Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.

  (Apr 16)
 

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

  (Apr 16)
 

CVE-2015-2331: integer overflow when processing ZIP archives (#1204676, #1204677)

  (Apr 16)
 

New upstream version - 37.0.1

  (Apr 13)
 

CVE-2015-1545 openldap: slapd crashes on search with deref control and empty attr list

  (Apr 13)
 

This is an update to the set of CA certificates released with NSS version 3.18. However, the package modifies the CA list to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details. If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command. This update corrects the Fedora legacy classification of four root CA certificates, which had trust added or removed in the upstream 2.1 and 2.2 releases.

  (Apr 13)
 

* CVE-2015-1779 vnc: insufficient resource limiting in VNC websockets decoder (bz #1205051, bz #1199572)
* Qemu: PRDT overflow from guest to host (bz #1204919, bz #1205322)
* CVE-2014-8106: cirrus: insufficient blit region checks (bz #1170612, bz #1169454)
* Fix .vdi disk corruption (bz #1199400)
* Don't install ksm services as executable (bz #1192720)

  (Apr 13)
 

Security fix for CVE-2014-8354, CVE-2014-8355 and 4 other security issues

  (Apr 13)
 

This is an update to the set of CA certificates released with NSS version 3.18. However, the package modifies the CA list to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details. If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command. This update corrects the Fedora legacy classification of four root CA certificates, which had trust added or removed in the upstream 2.1 and 2.2 releases.

  (Apr 13)
 

- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)
- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)

  (Apr 11)
 

This update fixes a bug triggered by a bogus content-length header. Under special circumstances, it could crash a varnishd subthread. New upstream release. A bugfix release. Highlights from the changelog:
* 26 reported bugs fixed.
* Replaced objects are now expired immediately, instead of kept around until expiry.
* Memory usage on chunked backend responses is lower.
For a detailed list of changes, please see the project's announcement at

  (Apr 11)
 

Fixes built in; also added a couple of other entity-related patches, including a fix for CVE-2014-3660.

  (Apr 11)
 

Long latency MMIO mapping operations are not preemptible [XSA-125, CVE-2015-2752]
Unmediated PCI command register access in qemu [XSA-126, CVE-2015-2756]
Certain domctl operations may be abused to lock up the host [XSA-127, CVE-2015-2751]
Update to xen-4.3.4

  (Apr 11)
 

Long latency MMIO mapping operations are not preemptible [XSA-125, CVE-2015-2752]
Unmediated PCI command register access in qemu [XSA-126, CVE-2015-2756]
Certain domctl operations may be abused to lock up the host [XSA-127, CVE-2015-2751]
Update to xen-4.4.2

  (Apr 10)
 

Fix for CVE-2014-9706 (rhbz#1204889, rhbz#1204890, and rhbz#1204891)

  (Apr 10)
 

Updated to latest SVN, fixing various bugs

  (Apr 10)
 

Fix for CVE-2014-9706 (rhbz#1204889, rhbz#1204890, and rhbz#1204891)

  (Apr 10)
 

Updated to latest SVN, fixing various bugs.

  (Apr 10)
 

- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)
- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)

  (Apr 9)
 

Security fix for

  (Apr 9)
 

- Update to 4.7
- Release notes can be found at https://www.drupal.org/node/2460229
- Security fix for drupal7-webform module
- Upstream release notes: https://www.drupal.org/node/2457219
- Release notes can be found at https://www.drupal.org/node/2454063
- Update to 4.3
- Release notes can be found at https://www.drupal.org/node/2427257
- Update to 4.2
- Release notes can be found at https://www.drupal.org/node/2381793

  (Apr 9)
 

* Fixing arbitrary code execution

  (Apr 9)
 

New upstream version - 37.0.1

  (Apr 9)
 

* Fixing arbitrary code execution

  (Apr 9)
 

Security fix for

  (Apr 9)
 

- Update to 4.7
- Release notes can be found at https://www.drupal.org/node/2460229
- Security fix for drupal7-webform module
- Upstream release notes: https://www.drupal.org/node/2457219
- Release notes can be found at https://www.drupal.org/node/2454063
- Update to 4.3
- Release notes can be found at https://www.drupal.org/node/2427257
- Update to 4.2
- Release notes can be found at https://www.drupal.org/node/2381793

 
  (Apr 11)
 

Multiple vulnerabilities have been found in MySQL and MariaDB, the worst of which can allow remote attackers to cause a Denial of Service condition.

  (Apr 11)
 

Multiple vulnerabilities have been found in Xen, the worst of which can allow remote attackers to cause a Denial of Service condition.

  (Apr 11)
 

Multiple vulnerabilities have been found in Apache HTTP Server, the worst of which could lead to arbitrary code execution.

  (Apr 11)
 

A vulnerability in sudo could allow a local attacker to read arbitrary files or bypass security restrictions.

 
  Mandriva: 2015:203: batik (Apr 10)
 

Updated batik packages fix security vulnerability: Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could [More...]

  Mandriva: 2015:202: ntp (Apr 10)
 

Multiple vulnerabilities have been found and corrected in ntp: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle [More...]

  Mandriva: 2015:201: arj (Apr 10)
 

Multiple vulnerabilities have been found and corrected in arj: Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated [More...]

  Mandriva: 2015:200: mediawiki (Apr 10)
 

Updated mediawiki packages fix security vulnerabilities: In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931). [More...]

  Mandriva: 2015:199: less (Apr 10)
 

Updated less package fixes security vulnerability: Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access (CVE-2014-9488). [More...]

  Mandriva: 2015:198: java-1.8.0-openjdk (Apr 9)
 

Multiple vulnerabilities have been discovered and corrected in java-1.8.0-openjdk: Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component [More...]

 
  Red Hat: 2015:0854-01: java-1.8.0-oracle: Critical Advisory (Apr 17)
 

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:0844-01: openstack-nova: Important Advisory (Apr 16)
 

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0835-01: openstack-swift: Moderate Advisory (Apr 16)
 

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0843-01: openstack-nova: Important Advisory (Apr 16)
 

Updated OpenStack Compute (nova) packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0834-01: novnc: Moderate Advisory (Apr 16)
 

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0838-01: openstack-glance: Low Advisory (Apr 16)
 

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0833-01: novnc: Moderate Advisory (Apr 16)
 

An updated novnc package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0841-01: redhat-access-plugin: Important Advisory (Apr 16)
 

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0836-01: openstack-swift: Moderate Advisory (Apr 16)
 

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0837-01: openstack-glance: Low Advisory (Apr 16)
 

Updated openstack-glance packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0840-01: redhat-access-plugin: Important Advisory (Apr 16)
 

An updated redhat-access-plugin-openstack package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0830-01: openstack-foreman-installer: Important Advisory (Apr 16)
 

Updated Red Hat Enterprise Linux OpenStack Platform Installer packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:0816-01: chromium-browser: Important Advisory (Apr 16)
 

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:0809-01: java-1.8.0-openjdk: Important Advisory (Apr 15)
 

Updated java-1.8.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:0808-01: java-1.6.0-openjdk: Important Advisory (Apr 15)
 

Updated java-1.6.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:0807-01: java-1.7.0-openjdk: Important Advisory (Apr 15)
 

Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:0806-01: java-1.7.0-openjdk: Critical Advisory (Apr 15)
 

Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:0813-01: flash-plugin: Critical Advisory (Apr 15)
 

An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:0803-01: kernel: Important Advisory (Apr 14)
 

Updated kernel packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:0797-01: xorg-x11-server: Moderate Advisory (Apr 10)
 

Updated xorg-x11-server packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:0795-01: qemu-kvm-rhev: Important Advisory (Apr 9)
 

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:0794-01: krb5: Moderate Advisory (Apr 9)
 

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]

 
  Ubuntu: 2569-2: Apport vulnerability (Apr 16)
 

Apport could be tricked into running programs as an administrator.

  Ubuntu: 2569-1: Apport vulnerability (Apr 14)
 

Apport could be tricked into running programs as an administrator.

  Ubuntu: 2568-1: libx11, libxrender vulnerability (Apr 13)
 

libx11 could be made to crash or run programs if it processed specially crafted data.

  Ubuntu: 2567-1: NTP vulnerabilities (Apr 13)
 

Several security issues were fixed in NTP.

  Ubuntu: 2566-1: dpkg vulnerability (Apr 9)
 

dpkg could be tricked into bypassing source package signature checks.

  Ubuntu: 2565-1: Linux kernel vulnerabilities (Apr 9)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2564-1: Linux kernel (Utopic HWE) vulnerabilities (Apr 9)
 

Several security issues were fixed in the kernel.