
5998 matches found

Mageia
•added 2015/09/13 9:58 p.m.•29 views

Updated gnupg packages fix security vulnerabilities

Updated gnupg and gnupg2 packages fix security vulnerabilities: Hanno Böck discovered that GnuPG incorrectly handled certain malformed keyrings. If a user or automated system were tricked into opening a malformed keyring, a remote attacker could use this issue to cause GnuPG to crash, resulting i...

5.5 CVSS | 7.3 AI score | 0.02473 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/13 9:58 p.m.•17 views

Updated mariadb packages fix security vulnerabilities

Updated mariadb packages fix security vulnerability: The mariadb packages have been updated to versions 5.5.45 and 10.0.21 for Mageia 4 and Mageia 5, respectively. The key length for creating Diffie-Hellman keys has been increased to 2048 bits, and other bugs have been fixed. See the upstream...

3.7 AI score
Exploits: 0 | References: 4

Mageia
•added 2015/09/08 6:23 p.m.•41 views

Updated libxml2 packages fix security vulnerabilities

Updated libxml2 packages fix security vulnerability: The xmlreader in libxml2 allows remote attackers to cause a denial of service (memory consumption) via crafted XML data, related to an XML Entity Expansion (XEE) attack (CVE-2015-1819). The libxml2 package has been patched to fix this issue, as well ...

5 CVSS | 9 AI score | 0.0634 EPSS
Exploits: 0 | References: 4

Mageia
•added 2015/09/08 5:55 p.m.•30 views

Updated squid packages fix CVE-2015-5400

Updated squid packages fix security vulnerability: Alex Rousskov discovered that Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses. In some configurations, it allows remote clients to bypass security in an explicit...

6.8 CVSS | 8.6 AI score | 0.16525 EPSS
Exploits: 1 | References: 3

Mageia
•added 2015/09/08 5:55 p.m.•35 views

Updated ruby-rack packages fix CVE-2015-3225

Updated ruby-rack packages fix security vulnerability: lib/rack/utils.rb in Rack before 1.5.4 allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth (CVE-2015-3225)...

5 CVSS | 6.2 AI score | 0.07778 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•40 views

Updated xmltooling packages fix CVE-2015-0851

Updated xmltooling and opensaml packages fix security vulnerability: The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a deni...

5 CVSS | 7.3 AI score | 0.02444 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/09/08 5:55 p.m.•40 views

Updated ntp packages fix security vulnerabilities

Updated ntp packages fix security vulnerability: A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted package to cause ntpd to crash if the attacker had authenticated access to remote ntpd configuration (CVE-2015-5146). It was...

7.5 CVSS | 6.8 AI score | 0.07544 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/09/08 5:55 p.m.•16 views

Updated pure-ftpd packages fix security vulnerability

Updated pure-ftpd packages fix security vulnerability: It was reported that the process handling a user session could be crashed by trying to match a file pattern longer than the maximum length for a path...

0.3 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•58 views

Updated chromium-browser packages fix security vulnerabilities

Updated chromium-browser-stable packages fix security vulnerabilities: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromiu...

7.5 CVSS | 9.2 AI score | 0.0224 EPSS
Exploits: 2 | References: 7

Mageia
•added 2015/09/08 5:55 p.m.•17 views

Updated pcre packages fix security vulnerabilities

Updated pcre packages fix security vulnerabilities: The pcre package has been updated to the latest CVS as of September 2, 2015, aka 8.38-RC1, which fixes several bugs, including many buffer, stack, and integer overflows...

2.7 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•31 views

Updated libidn packages fix CVE-2015-2059

Updated libidn packages fix security vulnerability: In libidn before 1.31, stringprep_utf8_to_ucs4 did not validate that the input UTF-8 string was actually valid UTF-8, which could lead to out-of-bounds reads (CVE-2015-2059)...

7.5 CVSS | 7.7 AI score | 0.03124 EPSS
Exploits: 0 | References: 5

Mageia
•added 2015/09/08 5:55 p.m.•36 views

Updated vorbis-tools packages fix CVE-2015-6749

Updated vorbis-tools package fixes security vulnerability: A buffer overread is possible in vorbis-tools in oggenc/audio.c when opening a specially crafted AIFF file (CVE-2015-6749)...

4.3 CVSS | 5.9 AI score | 0.03786 EPSS
Exploits: 1 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•34 views

Updated struts packages fix CVE-2015-0899

Updated struts packages fix security vulnerability: The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. Whe...

7.5 CVSS | 7.8 AI score | 0.21425 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•38 views

Updated ruby-RubyGems packages fix security vulnerabilities

Updated ruby-RubyGems package fixes security vulnerability: RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack" (CVE-2015-3900)...

5 CVSS | 8.2 AI score | 0.08934 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•16 views

Updated php packages fix security vulnerabilities

Updated php packages fix security vulnerabilities: The php package has been updated to version 5.6.13, which fixes several security issues and other bugs. See the upstream ChangeLog for more details...

3.1 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•45 views

Updated util-linux packages fix CVE-2015-5224

Updated util-linux packages fix security vulnerability: The chfn and chsh commands in util-linux's login-utils are vulnerable to a file name collision due to incorrect mkstemp usage. If the chfn and chsh binaries are both setuid-root they eventually call mkostemp in such a way that an attacker...

9.8 CVSS | 9.1 AI score | 0.04526 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•25 views

Updated screen packages fix CVE-2015-6806

Updated screen package fixes security vulnerability: A vulnerability was found in screen causing a stack overflow which results in crashing the screen server process, resulting in denial of service (CVE-2015-6806)...

5 CVSS | 6.5 AI score | 0.04148 EPSS
Exploits: 1 | References: 2

Mageia
•added 2015/09/08 5:55 p.m.•20 views

Updated webmin packages fix CVE-2015-1990

Updated webmin package fixes security vulnerability: A malicious website could create links or JavaScript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site (CVE-2015-1990)...

1.4 AI score
Exploits: 0 | References: 3

Mageia
•added 2015/09/08 7:20 a.m.•33 views

Updated squashfs-tools packages fix security vulnerabilities

Updated squashfs-tools package fixes security vulnerabilities: The unsquashfs command from squashfs-tools is vulnerable to integer (CVE-2015-4645) and stack (CVE-2015-4646) overflows...

7.5 CVSS | 6.6 AI score | 0.0691 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 7:20 a.m.•56 views

Updated lighttpd packages fix CVE-2015-3200 & other bugs

Updated lighttpd packages fix security vulnerability: mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character (CVE-2015-3200). The...

7.5 CVSS | 8 AI score | 0.09978 EPSS
Exploits: 1 | References: 6

Mageia
•added 2015/09/08 7:20 a.m.•36 views

Updated freeimage packages fix security vulnerabilities

Updated freeimage packages fix security vulnerability: FreeImage is vulnerable to an integer overflow in PluginPCX.cpp, making the PCX loader vulnerable to malicious images with a bad window specification (CVE-2015-0852). Moreover, FreeImage was built in Mageia against a number of bundled libraries...

5 CVSS | 8 AI score | 0.0295 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 7:20 a.m.•30 views

Updated jsoup package fixes security vulnerability

Jsoup before 1.8.3 was vulnerable to a possible XSS issue in the validator, related to how it handled tags without a closing '>' when reaching EOF (CVE-2015-6748)...

6.1 CVSS | 6.3 AI score | 0.02207 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 7:20 a.m.•20 views

Updated hplip packages fix CVE-2015-0839

Updated hplip packages fix security vulnerability: It was reported that the hp-plugin utility, included in the hplip package, downloads a binary driver and verifies it via a key specified by the key's short ID. A man-in-the-middle attacker could use this flaw to generate a key with the expected...

8.1 CVSS | 7.6 AI score | 0.06296 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/09/08 7:20 a.m.•38 views

Updated openafs package fixes security vulnerabilities

Updated openafs packages fix security vulnerabilities: Memory allocated by vos for VLDB entry structures was not cleared prior to use, meaning stack data could be sent over the network, possibly in the clear if crypt mode was not in use (CVE-2015-3282). The default use by bos of clear rather than...

6.8 CVSS | 6.8 AI score | 0.02081 EPSS
Exploits: 0 | References: 10

Mageia
•added 2015/09/08 7:20 a.m.•41 views

Updated bind packages fix security vulnerabilities

Updated bind packages fix security vulnerability: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from ...

7.8 CVSS | 7.6 AI score | 0.33652 EPSS
Exploits: 0 | References: 5

Mageia
•added 2015/09/08 7:20 a.m.•47 views

Updated iceape packages fix security vulnerabilities

Updated iceape packages fix security issues: Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly...

9.3 CVSS | 10.1 AI score | 0.67465 EPSS
Exploits: 4 | References: 25

Mageia
•added 2015/08/30 2:27 p.m.•26 views

Updated audit packages fix security vulnerability

When auditing the filesystem, the names of files are logged. These filenames can contain escape sequences; when viewed using the ausearch program's "-i" option, for example, this can result in the escape sequences being processed unsafely by the terminal program being used to view the data...

5.3 CVSS | 6.1 AI score | 0.02755 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/08/30 2:27 p.m.•13 views

Updated glusterfs packages fix security vulnerability

There were cases where setuid could fail even when the caller is UID 0. The glusterd.service file was omitted from the glusterfs package. This update resolves both of these issues...

2.5 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/08/30 2:27 p.m.•21 views

Updated glusterfs packages fix security vulnerability

There were cases where setuid could fail even when the caller is UID 0. The glusterd.service file was set as executable but that is not necessary. This update resolves both of these issues...

2.2 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/08/29 7:53 a.m.•37 views

Updated firefox package fixes security vulnerability

Updated firefox packages fix security vulnerabilities: A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2015-4497). A flaw wa...

10 CVSS | 9.5 AI score | 0.08007 EPSS
Exploits: 0 | References: 9

Mageia
•added 2015/08/27 8:49 p.m.•52 views

Updated thunderbird packages fix security vulnerabilities

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird CVE-2015-4473, CVE-2015-4491, CVE-2015-4487, CVE-2015-4488,...

10 CVSS | 8.6 AI score | 0.084 EPSS
Exploits: 0 | References: 6

Mageia
•added 2015/08/27 8:49 p.m.•54 views

Updated subversion packages fix security vulnerabilities

Subversion's mod_authz_svn does not properly restrict anonymous access in some mixed anonymous/authenticated environments when using Apache httpd 2.4. The result is that anonymous access may be possible to files for which only authenticated access should be possible (CVE-2015-3184). Subversion server...

5 CVSS | 8 AI score | 0.10607 EPSS
Exploits: 0 | References: 6

Mageia
•added 2015/08/27 8:49 p.m.•41 views

Updated python-django and python-django14 packages fix security vulnerabilities

Lin Hua Cheng discovered that Django incorrectly handled the session store. A remote attacker could use this issue to cause the session store to fill up, resulting in a denial of service...

5 CVSS | 6.3 AI score | 0.05163 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/27 8:49 p.m.•33 views

Updated drupal packages fix security vulnerabilities

Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files (CVE-2015-6658). SQL injection vulnerability in the SQL comment filtering system in the Database API i...

7.5 CVSS | 7.2 AI score | 0.0506 EPSS
Exploits: 0 | References: 4

Mageia
•added 2015/08/27 8:49 p.m.•33 views

Updated vlc packages fix security vulnerabilities

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files (CVE-2015-5949)...

6.8 CVSS | 9.5 AI score | 0.13337 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/26 8:36 p.m.•44 views

Updated cgit package fixes security vulnerability

cgit in Mageia 4/5 bundles an old git that is subject to a minor security issue (CVE-2014-9390). The cgit package was updated to its latest upstream release, and updates the bundled git to the non-vulnerable version 2.5.0, which contains various bug fixes...

9.8 CVSS | 9.1 AI score | 0.63178 EPSS
Exploits: 5 | References: 2

Mageia
•added 2015/08/25 6:17 p.m.•20 views

Updated wireshark packages fix security vulnerabilities

The wireshark package has been updated to version 1.12.7, which fixes several security issues where a malformed packet trace could cause it to crash or go into an infinite loop, and fixes several other bugs as well. See the release notes for details...

3 AI score
Exploits: 0 | References: 12

Mageia
•added 2015/08/25 6:17 p.m.•38 views

Updated gnutls packages fix security vulnerabilities

It was reported that GnuTLS does not check whether the two signature algorithms match on certificate import (CVE-2015-0294). Kurt Roeckx discovered that decoding a specific certificate with very long DistinguishedName (DN) entries leads to double free. A remote attacker can take advantage of this fla...

7.5 CVSS | 7.2 AI score | 0.1903 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/25 6:17 p.m.•28 views

Updated vlc packages fix security vulnerability

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files (CVE-2015-5949)...

6.8 CVSS | 9.5 AI score | 0.13337 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/21 6:54 p.m.•33 views

Updated x11-server packages fix security vulnerability

The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket (CVE-2015-3164)...

3.6 CVSS | 7.2 AI score | 0.00393 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/21 6:54 p.m.•26 views

Updated libcryptopp package fixes security vulnerability

Evgeny Sidorov discovered that libcryptopp did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key (CVE-2015-2141)...

5 CVSS | 7.4 AI score | 0.02879 EPSS
Exploits: 0 | References: 2

Mageia
•added 2015/08/21 6:54 p.m.•17 views

Updated mediawiki packages fix security vulnerabilities

The mediawiki package has been updated to version 1.23.10, which fixes multiple security issues and other bugs. See the release announcement for more details...

4.4 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/08/21 6:54 p.m.•12 views

Updated openssh packages fix security vulnerabilities

A privilege separation weakness related to PAM support, allowing an attacker to impersonate other users, was found in the openssh package. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate oth...

4.7 AI score
Exploits: 0 | References: 3

Mageia
•added 2015/08/21 6:54 p.m.•12 views

Updated php packages fix security vulnerabilities

The php package has been updated to version 5.6.12, which fixes several security issues and other bugs. See the upstream ChangeLog for more details...

3.4 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/08/21 6:54 p.m.•16 views

Updated php packages fix security vulnerabilities

The php package has been updated to version 5.5.28, which fixes several security issues and other bugs. See the upstream ChangeLog for more details...

3.4 AI score
Exploits: 0 | References: 2

Mageia
•added 2015/08/17 10:47 p.m.•33 views

Updated kdepim package fixes security vulnerability

This update fixes a security vulnerability in kdepim: kmail doesn't encrypt attachments when "automatic encryption" is selected (CVE-2014-8878)...

5.9 CVSS | 5.9 AI score | 0.0121 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/13 8:56 p.m.•45 views

Updated gdk-pixbuf2.0 package fixes security vulnerability

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf. This issue is triggered by the scaling of a malformed bitmap format image and results in a potentially exploitable crash (CVE-2015-4491)...

6.8 CVSS | 7.8 AI score | 0.084 EPSS
Exploits: 0 | References: 3

Mageia
•added 2015/08/13 8:56 p.m.•43 views

Updated owncloud package fixes security vulnerabilities

In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted (CVE-2015-4715). In ownCloud before 6.0.8 and 8.0.4, the...

9 CVSS | 6.8 AI score | 0.03043 EPSS
Exploits: 0 | References: 5

Mageia
•added 2015/08/11 8:22 p.m.•40 views

Updated firefox packages fix security vulnerabilities

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,...

10 CVSS | 8.6 AI score | 0.09027 EPSS
Exploits: 0 | References: 13

Mageia
•added 2015/08/11 8:22 p.m.•45 views

Updated flash-player-plugin package fixes security vulnerabilities

Adobe Flash Player 11.2.202.508 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves type confusion vulnerabilities that could lead to code execution CVE-2015-5128,...

10 CVSS | 7.9 AI score | 0.65956 EPSS
Exploits: 5 | References: 2

Total number of security vulnerabilities: 5998