Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you're dealing with a security incident, it's essential that you and the rest of your team not only have the skills needed to deal with an issue comprehensively, but also have a framework to support you as you approach it. This framework lets the team focus purely on what it needs to do, following a process that removes vulnerabilities and threats in a proper way, so everyone who depends upon the software you protect can be confident that it's secure and functioning properly.


  (Dec 21)
 

Hanno Boeck, Juraj Somorovsky and Craig Young discovered that the TLS implementation in Bouncy Castle is vulnerable to an adaptive chosen ciphertext attack against RSA keys.

  (Dec 21)
 

Gabriel Corona reported that sensible-browser from sensible-utils, a collection of small utilities used to sensibly select and spawn an appropriate browser, editor or pager, does not validate strings before launching the program specified by the BROWSER environment variable,

  (Dec 21)
 

Multiple vulnerabilities were discovered in Enigmail, an OpenPGP extension for Thunderbird, which could result in a loss of confidentiality, faked signatures, plain text leaks and denial of service. Additional information can be found under

  (Dec 20)
 

Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request System, which could result in session information disclosure when cookie support is disabled. A remote attacker can take advantage of this flaw to take over an agent's session if the agent is tricked into clicking a

  (Dec 17)
 

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool, allowing a remote attacker to bypass intended access restrictions or cause a denial of service.

  (Dec 17)
 

It was discovered that malformed jumbogram packets could result in denial of service against OpenAFS, an implementation of the Andrew distributed file system.

  (Dec 17)
 

Two vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents.

  (Dec 17)
 

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:


  Fedora 27: kernel Security Update (Dec 21)
 

The 4.14.7 stable kernel update contains a number of important fixes across the tree.

  Fedora 26: libextractor Security Update (Dec 19)
 

Patch for CVE-2017-17440

  Fedora 26: wayland Security Update (Dec 19)
 

This update fixes a possible heap overflow when parsing malicious cursor files. See https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html for details.

  Fedora 26: qt5-qtbase Security Update (Dec 19)
 

Security fix for QDnsLookup crash on unix when DNS response is over 512 bytes, see also https://bugreports.qt.io/browse/QTBUG-64742

  Fedora 26: kernel Security Update (Dec 19)
 

The 4.14.6 update contains various fixes across the tree.

  Fedora 26: optipng Security Update (Dec 19)
 

Security fix for CVE-2017-1000229 and CVE-2017-16938

  Fedora 26: LibRaw Security Update (Dec 19)
 

  Fedora 26: python35 Security Update (Dec 19)
 

Security fix for CVE-2017-1000158

  Fedora 26: python34 Security Update (Dec 19)
 

Security fix for CVE-2017-1000158

  Fedora 27: python34 Security Update (Dec 19)
 

Security fix for CVE-2017-1000158

  Fedora 27: nodejs Security Update (Dec 19)
 

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V8.md

  Fedora 27: libextractor Security Update (Dec 19)
 

Patch for CVE-2017-17440

  Fedora 27: xen Security Update (Dec 19)
 

- another patch related to the [XSA-240, CVE-2017-15595] issue
- x86 PV guests may gain access to internally used page [XSA-248]
- broken x86 shadow mode refcount overflow check [XSA-249]
- improper x86 shadow mode refcount error handling [XSA-250]
- improper bug check in x86 log-dirty handling [XSA-251]

  Fedora 27: wayland Security Update (Dec 19)
 

This update fixes a possible heap overflow when parsing malicious cursor files. See https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html for details.

  Fedora 27: glibc Security Update (Dec 19)
 

This update fixes minor security bugs (CVE-2017-17426, CVE-2017-15804), contains single-threaded optimizations for `malloc`, and increases compatibility with IBM POWER 9 hardware.

  Fedora 27: qt5-qtbase Security Update (Dec 19)
 

Security fix for QDnsLookup crash on unix when DNS response is over 512 bytes, see also https://bugreports.qt.io/browse/QTBUG-64742

  Fedora 27: optipng Security Update (Dec 19)
 

Security fix for CVE-2017-1000229 and CVE-2017-16938

  Fedora 27: python35 Security Update (Dec 19)
 

Security fix for CVE-2017-1000158

  Fedora 26: python26 Security Update (Dec 18)
 

Fix for CVE-2017-1000158

  Fedora 27: perl-DBD-MySQL Security Update (Dec 18)
 

Security fix for CVE-2017-10789

  Fedora 27: python26 Security Update (Dec 18)
 

Fix for CVE-2017-1000158

  Fedora 27: kernel Security Update (Dec 18)
 

The 4.14.6 update contains various fixes across the tree.

  Fedora 26: tor Security Update (Dec 17)
 

Update to upstream release 0.3.1.9. Fixes:
- CVE-2017-8819: Replay-cache ineffective for v2 onion services
- CVE-2017-8820: Remote DoS attack against directory authorities
- CVE-2017-8821: An attacker can make Tor ask for a password
- CVE-2017-8822: Relays can pick themselves in a circuit path
- CVE-2017-8823: Use-after-free in onion service v2

  Fedora 27: tor Security Update (Dec 17)
 

Update to upstream release 0.3.1.9. Fixes various CVEs:
- CVE-2017-8819: Replay-cache ineffective for v2 onion services
- CVE-2017-8820: Remote DoS attack against directory authorities
- CVE-2017-8821: An attacker can make Tor ask for a password
- CVE-2017-8822: Relays can pick themselves in a circuit path
- CVE-2017-8823: Use-after-free in onion service v2

  Fedora 27: python-dulwich Security Update (Dec 15)
 

Update to 0.18.6


  (Dec 14)
 

Multiple vulnerabilities have been found in cURL, the worst of which may allow execution of arbitrary code.

  (Dec 14)
 

Multiple vulnerabilities have been found in OpenSSL, the worst of which may lead to a Denial of Service condition.

  (Dec 14)
 

Multiple vulnerabilities have been discovered in OpenCV, the worst of which may result in a denial of service condition.

  (Dec 14)
 

Multiple vulnerabilities have been discovered in WebKitGTK+, the worst of which may lead to arbitrary code execution.


  (Dec 21)
 

This is the 6-month notification for the retirement of Red Hat Enterprise MRG Version 2 for Red Hat Enterprise Linux 6. This notification applies only to those customers subscribed to Red Hat Enterprise MRG Version 2 for Red Hat Enterprise Linux 6.

  (Dec 20)
 

This is the One-Year notification for the retirement of Red Hat Enterprise Linux 6.7 Extended Update Support (EUS). This notification applies only to those customers subscribed to the Extended Update Support (EUS) channel for Red Hat Enterprise Linux 6.7.

  (Dec 19)
 

An update for rh-ruby24-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 18)
 

An update for cfme, cfme-appliance, and cfme-gemset is now available for CloudForms Management Engine 5.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  (Dec 18)
 

An update for heketi is now available for Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  (Dec 18)
 

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  (Dec 15)
 

An update is now available for JBoss Core Services on RHEL 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  (Dec 15)
 

An update is now available for JBoss Core Services on RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  (Dec 15)
 

An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 11.0 (Ocata). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 9.0 (Mitaka). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 8.0 (Liberty). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  (Dec 14)
 

An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which


  Slackware: 2017-353-01: ruby Security Update (Dec 20)
 

New ruby packages are available for Slackware 14.2 and -current to fix a security issue.


  SuSE: 2017:3411-1: important: java-1_8_0-ibm (Dec 22)
 

An update that fixes 17 vulnerabilities is now available.

  SuSE: 2017:3388-1: important: ImageMagick (Dec 20)
 

An update that solves 32 vulnerabilities and has one errata is now available.

  SuSE: 2017:3378-1: important: ImageMagick (Dec 20)
 

An update that fixes 26 vulnerabilities is now available.

  SuSE: 2017:3369-1: important: java-1_6_0-ibm (Dec 19)
 

An update that fixes 15 vulnerabilities is now available.

  openSUSE: 2017:3344-1: important: chromium (Dec 16)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2017:3345-1: important: openssl (Dec 16)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2017:3346-1: important: chromium (Dec 16)
 

An update that fixes one vulnerability is now available.

  SuSE: 2017:3343-1: important: openssl (Dec 16)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3340-1: important: the Linux Kernel (Live Patch 13 for SLE 12 SP1) (Dec 15)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3337-1: important: the Linux Kernel (Live Patch 15 for SLE 12 SP1) (Dec 15)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3338-1: important: the Linux Kernel (Live Patch 22 for SLE 12 SP1) (Dec 15)
 

An update that fixes one vulnerability is now available.

  SuSE: 2017:3336-1: important: the Linux Kernel (Live Patch 17 for SLE 12 SP1) (Dec 15)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3332-1: important: the Linux Kernel (Live Patch 14 for SLE 12 SP1) (Dec 15)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3324-1: important: the Linux Kernel (Live Patch 2 for SLE 12 SP3) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3323-1: important: the Linux Kernel (Live Patch 11 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3321-1: important: the Linux Kernel (Live Patch 10 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3322-1: important: the Linux Kernel (Live Patch 21 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3320-1: important: the Linux Kernel (Live Patch 19 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3318-1: important: the Linux Kernel (Live Patch 20 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3319-1: important: the Linux Kernel (Live Patch 1 for SLE 12 SP3) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3316-1: important: the Linux Kernel (Live Patch 12 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3317-1: important: the Linux Kernel (Live Patch 4 for SLE 12 SP3) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3315-1: important: the Linux Kernel (Live Patch 29 for SLE 12) (Dec 14)
 

An update that solves one vulnerability and has one errata is now available.

  SuSE: 2017:3313-1: important: the Linux Kernel (Live Patch 18 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3314-1: important: the Linux Kernel (Live Patch 3 for SLE 12 SP3) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3312-1: important: the Linux Kernel (Live Patch 16 for SLE 12 SP1) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3309-1: important: the Linux Kernel (Live Patch 23 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3310-1: important: the Linux Kernel (Live Patch 7 for SLE 12 SP2) (Dec 14)
 

An update that solves three vulnerabilities and has two fixes is now available.

  SuSE: 2017:3308-1: important: the Linux Kernel (Live Patch 19 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3306-1: important: the Linux Kernel (Live Patch 3 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3307-1: important: the Linux Kernel (Live Patch 28 for SLE 12) (Dec 14)
 

An update that solves two vulnerabilities and has one errata is now available.

  SuSE: 2017:3304-1: important: the Linux Kernel (Live Patch 18 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3305-1: important: the Linux Kernel (Live Patch 27 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3303-1: important: the Linux Kernel (Live Patch 26 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3302-1: important: the Linux Kernel (Live Patch 21 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3301-1: important: the Linux Kernel (Live Patch 25 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3299-1: important: the Linux Kernel (Live Patch 22 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3300-1: important: the Linux Kernel (Live Patch 10 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3297-1: important: the Linux Kernel (Live Patch 13 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3296-1: important: the Linux Kernel (Live Patch 9 for SLE 12 SP2) (Dec 14)
 

An update that solves three vulnerabilities and has two fixes is now available.

  SuSE: 2017:3295-1: important: the Linux Kernel (Live Patch 12 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3293-1: important: the Linux Kernel (Live Patch 24 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3292-1: important: the Linux Kernel (Live Patch 2 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3290-1: important: the Linux Kernel (Live Patch 5 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3291-1: important: the Linux Kernel (Live Patch 6 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3289-1: important: the Linux Kernel (Live Patch 17 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3287-1: important: the Linux Kernel (Live Patch 20 for SLE 12) (Dec 14)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:3288-1: important: the Linux Kernel (Live Patch 4 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3286-1: important: the Linux Kernel (Live Patch 8 for SLE 12 SP2) (Dec 14)
 

An update that solves three vulnerabilities and has two fixes is now available.

  SuSE: 2017:3285-1: important: the Linux Kernel (Live Patch 14 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SuSE: 2017:3284-1: important: the Linux Kernel (Live Patch 11 for SLE 12 SP2) (Dec 14)
 

An update that solves two vulnerabilities and has two fixes is now available.


  (Dec 18)
 

Several security issues were fixed in PHP.

  (Dec 15)
 

USN-3509-1 introduced a regression in the Linux kernel for Ubuntu 16.04 LTS.

  (Dec 15)
 

USN-3509-2 introduced a regression in the Linux HWE kernel for Ubuntu 14.04 LTS.


  (Dec 17)
 

The package lib32-openssl-1.0 before version 1.0.2.n-1 is vulnerable to multiple issues including information disclosure, private key recovery and denial of service.

  (Dec 16)
 

The package tor before version 0.3.1.9-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

  (Dec 16)
 

The package openssl-1.0 before version 1.0.2.m-1 is vulnerable to multiple issues including information disclosure and denial of service.

  (Dec 16)
 

The package chromium before version 63.0.3239.108-1 is vulnerable to cross-site scripting.

  (Dec 14)
 

The package quagga before version 1.2.2-1 is vulnerable to denial of service.

  (Dec 14)
 

The package qt5-webengine before version 5.10.0-1 is vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, content spoofing and information disclosure.


  (Dec 19)
 

Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. (CVE-2017-12172, CVE-2017-15097) Note: This patch drops the script privileges from root to the postgres user. Therefore, this update works properly only if the postgres user has write access to the postgres' home directory, such as the one in the default configuration (/var/lib/pgsql).


  (Dec 21)
 

Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.

  (Dec 20)
 

Francesco Sirocco discovered a flaw in otrs2, the Open Ticket Request System, which could result in session information disclosure when cookie support is disabled. A remote attacker can take advantage of this flaw to take over an agent's session if the agent is tricked into clicking a

  (Dec 20)
 

Marcin Noga discovered two vulnerabilities in LibreOffice, which could result in the execution of arbitrary code if a malformed PPT or DOC document is opened.

  (Dec 20)
 

CVE-2017-17432 It was discovered that malformed jumbogram packets could result in denial of service against OpenAFS, an implementation of the Andrew

  (Dec 19)
 

Four vulnerabilities were discovered in the Open Ticket Request System which could result in information disclosure or the execution of arbitrary shell commands by logged-in agents.

  (Dec 18)
 

CVE-2017-15412 It was detected that some function calls in the XPath extensions functions could result in memory corruption due to "use after free".

  (Dec 16)
 

It was discovered that there was a command-injection vulnerability in kildclient, a "MUD" multiplayer real-time virtual world game. For Debian 7 "Wheezy", this issue has been fixed in kildclient version

  (Dec 15)
 

Reportbug, a tool designed to make the reporting of bugs in Debian easier, was further enhanced to automatically detect bug reports for potential regressions caused by a security update. After user confirmation an additional email with a copy of the report will be

  (Dec 15)
 

It was discovered that there was a vulnerability in sensible-browser, a utility to start the most suitable web browser based on your environment or configuration.

  (Dec 15)
 

An Erlang TLS server configured with cipher suites using RSA key exchange may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may result in plaintext recovery of encrypted messages and/or a Man-in-the-middle (MiTM)