It was reported that a crafted diff file can make patch eat memory and later segfault (CVE-2014-9637).
It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch (CVE-2015-1395).
GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file (CVE-2015-1196).
Package : not-yet-commons-ssl Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________
It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject (CVE-2014-3604). ________________________________________________________
A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive JSON.parse calls and the parsed objects are significantly deep, you may experience the process aborting while parsing (CVE-2014-5256).
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Node.js before 0.10.31, allow attackers to cause a denial of service or possibly have other impact via unknown vectors (CVE-2013-6668).
The nodejs package has been updated to version 0.10.33 to fix these issues as well as several other bugs.
Package : lua Date : March 29, 2015 Affected: Business Server 2.0 _______________________________________________________________________
Problem Description:
Updated lua and lua5.1 packages fix security vulnerability:
A heap-based overflow vulnerability was found in the way Lua handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code execution (CVE-2014-5461).