-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:073 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : file Date : April 9, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated file packages fix security vulnerabilities: The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345 http://advisories.mageia.org/MGASA-2014-0142.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 4b4561e9f1573586faf3e776a8f4fe74 mbs1/x86_64/file-5.12-1.1.mbs1.x86_64.rpm a0fe4f9fdc9139483ff2646c457457d0 mbs1/x86_64/lib64magic1-5.12-1.1.mbs1.x86_64.rpm 23d2709d6591a1bf152803f31435d36a mbs1/x86_64/lib64magic-devel-5.12-1.1.mbs1.x86_64.rpm 69dc8737c1c20341a2f062ee382cfdf1 mbs1/x86_64/lib64magic-static-devel-5.12-1.1.mbs1.x86_64.rpm b73482de9b5c0d944c558ac4db1f26f9 mbs1/x86_64/python-magic-5.12-1.1.mbs1.noarch.rpm 436b242b459fa885153668f6cae2056f mbs1/SRPMS/file-5.12-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFTRUPamqjQ0CJFipgRAlI1AKDbGsuPUDuBLEObQHXwP7OpO0jHhgCfYGrn YRR4xBW2cZ0XFAUpzAV8yz0= =UhvO -----END PGP SIGNATURE-----