-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:168 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : libvncserver Date : September 2, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications using performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607). The libvncserver library is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. The x11vnc packages is now build against the system libvncserver library to avoid security issues in the bundled copy. The icecream packages is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607 http://advisories.mageia.org/MGASA-2014-0356.html http://advisories.mageia.org/MGASA-2014-0361.html http://advisories.mageia.org/MGASA-2014-0357.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 3195ef89e2bf6892c4da1738331454c5 mbs1/x86_64/icecream-0.9.7-4.1.mbs1.x86_64.rpm 9942649812dffc8ff156a8fa035fa3ee mbs1/x86_64/icecream-devel-0.9.7-4.1.mbs1.x86_64.rpm 96c7151c7626b5333ac3fb4cd94afb91 mbs1/x86_64/icecream-scheduler-0.9.7-4.1.mbs1.x86_64.rpm 5b32305b816bb71b46ab4b4347bac80b mbs1/x86_64/lib64vncserver0-0.9.8.2-2.1.mbs1.x86_64.rpm 52cb075b6b18de702432226a30a464fb mbs1/x86_64/lib64vncserver-devel-0.9.8.2-2.1.mbs1.x86_64.rpm 164f81cec7e32b596e08c92241825b79 mbs1/x86_64/linuxvnc-0.9.8.2-2.1.mbs1.x86_64.rpm 44514de4a51770522d18e34fdbea1bde mbs1/x86_64/x11vnc-0.9.13-2.1.mbs1.x86_64.rpm 40c47ae0434f573bef277dc9f4eae6d2 mbs1/SRPMS/icecream-0.9.7-4.1.mbs1.src.rpm 677f8c619f1f3a91f83eb81058dea5b7 mbs1/SRPMS/libvncserver-0.9.8.2-2.1.mbs1.src.rpm badb727efa60a9c7fcc022c0ee34d4ab mbs1/SRPMS/x11vnc-0.9.13-2.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUBcVrmqjQ0CJFipgRArpAAKDkoBfIqHOIMuPQoP+s9404AEsZHQCgo9ds W6ffKfAIl2dNyf1lZI5DqIQ= =F2gL -----END PGP SIGNATURE-----
