 1 • References 2

Mageia • added 2014/02/25 9:35 p.m. • 62 views

Updated springframework package fixes security vulnerabilities

It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152) in the Spring Framework was incomplete. Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option ...

CVSS 6.8 • AI score 0.6 • EPSS 0.90455
Exploits 0 • References 2

Mageia • added 2014/02/25 9:31 p.m. • 43 views

Updated zabbix packages fix multiple vulnerabilities

Updated zabbix packages fix security vulnerabilities: Zabbix before 2.0.11 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code (CVE-2013-5572). Zabbix before 2.0.11 allows switchi...

CVSS 5.5 • AI score 9.3 • EPSS 0.04111
Exploits 4 • References 5

Mageia • added 2014/02/25 9:22 p.m. • 46 views

Updated otrs packages fix security vulnerabilities and a missing dependency

Updated otrs package fixes security vulnerabilities: In OTRS before 3.2.14, an attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks (CVE-2014-1694). In OTRS before 3.2.14, an...

CVSS 7.5 • AI score 6.6 • EPSS 0.01827
Exploits 1 • References 5

Mageia • added 2014/02/25 9:16 p.m. • 49 views

Updated perl-Module-Metadata package clarifies the man page

This update clarifies the module's documentation about the code it executes (i.e. it does "eval" a module to determine its version number). Previously it said that it did not execute unsafe code (CVE-2013-1437)...

CVSS 9.8 • AI score 5 • EPSS 0.02943
Exploits 0 • References 2

Mageia • added 2014/02/22 7:10 p.m. • 42 views

Updated file package fixes security vulnerability

It was discovered that file before 5.17 contains a flaw in the handling of "indirect" magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). Additionally, other well-crafted files might result in long...

CVSS 5 • AI score 7.7 • EPSS 0.04933
Exploits 0 • References 2

Mageia • added 2014/02/21 6:20 p.m. • 41 views

Updated flash-player-plugin package fixes security vulnerabilities

Adobe Flash Player 11.2.202.341 contains fixes to critical security vulnerabilities found in earlier versions that could cause a crash and potentially allow an attacker to remotely take control of the affected system. This update resolves a stack overflow vulnerability that could result in...

CVSS 10 • AI score 7.5 • EPSS 0.24204
Exploits 4 • References 2

Mageia • added 2014/02/21 6:18 p.m. • 39 views

Updated libtar package fixes security vulnerability

A directory traversal attack was reported against libtar, a C library for manipulating tar archives. The application does not validate the filenames inside the tar archive, allowing to extract files in arbitrary path. An attacker can craft a tar file to override files beyond the tar_extract_glob an...

CVSS 5.8 • AI score 4.8 • EPSS 0.03277
Exploits 0 • References 2

Mageia • added 2014/02/21 6:16 p.m. • 48 views

Updated python-numpy packages fix security vulnerabilities

f2py insecurely used a temporary file. A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running f2py (CVE-2014-1858, CVE-2014-1859)...

CVSS 5.5 • AI score 5.6 • EPSS 0.0048
Exploits 0 • References 3

Mageia • added 2014/02/21 6:13 p.m. • 41 views

Updated freeradius package fixes security vulnerability

SSHA processing in freeradius before 2.2.3 runs into a stack-based buffer overflow in the freeradius rlm_pap module if the password source uses an unusually long hashed password (CVE-2014-2015)...

CVSS 7.5 • AI score 9.6 • EPSS 0.03912
Exploits 1 • References 4

Mageia • added 2014/02/21 6:10 p.m. • 35 views

Updated imagemagick package fixes security vulnerabilities

A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running...

CVSS 8.8 • AI score 8.7 • EPSS 0.10792
Exploits 0 • References 4

Mageia • added 2014/02/21 6:6 p.m. • 26 views

Updated gnome-chemistry-utils, gnumeric and goffice packages fix security vulnerability

Heap-based buffer overflow in the ms_escher_get_data function in plugins/excel/ms-escher.c in GNOME Office Gnumeric before 1.12.9 allows remote attackers to cause a denial of service (crash) via a crafted xls file with a crafted length value. (CVE-2013-6836)...

CVSS 4.3 • AI score 5.3 • EPSS 0.01747
Exploits 1 • References 2

Mageia • added 2014/02/19 9:24 p.m. • 43 views

Updated python & python3 packages fix multiple vulnerabilities

Updated python and python3 packages fix security vulnerabilities: A vulnerability was reported in Python's socket module, due to a boundary error within the sock_recvfrom_into function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses t...

CVSS 7.5 • AI score 9 • EPSS 0.28112
Exploits 8 • References 8

Mageia • added 2014/02/19 9:15 p.m. • 36 views

Updated puppet & puppet3 packages fix CVE-2013-4969 and a regression

Updated puppet and puppet3 packages fix security vulnerability: An unsafe use of temporary files was discovered in Puppet, a tool for centralized configuration management. An attacker can exploit this vulnerability and overwrite an arbitrary file in the system (CVE-2013-4969). This update also...

CVSS 2.1 • AI score 2 • EPSS 0.00428
Exploits 1 • References 3

Mageia • added 2014/02/17 6:15 p.m. • 56 views

Updated mongodb package fixes security vulnerability

A possible DoS issue was discovered in MongoDB (CVE-2012-6619). The --objcheck command line switch has now been enabled by default in the mongod service as a protective measure...

CVSS 6.4 • AI score 2.7 • EPSS 0.03943
Exploits 1 • References 3

Mageia • added 2014/02/17 6:13 p.m. • 45 views

Updated tomcat6 packages fix multiple vulnerabilities and logging

Updated tomcat6 packages fix security vulnerabilities: It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544)....

CVSS 6.9 • AI score 3.5 • EPSS 0.66817
Exploits 5 • References 4

Mageia • added 2014/02/17 12:25 a.m. • 35 views

Updated rawtherapee package fixes security vulnerability

Due to flaws in the embedded copy of dcraw in rawtherapee, corrupt input files might trigger a division by zero, an infinite loop, or a null pointer dereference (CVE-2013-1438)...

CVSS 4.3 • AI score 1.6 • EPSS 0.02059
Exploits 0 • References 3

Mageia • added 2014/02/17 12:22 a.m. • 38 views

Updated denyhosts package fixes security vulnerability

Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user ...

CVSS 5 • AI score 1.1 • EPSS 0.08896
Exploits 0 • References 3

Mageia • added 2014/02/17 12:20 a.m. • 12 views

Updated maradns package fixes security vulnerability

This update fixes a possible denial of service (DoS) vulnerability...

AI score 2.6
Exploits 0 • References 3

Mageia • added 2014/02/17 12:18 a.m. • 19 views

Updated maradns package fixes security vulnerabilities

This update fixes a possible blind spoof attack vulnerability and a possible denial of service (DoS) vulnerability...

AI score 3.4
Exploits 0 • References 5

Mageia • added 2014/02/16 1:32 p.m. • 43 views

Updated gnutls packages fix security vulnerability

Suman Jana reported a vulnerability that affects the certificate verification functions of gnutls 3.1.x and gnutls 3.2.x. A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior) (CVE-2014-1959)...

CVSS 5.8 • AI score 6.4 • EPSS 0.03388
Exploits 1 • References 2

Mageia • added 2014/02/16 1:29 p.m. • 42 views

Updated libpng12 package fixes security vulnerability

The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PLTE chunk of zero bytes or a NULL palette, related to pngrtran.c and pngset.c (CVE-2013-6954)...

CVSS 6.5 • AI score 6.4 • EPSS 0.04894
Exploits 1 • References 2

Mageia • added 2014/02/16 1:28 p.m. • 48 views

Updated libpng and libpng12 packages fix security vulnerability

The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PLTE chunk of zero bytes or a NULL palette, related to pngrtran.c and pngset.c (CVE-2013-6954)...

CVSS 6.5 • AI score 5.4 • EPSS 0.04894
Exploits 1 • References 3

Mageia • added 2014/02/16 1:23 p.m. • 32 views

Updated libgadu packages fix security vulnerability

A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow in Gadu-Gadu HTTP parsing (CVE-2013-6487)...

CVSS 7.5 • AI score 2.6 • EPSS 0.08174
Exploits 0 • References 3

Mageia • added 2014/02/16 1:9 p.m. • 34 views

Updated cxxtools package fixes security issue

A flaw in cxxtools version 2.2 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters (CVE-2013-7298). This update fixes the vulnerability...

CVSS 5 • AI score 5.1 • EPSS 0.01831
Exploits 0 • References 1

Mageia • added 2014/02/16 12:59 p.m. • 24 views

Updated tntnet packages fix security vulnerability

A flaw in Tntnet before 2.2.1 allows remote attackers to obtain sensitive information via a header that ends in \n instead of \r\n, which prevents a null terminator from being added and causes Tntnet to include headers from other requests (CVE-2013-7299)...

CVSS 5 • AI score 5 • EPSS 0.02504
Exploits 1 • References 2

Mageia • added 2014/02/16 12:54 p.m. • 33 views

Updated xbmc package fixes a security vulnerability

Due to flaws in the embedded copy of libDCR, a fork of dcraw.c, in the embedded copy of CxImage, opening a specially crafted photo file could trigger a division by zero, an infinite loop, or a null pointer dereference, resulting in a denial of service (CVE-2013-1438). This update fixes those flaws...

CVSS 4.3 • AI score 1 • EPSS 0.02059
Exploits 0 • References 3

Mageia • added 2014/02/16 12:49 p.m. • 29 views

Updated socat package fixes security vulnerability

Due to a missing check in socat before 2.0.0-b7 during assembly of the HTTP request line, a long target server name in the documentation in the PROXY-CONNECT address can cause a stack buffer overrun. Exploitation requires that the attacker is able to provide the target server name to the...

CVSS 1.9 • AI score 6.5 • EPSS 0.00404
Exploits 1 • References 2

Mageia • added 2014/02/14 8:51 p.m. • 25 views

Updated pacemaker package fixes one security issue

A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base (CIB) configuration or resource management, a remote attacker could use this flaw to...

CVSS 4.3 • AI score 3.1 • EPSS 0.02996
Exploits 1 • References 3

Mageia • added 2014/02/13 7:51 p.m. • 33 views

Updated perl-Capture-Tiny package fixes security vulnerability

perl-Capture-Tiny before 0.24 used files in /tmp in an insecure manner (CVE-2014-1875)...

CVSS 3.6 • AI score 6.5 • EPSS 0.00516
Exploits 1 • References 2

Mageia • added 2014/02/13 7:49 p.m. • 19 views

Updated mpg123 packages fix a buffer overflow

Updated mpg123 packages fix security vulnerability: mpg123 1.14.1 and later are vulnerable to a buffer overflow that could allow a maliciously crafted audio file to crash applications that use the libmpg123 library. mpg123 has been updated to version 1.18.0, which fixes this issue, as well as...

AI score 4.4
Exploits 0 • References 2

Mageia • added 2014/02/13 7:47 p.m. • 19 views

Updated ffmpeg packages fix several security vulnerabilities

Updated ffmpeg packages fix security vulnerabilities: This update provides ffmpeg version 1.1.8, which fixes several unspecified security vulnerabilities and other bugs which were corrected upstream...

AI score 3.6
Exploits 0 • References 3

Total number of security vulnerabilities: 5993