6011 matches found
Updated wireshark packages fix security vulnerabilities
The wireshark package has been updated to version 1.12.7, which fixes several security issues where a malformed packet trace could cause it to crash or go into an infinite loop, and fixes several other bugs as well. See the release notes for details...
Updated vlc packages fix security vulnerability
Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files CVE-2015-5949...
Updated x11-server packages fix security vulnerability
The authentication setup in XWayland 1.16.x and 1.17.x before 1.17.2 starts the server in non-authenticating mode, which allows local users to read from or send information to arbitrary X11 clients via vectors involving a UNIX socket CVE-2015-3164...
Updated php packages fix security vulnerabilities
The php package has been updated to version 5.6.12, which fixes several security issues and other bugs. See the upstream ChangeLog for more details...
Updated mediawiki packages fix security vulnerabilities
The mediawiki package has been updated to version 1.23.10, which fixes multiple security issues and other bugs. See the release announcement for more details...
Updated libcryptopp package fixes security vulnerability
Evgeny Sidorov discovered that libcryptopp did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key CVE-2015-2141...
Updated php packages fix security vulnerabilities
The php package has been updated to version 5.5.28, which fixes several security issues and other bugs. See the upstream ChangeLog for more details...
Updated openssh packages fix security vulnerabilities
Privilege seaparation weakness related to PAM support allowing the attacker to impersonate other users was found in openssh package. Attackers who could successfully compromise the pre-authentication process for remote code execution and who had valid credentials on the host could impersonate oth...
Updated kdepim package fixes security vulnerability
This update fixes a security vulnerability in kdepim : kmail doesn't encrypt attachments when "automatic encryption" is selected CVE-2014-8878...
Updated gdk-pixbuf2.0 package fixes security vulnerability
Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf. This issue is triggered by the scaling of a malformed bitmap format image and results in a potentially exploitable crash CVE-2015-4491...
Updated owncloud package fixes security vulnerabilities
In ownCloud before 6.0.8 and 8.0.4, a bug in the SDK used to connect ownCloud against the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted CVE-2015-4715. In ownCloud before 6.0.8 and 8.0.4, the...
Updated flash-player-plugin package fixes security vulnerabilities
Adobe Flash Player 11.2.202.508 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. This update resolves type confusion vulnerabilities that could lead to code execution CVE-2015-5128,...
Updated qemu package fixes security vulnerability
Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process CVE-2015-3209. Kurt Seifried discovered that QEMU incorrectly handl...
Updated firefox packages fixes security vulnerabilities
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox CVE-2015-4473, CVE-2015-4475, CVE-2015-4478, CVE-2015-4479,...
Updated cacti package fixes security vulnerability
Cross-site scripting XSS vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors CVE-2015-2665. SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
Updated wordpress package fixes security vulnerability
The wordpress package has been updated to version 3.9.8, fixing three cross-site scripting issues CVE-2015-5732, CVE-2015-5733, CVE-2015-5734, a potential timing side-channel attack in Customizer CVe-2015-5730, an issue in Heartbeat where an attacker could lock a post from being edited...
Updated libunwind package fixes security vulnerability
An invalid DWOPbregXX opcodes can access dwarftounwregnummap one item past the end CVE-2015-3239...
Updated ghostscript package fixes security vulnerability
GhostScript is vulnerable to an integer overflow when processing a crafted PostScript file using the ps2pdf command CVE-2015-3228...
Updated firefox package fixes CVE-2015-4495
Updated firefox packages fix security vulnerability: Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer in Firefox. This would allow an attacker to read and steal sensitive local files on the...
Updated lxc package fixes security vulnerability
Roman Fiedler discovered that LXC had a directory traversal flaw when creating lock files. A local attacker could exploit this flaw to create an arbitrary file as the root user CVE-2015-1331. Roman Fiedler discovered that LXC incorrectly trusted the container's proc filesystem to set up AppArmor...
Updated ipython package fixes security vulnerability
JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack CVE-2015-4707. POST requests exposed via the...
Updated moodle package fixes security vulnerabilities
In Moodle before 2.8.7, phishing is possible when redirecting to external site using referer headers in error messages CVE-2015-3272. In Moodle before 2.8.7, several web services returning user information did not clean text in text custom profile fields, leading to possible XSS CVE-2015-3274. In...
Updated php package fixes security vulnerabilities
Updated php packages fix security vulnerabilities: The php package has been updated to version 5.6.11, fixing several bugs and security issues. See the upstream Changelog for more details...
Updated pdns package fixes security vulnerability
In MGASA-2015-0189, the pdns and pdns-recursor packages were updated to fix a denial of service issue CVE-2015-1868. The fix was incomplete. The packages have been updated again to versions 3.3.3 and 3.6.4, respectively, to completely fix this issue...
Updated remind package fixes security vulnerability
Buffer overflow in remind before 3.1.15 in the DumpSysVar function in src/var.c...
Updated bind package fixes security vulnerability
An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit CVE-2015-5477...
Updated icu package fixes security vulnerability
It was discovered that ICU Layout Engine was missing multiple boundary checks. These could lead to buffer overflows memory corruption. A specially crafted file could cause an application using ICU to parse untrusted font files to crash and, possibly, execute arbitrary code CVE-2015-4760...
Updated groovy package fixes security vulnerability
When an application has Groovy on the classpath and that it uses standard Java serialization mechanim to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications whic...
Updated freeradius package fixes security vulnerability
The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List CRL checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpire...
Updated openssh package fixes security vulnerability
The OpenSSH server, when keyboard-interactive challenge response authentication is enabled and PAM is being used the default configuration in Mageia, can be tricked into allowing more password attempts than the MaxAuthTries setting would normally allow in one connection, which can aid an attacker...
Updated python-django and python-django14 packages fix security vulnerabilities
Eric Peterson and Lin Hua Cheng discovered that a new empty record used to be created in the session storage every time a session was accessed and an unknown session key was provided in the request cookie. This could allow remote attackers to saturate the session store or cause other users' sessi...
Updated ansible package fixes security vulnerability
Update to 1.9.2. Fixes CVE-2015-3908 hostname and cert matching in some modules and plugins and another not yet issued CVE on chroot/jail/zone connection plugins as well as a number of bugfixes...
Updated springframework package fixes security vulnerability
In Spring Framework before 3.2.14, if DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protec...
Updated wordpress package fixes security vulnerabilities
WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site CVE-2015-5622. WordPress versions 4.2.2 and earlier are affected by an issue where it was possible for a user with Subscriber...
Updated chromium-browser package fixes security vulnerabilities
Chromium-browser 44.0.2403.107 fixes several security issues: PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service heap-based buffer overflow or possibly have unspecified other...
Updated stunnel package fixes security vulnerability
Johan Olofsson discovered an authentication bypass vulnerability in Stunnel, a program designed to work as an universal SSL tunnel for network daemons. When Stunnel in server mode is used with the redirect option and certificate-based authentication is enabled with "verify = 2" or higher, then on...
Updated icu package fixes security vulnerability
The ucnviogetConverterName function in common/ucnvio.cpp in International Components for Unicode ICU mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service read of uninitialized memory or possibly have unspecified other impact via a craft...
Updated icu package fixes security vulnerabilities
The ICU Project's ICU4C library, before 55.1, contains a heap-based buffer overflow in the resolveImplicitLevels function of ubidi.c CVE-2014-8146. The ICU Project's ICU4C library, before 55.1, contains an integer overflow in the resolveImplicitLevels function of ubidi.c due to the assignment of ...
Updated thunderbird package fixes security vulnerabilities
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird CVE-2015-2724, CVE-2015-2734, CVE-2015-2735, CVE-2015-2736,...
Updated wesnoth packages fix security vulnerability
Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension CVE-2015-5069, CVE-2015-5070. This issue has been fixed usi...
Updated expat package fixes security vulnerability
Multiple integer overflows in the XMLGetBuffer function in Expat through 2.1.0 allow remote attackers to cause a denial of service heap-based buffer overflow or possibly have unspecified other impact via crafted XML data CVE-2015-1283...
Updated wesnoth packages fix security vulnerability
Toom Lõhmus discovered that the Lua API and preprocessor in the Battle for Wesnoth game up to version 1.12.2 included could lead to client-side authentication information disclosure using maliciously crafted files with the .pdb extension CVE-2015-5069, CVE-2015-5070. This issue has been fixed in...
Updated apache package fixes security vulnerabilities
The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension...
Updated java-1.8.0-openjdk package fixes security vulnerabilities
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733. A flaw was fou...
Updated mariadb package fixes security vulnerabilities
The mariadb package has been updated to versions 5.5.44 and 10.0.20 in Mageia 4 and Mageia 5, respectively. Both fix an issue where the client is vulnerable to a man-in-the-middle attack when using the --ssl option, where the SSL/TLS protection could be disabled CVE-2015-3152. The Mageia 4 update...
Updated libuser package fixes security vulnerabilities
Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser for example, userhelper to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate the...
Updated java-1.7.0-openjdk package fixes security vulnerabilities
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733. A flaw was fou...
Updated php package fixes security vulnerabilities
Segfault in Phar::convertToData on invalid file CVE-2015-5589. Buffer overflow and stack smashing error in pharfixfilepath CVE-2015-5590. The php package has been updated to version 5.5.27, which fixes these issues, as well as other possible bugs and security issues, including the BACKRONYM flaw,...
Updated flash-player-plugin package fixes security vulnerabilities
Adobe Flash Player 11.2.202.491 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. This...
Updated openssl package fixes security vulnerability
During certificate verification, OpenSSL starting from version 1.0.1n and 1.0.2b will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted...