Mandriva Linux Security Advisory MDVSA-2015:140 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : ntp Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated ntp packages fix security vulnerabilities: If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293). ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294).
Mandriva Linux Security Advisory MDVSA-2015:138 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : patch Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated patch package fixes security vulnerabilities: It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637). It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395). GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).
Mandriva Linux Security Advisory MDVSA-2015:141 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : not-yet-commons-ssl Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated not-yet-commons-ssl packages fixes security vulnerability: It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject (CVE-2014-3604). ________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:142 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : nodejs Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated nodejs package fixes security vulnerabilities: A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing (CVE-2014-5256). Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Node.js before 0.10.31, allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2013-6668). The nodejs package has been updated to version 0.10.33 to fix these issues as well as several other bugs.
Mandriva Linux Security Advisory MDVSA-2015:143 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : mpfr Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated mpfr packages fix security vulnerability: A buffer overflow was reported in mpfr. This is due to incorrect GMP documentation for mpn_set_str about the size of a buffer (CVE-2014-9474).
Mandriva Linux Security Advisory MDVSA-2015:144 http://www.mandriva.com/en/support/security/ ____________________________________________________________
___________ Package : lua Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated lua and lua5.1 packages fix security vulnerability: A heap-based overflow vulnerability was found in the way Lua handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution (CVE-2014-5461).
