Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you're dealing with a security incident, it's essential that you and the rest of your team not only have the skills needed to deal comprehensively with an issue, but also have a framework to support you as you approach it. This framework lets the team focus purely on what it needs to do, following a process that removes vulnerabilities and threats in a proper way, so everyone who depends upon the software you protect can be confident that it's secure and functioning properly.


  Debian: DSA-3924-1: varnish security update (Aug 2)
 

A denial of service vulnerability was discovered in Varnish, a state of the art, high-performance web accelerator. Specially crafted HTTP requests can cause the Varnish daemon to assert and restart, clearing the cache in the process.

  Debian: DSA-3923-1: freerdp security update (Aug 1)
 

Tyler Bohan of Talos discovered that FreeRDP, a free implementation of the Remote Desktop Protocol (RDP), contained several vulnerabilities that allowed a malicious remote server or a man-in-the-middle to either cause a DoS by forcibly terminating the client, or execute

  Debian: DSA-3922-1: mysql-5.5 security update (Jul 28)
 

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.57, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible

  Debian: DSA-3921-1: enigmail update (Jul 28)
 

In DSA 3918 Thunderbird was upgraded to the latest ESR series. This update upgrades Enigmail, the OpenPGP extension for Thunderbird, to version 1.9.8.1 to restore full compatibility.

 
  Fedora 25: rt Security Update (Aug 3)
 

Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944

  Fedora 24: rt Security Update (Aug 3)
 

Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944

  Fedora 24: evince Security Update (Aug 3)
 

- CVE-2017-1000083: Evince command injection vulnerability in CBT handler (#1468488)

  Fedora 26: rt Security Update (Aug 3)
 

Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944

  Fedora 25: open-vm-tools Security Update (Aug 2)
 

Fix /tmp race conditions in libDeployPkg (CVE-2015-5191).

  Fedora 25: glpi Security Update (Aug 2)
 

* various security fixes (https://github.com/glpi-project/glpi/issues/2475, https://github.com/glpi-project/glpi/issues/2476, https://github.com/glpi-project/glpi/issues/2492)
* fix regressions on self service portal:
  * self-service users should not be auto assigned as tech
  * type and category fields are not selectable

  Fedora 25: seamonkey Security Update (Aug 2)
 

Update to 2.48. Fixes various security issues; see http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html for more information.

  Fedora 26: glpi Security Update (Aug 2)
 

* various security fixes (https://github.com/glpi-project/glpi/issues/2475, https://github.com/glpi-project/glpi/issues/2476, https://github.com/glpi-project/glpi/issues/2492)
* fix regressions on self service portal:
  * self-service users should not be auto assigned as tech
  * type and category fields are not selectable

  Fedora 26: seamonkey Security Update (Aug 2)
 

Update to 2.48. Fixes various security issues; see http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html for more information.

  Fedora 25: gcc Security Update (Aug 1)
 

Fixes CVE-2017-11671. Fixed bugs ( ): 31468, 43434, 45053, 49244, 50345, 53915, 56469, 60818, 60992, 61636, 61729, 62045, 64238, 65542, 65705, 65972, 66295, 66669, 67353, 67440, 68163, 68491, 68972, 69264, 69699, 69804, 69823, 69953, 70601, 70844, 70878, 71294, 71310, 71444, 71458, 71510, 71778, 71838, 72775, 73650, 75964, 76731, 77333, 77563, 77728, 77850,

  Fedora 25: libtool Security Update (Aug 1)
 

Fixes CVE-2017-11671. Fixed bugs ( ): 31468, 43434, 45053, 49244, 50345, 53915, 56469, 60818, 60992, 61636, 61729, 62045, 64238, 65542, 65705, 65972, 66295, 66669, 67353, 67440, 68163, 68491, 68972, 69264, 69699, 69804, 69823, 69953, 70601, 70844, 70878, 71294, 71310, 71444, 71458, 71510, 71778, 71838, 72775, 73650, 75964, 76731, 77333, 77563, 77728, 77850,

  Fedora 25: gcc-python-plugin Security Update (Aug 1)
 

Fixes CVE-2017-11671. Fixed bugs ( ): 31468, 43434, 45053, 49244, 50345, 53915, 56469, 60818, 60992, 61636, 61729, 62045, 64238, 65542, 65705, 65972, 66295, 66669, 67353, 67440, 68163, 68491, 68972, 69264, 69699, 69804, 69823, 69953, 70601, 70844, 70878, 71294, 71310, 71444, 71458, 71510, 71778, 71838, 72775, 73650, 75964, 76731, 77333, 77563, 77728, 77850,

  Fedora 25: mingw-c-ares Security Update (Aug 1)
 

New version, security fix for CVE-2017-1000381.

  Fedora 24: php-PHPMailer Security Update (Aug 1)
 

Update to 5.2.24: fixes XSS vulnerability CVE-2017-11503.

  Fedora 26: mingw-c-ares Security Update (Aug 1)
 

New version, security fix for CVE-2017-1000381.

  Fedora 25: runc Security Update (Jul 31)
 

* V1.0 final release
* bump runc commit
* Update to latest release candidate

  Fedora 25: moodle Security Update (Jul 31)
 

Fix for multiple CVEs

  Fedora 24: moodle Security Update (Jul 31)
 

Fix for multiple CVEs

  Fedora 24: jackson-databind Security Update (Jul 31)
 

Security fix for CVE-2017-7525

  Fedora 26: freerdp Security Update (Jul 31)
 

Update to the latest snapshot, which contains fixes for the latest Talos-discovered CVEs.

  Fedora 26: remmina Security Update (Jul 31)
 

Update to the latest snapshot, which contains fixes for the latest Talos-discovered CVEs.

  Fedora 26: moodle Security Update (Jul 31)
 

Fix for multiple CVEs

  Fedora 25: webkitgtk4 Security Update (Jul 30)
 

This update addresses the following vulnerabilities: * [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7018), [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7030), [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7034), [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7037),

  Fedora 25: mingw-librsvg2 Security Update (Jul 28)
 

MinGW cross-compiled librsvg 2.40.18 release, fixing CVE-2017-11464 (division-by-zero in the Gaussian blur code).

  Fedora 25: php-PHPMailer Security Update (Jul 28)
 

Update to 5.2.24: fixes XSS vulnerability CVE-2017-11503.

  Fedora 24: mingw-librsvg2 Security Update (Jul 28)
 

MinGW cross-compiled librsvg 2.40.18 release, fixing CVE-2017-11464 (division-by-zero in the Gaussian blur code).

  Fedora 26: mingw-librsvg2 Security Update (Jul 28)
 

MinGW cross-compiled librsvg 2.40.18 release, fixing CVE-2017-11464 (division-by-zero in the Gaussian blur code).

  Fedora 25: freeradius Security Update (Jul 27)
 

- Upgrade to upstream v3.0.15 release. See upstream ChangeLog for details (in freeradius-doc subpackage).
- Resolves: Bug#1471848 CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret()
- Resolves: Bug#1471860 CVE-2017-10983 freeradius: Out-of-bounds read in

  Fedora 25: mingw-poppler Security Update (Jul 27)
 

This update fixes multiple security vulnerabilities (CVE-2017-7515, CVE-2017-9775, CVE-2017-9776, CVE-2017-9865).

  Fedora 25: minicom Security Update (Jul 27)
 

Rebuilt to new upstream version 2.7.1; fixes rhbz#1443071 and rhbz#1443129.

  Fedora 24: bind99 Security Update (Jul 27)
 

Fixes CVE-2017-3142 and CVE-2017-3143

  Fedora 24: dhcp Security Update (Jul 27)
 

Fixes CVE-2017-3142 and CVE-2017-3143

  Fedora 24: mingw-poppler Security Update (Jul 27)
 

This update fixes multiple security vulnerabilities (CVE-2017-7515, CVE-2017-9775, CVE-2017-9776, CVE-2017-9865).

  Fedora 24: minicom Security Update (Jul 27)
 

Rebuilt to new upstream version 2.7.1; fixes rhbz#1443071 and rhbz#1443129.

  Fedora 26: webkitgtk4 Security Update (Jul 27)
 

This update addresses the following vulnerabilities: * [CVE-2017-7018](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7018), [CVE-2017-7030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7030), [CVE-2017-7034](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7034), [CVE-2017-7037](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7037),

  Fedora 26: php-symfony Security Update (Jul 27)
 

2.8.25 (2017-07-17)
* security #23507 [Security] validate empty passwords again (xabbuh)
* bug #23526 [HttpFoundation] Set meta refresh time to 0 in RedirectResponse content (jnvsor)
* bug #23540 Disable inlining deprecated services (alekitto)
* bug #23468 [DI] Handle root namespace in service definitions (ro0NL)
* bug #23256 [Security] Fix authentication.failure event

  Fedora 26: freeradius Security Update (Jul 27)
 

- Upgrade to upstream v3.0.15 release. See upstream ChangeLog for details (in freeradius-doc subpackage).
- Resolves: Bug#1471848 CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret()
- Resolves: Bug#1471860 CVE-2017-10983 freeradius: Out-of-bounds read in

  Fedora 26: mingw-poppler Security Update (Jul 27)
 

This update fixes multiple security vulnerabilities (CVE-2017-7515, CVE-2017-9775, CVE-2017-9776, CVE-2017-9865).

  Fedora 26: minicom Security Update (Jul 27)
 

Rebuilt to new upstream version 2.7.1; fixes rhbz#1443071 and rhbz#1443129.

  Fedora 26: golang Security Update (Jul 27)
 

* Bump to 1.8.3
* Security fix for CVE-2017-8932
* add support for 28+bit OIDs in asn1

 
  Slackware: 2017-213-01: gnupg Security Update (Aug 2)
 

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

  Slackware: 2017-209-01: squashfs-tools Security Update (Jul 28)
 

New squashfs-tools packages are available for Slackware 14.2 and -current to fix security issues.

 
  SuSE: 2017:2041-1: important: the Linux Kernel (Aug 3)
 

An update that fixes one vulnerability is now available.

  SuSE: 2017:2040-1: important: libzypp, zypper (Aug 3)
 

An update that solves three vulnerabilities and has 6 fixes is now available.

  SuSE: 2017:2034-1: important: mariadb (Aug 3)
 

An update that fixes 5 vulnerabilities is now available.

  SuSE: 2017:2035-1: important: mariadb (Aug 3)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2017:1994-1: important: chromium (Jul 28)
 

An update that fixes 21 vulnerabilities is now available.

  openSUSE: 2017:1993-1: important: chromium (Jul 28)
 

An update that fixes 21 vulnerabilities is now available.

 
  Ubuntu 0027-1: Linux kernel vulnerability (Aug 3)
 

Several security issues were fixed in the kernel.

  Ubuntu 3378-2: Linux kernel (Xenial HWE) vulnerabilities (Aug 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3377-1: Linux kernel vulnerabilities (Aug 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3378-1: Linux kernel vulnerabilities (Aug 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3377-2: Linux kernel (HWE) vulnerabilities (Aug 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3370-2: Apache HTTP Server vulnerability (Aug 1)
 

Apache HTTP Server could be made to crash or leak sensitive information if it received specially crafted network traffic.

  Ubuntu 3294-2: Bash vulnerability (Aug 1)
 

A security issue was fixed in Bash.

  Ubuntu 3366-2: OpenJDK 8 regression (Jul 31)
 

USN 3366-1 introduced a regression in OpenJDK 8.

  Ubuntu 3373-1: Apache HTTP Server vulnerabilities (Jul 31)
 

Several security issues were fixed in Apache HTTP Server.

  Ubuntu 3372-1: NSS vulnerability (Jul 31)
 

Several security issues were fixed in NSS.

  Ubuntu 3371-1: Linux kernel (HWE) kernel vulnerabilities (Jul 28)
 

Several security issues were fixed in the Linux kernel.