Getsocial, S.A. Security Vulnerabilities

nessus

Mandriva Linux Security Advisory : socat (MDVSA-2013:170)

A vulnerability has been discovered and corrected in socat : Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode (CVE-2013-3571). The updated packages have been upgraded to the latest version (1.7.2.2) which is not...

AI Score: -0.2

EPSS: 0.006

2013-05-30 12:00 AM
8
nessus

Mandriva Linux Security Advisory : openvpn (MDVSA-2013:167)

Updated openvpn package fixes security vulnerability : OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function. Plaintext recovery may be possible using a padding oracle attack on the CBC mode cipher...

AI Score: 0.5

EPSS: 0.005

2013-05-28 12:00 AM
10
nessus

Mandriva Linux Security Advisory : python-httplib2 (MDVSA-2013:168)

Updated python-httplib2 packages fix security vulnerability : httplib2 only validates SSL certificates on the first request to a connection, and doesn't report validation failures on subsequent requests...

AI Score: 6.3

EPSS: 0.002

2013-05-28 12:00 AM
7
nessus

Mandriva Linux Security Advisory : krb5 (MDVSA-2013:166)

A vulnerability has been discovered and corrected in krb5 : The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443). The updated packages have been patched to correct this...

AI Score: -0.1

EPSS: 0.955

2013-05-22 12:00 AM
6
nessus

Mandriva Linux Security Advisory : mesa (MDVSA-2013:164)

Updated mesa packages fix security vulnerability : It was discovered that Mesa incorrectly handled certain arrays. An attacker could use this issue to cause Mesa to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2012-5129). Mesa has also been updated to version...

AI Score: 0.3

EPSS: 0.004

2013-05-14 12:00 AM
11
nessus

Mandriva Linux Security Advisory : glibc (MDVSA-2013:163)

Multiple vulnerabilities have been discovered and corrected in glibc : Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and...

AI Score: 0.5

EPSS: 0.16

2013-05-08 12:00 AM
10
nessus

Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:161)

Updated java-1.7.0-openjdk packages fix security vulnerabilities : Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption (CVE-2013-1569, CVE-2013-2383,...

AI Score: 10

EPSS: 0.97

2013-05-07 12:00 AM
11
nessus

Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2013:160)

Updated phpmyadmin package fixes security vulnerabilities : In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly.....

AI Score: 7.2

EPSS: 0.973

2013-05-04 12:00 AM
21
nessus

Mandriva Linux Security Advisory : clamav (MDVSA-2013:159)

ClamAV 0.97.8 addresses several reported potential security...

AI Score: -0.1

EPSS: 0.139

2013-05-01 12:00 AM
14
nessus

Mandriva Linux Security Advisory : krb5 (MDVSA-2013:158)

A vulnerability has been discovered and corrected in krb5 : The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a....

AI Score: -0.2

EPSS: 0.956

2013-05-01 12:00 AM
8
nessus

Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:156)

A vulnerability has been found and corrected in apache-mod_security : ModSecurity before 2.7.3 allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML external entity declaration in conjunction...

AI Score: 0.3

EPSS: 0.009

2013-04-30 12:00 AM
15
nessus

Mandriva Linux Security Advisory : util-linux (MDVSA-2013:154)

A vulnerability has been found and corrected in util-linux : An information disclosure flaw was found in the way the mount command reported errors. A local attacker could use this flaw to determine the existence of files and directories they do not have access to (CVE-2013-0157). Additionally for.....

AI Score: -1.8

EPSS: 0.001

2013-04-30 12:00 AM
23
nessus

Mandriva Linux Security Advisory : curl (MDVSA-2013:151)

Updated curl packages fix security vulnerability : libcurl is vulnerable to a cookie leak vulnerability when doing requests across domains with matching tails. This vulnerability can be used to hijack sessions in targeted attacks since registering domains using a known domain's name as an ending.....

AI Score: 0.6

EPSS: 0.008

2013-04-29 12:00 AM
12
nessus

Mandriva Linux Security Advisory : subversion (MDVSA-2013:153)

Multiple vulnerabilities have been found and corrected in subversion : Subversion's mod_dav_svn Apache HTTPD server module will use excessive amounts of memory when a large number of properties are set or deleted on a node. This can lead to a DoS. There are no known instances of this problem being.....

AI Score: -0.9

EPSS: 0.112

2013-04-29 12:00 AM
13
nessus

Mandriva Linux Security Advisory : roundcubemail (MDVSA-2013:149)

A vulnerability has been found and corrected in roundcubemail : A local file inclusion flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed validation of the 'generic_message_footer' value provided via web user interface in certain circumstances. A...

AI Score: 0.1

EPSS: 0.005

2013-04-23 12:00 AM
8
nessus

Mandriva Linux Security Advisory : ganglia (MDVSA-2013:080)

Updated ganglia packages fix security vulnerability : There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary script being executed with web user privileges possibly leading to a machine compromise. Additionally, an issue where active NFS mounts caused...

AI Score: -0.4

2013-04-20 12:00 AM
11
nessus

Mandriva Linux Security Advisory : squid (MDVSA-2013:129)

Updated squid packages fix security vulnerability : Due to missing input validation, the Squid cachemgr.cgi tool in Squid before 3.1.22 and 3.2.4 is vulnerable to a denial of service attack when processing specially crafted requests (CVE-2012-5643). It was discovered that the patch for...

AI Score: 0.1

EPSS: 0.964

2013-04-20 12:00 AM
17
nessus

Mandriva Linux Security Advisory : pixman (MDVSA-2013:116)

Updated pixman packages fix security vulnerability : Stack-based buffer overflow in libpixman has unspecified impact and attack vectors...

CVSS: 9.8

AI Score: 2.2

EPSS: 0.007

2013-04-20 12:00 AM
14
nessus

Mandriva Linux Security Advisory : ircd-hybrid (MDVSA-2013:093)

Updated ircd-hybrid packages fix security vulnerability : Bob Nomnomnom reported a Denial of Service vulnerability in IRCD-Hybrid, an Internet Relay Chat server. A remote attacker may use an error in the masks validation and crash the server (CVE-2013-0238). Please note that due to the previously.....

AI Score: 6.3

EPSS: 0.159

2013-04-20 12:00 AM
22
nessus

Mandriva Linux Security Advisory : socat (MDVSA-2013:127)

Updated socat package fixes security vulnerability : Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address...

AI Score

EPSS: 0.0004

2013-04-20 12:00 AM
7
nessus

Mandriva Linux Security Advisory : cups (MDVSA-2013:034)

Updated cups packages fix bugs and security vulnerabilities : During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized.....

CVSS: 9.8

AI Score: -0.7

EPSS: 0.032

2013-04-20 12:00 AM
10
nessus

Mandriva Linux Security Advisory : libxslt (MDVSA-2013:141)

Updated libxslt packages fix security vulnerability : Nicholas Gregoire discovered that libxslt incorrectly handled certain empty values. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could cause libxslt to crash, causing a denial...

AI Score: 0.5

EPSS: 0.143

2013-04-20 12:00 AM
11
nessus

Mandriva Linux Security Advisory : lynx (MDVSA-2013:101)

Updated lynx package fixes security vulnerability : Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function...

CVSS: 5.9

AI Score: 0.1

EPSS: 0.002

2013-04-20 12:00 AM
8
nessus

Mandriva Linux Security Advisory : argyllcms (MDVSA-2013:090)

A security issue was identified and fixed in argyllcms : An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially crafted PostScript or PDF file with embedded images...

AI Score: 0.1

EPSS: 0.041

2013-04-20 12:00 AM
10
nessus

Mandriva Linux Security Advisory : net-snmp (MDVSA-2013:049)

A vulnerability has been discovered and corrected in net-snmp : An array index error, leading to out-of heap-based buffer read flaw was found in the way net-snmp agent performed entries lookup in the extension table. When certain MIB subtree was handled by the extend directive, a remote attacker...

AI Score: 0.1

EPSS: 0.012

2013-04-20 12:00 AM
7
nessus

Mandriva Linux Security Advisory : usbmuxd (MDVSA-2013:133)

Updated usbmuxd packages fix security vulnerability : It was discovered that usbmuxd did not correctly perform bounds checking when processing the SerialNumber field of USB devices. An attacker with physical access could use this to crash usbmuxd or potentially execute arbitrary code as the...

AI Score: -0.1

EPSS: 0.001

2013-04-20 12:00 AM
8
nessus

Mandriva Linux Security Advisory : sudo (MDVSA-2013:054)

Multiple vulnerabilities have been found and corrected in sudo : A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated...

AI Score: -0.3

EPSS: 0.0004

2013-04-20 12:00 AM
21
nessus

Mandriva Linux Security Advisory : automake (MDVSA-2013:031)

A vulnerability has been discovered and corrected in automake : A race condition in automake (lib/am/distdir.am) could allow a local attacker to run arbitrary code with the privileges of the user running make distcheck (CVE-2012-3386). The updated packages have been patched to correct this issue......

AI Score: 0.7

EPSS: 0.0004

2013-04-20 12:00 AM
12
nessus

Mandriva Linux Security Advisory : dnsmasq (MDVSA-2013:072)

Updated dnsmasq packages fix security vulnerabilities : When dnsmasq before 2.63 is used in conjunction with certain configurations of libvirtd, network packets from prohibited networks (e.g. packets that should not be passed in) may be sent to the dnsmasq application and processed. This can...

AI Score: -0.4

EPSS: 0.029

2013-04-20 12:00 AM
16
nessus

Mandriva Linux Security Advisory : ncpfs (MDVSA-2013:048)

Multiple vulnerabilities have been discovered and corrected in ncpfs : ncpfs 2.2.6 and earlier attempts to use (1) ncpmount to append to the /etc/mtab file and (2) ncpumount to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users.....

AI Score: -0.5

EPSS: 0.001

2013-04-20 12:00 AM
15
nessus

Mandriva Linux Security Advisory : tor (MDVSA-2013:132)

Updated tor package fixes security vulnerabilities : Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set....

AI Score: -0.5

EPSS: 0.038

2013-04-20 12:00 AM
14
nessus

Mandriva Linux Security Advisory : libytnef (MDVSA-2013:099)

Updated libytnef package fixes security vulnerability : Function DecompressRTF() in libytnef 1.5 leads to a buffer overflow on certain TNEF files (presumably, on files, generated by some recent versions of MS...

AI Score: -0.3

EPSS: 0.022

2013-04-20 12:00 AM
10
nessus

Mandriva Linux Security Advisory : accountsservice (MDVSA-2013:060)

Updated accountsservice packages fix security vulnerability : Florian Weimer discovered that AccountsService incorrectly handled privileges when copying certain files to the system cache directory. A local attacker could exploit this issue to read arbitrary files, bypassing intended permissions...

AI Score: 6.2

EPSS: 0.0004

2013-04-20 12:00 AM
14
nessus

Mandriva Linux Security Advisory : libexif (MDVSA-2013:035)

Multiple vulnerabilities have been discovered and corrected in libexif : A heap-based out-of-bounds array read in the exif_entry_get_value function in libexif/exif-entry.c in libexif 0.6.20 and earlier allows remote attackers to cause a denial of service or possibly obtain potentially sensitive...

AI Score: 1

EPSS: 0.131

2013-04-20 12:00 AM
13
nessus

Mandriva Linux Security Advisory : imagemagick (MDVSA-2013:092)

Updated imagemagick packages fix security vulnerability : The Magick_png_malloc function in coders/png.c in ImageMagick 6.7.8-6 and earlier does not use the proper variable type for the allocation size, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG file.....

AI Score: 0.1

EPSS: 0.036

2013-04-20 12:00 AM
16
nessus

Mandriva Linux Security Advisory : ocaml-xml-light (MDVSA-2013:107)

Updated ocaml-xml-light packages fix security vulnerability : OCaml Xml-Light Library before r234 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via unspecified...

AI Score: 0.3

EPSS: 0.002

2013-04-20 12:00 AM
7
nessus

Mandriva Linux Security Advisory : glib2.0 (MDVSA-2013:083)

Updated glib2.0 packages fix security vulnerability : It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilises dbus via glib, a local user could gain escalated...

AI Score

EPSS: 0.0004

2013-04-20 12:00 AM
10
nessus

Mandriva Linux Security Advisory : boost (MDVSA-2013:065)

Updated boost packages fix security vulnerability : A security flaw was found in the way ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next-size' and 'max_size' parameters sanitization, when allocating memory. If an application,.....

AI Score: -0.2

EPSS: 0.014

2013-04-20 12:00 AM
7
nessus

Mandriva Linux Security Advisory : fail2ban (MDVSA-2013:078)

Updated fail2ban package fixes security vulnerability : fail2ban before 0.8.8 didn't escape the content of \ (if used in custom action files), which could cause issues on the system running fail2ban as it scans log files, depending on what content is matched, since that content could contain...

AI Score: 6.5

EPSS: 0.018

2013-04-20 12:00 AM
7
nessus

Mandriva Linux Security Advisory : perl (MDVSA-2013:113)

Updated perl packages fix security vulnerability : It was discovered that Perl's 'x' string repeat operator is vulnerable to a heap-based buffer overflow. An attacker could use this to execute arbitrary code (CVE-2012-5195). The _compile function in Maketext.pm in the Locale::Maketext...

AI Score: -0.2

EPSS: 0.59

2013-04-20 12:00 AM
14
nessus

Mandriva Linux Security Advisory : libxslt (MDVSA-2013:047)

A vulnerability has been discovered and corrected in libxslt : The XSL implementation in libxslt allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors (CVE-2012-2825). libxslt 1.1.26 and earlier does not properly manage memory, which might allow...

AI Score: 1.1

EPSS: 0.019

2013-04-20 12:00 AM
16
nessus

Mandriva Linux Security Advisory : html2ps (MDVSA-2013:041)

A vulnerability has been found and corrected in html2ps : Directory traversal vulnerability in html2ps before 1.0b7 allows remote attackers to read arbitrary files via directory traversal sequences in SSI directives (CVE-2009-5067). The updated packages have been upgraded to the 1.0b7 version...

AI Score: -0.4

EPSS: 0.01

2013-04-20 12:00 AM
12
nessus

Mandriva Linux Security Advisory : freetype2 (MDVSA-2013:039)

Updated freetype2 packages fix security vulnerabilities : A NULL pointer de-reference flaw was found in the way Freetype font rendering engine handled Glyph bitmap distribution format (BDF) fonts. A remote attacker could provide a specially crafted BDF font file, which once processed in an...

AI Score: 0.4

EPSS: 0.018

2013-04-20 12:00 AM
23
nessus

Mandriva Linux Security Advisory : icecast (MDVSA-2013:091)

Updated icecast package fixes security vulnerability : Icecast didn't strip newlines from log entries, therefore allowing users to forge log entries...

AI Score: 0.1

EPSS: 0.002

2013-04-20 12:00 AM
9
nessus

Mandriva Linux Security Advisory : bash (MDVSA-2013:032)

A vulnerability was found and corrected in bash : A stack-based buffer overflow flaw was found in the way bash, the GNU Bourne Again shell, expanded certain /dev/fd file names when checking file names ('test' command) and evaluating /dev/fd file names in conditional command expressions. A remote...

AI Score: 9.4

EPSS: 0.0004

2013-04-20 12:00 AM
13
nessus

Mandriva Linux Security Advisory : libupnp (MDVSA-2013:098)

Updated libupnp packages fix security vulnerabilities : The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet...

AI Score

EPSS: 0.974

2013-04-20 12:00 AM
21
nessus

Mandriva Linux Security Advisory : backuppc (MDVSA-2013:062)

Updated backuppc packages fix security vulnerabilities : Cross-site scripting (XSS) vulnerability in RestoreFile.pm in BackupPC 3.1.0, 3.2.1, and possibly other earlier versions allows remote attackers to inject arbitrary web script or HTML via the share parameter in a RestoreFile action to...

AI Score: 0.4

EPSS: 0.003

2013-04-20 12:00 AM
8
nessus

Mandriva Linux Security Advisory : python-httplib2 (MDVSA-2013:119)

python-httplib2 ships its own copy of the Mozilla NSS certificates, but it should use the system-wide ones provided by the rootcerts package instead. This has been...

AI Score: -0.7

2013-04-20 12:00 AM
5
nessus

Mandriva Linux Security Advisory : wordpress (MDVSA-2013:137)

This update provides WordPress 3.4.2, a maintenance and security...

AI Score: -0.7

2013-04-20 12:00 AM
8
nessus

Mandriva Linux Security Advisory : stunnel (MDVSA-2013:130)

Updated stunnel packages fix security vulnerability : stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a...

AI Score: 0.4

EPSS: 0.01

2013-04-20 12:00 AM
18

Total number of security vulnerabilities: 3231