Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you’re dealing with a security incident it’s essential that you – and the rest of your team – not only have the skills needed to comprehensively deal with an issue, but also have a framework to support you as you approach it. This framework means the team can focus purely on what it needs to do, following a process that removes any vulnerabilities and threats in a proper way – so everyone who depends upon the software you protect can be confident that it’s secure and functioning properly.


  (Dec 28)
 

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.

  (Dec 23)
 

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  (Dec 21)
 

Hanno Boeck, Juraj Somorovsky and Craig Young discovered that the TLS implementation in Bouncy Castle is vulnerable to an adaptive chosen ciphertext attack against RSA keys.

  (Dec 21)
 

Gabriel Corona reported that sensible-browser from sensible-utils, a collection of small utilities used to sensibly select and spawn an appropriate browser, editor or pager, does not validate strings before launching the program specified by the BROWSER environment variable,

  (Dec 21)
 

Multiple vulnerabilities were discovered in Enigmail, an OpenPGP extension for Thunderbird, which could result in a loss of confidentiality, faked signatures, plain text leaks and denial of service. Additional information can be found under


  Fedora 27: libexif Security Update (Dec 28)
 

Patch for CVE-2016-6328

  Fedora 27: webkitgtk4 Security Update (Dec 28)
 

This update addresses the following vulnerabilities: [CVE-2017-13866](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13866), [CVE-2017-13870](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13870), [CVE-2017-7156](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7156), [CVE-2017-13856](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13856)

  Fedora 27: asterisk Security Update (Dec 28)
 

- Update to upstream 14.7.4 release to address AST-2017-012 security issue
- Update to upstream 14.7.3 release for security alert AST-2017-013
- Update to upstream 14.7.2 release for bug fixes

  Fedora 27: sensible-utils Security Update (Dec 28)
 

Update to version 0.0.11, see utils_0.0.11_changelog for details.

  Fedora 27: shellinabox Security Update (Dec 28)
 

Disable SSHv1 options.

  Fedora 26: python-mistune Security Update (Dec 27)
 

Update to 0.8.3, fixing CVE-2017-15612 and CVE-2017-16876

  Fedora 26: ruby Security Update (Dec 26)
 

Update to Ruby 2.4.2.

  Fedora 26: evince Security Update (Dec 26)
 

CVE-2017-1000159 Command injection when exporting DVI to PDF

  Fedora 26: shellinabox Security Update (Dec 26)
 

Disable SSHv1 options.

  Fedora 26: lynx Security Update (Dec 26)
 

Update to the latest upstream pre-release (fixes CVE-2017-1000211).

  Fedora 26: asterisk Security Update (Dec 26)
 

Update to upstream 13.18.4 release to address AST-2017-012/CVE-2017-17664 security issue

  Fedora 26: sensible-utils Security Update (Dec 26)
 

Update to version 0.0.11, see utils_0.0.11_changelog for details.

  Fedora 27: json-c Security Update (Dec 24)
 

Patch: avoid an invalid free and crash explicitly instead of silently enabling the caller to commit undefined behaviour.

  Fedora 27: kernel Security Update (Dec 24)
 

The 4.14.8 stable kernel update contains a number of important fixes across the tree.

  Fedora 26: json-c Security Update (Dec 24)
 

Patch: avoid an invalid free and crash explicitly instead of silently enabling the caller to commit undefined behaviour.

  Fedora 26: kernel Security Update (Dec 24)
 

- The 4.14.8 stable kernel update contains a number of important fixes across the tree.
- The 4.14.7 stable kernel update contains a number of important fixes across the tree.

  Fedora 27: kernel Security Update (Dec 21)
 

The 4.14.7 stable kernel update contains a number of important fixes across the tree.


  (Dec 21)
 

This is the 6-month notification for the retirement of Red Hat Enterprise MRG Version 2 for Red Hat Enterprise Linux 6. This notification applies only to those customers subscribed to Red Hat Enterprise MRG Version 2 for Red Hat Enterprise Linux 6.


  Slackware: 2017-356-01: mozilla-thunderbird Security Update (Dec 22)
 

New mozilla-thunderbird packages are available for Slackware 14.2 and -current to fix a security issue.


  SuSE: 2017:3440-1: important: java-1_7_1-ibm (Dec 27)
 

An update that fixes 16 vulnerabilities is now available.

  SuSE: 2017:3435-1: important: GraphicsMagick (Dec 27)
 

An update that fixes 14 vulnerabilities is now available.

  openSUSE: 2017:3433-1: important: Mozilla Thunderbird (Dec 25)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2017:3434-1: important: Mozilla Thunderbird (Dec 25)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2017:3431-1: important: evince (Dec 23)
 

An update that fixes one vulnerability is now available.

  SuSE: 2017:3428-1: important: evince (Dec 23)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2017:3427-1: important: enigmail (Dec 22)
 

An update that contains security fixes can now be installed.

  openSUSE: 2017:3420-1: important: ImageMagick (Dec 22)
 

An update that solves 32 vulnerabilities and has one errata is now available.

  openSUSE: 2017:3419-1: important: enigmail (Dec 22)
 

An update that contains security fixes can now be installed.

  SuSE: 2017:3411-1: important: java-1_8_0-ibm (Dec 22)
 

An update that fixes 17 vulnerabilities is now available.


  (Dec 28)
 

A vulnerability was found in the Mercurial version control system which could lead to remote arbitrary code execution.

  (Dec 27)
 

Multiple security issues have been found in the Mozilla Thunderbird mail client including information leaks, unintended JavaScript execution and sender address spoofing.

  (Dec 25)
 

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

  (Dec 25)
 

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

  (Dec 23)
 

Hanno Böck found several buffer overflows in GIMP, the GNU Image Manipulation Program, which could lead to application crash or other unspecified behaviour if a user opened untrusted input files.

  (Dec 23)
 

Multiple vulnerabilities have been discovered in Irssi, a terminal based IRC client, which may lead to denial of service or other unspecified impact.

  (Dec 23)
 

Multiple vulnerabilities were discovered in Enigmail, an OpenPGP extension for Thunderbird, which could result in a loss of confidentiality, faked signatures, plain text leaks and denial of service. Additional information can be found under

  (Dec 23)
 

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool, allowing a remote attacker to bypass intended access restrictions or cause a denial of service.

  (Dec 21)
 

Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.