5993 matches found

Mageia
•added 2014/02/13 7:44 p.m.•34 views

Updated varnish packages fix CVE-2013-4484 and correct service behaviour

Updated varnish packages fix security vulnerabilities: Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI (CVE-2013-4484). Also, the services have been converted...

CVSS 5 · AI score 4.5 · EPSS 0.03025
Exploits: 3 · References: 2
Mageia
•added 2014/02/12 10:53 p.m.•48 views

Updated kernel-vserver packages fix security vulnerability

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 6.9 · AI score 7.8 · EPSS 0.34649
Exploits: 19 · References: 5
Mageia
•added 2014/02/12 10:48 p.m.•55 views

Updated kernel-rt packages fix security vulnerability

This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or...

CVSS 6.9 · AI score 7.5 · EPSS 0.34649
Exploits: 16 · References: 2
Mageia
•added 2014/02/12 5:20 p.m.•31 views

Updated openldap packages fix security vulnerability

A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) performed reference counting when using the rwm (rewrite/remap) overlay. A remote attacker able to query the OpenLDAP server could use this flaw to crash the server by immediately unbinding from the server after sending ...

CVSS 4.3 · AI score 2.5 · EPSS 0.10913
Exploits: 1 · References: 3
Mageia
•added 2014/02/12 5:17 p.m.•47 views

Updated kernel-linus package fixes security vulnerability

This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or...

CVSS 6.9 · AI score 7.5 · EPSS 0.34649
Exploits: 16 · References: 2
Mageia
•added 2014/02/12 5:15 p.m.•41 views

Updated qemu package fixes security vulnerability

Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Additionally, qemu has been updated to 1.6.2, fixing several other bugs...

CVSS 2.3 · AI score 1.5 · EPSS 0.0046
Exploits: 0 · References: 3
Mageia
•added 2014/02/12 5:13 p.m.•31 views

Updated tor package fixes security vulnerability

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for relay identity keys and hidden-service identity keys, which might make it easier for remote attackers to...

CVSS 4 · AI score 3.6 · EPSS 0.01751
Exploits: 0 · References: 2
Mageia
•added 2014/02/12 5:10 p.m.•60 views

Updated augeas package fixes security vulnerabilities

Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable to by a different user for example, an application running as root that is updating files in a directory owned by a...

CVSS 4.6 · AI score 1.7 · EPSS 0.00446
Exploits: 1 · References: 3
Mageia
•added 2014/02/12 5:8 p.m.•36 views

Updated ejabberd package fixes security vulnerabilities

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack (CVE-2013-6169)...

CVSS 4.3 · AI score 5.2 · EPSS 0.01595
Exploits: 0 · References: 2
Mageia
•added 2014/02/12 5:7 p.m.•47 views

Updated plexus-archiver package fixes security vulnerability

Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs (CVE-2012-2098). plexus-archiver...

CVSS 5 · AI score 3.6 · EPSS 0.12508
Exploits: 1 · References: 3
Mageia
•added 2014/02/11 10:38 p.m.•44 views

Updated kernel-vserver packages fix multiple vulnerabilities

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 6.9 · AI score 7.8 · EPSS 0.34649
Exploits: 19 · References: 5
Mageia
•added 2014/02/11 10:37 p.m.•48 views

Updated ruby-will_paginate package fixes CVE-2013-6459

Updated ruby-will_paginate packages fix security vulnerability: Cross-Site Scripting (XSS) vulnerabilities were found in will_paginate gem for Ruby, where certain input related to generated pagination links were not properly sanitised before being returned. This could be exploited to execute arbitrar...

CVSS 4.3 · AI score 0.7 · EPSS 0.02209
Exploits: 1 · References: 3
Mageia
•added 2014/02/11 10:34 p.m.•48 views

Updated moodle package fixes security vulnerabilities

Updated moodle package fixes security vulnerabilities: In Moodle before 2.4.8, some password changes on admin pages were being recorded and shown to administrators in the config log report (CVE-2014-0008). In Moodle before 2.4.8, users were able to log in as a user who is not in the same group...

CVSS 6.8 · AI score 6.5 · EPSS 0.01823
Exploits: 0 · References: 7
Mageia
•added 2014/02/11 10:13 p.m.•36 views

Updated chrony package fixes security vulnerability

Updated chrony package fixes security vulnerability: In the chrony control protocol some replies are significantly larger than their requests, which allows an attacker to use it in an amplification attack (CVE-2014-0021). Note: in the default configuration, cmdallow is restricted to localhost, so...

CVSS 7.5 · AI score 7.6 · EPSS 0.03801
Exploits: 0 · References: 2
Mageia
•added 2014/02/11 10:6 p.m.•33 views

Updated libvirt packages fix two vulnerabilities

Updated libvirt packages fix security vulnerabilities: It was discovered that insecure job usage could lead to denial of service against libvirtd (CVE-2013-6458). It was discovered that a race condition in keepalive handling could lead to denial of service against libvirtd (CVE-2014-1447)...

CVSS 6.8 · AI score 6.1 · EPSS 0.02343
Exploits: 0 · References: 2
Mageia
•added 2014/02/10 8:21 p.m.•34 views

Updated darktable package fixes two vulnerabilities

Updated darktable package fixes security vulnerabilities: Darktable before version 1.2.3 contains an embedded copy of LibRaw that incorrectly handled photo files. If a user was tricked into processing a specially crafted photo file, darktable could be made to crash, resulting in a denial of servi...

CVSS 4.3 · AI score 4.2 · EPSS 0.02059
Exploits: 1 · References: 2
Mageia
•added 2014/02/10 8:20 p.m.•42 views

Updated icedtea-web packages fix CVE-2013-6493

Updated icedtea-web packages fix security vulnerability: LiveConnect provides a gateway between the JavaScript engine in the web browser and Java applets. An insecure temporary file use flaw was found in the LiveConnect implementation in the IcedTea-Web browser plug-in. A malicious, local user...

CVSS 2.1 · AI score 2.2 · EPSS 0.00478
Exploits: 1 · References: 3
Mageia
•added 2014/02/10 8:18 p.m.•63 views

Updated seamonkey packages fix multiple vulnerabilities

Updated iceape packages fix security issues: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 26.0, Firefox ESR 24.x before 24.2, Thunderbird before 24.2, and SeaMonkey before 2.23 allow remote attackers to cause a denial of service memory corruption and...

CVSS 10 · AI score 9.8 · EPSS 0.10871
Exploits: 21 · References: 22
Mageia
•added 2014/02/10 8:14 p.m.•46 views

Updated flite package fixes CVE-2014-0027

Updated flite packages fix security vulnerability: The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav (CVE-2014-0027)...

CVSS 3.3 · AI score 6.2 · EPSS 0.00331
Exploits: 1 · References: 2
Mageia
•added 2014/02/10 8:13 p.m.•48 views

Updated kernel-tmb packages fix CVE-2014-0038

This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or...

CVSS 6.9 · AI score 7.5 · EPSS 0.34649
Exploits: 16 · References: 2
Mageia
•added 2014/02/10 8:9 p.m.•62 views

Updated kernel-tmb packages fix multiple vulnerabilities

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 6.9 · AI score 7.8 · EPSS 0.34649
Exploits: 19 · References: 5
Mageia
•added 2014/02/10 8:6 p.m.•57 views

Updated kernel-rt packages fix multiple vulnerabilities

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 6.9 · AI score 7.8 · EPSS 0.34649
Exploits: 19 · References: 5
Mageia
•added 2014/02/10 8:3 p.m.•54 views

Updated kernel-linus package fixes multiple vulnerabilities

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 7.2 · AI score 8.3 · EPSS 0.34649
Exploits: 25 · References: 5
Mageia
•added 2014/02/10 7:51 p.m.•42 views

Updated springframework packages fix CVE-2013-4152

Updated springframework packages fix security vulnerability: Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites (CVE-2013-4152)...

CVSS 6.8 · AI score 2.1 · EPSS 0.26271
Exploits: 1 · References: 2
Mageia
•added 2014/02/08 7:13 p.m.•21 views

Updated mupdf packages fix a buffer overflow

Updated mupdf packages fix security vulnerability: A stack-based buffer overflow was found in mupdf's xps_parse_color function. An attacker could create a specially crafted XPS file that, when opened, could cause mupdf or an application using mupdf to crash...

AI score 3.9
Exploits: 0 · References: 3
Mageia
•added 2014/02/08 7:11 p.m.•44 views

Updated yaml packages fix CVE-2013-6393

Updated libyaml packages fix security vulnerabilities: Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when...

CVSS 6.8 · AI score 3.6 · EPSS 0.09234
Exploits: 0 · References: 2
Mageia
•added 2014/02/08 7:9 p.m.•47 views

Updated kernel package fixes a critical security issue

This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or...

CVSS 6.9 · AI score 7.5 · EPSS 0.34649
Exploits: 16 · References: 3
Mageia
•added 2014/02/08 7:1 p.m.•56 views

Updated kernel package fixes one critical and a few other security issues

This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC...

CVSS 6.9 · AI score 7.8 · EPSS 0.34649
Exploits: 19 · References: 6
Mageia
•added 2014/02/08 6:46 p.m.•44 views

Updated chromium-browser-stable package fixes multiple vulnerabilities

Use-after-free related to forms (CVE-2013-6641). Unprompted sync with an attacker's Google account (CVE-2013-6643). Various fixes from internal audits, fuzzing and other initiatives (CVE-2013-6644). Use-after-free related to speech input elements (CVE-2013-6645). Use-after-free in web workers CVE-2013-664...

CVSS 7.5 · AI score 5.2 · EPSS 0.02032
Exploits: 9 · References: 3
Mageia
•added 2014/02/06 8:2 p.m.•53 views

Updated Firefox & Thunderbird packages fix multiple security vulnerabilities

Updated firefox and thunderbird packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user...

CVSS 10 · AI score 9.3 · EPSS 0.06883
Exploits: 7 · References: 11
Mageia
•added 2014/02/05 3:35 p.m.•46 views

Updated flash-player-plugin packages fix CVE-2014-0497

Adobe Flash Player 11.2.202.336 contains a fix to a critical security vulnerability found in earlier versions that could cause a crash and potentially allow an attacker to remotely take control of the affected system. This update resolves an integer underflow vulnerability that could be exploited...

CVSS 10 · AI score 7.2 · EPSS 0.99883
Exploits: 7 · References: 2
Mageia
•added 2014/02/05 3:31 p.m.•37 views

Updated pidgin package fixes security vulnerabilities

Many places in the Yahoo! protocol plugin assumed incoming strings were UTF-8 and failed to transcode from non-UTF-8 encodings. This can lead to a crash when receiving strings that aren't UTF-8 (CVE-2012-6152). A remote XMPP user can trigger a crash on some systems by sending a message with a...

CVSS 10 · AI score 6.9 · EPSS 0.14809
Exploits: 0 · References: 17
Mageia
•added 2014/02/05 3:27 p.m.•49 views

Updated hplip package fixes security vulnerabilities

It was discovered that the HPLIP Polkit daemon incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files (CVE-2013-6402). It was discovered that HPLIP contained an upgrade tool that would download code in an unsafe fashion. If a remote attacker...

CVSS 6.8 · AI score 2.4 · EPSS 0.03945
Exploits: 1 · References: 3
Mageia
•added 2014/01/31 4:44 p.m.•46 views

Updated ntp packages work around security vulnerability

The "monlist" command of the NTP protocol is currently abused in a DDoS reflection attack. This is done by spoofing packets from addresses to which the attack is directed. The ntp installations themselves are not the target of the attack, but they are part of the DDoS network which the attacker is...

CVSS 5 · AI score 2 · EPSS 0.97549
Exploits: 23 · References: 4
Mageia
•added 2014/01/31 4:43 p.m.•38 views

Updated drupal package fixes security vulnerabilities

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts (CVE-2014-1475). Matt Vance and Damien Tournoud reported an access bypass vulnerability in the...

CVSS 7.5 · AI score 6.3 · EPSS 0.01526
Exploits: 0 · References: 3
Mageia
•added 2014/01/31 4:42 p.m.•36 views

Updated libmicrohttpd package fixes security vulnerabilities

The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read (CVE-2013-7038). Stack-based buffer overflow in the MHD_digest_auth_check function in...

CVSS 6.4 · AI score 6.6 · EPSS 0.03277
Exploits: 0 · References: 3
Mageia
•added 2014/01/24 9:5 p.m.•31 views

Updated flash-player-plugin fixes security vulnerabilities

Adobe Flash Player 11.2.202.335 contains fixes to critical security vulnerabilities found in earlier versions. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. This update resolves a vulnerability that could be used to bypass Flas...

CVSS 10 · AI score 6.5 · EPSS 0.07117
Exploits: 0 · References: 2
Mageia
•added 2014/01/24 9:4 p.m.•34 views

Updated python-jinja2 package fixes two security vulnerabilities

Updated python-jinja2 packages fix security vulnerability: Jinja2, a template engine written in pure python, was found to use /tmp as a default directory for jinja2.bccache.FileSystemBytecodeCache, which is insecure because the /tmp directory is world-writable and the filenames used like...

CVSS 4.4 · AI score 7.2 · EPSS 0.00373
Exploits: 0 · References: 5
Mageia
•added 2014/01/24 9:2 p.m.•30 views

Updated graphviz packages fix security vulnerabilities

Updated graphviz packages fix security vulnerabilities: Multiple buffer overflow vulnerabilities in graphviz due to an error within the "yyerror" function (lib/cgraph/scan.l) which can be exploited to cause a stack-based buffer overflow via a specially crafted file (CVE-2014-0978) and the acceptance ...

CVSS 10 · AI score 7.9 · EPSS 0.06082
Exploits: 2 · References: 3
Mageia
•added 2014/01/24 9:1 p.m.•39 views

Updated lightdm-gtk-greeter fixes CVE-2014-0979

Updated lightdm-gtk-greeter package fixes security vulnerability: lightdm-gtk-greeter uses the lightdm-gobject API incorrectly and does not handle lightdm_greeter_get_authentication_user returning NULL when the username of the previous authentication is invalid resulting in a NULL pointer dereference...

CVSS 2.1 · AI score 6.2 · EPSS 0.0041
Exploits: 0 · References: 3
Mageia
•added 2014/01/24 8:59 p.m.•26 views

Updated perl-Proc-Daemon package fixes CVE-2013-7135

Updated perl-Proc-Daemon package fixes security vulnerability: It was reported that perl-Proc-Daemon, when instructed to write a pid file, does that with a umask set to 0, so the pid file ends up with mode 666, allowing any user on the system to overwrite it (CVE-2013-7135)...

CVSS 7.2 · AI score 2.4 · EPSS 0.00379
Exploits: 0 · References: 2
Mageia
•added 2014/01/21 4:23 p.m.•35 views

Updated nss packages fix security vulnerability

Updated nss packages fix security vulnerability: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509...

CVSS 5.8 · AI score 3.8 · EPSS 0.01929
Exploits: 1 · References: 2
Mageia
•added 2014/01/21 4:22 p.m.•58 views

Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities

Updated java-1.7.0-openjdk packages fix security vulnerabilities: An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could...

CVSS 10 · AI score 6.3 · EPSS 0.08383
Exploits: 1 · References: 4
Mageia
•added 2014/01/21 4:20 p.m.•36 views

Updated spice packages fix a security vulnerability

Updated spice packages fix security vulnerability: A stack-based buffer overflow flaw was found in the way the reds_handle_ticket function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting...

CVSS 5 · AI score 2.3 · EPSS 0.0273
Exploits: 2 · References: 2
Mageia
•added 2014/01/21 4:19 p.m.•50 views

Updated cups packages fix a security vulnerability

Updated cups packages fix security vulnerability: Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, bypassing access restrictions (CVE-2013-6891)...

CVSS 1.2 · AI score 1.1 · EPSS 0.00446
Exploits: 1 · References: 3
Mageia
•added 2014/01/21 4:17 p.m.•28 views

Updated libxfont packages fix security vulnerability

Updated libxfont packages fix security vulnerability: It was discovered that a buffer overflow in the processing of Glyph Bitmap Distribution fonts (BDF) could result in the execution of arbitrary code (CVE-2013-6462)...

CVSS 9.3 · AI score 3.7 · EPSS 0.10254
Exploits: 1 · References: 3
Mageia
•added 2014/01/21 4:16 p.m.•43 views

Updated net-snmp packages fix CVE-2012-6151

Updated net-snmp packages fix security vulnerability: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to...

CVSS 4.3 · AI score 1.1 · EPSS 0.09451
Exploits: 1 · References: 4
Mageia
•added 2014/01/21 4:14 p.m.•35 views

Updated memcached package fixes multiple security vulnerabilities

Updated memcached packages fix security vulnerability: It was reported that SASL authentication could be bypassed due to a flaw related to the management of the SASL authentication state. With a specially crafted request, a remote attacker may be able to authenticate with invalid SASL credentials...

CVSS 4.8 · AI score 3.6 · EPSS 0.01498
Exploits: 3 · References: 2
Mageia
•added 2014/01/21 4:12 p.m.•38 views

Updated ruby-i18n package fixes security vulnerability

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call (CVE-2013-4492)...

CVSS 4.3 · AI score 5.2 · EPSS 0.02231
Exploits: 0 · References: 2
Mageia
•added 2014/01/21 4:8 p.m.•41 views

Updated x11-server package fixes security vulnerability

Bryan Quigley discovered an integer underflow in the Xorg X server which could lead to denial of service or the execution of arbitrary code (CVE-2013-6424)...

CVSS 5 · AI score 4.5 · EPSS 0.02879
Exploits: 0 · References: 2

Total number of security vulnerabilities: 5993