MidnightBSD

Advisories for mageia_project

CVE-2014-3421 LOW

lisp/gnus/gnus-fun.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/gnus.face.ppm temporary file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
gnu emacs *
gnu emacs 20.2
gnu emacs 23.1
gnu emacs 24.2
gnu emacs 23.4
gnu emacs 21.3
gnu emacs 24.1
gnu emacs 20.3
gnu emacs 21.3.1
gnu emacs 20.1
gnu emacs 20.7
gnu emacs 21.2
gnu emacs 23.3
gnu emacs 21.4
gnu emacs 23.2
gnu emacs 20.4
mageia_project mageia 4
gnu emacs 22.3
gnu emacs 20.5
gnu emacs 22.2
gnu emacs 21.2.1
gnu emacs 20.0
gnu emacs 21.1
gnu emacs 20.6
mageia_project mageia 3
gnu emacs 22.1
gnu emacs 21
CVE-2014-3422 LOW

lisp/emacs-lisp/find-gc.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file under /tmp/esrc/.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
gnu emacs *
gnu emacs 20.2
gnu emacs 23.1
gnu emacs 24.2
gnu emacs 23.4
gnu emacs 21.3
gnu emacs 24.1
gnu emacs 20.3
gnu emacs 21.3.1
gnu emacs 20.1
gnu emacs 20.7
gnu emacs 21.2
gnu emacs 23.3
gnu emacs 21.4
gnu emacs 23.2
gnu emacs 20.4
mageia_project mageia 4
gnu emacs 22.3
gnu emacs 20.5
gnu emacs 22.2
gnu emacs 21.2.1
gnu emacs 20.0
gnu emacs 21.1
gnu emacs 20.6
mageia_project mageia 3
gnu emacs 22.1
gnu emacs 21
CVE-2014-3423 LOW

lisp/net/browse-url.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/Mosaic.##### temporary file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
gnu emacs *
gnu emacs 20.2
gnu emacs 23.1
gnu emacs 24.2
gnu emacs 23.4
gnu emacs 21.3
gnu emacs 24.1
gnu emacs 20.3
gnu emacs 21.3.1
gnu emacs 20.1
gnu emacs 20.7
gnu emacs 21.2
gnu emacs 23.3
gnu emacs 21.4
gnu emacs 23.2
gnu emacs 20.4
mageia_project mageia 4
gnu emacs 22.3
gnu emacs 20.5
gnu emacs 22.2
gnu emacs 21.2.1
gnu emacs 20.0
gnu emacs 21.1
gnu emacs 20.6
mageia_project mageia 3
gnu emacs 22.1
gnu emacs 21
CVE-2014-3424 LOW

lisp/net/tramp-sh.el in GNU Emacs 24.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a /tmp/tramp.##### temporary file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-59,

Products Affected

Vendor Product Version
gnu emacs *
gnu emacs 20.2
gnu emacs 23.1
gnu emacs 24.2
gnu emacs 23.4
gnu emacs 21.3
gnu emacs 24.1
gnu emacs 20.3
gnu emacs 21.3.1
gnu emacs 20.1
gnu emacs 20.7
gnu emacs 21.2
gnu emacs 23.3
gnu emacs 21.4
gnu emacs 23.2
gnu emacs 20.4
mageia_project mageia 4
gnu emacs 22.3
gnu emacs 20.5
gnu emacs 22.2
gnu emacs 21.2.1
gnu emacs 20.0
gnu emacs 21.1
gnu emacs 20.6
mageia_project mageia 3
gnu emacs 22.1
gnu emacs 21
CVE-2014-3533 LOW

dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor.

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,

Products Affected

Vendor Product Version
freedesktop dbus 1.6.14
freedesktop dbus 1.5.2
freedesktop dbus 1.4.6
freedesktop dbus 1.4.16
freedesktop dbus 1.4.14
freedesktop dbus 1.5.6
freedesktop dbus 1.5.0
freedesktop dbus 1.4.1
opensuse opensuse 12.3
freedesktop dbus 1.6.12
freedesktop dbus 1.5.8
freedesktop dbus 1.5.4
freedesktop dbus 1.5.12
freedesktop dbus 1.6.10
freedesktop dbus 1.6.20
freedesktop dbus 1.8.4
freedesktop dbus 1.3.0
freedesktop dbus 1.4.22
mageia_project mageia 4
freedesktop dbus 1.4.0
freedesktop dbus 1.6.2
freedesktop dbus 1.6.18
freedesktop dbus 1.4.18
freedesktop dbus 1.4.24
freedesktop dbus 1.5.10
freedesktop dbus 1.6.16
freedesktop dbus 1.4.26
freedesktop dbus 1.4.10
freedesktop dbus 1.4.4
freedesktop dbus 1.4.12
freedesktop dbus 1.8.2
freedesktop dbus 1.4.8
mageia_project mageia 3
debian debian_linux 7.0
freedesktop dbus 1.6.0
freedesktop dbus 1.3.1
freedesktop dbus 1.8.0
freedesktop dbus 1.4.20
CVE-2014-4668 MEDIUM

The cherokee_validator_ldap_check function in validator_ldap.c in Cherokee 1.2.103 and earlier, when LDAP is used, does not properly consider unauthenticated-bind semantics, which allows remote attackers to bypass authentication via an empty password.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
cherokee-project cherokee 1.2.98
cherokee-project cherokee 1.2.102
fedoraproject fedora 20
cherokee-project cherokee 1.2.2
cherokee-project cherokee 1.2.99
mageia_project mageia 4
cherokee-project cherokee *
fedoraproject fedora 21
cherokee-project cherokee 1.2.101
fedoraproject fedora 22
CVE-2014-7824 LOW

D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.

CVSS 2.0

Severity: LOW

Problem Type: CWE-399,

Products Affected

Vendor Product Version
freedesktop dbus 1.6.14
canonical ubuntu_linux 12.04
freedesktop dbus 1.6.12
freedesktop dbus 1.9.0
freedesktop dbus 1.6.10
freedesktop dbus 1.6.20
freedesktop dbus 1.8.6
freedesktop dbus 1.6.8
freedesktop dbus 1.8.4
canonical ubuntu_linux 14.04
mageia_project mageia 4
freedesktop dbus 1.6.2
freedesktop dbus 1.8.8
freedesktop dbus 1.6.18
freedesktop dbus 1.6.24
freedesktop dbus 1.6.16
freedesktop dbus 1.6.22
debian debian_linux 8.0
canonical ubuntu_linux 14.10
freedesktop dbus 1.6.4
freedesktop dbus 1.8.2
mageia_project mageia 3
debian debian_linux 7.0
freedesktop dbus 1.6.0
freedesktop dbus 1.6.6
freedesktop dbus 1.8.0
CVE-2014-8763 MEDIUM

DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
mageia_project mageia 3.0
dokuwiki dokuwiki *
mageia_project mageia 4.0
CVE-2014-8764 MEDIUM

DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
mageia_project mageia 3.0
dokuwiki dokuwiki *
mageia_project mageia 4.0
CVE-2014-9037 MEDIUM

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
wordpress wordpress 3.8.4
wordpress wordpress 3.8.2
wordpress wordpress 3.9.2
wordpress wordpress 3.9
wordpress wordpress 3.9.1
debian debian_linux 8.0
wordpress wordpress 3.8
wordpress wordpress *
wordpress wordpress 4.0
mageia_project mageia 3
debian debian_linux 7.0
mageia_project mageia 4
wordpress wordpress 3.8.3
wordpress wordpress 3.8.1
CVE-2014-9039 MEDIUM

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-254,

Products Affected

Vendor Product Version
wordpress wordpress 3.8.4
wordpress wordpress 3.8.2
wordpress wordpress 3.9.2
wordpress wordpress 3.9
wordpress wordpress 3.9.1
debian debian_linux 8.0
wordpress wordpress 3.8
wordpress wordpress *
wordpress wordpress 4.0
mageia_project mageia 3
debian debian_linux 7.0
mageia_project mageia 4
wordpress wordpress 3.8.3
wordpress wordpress 3.8.1
CVE-2014-9274 HIGH

UnRTF allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code as demonstrated by a file containing the string "{\cb-999999999".

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
debian debian_linux 8.0
unrtf_project unrtf *
debian debian_linux 7.0
mageia_project mageia 4
fedoraproject fedora 21
CVE-2015-2296 MEDIUM

The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
python requests 2.5.2
python requests 2.4.1
python requests 2.3.0
python requests 2.5.3
python requests 2.2.1
python requests 2.1.0
python requests 2.5.0
python requests 2.5.1
canonical ubuntu_linux 14.10
python requests 2.4.0
python requests 2.4.3
canonical ubuntu_linux 14.04
python requests 2.4.2
mageia_project mageia 4.0