Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


(Apr 9)

Security Report Summary

(Apr 7)

Security Report Summary

(Apr 6)

Security Report Summary

(Apr 6)

Security Report Summary

(Apr 6)

Security Report Summary

(Apr 6)

Security Report Summary

(Apr 2)

Security Report Summary


(Apr 10)

Fix for CVE-2014-9706 (rhbz#1204889, rhbz#1204890, and rhbz#1204891)

(Apr 10)

Updated to latest SVN, fixing various bugs

(Apr 10)

Fix for CVE-2014-9706 (rhbz#1204889, rhbz#1204890, and rhbz#1204891)

(Apr 10)

Updated to latest SVN, fixing various bugs.

(Apr 10)

- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)
- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)

(Apr 9)

Security fix for

(Apr 9)

- Update to 4.7
- Release notes can be found at https://www.drupal.org/node/2460229
- Security fix for drupal7-webform module
- Upstream release notes: https://www.drupal.org/node/2457219
- Release notes can be found at https://www.drupal.org/node/2454063
- Update to 4.3
- Release notes can be found at https://www.drupal.org/node/2427257
- Update to 4.2
- Release notes can be found at https://www.drupal.org/node/2381793

(Apr 9)

* Fixing arbitrary code execution

(Apr 9)

New upstream version - 37.0.1

(Apr 9)

* Fixing arbitrary code execution

(Apr 9)

Security fix for

(Apr 9)

- Update to 4.7
- Release notes can be found at https://www.drupal.org/node/2460229
- Security fix for drupal7-webform module
- Upstream release notes: https://www.drupal.org/node/2457219
- Release notes can be found at https://www.drupal.org/node/2454063
- Update to 4.3
- Release notes can be found at https://www.drupal.org/node/2427257
- Update to 4.2
- Release notes can be found at https://www.drupal.org/node/2381793

(Apr 8)

Security fix for CVE-2015-1815

(Apr 8)

CVE-2015-0296: texlive rpm scriptlet allows an unprivileged user to delete arbitrary files. This update fixes this issue.

(Apr 8)

Security fix for CVE-2015-1815

(Apr 7)

Fixes built in; also added a couple of other entities-related patches, including a fix for CVE-2014-3660.

(Apr 7)

The 3.19.3 rebase contains improved hardware support, a number of new features, and many important fixes across the tree.

(Apr 7)

Update to 2.33.1
Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/ for more info.
Update to 2.33
Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/ for more info.

(Apr 7)

Patches security vulnerability discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=1181483
Latest upstream release.
Latest upstream release.

(Apr 7)

Update to 2.33.1
Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/ for more info.

(Apr 7)

Patches security vulnerability discussed here: https://bugzilla.redhat.com/show_bug.cgi?id=1181483
Latest upstream release.
Latest upstream release.

(Apr 6)

Security fix for CVE-2015-1783

(Apr 6)

CVE-2015-1827: It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash.

CVE-2015-0283: It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time.

These issues were discovered by Sumit Bose of Red Hat.

(Apr 6)

CVE-2015-1827: It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash.

CVE-2015-0283: It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time.

These issues were discovered by Sumit Bose of Red Hat.

(Apr 6)

Security fix for CVE-2015-1783

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Security fix for CVE-2014-9130

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to upstream release 0.2.5.11.

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

* Fix privilege escalation via user creation with a crafted POST request

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Security fix for CVE-2014-9130

(Apr 5)

Update to latest versions of the respective branches. f20 has been updated from 2.5.x to 2.6.x because 2.5.x is EOL.

(Apr 5)

Update to version 31.6.

(Apr 5)

Security fix for CVE-2015-2331.

(Apr 5)

Update to upstream release 0.2.5.11.

(Apr 5)

Security fix for CVE-2015-2331.

(Apr 5)

Security fix for CVE-2015-0778

(Apr 5)

Security fix for CVE-2015-0778

(Apr 5)

* Fix privilege escalation via user creation with a crafted POST request

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to latest versions of the respective branches. f20 has been updated from 2.5.x to 2.6.x because 2.5.x is EOL.

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 5)

Update to Qt 5.4.1

(Apr 4)

Update to latest upstream - 37.0

(Apr 4)

Security fix for CVE-2014-9472
Security fix for CVE-2015-1165
Security fix for CVE-2015-1464

(Apr 4)

Security fixes for CVE-2014-9637, CVE-2015-1196, and an infinite loop with a crafted diff.

(Apr 2)

CVE-2015-0296: texlive rpm scriptlet allows an unprivileged user to delete arbitrary files. This update fixes this issue.

(Apr 2)

Security fix for CVE-2014-6585, CVE-2014-6591

(Apr 2)

Update to upstream 1.7 release for security fixes

(Apr 2)

Update to latest upstream - 37.0

(Apr 2)

Update to upstream 1.7 release for security fixes


(Apr 7)

Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, the worst of which may allow user-assisted execution of arbitrary code.


Mandriva: 2015:202: ntp (Apr 10)

Multiple vulnerabilities have been found and corrected in ntp: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle [More...]

Mandriva: 2015:201: arj (Apr 10)

Multiple vulnerabilities have been found and corrected in arj: Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated [More...]

Mandriva: 2015:200: mediawiki (Apr 10)

Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931). [More...]

Mandriva: 2015:199: less (Apr 10)

Updated less package fixes security vulnerability: Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access (CVE-2014-9488). [More...]

Mandriva: 2015:198: java-1.8.0-openjdk (Apr 9)

Multiple vulnerabilities have been discovered and corrected in java-1.8.0-openjdk: Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component [More...]

Mandriva: 2015:193: libtasn1 (Apr 7)

Updated libtasn1 packages fix security vulnerability: The libtasn1 library before version 4.4 is vulnerable to a two-byte stack overflow in asn1_der_decoding (CVE-2015-2806). [More...]

Mandriva: 2015:196: cups-filters (Apr 7)

Updated cups-filters package fixes security vulnerability: cups-browsed in cups-filters before 1.0.66 contained a bug in the remove_bad_chars() function, where it failed to reliably filter out illegal characters if there were two or more subsequent illegal [More...]

Mandriva: 2015:195: python-django (Apr 7)

A vulnerability has been discovered and corrected in python-django: The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct [More...]

Mandriva: 2015:192: subversion (Apr 3)

Multiple vulnerabilities have been discovered and corrected in subversion: Subversion HTTP servers with FSFS repositories are vulnerable to a remotely triggerable excessive memory use with certain REPORT requests [More...]

Mandriva: 2015:161-1: icu (Apr 2)

Updated icu packages fix security vulnerabilities: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified [More...]

Mandriva: 2015:191: owncloud (Apr 2)

Multiple vulnerabilities have been discovered and corrected in owncloud: * Multiple stored XSS in contacts application (oC-SA-2015-001) * Multiple stored XSS in documents application (oC-SA-2015-002) [More...]

Mandriva: 2015:190: owncloud (Apr 2)

Multiple vulnerabilities have been discovered and corrected in owncloud: * Login bypass when using user_ldap due to unauthenticated binds (oC-SA-2014-020) [More...]

Mandriva: 2015:189: tor (Apr 2)

Updated tor packages fix security vulnerabilities: The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely triggerable, which would result in a denial of service, and also fixes a few other bugs. [More...]

Mandriva: 2015:188: flac (Apr 2)

Multiple vulnerabilities have been discovered and corrected in flac: Heap-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file (CVE-2014-9028). [More...]

Mandriva: 2015:187: graphviz (Apr 2)

Updated graphviz packages fix security vulnerability: Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vector, [More...]


Red Hat: 2015:0797-01: xorg-x11-server: Moderate Advisory (Apr 10)

Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0795-01: qemu-kvm-rhev: Important Advisory (Apr 9)

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

Red Hat: 2015:0794-01: krb5: Moderate Advisory (Apr 9)

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0788-01: novnc: Moderate Advisory (Apr 7)

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 6.0. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0790-01: openstack-nova: Important Advisory (Apr 7)

Updated openstack-nova packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 6.0. [More...]

Red Hat: 2015:0783-01: kernel: Important Advisory (Apr 7)

Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0782-01: kernel: Important Advisory (Apr 7)

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0778-01: chromium-browser: Critical Advisory (Apr 6)

Updated chromium-browser packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security [More...]


Ubuntu: 2566-1: dpkg vulnerability (Apr 9)

dpkg could be tricked into bypassing source package signature checks.

Ubuntu: 2565-1: Linux kernel vulnerabilities (Apr 9)

Several security issues were fixed in the kernel.

Ubuntu: 2564-1: Linux kernel (Utopic HWE) vulnerabilities (Apr 9)

Several security issues were fixed in the kernel.

Ubuntu: 2563-1: Linux kernel vulnerabilities (Apr 8)

Several security issues were fixed in the kernel.

Ubuntu: 2562-1: Linux kernel (Trusty HWE) vulnerabilities (Apr 8)

Several security issues were fixed in the kernel.

Ubuntu: 2561-1: Linux kernel (OMAP4) vulnerabilities (Apr 8)

Several security issues were fixed in the kernel.

Ubuntu: 2560-1: Linux kernel vulnerabilities (Apr 8)

Several security issues were fixed in the kernel.

Ubuntu: 2559-1: Libtasn1 vulnerability (Apr 8)

Libtasn1 could be made to crash or run programs if it processed specially crafted data.

Ubuntu: 2558-1: Mailman vulnerability (Apr 7)

Mailman could be made to run programs if it processed a specially crafted list name.

Ubuntu: 2556-1: Oxide vulnerabilities (Apr 7)

Several security issues were fixed in Oxide.

Ubuntu: 2557-1: Firefox vulnerability (Apr 7)

Firefox could be made to bypass SSL certificate verification.

Ubuntu: 2552-1: Thunderbird vulnerabilities (Apr 2)

Several security issues were fixed in Thunderbird.