Linux Advisory Watch: August 14th, 2015


Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just the uptime of their servers. Intruders, spammers, DDoS attackers and crackers are all out there trying to get into people's computers, servers and anything else they can lay hands on, and to interrupt the normal running of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


  Debian: 3335-1: request-tracker4: Summary (Aug 13)

  Debian: 3334-1: gnutls28: Summary (Aug 12)

  Debian: 3333-1: iceweasel: Summary (Aug 12)

  Debian: 3332-1: wordpress: Summary (Aug 11)

  Debian: 3331-1: subversion: Summary (Aug 10)

  Debian: 3321-2: opensaml2: Summary (Aug 8)

  Debian: 3330-1: activemq: Summary (Aug 7)

  Debian: 3329-1: linux: Summary (Aug 7)


  Fedora 22 gnutls-3.3.17-1.fc22 (Aug 13)
 

Updated to 3.3.17.

  Fedora 22 pcre-8.37-3.fc22 (Aug 13)
 

This release fixes buffer overflows when compiling certain expressions.

  Fedora 22 wordpress-4.2.4-1.fc22 (Aug 13)
 

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

* the release notes: https://codex.wordpress.org/Version_4.2.4
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33573&stop_rev=33396

**WordPress 4.2.3 Security and Maintenance Release**

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see:

* the release notes: https://codex.wordpress.org/Version_4.2.3
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33382&stop_rev=32430

  Fedora 22 nbd-3.11-1.fc22 (Aug 13)
 

* Fix unsafe signal handlers to avoid DoS attack [CVE-2015-0847].

  Fedora 21 nbd-3.11-1.fc21 (Aug 13)
 

* Fix unsafe signal handlers to avoid DoS attack [CVE-2015-0847].

  Fedora 21 wordpress-4.2.4-1.fc21 (Aug 13)
 

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

* the release notes: https://codex.wordpress.org/Version_4.2.4
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33573&stop_rev=33396

**WordPress 4.2.3 Security and Maintenance Release**

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see:

* the release notes: https://codex.wordpress.org/Version_4.2.3
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33382&stop_rev=32430

  Fedora 21 kernel-4.1.4-100.fc21 (Aug 12)
 

Update to latest upstream stable release, Linux v4.1.4. Fixes across the tree.

  Fedora 22 devscripts-2.15.8-1.fc22 (Aug 12)
 

Update to version 2.15.8, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.8_changelog for details. Fixes CVE-2015-5705.

Update to version 2.15.7, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.7_changelog for details. This update fixes licensecheck refusing to parse some text files such as C++ source files.

Update to version 2.15.6, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.6_changelog for details.

  Fedora 21 devscripts-2.15.8-1.fc21 (Aug 12)
 

Update to version 2.15.8, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.8_changelog for details. Fixes CVE-2015-5705.

Update to version 2.15.7, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.7_changelog for details. This update fixes licensecheck refusing to parse some text files such as C++ source files.

Update to version 2.15.6, see https://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.15.6_changelog for details.

  Fedora 22 xfsprogs-3.2.2-2.fc22 (Aug 12)
 

Gabriel Vlasiu reported that xfs_metadump, part of the xfsprogs suite of tools for the XFS filesystem, did not properly obfuscate data. xfs_metadump properly obfuscates active metadata, but the rest of the space within that fs block comes through in the clear. This could lead to exposure of stale disk data via the produced metadump image.

The expectation of xfs_metadump is to obfuscate all but the shortest names in the metadata, as noted in the manpage:

> By default, xfs_metadump obfuscates most file (regular file, directory and symbolic link) names and extended attribute names to allow the dumps to be sent without revealing confidential information. Extended attribute values are zeroed and no data is copied. The only exceptions are file or attribute names that are 4 or less characters in length. Also file names that span extents (this can only occur with the mkfs.xfs(8) options where -n size > -b size) are not obfuscated. Names between 5 and 8 characters in length inclusively are partially obfuscated.

While the xfs_metadump tool can be run by unprivileged users, it requires appropriate permissions to access block devices (such as root) where the sensitive data might be dumped. An unprivileged user, without access to the block device, could not use this flaw to obtain sensitive data they would not otherwise have permission to access.

  Fedora 21 xen-4.4.2-9.fc21 (Aug 12)
 

* QEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142)
* rebuild efi grub.cfg if it is present (#1239309)
* add gcc5 build fixes, one needed for the following patch
* modify gnutls use in line with Fedora's crypto policies (#117935)

  Fedora 22 pure-ftpd-1.0.36-7.fc22 (Aug 12)
 

* denial of service in glob_()

  Fedora 22 kernel-4.1.4-200.fc22 (Aug 12)
 

Update to latest upstream stable release, Linux v4.1.4. Fixes across the tree.

  Fedora 22 xen-4.5.1-5.fc22 (Aug 12)
 

* QEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142)
* try again to fix xen-qemu-dom0-disk-backend.service (#1242246)
* correct qemu location in xen-qemu-dom0-disk-backend.service (#1242246)
* rebuild efi grub.cfg if it is present (#1239309)
* re-enable remus by building with libnl3
* modify gnutls use in line with Fedora's crypto policies (#1179352)

  Fedora 21 lxc-1.0.7-2.fc21 (Aug 10)
 

Security fix for CVE-2015-1331, CVE-2015-1334.

  Fedora 22 lxc-1.1.2-2.fc22 (Aug 10)
 

Security fix for CVE-2015-1331, CVE-2015-1334.

  Fedora 22 elasticsearch-1.6.1-0.fc22 (Aug 10)
 

Updated to the security update 1.6.1 - https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released

Updated to 1.6.0.

  Fedora 22 rubygems-2.4.8-100.fc22 (Aug 10)
 

Update to RubyGems 2.4.8.

  Fedora 23 lxc-1.1.2-2.fc23 (Aug 10)
 

Security fix for CVE-2015-1331, CVE-2015-1334.

  Fedora 23 rubygems-2.4.8-100.fc23 (Aug 10)
 

Update to RubyGems 2.4.8.

  Fedora 23 wordpress-4.2.4-1.fc23 (Aug 10)
 

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

* the release notes: https://codex.wordpress.org/Version_4.2.4
* the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=33573&stop_rev=33396

  Fedora 23 firefox-39.0.3-1.fc23 (Aug 10)
 

Firefox security release. See: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

  Fedora 23 xen-4.5.1-5.fc23 (Aug 10)
 

* QEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142)
* try again to fix xen-qemu-dom0-disk-backend.service (#1242246)

  Fedora 21 community-mysql-5.6.26-1.fc21 (Aug 10)
 

Update to 5.6.26

  Fedora 23 community-mysql-5.6.26-1.fc23 (Aug 10)
 

Update to 5.6.26

  Fedora 22 community-mysql-5.6.26-1.fc22 (Aug 10)
 

Update to 5.6.26

  Fedora 21 firefox-39.0.3-1.fc21 (Aug 7)
 

Firefox security release. See: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

  Fedora 22 firefox-39.0.3-1.fc22 (Aug 7)
 

Firefox security release. See: https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

  Fedora 21 drupal6-cck-2.10-1.fc21 (Aug 7)
 

https://www.drupal.org/project/cck

  Fedora 21 lighttpd-1.4.36-1.fc21 (Aug 7)
 

Latest upstream security release: https://www.lighttpd.net/2015/7/26/1.4.36/

  Fedora 22 drupal6-cck-2.10-1.fc22 (Aug 7)
 

https://www.drupal.org/project/cck

  Fedora 22 mantis-1.2.19-3.fc22 (Aug 7)
 

Security fix for CVE-2015-5059

  Fedora 22 lighttpd-1.4.36-1.fc22 (Aug 7)
 

Latest upstream security release: https://www.lighttpd.net/2015/7/26/1.4.36/

  Fedora 21 mantis-1.2.19-3.fc21 (Aug 7)
 

Security fix for CVE-2015-5059

  Fedora 22 opensaml-java-openws-1.5.5-2.fc22 (Aug 7)
 

* OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

  Fedora 22 opensaml-java-2.5.3-9.fc22 (Aug 7)
 

* OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

  Fedora 21 opensaml-java-openws-1.5.5-2.fc21 (Aug 7)
 

* OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

  Fedora 21 opensaml-java-2.5.3-9.fc21 (Aug 7)
 

* OpenSAML Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification

  Fedora 22 openstack-swift-2.2.0-5.fc22 (Aug 7)
 

This update fixes CVE-2015-1856, unauthorized deletion of versioned Swift object.


  Red Hat: 2015:1623-01: kernel: Important Advisory (Aug 13)
 

Updated kernel packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security

  Red Hat: 2015:1603-01: flash-plugin: Critical Advisory (Aug 12)
 

An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security

  Red Hat: 2015:1583-01: kernel: Moderate Advisory (Aug 11)
 

Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Moderate security

  Red Hat: 2015:1581-01: firefox: Important Advisory (Aug 7)
 

Updated firefox packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security

  Red Hat: 2015:1565-01: kernel-rt: Moderate Advisory (Aug 6)
 

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

  Red Hat: 2015:1564-01: kernel-rt: Moderate Advisory (Aug 6)
 

Updated kernel-rt packages that fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5.

  Red Hat: 2015:1534-01: kernel: Moderate Advisory (Aug 6)
 

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security


  Slackware: 2015-219-01: mozilla-firefox: Security Update (Aug 7)
 

New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.

  Slackware: 2015-219-02: mozilla-nss: Security Update (Aug 7)
 

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix security issues.


  Ubuntu: 2702-2: Ubufox update (Aug 11)
 

This update provides compatible packages for Firefox 40.

  Ubuntu: 2702-1: Firefox vulnerabilities (Aug 11)
 

Firefox could be made to crash or run programs as your login if it opened a malicious website.

  Ubuntu: 2707-1: Firefox vulnerability (Aug 7)
 

Firefox could be made to expose sensitive information from local files.

  Ubuntu: 2705-1: Keystone vulnerabilities (Aug 6)
 

Keystone could be made to expose sensitive information over the network.

  Ubuntu: 2703-1: Cinder vulnerability (Aug 6)
 

Cinder could be made to access unintended files over the network by an authenticated user.

  Ubuntu: 2704-1: Swift vulnerabilities (Aug 6)
 

Several security issues were fixed in Swift.
