Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix-based Environments - System administrators are aware of how important their systems' security is, not just the runtime of their servers. Intruders, spammers, DDoS attacks and crackers are all out there trying to get into people's computers, servers and anything else they can lay hands on, and to interrupt the normal runtime of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


  Debian: 3295-1: cacti: Summary (Jun 24)
 

Security Report Summary

  Debian: 3294-1: wireshark: Summary (Jun 23)
 

Security Report Summary

  Debian: 3293-1: pyjwt: Summary (Jun 20)
 

Security Report Summary

  Debian: 3292-1: cinder: Summary (Jun 19)
 

Security Report Summary

  Debian: 3291-1: drupal7: Summary (Jun 18)
 

Security Report Summary

  Debian: 3290-1: linux: Summary (Jun 18)
 

Security Report Summary


  Fedora 20 xen-4.3.4-6.fc20 (Jun 24)
 

- Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]
- GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
- Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]
- Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103]
- PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104]
- Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105]
- Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106]

  Fedora 21 xen-4.4.2-6.fc21 (Jun 24)
 

- Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]
- GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
- Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]

  Fedora 21 libwmf-0.2.8.4-43.fc21 (Jun 24)
 

CVE-2015-0848: heap overflow when decoding BMP images

  Fedora 22 xen-4.5.0-11.fc22 (Jun 24)
 

- stubs-32.h is back, so revert to previous behaviour
- Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]
- GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]
- Vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]

  Fedora 22 curl-7.40.0-5.fc22 (Jun 24)
 

- implement public key pinning for NSS backend (#1195771)
- fix lingering HTTP credentials in connection re-use (CVE-2015-3236)
- prevent SMB from sending off unrelated memory contents (CVE-2015-3237)
- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)

  Fedora 21 openssl-1.0.1k-10.fc21 (Jun 24)
 

Multiple moderate and low impact security issues fixed.

  Fedora 21 cups-1.7.5-17.fc21 (Jun 20)
 

This update fixed 2 security flaws.

  Fedora 22 gnome-abrt-1.2.0-1.fc22 (Jun 20)
 

Security fixes for:
* CVE-2015-3315
* CVE-2015-3142
* CVE-2015-1869
* CVE-2015-1870
* CVE-2015-3151
* CVE-2015-3150
* CVE-2015-3159
abrt:
- Move the default dump location from /var/tmp/abrt to /var/spool/abrt
- Use root for owner of all dump directories
- Stop reading hs_error.log from /tmp
- Do not save the system logs by default
- Do not save dmesg if kernel.dmesg_restrict=1
libreport:
- Harden the code against directory traversal, symbolic and hard link attacks
- Fix a bug causing the first value of AlwaysExcludedElements to be ignored
- Fix missing icon for the "Stop" button icon name
- Improve development documentation
- Translation updates
gnome-abrt:
- Enable the Details also for the System problems
- Do not crash when testing the availability of XServer
- Fix 'Open problem's data directory'
- Quit application on Ctrl+Q
- Translation updates
satyr:
- New kernel taint flags
- More secure core stacktraces from core hook

  Fedora 22 libreport-2.6.0-1.fc22 (Jun 20)
 

Same combined abrt/libreport/gnome-abrt/satyr changelog as the gnome-abrt-1.2.0-1.fc22 entry above: security fixes for CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3151, CVE-2015-3150 and CVE-2015-3159, plus hardening of libreport against directory traversal, symbolic and hard link attacks.

  Fedora 22 abrt-2.6.0-1.fc22 (Jun 20)
 

Same combined abrt/libreport/gnome-abrt/satyr changelog as the gnome-abrt-1.2.0-1.fc22 entry above: security fixes for CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3151, CVE-2015-3150 and CVE-2015-3159, plus the move of the default dump location from /var/tmp/abrt to /var/spool/abrt with root-owned dump directories.

  Fedora 22 satyr-0.18-1.fc22 (Jun 20)
 

Same combined abrt/libreport/gnome-abrt/satyr changelog as the gnome-abrt-1.2.0-1.fc22 entry above: security fixes for CVE-2015-3315, CVE-2015-3142, CVE-2015-1869, CVE-2015-1870, CVE-2015-3151, CVE-2015-3150 and CVE-2015-3159; for satyr itself, new kernel taint flags and more secure core stacktraces from the core hook.

  Fedora 22 kernel-4.0.5-300.fc22 (Jun 20)
 

Update to latest upstream stable release, Linux v4.0.5. Wide variety of fixes across the tree.

  Fedora 21 krb5-1.12.2-17.fc21 (Jun 20)
 

- Security fix for CVE-2015-2694
- Security fix for CVE-2014-5353 (this was fixed in an older build but the announcement was lost)

  Fedora 21 drupal7-views-3.11-1.fc21 (Jun 20)
 

- Release 3.11 is a security fix release
- Upstream changelog is at https://www.drupal.org/node/2480259

  Fedora 20 drupal7-views-3.11-1.fc20 (Jun 20)
 

- Release 3.11 is a security fix release
- Upstream changelog is at https://www.drupal.org/node/2480259

  Fedora 22 cups-2.0.3-1.fc22 (Jun 20)
 

New upstream bug-fix release.

  Fedora 22 drupal7-views-3.11-1.fc22 (Jun 20)
 

- Release 3.11 is a security fix release
- Upstream changelog is at https://www.drupal.org/node/2480259

  Fedora 22 openssl-1.0.1k-10.fc22 (Jun 20)
 

Multiple moderate and low impact security issues fixed.

  Fedora 22 postgresql-9.4.4-1.fc22 (Jun 20)
 

update to 9.4.4 minor release

  Fedora 21 qemu-2.1.3-8.fc21 (Jun 20)
 

* User interface freezes when entering space character in Xfig (bz #1151253)
* CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz #1222894)
* Backport {Haswell,Broadwell}-noTSX cpu models (bz #1213053)

  Fedora 21 qpid-cpp-0.32-4.fc21 (Jun 20)
 

- Removed qpid-send and qpid-receive from qpid-cpp-client-devel.
- Include the qpid.tests module in python-qpid.
- Bumped the release to force a build against Proton 0.9 in F22.
- Added qpidtoollibs to the qpid-tools package.
- Fixed path to qpid-ha in the systemd service descriptor. Resolves: BZ#1186308
- Apply patch 10. Resolves: BZ#1184488
- Resolves: BZ#1181721

  Fedora 21 kernel-4.0.5-200.fc21 (Jun 20)
 

Update to latest upstream stable release, Linux v4.0.5. Wide variety of fixes across the tree.

  Fedora 21 mbedtls-1.3.11-1.fc21 (Jun 18)
 

- Update to 1.3.11. This release is mainly fixing a number of outstanding issues and security fixes. Minor features have been added to enhance functionality and usability.
- Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released

  Fedora 20 python-django14-1.4.20-1.fc20 (Jun 18)
 

update to 1.4.20

  Fedora 21 Update: python-urllib3-1.10.4-3.20150503gita91975b.fc21 (Jun 18)
 

Inject pyOpenSSL. https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning https://urllib3.readthedocs.org/en/latest/security.html#pyopenssl

  Fedora 21 python-requests-2.7.0-1.fc21 (Jun 18)
 

Inject pyOpenSSL. https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning https://urllib3.readthedocs.org/en/latest/security.html#pyopenssl

  Fedora 20 mbedtls-1.3.11-1.fc20 (Jun 18)
 

- Update to 1.3.11. This release is mainly fixing a number of outstanding issues and security fixes. Minor features have been added to enhance functionality and usability.
- Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-1.3.11-released


  Gentoo: 201506-04 Chromium: Multiple vulnerabilities (Jun 22)
 

Multiple vulnerabilities have been fixed in Chromium, the worst of which can cause arbitrary remote code execution.

  Gentoo: 201506-03 GnuTLS: Multiple vulnerabilities (Jun 22)
 

Multiple vulnerabilities have been fixed in GnuTLS, the worst of which can cause Denial of Service.

  Gentoo: 201506-02 OpenSSL: Multiple vulnerabilities (Jun 22)
 

Multiple vulnerabilities have been found in OpenSSL that can result in either Denial of Service or information disclosure.

  Gentoo: 201506-01 Adobe Flash Player: Multiple vulnerabilities (Jun 21)
 

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.


  Red Hat: 2015:1189-01: kvm: Important Advisory (Jun 25)
 

Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1190-01: kernel: Important Advisory (Jun 25)
 

Updated kernel packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5.6 Long Life. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1184-01: flash-plugin: Critical Advisory (Jun 25)
 

An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1185-01: nss: Moderate Advisory (Jun 25)
 

Updated nss and nss-util packages that fix one security issue, several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6 and 7. [More...]

  Red Hat: 2015:1188-01: chromium-browser: Important Advisory (Jun 25)
 

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1186-01: php55-php: Important Advisory (Jun 25)
 

Updated php55-php packages that fix multiple security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1187-01: rh-php56-php: Important Advisory (Jun 25)
 

Updated rh-php56-php packages that fix multiple security issues are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1154-01: libreswan: Moderate Advisory (Jun 23)
 

Updated libreswan packages that fix one security issue, several bugs and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1139-01: kernel-rt: Important Advisory (Jun 23)
 

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. [More...]

  Red Hat: 2015:1153-01: mailman: Moderate Advisory (Jun 23)
 

Updated mailman packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1137-01: kernel: Important Advisory (Jun 23)
 

Updated kernel packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1138-01: kernel-rt: Important Advisory (Jun 23)
 

Updated kernel-rt packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise MRG 2.5. [More...]

  Red Hat: 2015:1135-01: php: Important Advisory (Jun 23)
 

Updated php packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]


  Ubuntu: 2653-1: Python vulnerabilities (Jun 25)
 

Several security issues were fixed in Python.

  Ubuntu: 2654-1: Tomcat vulnerabilities (Jun 25)
 

Several security issues were fixed in Tomcat.

  Ubuntu: 2655-1: Tomcat vulnerabilities (Jun 25)
 

Several security issues were fixed in Tomcat.

  Ubuntu: 2644-2: Linux kernel (Utopic HWE) regression (Jun 22)
 

The system could be made to crash under certain conditions.

  Ubuntu: 2646-2: Linux kernel regression (Jun 22)
 

The system could be made to crash under certain conditions.

  Ubuntu: 2640-2: Linux kernel regression (Jun 22)
 

The system could be made to crash under certain conditions.

  Ubuntu: 2641-2: Linux kernel (OMAP4) regression (Jun 22)
 

The system could be made to crash under certain conditions.

  Ubuntu: 2642-2: Linux kernel (Trusty HWE) regression (Jun 22)
 

The system could be made to crash under certain conditions.

  Ubuntu: 2643-2: Linux kernel regression (Jun 22)
 

The system could be made to crash under certain conditions.