Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just keeping their servers running. Intruders, spammers, DDoS attacks, crackers, are all out there trying to get into people

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for this purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary widely by environment and use, there are various general steps that can be taken to ensure basic security considerations are in place.


  Debian: DSA-3947-1: newsbeuter security update (Aug 18)

Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine.

  Debian: DSA-3946-1: libmspack security update (Aug 18)

It was discovered that libmspack, a library used to handle Microsoft compression formats, did not properly validate its input. A remote attacker could craft malicious CAB or CHM files and use this flaw to cause a denial of service via application crash, or potentially

  Debian: DSA-3945-1: linux security update (Aug 17)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  Debian: DSA-3944-1: mariadb-10.0 security update (Aug 17)

Several issues have been discovered in the MariaDB database server. The vulnerabilities are addressed by upgrading MariaDB to the new upstream version 10.0.32. Please see the MariaDB 10.0 Release Notes for further details:

  Debian: DSA-3928-2: firefox-esr security update (Aug 16)

The update shipped in DSA 3928-1 failed to build on the mips, mipsel and powerpc architectures for the oldstable distribution (jessie). This has been fixed in 52.3.0esr-1~deb8u2.

  Debian: DSA-3943-1: gajim security update (Aug 14)

Gajim, a GTK+-based XMPP/Jabber client, unconditionally implements the "XEP-0146: Remote Controlling Clients" extension, allowing a malicious XMPP server to trigger commands to leak private conversations from encrypted sessions. With this update XEP-0146 support has been disabled

  Debian: DSA-3942-1: supervisor security update (Aug 13)

Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on

  Debian: DSA-3940-1: iortcw security update (Aug 13)

A read buffer overflow was discovered in the idtech3 (Quake III Arena) family of game engines. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted packet.

  Debian: DSA-3940-1: cvs security update (Aug 13)

It was discovered that CVS, a centralised version control system, did not correctly handle maliciously constructed repository URLs, which allowed an attacker to run an arbitrary shell command.

  Debian: DSA-3939-1: botan1.10 security update (Aug 12)

Aleksandar Nikolic discovered that an error in the x509 parser of the Botan crypto library could result in an out-of-bounds memory read, resulting in denial of service or an information leak if processing a malformed certificate.

  Debian: DSA-3938-1: libgd2 security update (Aug 12)

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used to load images from GIF format files in libgd2, a library for programmatic graphics creation and manipulation, does not zero stack allocated color map buffers before their use, which may result in

  Debian: DSA-3937-1: zabbix security update (Aug 12)

Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.

  Debian: DSA-3936-1: postgresql-9.6 security update (Aug 10)

Several vulnerabilities have been found in the PostgreSQL database system: CVE-2017-7546

  Debian: DSA-3935-1: postgresql-9.4 security update (Aug 10)

Several vulnerabilities have been found in the PostgreSQL database system: CVE-2017-7546

  Debian: DSA-3933-1: pjproject security update (Aug 10)

Two vulnerabilities were found in the PJSIP/PJProject communication library, which may result in denial of service. For the oldstable distribution (jessie), these problems have been fixed

  Debian: DSA-3934-1: git security update (Aug 10)

Joern Schneeweisz discovered that git, a distributed revision control system, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command, for instance via git submodules.

  Debian: DSA-3932-1: subversion security update (Aug 10)

Several problems were discovered in Subversion, a centralised version control system. CVE-2016-8734 (jessie only)

  Debian: DSA-3930-1: freeradius security update (Aug 10)

Guido Vranken discovered that FreeRADIUS, an open source implementation of RADIUS, the IETF protocol for AAA (Authorisation, Authentication, and Accounting), did not properly handle memory when processing packets. This would allow a remote attacker to cause a

  Debian: DSA-3929-1: libsoup2.4 security update (Aug 10)

Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer overflow vulnerability in libsoup2.4, an HTTP library implementation in C. A remote attacker can take advantage of this flaw by sending a specially crafted HTTP request to cause an application using the

  Debian: DSA-3928-1: firefox-esr security update (Aug 10)

Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, bypass of the same-origin policy or

  (Aug 10)

An update that fixes 5 vulnerabilities is now available.

  Debian LTS: DLA-1059-1: strongswan security update (Aug 18)

It was discovered that there was a denial-of-service vulnerability in the Strongswan Virtual Private Network (VPN) software. Specific RSA signatures passed to the gmp plugin for verification could

  Debian LTS: DLA-1058-1: krb5 security update (Aug 14)

In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.

  Debian LTS: DLA-1057-1: libraw security update (Aug 14)

Some memory corruption bugs were discovered in libraw, a raw image decoder library, which could be triggered via maliciously crafted input files to cause denial of service or other unspecified impact.

  Debian LTS: DLA-1056-1: cvs security update (Aug 13)

It was discovered that there was a command injection vulnerability in the CVS revision control system. For Debian 7 "Wheezy", this issue has been fixed in cvs version

  Debian LTS: DLA-1055-1: libgd2 security update (Aug 12)

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used to load images from GIF format files in libgd2, a library for programmatic graphics creation and manipulation, does not zero stack

  Debian LTS: DLA-1054-1: libgxps security update (Aug 12)

It was discovered that there was a NULL pointer dereference in libgxps, a library for handling XML Paper Specification documents. Specially-crafted input could lead to a remote denial of service attack.

  Debian LTS: DLA-1053-1: firefox-esr security update (Aug 12)

Several security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, use-after-frees, buffer overflows and other implementation errors may lead to the execution of arbitrary code, denial of service, bypass of the same-origin policy or

  Debian LTS: DLA-1052-1: subversion security update (Aug 11)

It was discovered that there was an arbitrary code execution vulnerability in the subversion revision control system via malicious "svn+ssh" URLs in "svn:externals" and "svn:sync-from-url".

  Debian LTS: DLA-1051-1: postgresql-9.1 security update (Aug 10)

Several vulnerabilities have been found in the PostgreSQL database system: CVE-2017-7486

  Debian: xchat security update (Aug 10)

It was discovered that there was a directory traversal vulnerability in the xchat IRC client which allowed remote IRC servers to read or modify arbitrary files via a ".." in the server name.

  ArchLinux: 201708-14: subversion: arbitrary command execution (Aug 15)

The package subversion before version 1.9.7-1 is vulnerable to arbitrary command execution.

  ArchLinux: 201708-13: strongswan: denial of service (Aug 15)

The package strongswan before version 5.5.3-4 is vulnerable to denial of service.

  ArchLinux: 201708-12: spice: arbitrary code execution (Aug 15)

The package spice before version 0.12.8+8+ga957a90b-1 is vulnerable to arbitrary code execution.

  ArchLinux: 201708-11: xorg-server: multiple issues (Aug 15)

The package xorg-server before version 1.19.3-3 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 201708-9: audiofile: multiple issues (Aug 15)

The package audiofile before version 0.3.6-4 is vulnerable to multiple issues including arbitrary code execution, arbitrary command execution and denial of service.

  ArchLinux: 201708-10: libytnef: arbitrary code execution (Aug 15)

The package libytnef before version 1.9.2-2 is vulnerable to arbitrary code execution.

  ArchLinux: 201708-8: jdk7-openjdk: multiple issues (Aug 14)

The package jdk7-openjdk before version 7.u151_2.6.11-1 is vulnerable to multiple issues including access restriction bypass, arbitrary code execution, authentication bypass, denial of service, privilege escalation, private key recovery and content spoofing.

  ArchLinux: 201708-6: git: arbitrary command execution (Aug 14)

The package git before version 2.14.1-1 is vulnerable to arbitrary command execution.

  ArchLinux: 201708-7: mercurial: multiple issues (Aug 14)

The package mercurial before version 4.2.3-1 is vulnerable to multiple issues including arbitrary command execution and arbitrary filesystem access.

  ArchLinux: 201708-5: libsoup: arbitrary code execution (Aug 10)

The package libsoup before version 2.58.2-1 is vulnerable to arbitrary code execution.

  ArchLinux: 201708-4: varnish: denial of service (Aug 10)

The package varnish before version 5.1.3-1 is vulnerable to denial of service.

  ArchLinux: 201708-3: firefox: multiple issues (Aug 10)

The package firefox before version 55.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, information disclosure, same-origin policy bypass, access restriction bypass, cross-site scripting, incorrect calculation, sandbox escape and denial of service.

  ArchLinux: 201708-2: flashplugin: multiple issues (Aug 10)

The package flashplugin before version 26.0.0.151-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 201708-1: lib32-flashplugin: multiple issues (Aug 10)

The package lib32-flashplugin before version 26.0.0.151-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  CentOS: CESA-2017-2485: Important CentOS 6 git (Aug 17)

Upstream details at: https://access.redhat.com/errata/RHSA-2017:2485

  CentOS: CESA-2017-2478: Critical CentOS 6 httpd (Aug 15)

Upstream details at: https://access.redhat.com/errata/RHSA-2017:2478

  CentOS: CESA-2017-2424: Critical CentOS 6 java-1.7.0-openjdk (Aug 15)

Upstream details at: https://access.redhat.com/errata/RHSA-2017:2424

  CentOS: CESA-2017-2456: Critical CentOS 6 firefox (Aug 15)

Upstream details at: https://access.redhat.com/errata/RHSA-2017:2456

  SciLinux: Important: git on SL6.x i386/x86_64 (Aug 17)

A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a "clone" action on a malicious repository or a

  SciLinux: Important: httpd on SL6.x i386/x86_64 (Aug 15)

It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd