[ MDVSA-2014:105 ] openssl

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:105
 http://www.mandriva.com/en/support/security/
 ___

 Package : openssl
 Date: June 9, 2014
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:
 
 The dtls1_get_message_fragment function in d1_both.c in OpenSSL before
 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote
 attackers to cause a denial of service (recursion and client crash)
 via a DTLS hello message in an invalid DTLS handshake (CVE-2014-0221).
 
 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
 1.0.1h does not properly restrict processing of ChangeCipherSpec
 messages, which allows man-in-the-middle attackers to trigger use of a
 zero-length master key in certain OpenSSL-to-OpenSSL communications,
 and consequently hijack sessions or obtain sensitive information,
 via a crafted TLS handshake, aka the CCS Injection vulnerability
 (CVE-2014-0224).
 
 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
 before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
 an anonymous ECDH cipher suite is used, allows remote attackers to
 cause a denial of service (NULL pointer dereference and client crash)
 by triggering a NULL certificate value (CVE-2014-3470).
 
 The updated packages have been patched to correct these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
 http://www.openssl.org/news/secadv_20140605.txt
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[SECURITY] [DSA 2954-1] dovecot security update

2014-06-10 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-2954-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
June 09, 2014  http://www.debian.org/security/faq
- -

Package: dovecot
CVE ID : CVE-2014-3430
Debian Bug : 747549

It was discovered that the Dovecot email server is vulnerable to a
denial of service attack against imap/pop3-login processes due to
incorrect handling of the closure of inactive SSL/TLS connections.

For the stable distribution (wheezy), this problem has been fixed in
version 1:2.1.7-7+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 1:2.2.13~rc1-1.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.2.13~rc1-1.

We recommend that you upgrade your dovecot packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[ MDVSA-2014:106 ] openssl

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:106
 http://www.mandriva.com/en/support/security/
 ___

 Package : openssl
 Date: June 9, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:
 
 The dtls1_reassemble_fragment function in d1_both.c in OpenSSL
 before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
 not properly validate fragment lengths in DTLS ClientHello messages,
 which allows remote attackers to execute arbitrary code or cause a
 denial of service (buffer overflow and application crash) via a long
 non-initial fragment (CVE-2014-0195).
 
 The dtls1_get_message_fragment function in d1_both.c in OpenSSL before
 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote
 attackers to cause a denial of service (recursion and client crash)
 via a DTLS hello message in an invalid DTLS handshake (CVE-2014-0221).
 
 OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
 1.0.1h does not properly restrict processing of ChangeCipherSpec
 messages, which allows man-in-the-middle attackers to trigger use of a
 zero-length master key in certain OpenSSL-to-OpenSSL communications,
 and consequently hijack sessions or obtain sensitive information,
 via a crafted TLS handshake, aka the CCS Injection vulnerability
 (CVE-2014-0224).
 
 The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL
 before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when
 an anonymous ECDH cipher suite is used, allows remote attackers to
 cause a denial of service (NULL pointer dereference and client crash)
 by triggering a NULL certificate value (CVE-2014-3470).
 
 The updated packages have been upgraded to the 1.0.0m version where
 these security flaws have been fixed.
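The state check behind the CCS Injection fix, as an added example that is not OpenSSL's code: a simplified server-side handshake model in which a ChangeCipherSpec is accepted only once the key exchange has completed and a master secret exists (the same CVE-2014-0224 issue is described in MDVSA-2014:105 above). The message labels, the placeholder secret and the SHA-256 stand-in for the TLS key derivation are constructed for this example.

```python
"""Model of the handshake-state check behind the CVE-2014-0224 fix.

Added example, not OpenSSL's code. An endpoint must only accept a
ChangeCipherSpec (CCS) once the key exchange is complete and a master
secret exists; one that accepts it earlier installs record keys derived
from an empty master secret, the "zero-length master key" the advisory
describes.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message labels used by this model (constructed for the example).
CLIENT_HELLO = "ClientHello"
CLIENT_KEY_EXCHANGE = "ClientKeyExchange"
CHANGE_CIPHER_SPEC = "ChangeCipherSpec"
FINISHED = "Finished"


class HandshakeError(Exception):
    """Fatal handshake failure (where the fixed code would send an alert)."""


def derive_record_key(master_secret: bytes) -> bytes:
    """Stand-in for the TLS PRF: record keys are a function of the master secret."""
    return hashlib.sha256(b"key expansion" + master_secret).digest()


@dataclass
class ServerHandshake:
    """Server-side view of the messages a client sends during one handshake."""
    strict: bool = True                  # True: fixed behaviour, False: pre-fix
    master_secret: bytes = b""           # empty until the key exchange completes
    ccs_ok: bool = False                 # set only once a CCS is legitimate
    record_key: Optional[bytes] = None   # key installed by CCS, if any
    seen: List[str] = field(default_factory=list)

    def process(self, msg: str) -> None:
        self.seen.append(msg)
        if msg == CLIENT_HELLO:
            return
        if msg == CLIENT_KEY_EXCHANGE:
            # Key exchange complete: the master secret now exists, and only
            # from this point on is a ChangeCipherSpec acceptable.
            self.master_secret = hashlib.sha256(b"premaster|randoms").digest()
            self.ccs_ok = True
        elif msg == CHANGE_CIPHER_SPEC:
            if self.strict and not self.ccs_ok:
                # Fixed behaviour: an early CCS is a fatal error.
                raise HandshakeError("CCS received early")
            # Pre-fix behaviour reaches this line with master_secret == b"",
            # so the installed key is derived from a zero-length secret.
            self.record_key = derive_record_key(self.master_secret)
        elif msg == FINISHED:
            if self.record_key is None:
                raise HandshakeError("Finished before ChangeCipherSpec")
        else:
            raise HandshakeError("unexpected message " + msg)


def run_handshake(messages: List[str], strict: bool = True) -> Tuple[bool, bool]:
    """Drive a server through the client's messages.

    Returns (handshake completed, record key was derived from an empty secret).
    """
    hs = ServerHandshake(strict=strict)
    try:
        for m in messages:
            hs.process(m)
    except HandshakeError:
        return False, False
    return True, hs.record_key == derive_record_key(b"")


# Constructed message sequences: a normal client, and one where a CCS
# arrives before the key exchange.
NORMAL = [CLIENT_HELLO, CLIENT_KEY_EXCHANGE, CHANGE_CIPHER_SPEC, FINISHED]
EARLY_CCS = [CLIENT_HELLO, CHANGE_CIPHER_SPEC, FINISHED]

if __name__ == "__main__":
    print("normal, fixed:     ", run_handshake(NORMAL))
    print("early CCS, fixed:  ", run_handshake(EARLY_CCS))
    print("early CCS, pre-fix:", run_handshake(EARLY_CCS, strict=False))
```

With strict=False the model reproduces the pre-fix outcome: the handshake completes and the record key in use comes from an empty master secret.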
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
 http://www.openssl.org/news/secadv_20140605.txt
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:107 ] libtasn1

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:107
 http://www.mandriva.com/en/support/security/
 ___

 Package : libtasn1
 Date: June 9, 2014
 Affected: Business Server 1.0, Enterprise Server 5.0
 ___

 Problem Description:

 Updated libtasn1 packages fix security vulnerabilities:
 
 Multiple buffer boundary check issues were discovered in the libtasn1
 library, causing it to read beyond the boundary of an allocated buffer.
 An untrusted ASN.1 input could cause an application using the library
 to crash (CVE-2014-3467).
 
 It was discovered that the libtasn1 library function asn1_get_bit_der()
 could incorrectly report a negative bit length for the value read from
 ASN.1 input. This could lead to an out-of-bounds access in an
 application using libtasn1, for example if the application tried to
 terminate the value it read with a NUL byte (CVE-2014-3468).
 
 A NULL pointer dereference flaw was found in libtasn1's
 asn1_read_value_type() / asn1_read_value() function. If an application
 called the function with a NULL value for an ivalue argument to
 determine the amount of memory needed to store data to be read from
 the ASN.1 input, libtasn1 could incorrectly attempt to dereference
 the NULL pointer, causing an application using the library to crash
 (CVE-2014-3469).
 
 The packages for mes5 have been patched to correct these issues and
 the packages for mbs1 have been upgraded to the 3.6 version where
 these issues have been fixed.
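A DER BIT STRING decoder that applies the checks behind CVE-2014-3467 and CVE-2014-3468, as an added Python example that is not libtasn1's code: the content length is bounded against the buffer before anything is read, and the unused-bits byte must be present so the computed bit length can never be negative. The sample encodings are constructed.

```python
"""Decode a DER BIT STRING with the length checks libtasn1 lacked.

Added example, not libtasn1's code. A DER BIT STRING is tag 0x03, a
length, one "unused bits" byte, then the bit data. The bit length is
(content_length - 1) * 8 - unused_bits; with a content length of 0 that
is negative, which is the value asn1_get_bit_der() could report.
"""
from typing import Tuple

BIT_STRING_TAG = 0x03


class DerError(ValueError):
    """Malformed or truncated DER input."""


def naive_bit_length(content_len: int, unused_bits: int) -> int:
    """The unchecked arithmetic: with content_len == 0 this is negative."""
    return (content_len - 1) * 8 - unused_bits


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse a DER length starting at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise DerError("indefinite or oversized length is not valid DER")
    if pos + nbytes > len(buf):
        raise DerError("truncated long-form length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80 or buf[pos] == 0:
        raise DerError("length is not minimally encoded")
    return length, pos + nbytes


def decode_bit_string(buf: bytes) -> Tuple[int, bytes]:
    """Decode a DER BIT STRING; return (bit length, data bytes) or raise DerError."""
    if not buf or buf[0] != BIT_STRING_TAG:
        raise DerError("not a BIT STRING")
    length, pos = read_length(buf, 1)
    # Bound the content against the buffer before touching it; reading
    # past this point is the CVE-2014-3467 class of bug.
    if pos + length > len(buf):
        raise DerError("content length exceeds buffer")
    # The first content byte counts unused trailing bits, so a BIT STRING
    # can never have zero content bytes; without this check the bit
    # length below would go negative (the CVE-2014-3468 report).
    if length < 1:
        raise DerError("missing unused-bits byte")
    unused = buf[pos]
    if unused > 7 or (length == 1 and unused != 0):
        raise DerError("invalid unused-bits value")
    data = buf[pos + 1:pos + length]
    return (length - 1) * 8 - unused, data


def rejects(buf: bytes) -> bool:
    """True if decode_bit_string refuses buf (exercises the error paths)."""
    try:
        decode_bit_string(buf)
    except DerError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: two bits "01" followed by six unused bits.
    print(decode_bit_string(bytes([0x03, 0x02, 0x06, 0x40])))
    print("empty content rejected:", rejects(b"\x03\x00"))
    print("unchecked bit length for empty content:", naive_bit_length(0, 0))
```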
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
 http://advisories.mageia.org/MGASA-2014-0247.html
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:109 ] gnutls

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:109
 http://www.mandriva.com/en/support/security/
 ___

 Package : gnutls
 Date: June 9, 2014
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Updated gnutls packages fix security vulnerability:
 
 A flaw was found in the way GnuTLS parsed session ids from Server
 Hello packets of the TLS/SSL handshake.  A malicious server could use
 this flaw to send an excessively long session id value and trigger a
 buffer overflow in a connecting TLS/SSL client using GnuTLS, causing
 it to crash or, possibly, execute arbitrary code (CVE-2014-3466).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
 http://advisories.mageia.org/MGASA-2014-0248.html
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:108 ] gnutls

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:108
 http://www.mandriva.com/en/support/security/
 ___

 Package : gnutls
 Date: June 9, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated gnutls packages fix security vulnerabilities:
 
 A NULL pointer dereference flaw was discovered in GnuTLS's
 gnutls_x509_dn_oid_name().  The function, when called with the
 GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its
 caller. However, it could previously return NULL when parsed X.509
 certificates included specific OIDs (CVE-2014-3465).
 
 A flaw was found in the way GnuTLS parsed session ids from Server
 Hello packets of the TLS/SSL handshake.  A malicious server could use
 this flaw to send an excessively long session id value and trigger a
 buffer overflow in a connecting TLS/SSL client using GnuTLS, causing
 it to crash or, possibly, execute arbitrary code (CVE-2014-3466).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466
 http://advisories.mageia.org/MGASA-2014-0248.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[slackware-security] php (SSA:2014-160-01)

2014-06-10 Thread Slackware Security Team

New php packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/php-5.4.29-i486-1_slack14.1.txz:  Upgraded.
  This update fixes bugs and security issues, including a possible denial
  of service, and an issue where insecure default permissions on the FPM
  socket may allow local users to run arbitrary code as the apache user.
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/php-5.3.28-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/php-5.3.28-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/php-5.3.28-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/php-5.3.28-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/php-5.3.28-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/php-5.3.28-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.4.29-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.4.29-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.4.29-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.4.29-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.4.29-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.4.29-x86_64-1.txz


MD5 signatures:
+-+



Installation instructions:
++

Upgrade the package as root:
# upgradepkg php-5.4.29-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com


[ MDVSA-2014:111 ] otrs

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:111
 http://www.mandriva.com/en/support/security/
 ___

 Package : otrs
 Date: June 10, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated otrs package fixes security vulnerabilities:
 
 A logged in attacker could insert special content in dynamic fields,
 leading to JavaScript code being executed in OTRS (CVE-2014-2553).
 
 An attacker could embed OTRS in a hidden iframe tag of another page,
 tricking the user into clicking links in OTRS (CVE-2014-2554).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2553
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2554
 http://advisories.mageia.org/MGASA-2014-0194.html
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 705047cc0c626211bcc60881d3af1469  mbs1/x86_64/otrs-3.2.16-1.mbs1.noarch.rpm 
 a5c3626c92a00103fe916aff0690d791  mbs1/SRPMS/otrs-3.2.16-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:112 ] python-django

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:112
 http://www.mandriva.com/en/support/security/
 ___

 Package : python-django
 Date: June 10, 2014
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 python-django:
 
 Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7
 before 1.7b4 does not properly include the (1) Vary: Cookie or (2)
 Cache-Control header in responses, which allows remote attackers to
 obtain sensitive information or poison the cache via a request from
 certain browsers (CVE-2014-1418).
 
 The django.util.http.is_safe_url function in Django 1.4 before
 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4
 does not properly validate URLs, which allows remote attackers to
 conduct open redirect attacks via a malformed URL, as demonstrated
 by http:\djangoproject.com (CVE-2014-3730).
 
 The django.core.urlresolvers.reverse function in Django before 1.4.11,
 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
 2 allows remote attackers to import and execute arbitrary Python
 modules by leveraging a view that constructs URLs using user input
 and a dotted Python path (CVE-2014-0472).
 
 The caching framework in Django before 1.4.11, 1.5.x before 1.5.6,
 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached
 CSRF token for all anonymous users, which allows remote attackers to
 bypass CSRF protections by reading the CSRF cookie for anonymous users
 (CVE-2014-0473).
 
 The (1) FilePathField, (2) GenericIPAddressField, and (3)
 IPAddressField model field classes in Django before 1.4.11,
 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta
 2 do not properly perform type conversion, which allows remote
 attackers to have unspecified impact and vectors, related to MySQL
 typecasting (CVE-2014-0474).
 
 The updated packages have been patched to correct these issues.
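The redirect-target check from CVE-2014-3730 in its pre-fix form beside a hardened one, as an added example that is not Django's code: urlsplit() reads http:\djangoproject.com as a scheme with no host, so a checker that only compares the netloc accepts it, while browsers treat the backslash as a slash and follow it to djangoproject.com. The host example.com and the function names are assumptions made for this example.

```python
"""Redirect-target validation with the backslash handling added for CVE-2014-3730.

Added example, not Django's code. The naive checker trusts urlsplit():
"http:\\djangoproject.com" parses as scheme "http" with an empty netloc,
so it looks like a relative URL, while browsers treat the backslash as a
slash and redirect off-site. The hardened checker normalises first and
refuses a scheme that comes without a host.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def naive_is_safe_url(url: str, host: str) -> bool:
    """Pre-fix logic: accept anything whose netloc is empty or equals host."""
    if not url:
        return False
    parts = urlsplit(url)
    return ((not parts.netloc or parts.netloc == host) and
            (not parts.scheme or parts.scheme in ALLOWED_SCHEMES))


def is_safe_url(url: str, host: str) -> bool:
    """Hardened check: backslashes count as slashes, scheme needs a host."""
    if not url:
        return False
    url = url.replace("\\", "/")        # browsers treat \ exactly like /
    if url.startswith("///"):           # browsers read this as an absolute URL
        return False
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:
        return False                    # e.g. http:/evil.example (host in path)
    if parts.netloc and parts.netloc.lower() != host.lower():
        return False                    # off-site host
    return not parts.scheme or parts.scheme.lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed inputs: the advisory's malformed URL plus ordinary cases.
    for target in ("http:\\djangoproject.com", "/accounts/profile/",
                   "https://example.com/next", "\\\\evil.example/"):
        print(repr(target), "naive:", naive_is_safe_url(target, "example.com"),
              "hardened:", is_safe_url(target, "example.com"))
```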
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1418
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3730
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0473
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com



[ MDVSA-2014:110 ] curl

2014-06-10 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:110
 http://www.mandriva.com/en/support/security/
 ___

 Package : curl
 Date: June 10, 2014
 Affected: Business Server 1.0, Enterprise Server 5.0
 ___

 Problem Description:

 Updated curl packages fix security vulnerabilities:
 
 Paras Sethia discovered that libcurl would sometimes mix up multiple
 HTTP and HTTPS connections with NTLM authentication to the same server,
 sending requests for one user over the connection authenticated as
 a different user (CVE-2014-0015).
 
 libcurl can in some circumstances re-use the wrong connection when
 asked to do transfers using other protocols than HTTP and FTP, causing
 a transfer that was initiated by an application to wrongfully re-use
 an existing connection to the same server that was authenticated
 using different credentials (CVE-2014-0138).
 
 libcurl incorrectly validates wildcard SSL certificates containing
 literal IP addresses, so under certain conditions, it would allow
 and use a wildcard match specified in the CN field, allowing a
 malicious server to participate in a MITM attack or just fool users
 into believing that it is a legitimate site (CVE-2014-0139).
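Certificate name matching that refuses wildcards for IP literals, the rule behind CVE-2014-0139, as an added example that is not libcurl's code: a pre-fix style matcher that applies the wildcard to whatever host string it is given is shown beside one that does an exact comparison for IP addresses and only honours a wildcard in the left-most label of a name with at least two further labels. The names and addresses used are constructed.

```python
"""Certificate hostname matching that never wildcards an IP literal.

Added example, not libcurl's code. Before the fix a CN such as "*.0.0.1"
could match a connection to 127.0.0.1, because the wildcard matcher ran
on whatever string the caller passed. RFC 6125-style matching applies a
wildcard only to DNS names, only in the left-most label, and never to
IP addresses.
"""
import ipaddress


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address, False for a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def naive_match(pattern: str, host: str) -> bool:
    """Pre-fix behaviour: wildcard applied regardless of what the host is."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    pat_labels, host_labels = pattern.split("."), host.split(".")
    return (len(pat_labels) == len(host_labels) and
            pat_labels[1:] == host_labels[1:])


def match_hostname(pattern: str, host: str) -> bool:
    """Hardened: exact match for IP literals, wildcard only for DNS names."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if is_ip_literal(host):
        return False                  # a wildcard never matches an IP address
    pat_labels, host_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole left-most label, the only wildcard,
    # and followed by at least two labels (so "*.com" matches nothing).
    if pat_labels[0] != "*" or "*" in pattern[2:] or len(pat_labels) < 3:
        return False
    return (len(pat_labels) == len(host_labels) and
            pat_labels[1:] == host_labels[1:] and
            host_labels[0] != "")


if __name__ == "__main__":
    # Constructed pairs: the IP-literal case from the advisory and a normal name.
    for pat, h in (("*.0.0.1", "127.0.0.1"), ("*.example.com", "www.example.com")):
        print(pat, h, "naive:", naive_match(pat, h), "hardened:", match_hostname(pat, h))
```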
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
 http://advisories.mageia.org/MGASA-2014-0153.html
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:

 Mandriva Business Server 1/X86_64:
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com