Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just the runtime of their servers. Intruders, spammers, DDoS attackers and crackers are all out there trying to get into people's computers, servers and anything else they can lay hands on, and to interrupt the normal runtime of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


  Debian: 3278-1: libapache-mod-jk: Summary (Jun 3)
 

Security Report Summary

  Debian: 3249-2: jqueryui: Summary (Jun 2)
 

Security Report Summary

  Debian: 3277-1: wireshark: Summary (Jun 2)
 

Security Report Summary

  Debian: 3276-1: symfony: Summary (May 31)
 

Security Report Summary

  Debian: 3269-2: postgresql-9.1: Summary (May 31)
 

Security Report Summary

  Debian: 3275-1: fusionforge: Summary (May 30)
 

Security Report Summary

  Debian: 3274-1: virtualbox: Summary (May 28)
 

Security Report Summary


  Fedora 21 batik-1.8-0.18.svn1230816.fc21 (Jun 4)
 

Security fix for CVE-2015-0250

  Fedora 20 batik-1.8-0.12.svn1230816.fc20 (Jun 4)
 

Security fix for CVE-2015-0250

  Fedora 22 pcs-0.9.139-4.fc22 (Jun 4)
 

Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)

  Fedora 21 pcs-0.9.137-4.fc21 (Jun 4)
 

Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)

  Fedora 21 netty-4.0.28-1.fc21 (Jun 4)
 

Security fix for CVE-2015-2156

  Fedora 22 batik-1.8-0.18.svn1230816.fc22 (Jun 4)
 

Security fix for CVE-2015-0250

  Fedora 20 pcs-0.9.115-3.fc20 (Jun 4)
 

Fix for CVE-2015-1848, CVE-2015-3983 (sessions not signed)

  Fedora 22 nss-util-3.19.1-1.0.fc22 (Jun 2)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 22 nss-3.19.1-1.0.fc22 (Jun 2)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 21 httpd-2.4.12-1.fc21 (Jun 2)
 

Update to new version 2.4.12.

  Fedora 22 nss-softokn-3.19.1-1.0.fc22 (Jun 2)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 22 libtiff-4.0.3-20.fc22 (Jun 2)
 

CVE-2014-9655 and CVE-2015-1547 #1190710

  Fedora 21 libinfinity-0.6.6-1.fc21 (Jun 1)
 

Security update to make libinfinity properly check certificates: https://github.com/gobby/gobby/issues/61

  Fedora 21 kernel-4.0.4-202.fc21 (Jun 1)
 

The 4.0.4-202 update contains a fix for a namespace crash issue.

  Fedora 21 nss-softokn-3.19.1-1.0.fc21 (Jun 1)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 21 nss-util-3.19.1-1.0.fc21 (Jun 1)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 21 nss-3.19.1-1.0.fc21 (Jun 1)
 

Security fix for CVE-2015-4000. Update to the upstream NSS 3.19.1 release, which includes a fix for the recently published Logjam attack. The previous 3.19 release made several notable changes related to the TLS protocol; one of them was to disable the SSL 3 protocol by default. For the full list of changes in the 3.19 and 3.19.1 releases, please refer to the upstream release notes documents: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes and https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes

  Fedora 20 libinfinity-0.6.6-1.fc20 (Jun 1)
 

Security update to make libinfinity properly check certificates: https://github.com/gobby/gobby/issues/61

  Fedora 22 kernel-4.0.4-303.fc22 (Jun 1)
 

The 4.0.4-303 update contains a fix for a namespace crash issue.

  Fedora 22 ntfs-3g-2015.3.14-2.fc22 (Jun 1)
 

Fix CVE-2015-3202.

  Fedora 21 php-ZendFramework-1.12.13-1.fc21 (Jun 1)
 

**Zend Framework 1.12.13**

* 567: Cast int and float to string when creating headers

**Zend Framework 1.12.12**

* 493: PHPUnit not being installed
* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
* 513: Save time and space when cloning PHPUnit
* 515: !IE conditional comments bug
* 516: Zend_Locale does not honor parentLocale configuration
* 518: Run travis build also on PHP 7 builds
* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
* 536: Zend_Measure_Number convert some decimal numbers to roman with space char
* 537: Extend view renderer controller fix (#440)
* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
* 541: Fixed errors in tests on PHP7
* 542: Correctly reset the sub-path when processing routes
* 545: Fixed path delimiters being stripped by chain routes affecting later routes
* 546: TravisCI: Skip memcache(d) on PHP 5.2
* 547: Session Validators throw 'general' Session Exception during Session start
* 550: Notice "Undefined index: browser_version"
* 557: doc: Zend Framework Dependencies table unreadable
* 559: Fixes a typo in Zend_Validate messages for SK
* 561: Zend_Date not expected year
* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation

**Security**

* **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

  Fedora 22 libinfinity-0.6.6-1.fc22 (Jun 1)
 

Security update to make libinfinity properly check certificates: https://github.com/gobby/gobby/issues/61

  Fedora 20 php-ZendFramework-1.12.13-1.fc20 (Jun 1)
 

**Zend Framework 1.12.13**

* 567: Cast int and float to string when creating headers

**Zend Framework 1.12.12**

* 493: PHPUnit not being installed
* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
* 513: Save time and space when cloning PHPUnit
* 515: !IE conditional comments bug
* 516: Zend_Locale does not honor parentLocale configuration
* 518: Run travis build also on PHP 7 builds
* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
* 536: Zend_Measure_Number convert some decimal numbers to roman with space char
* 537: Extend view renderer controller fix (#440)
* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
* 541: Fixed errors in tests on PHP7
* 542: Correctly reset the sub-path when processing routes
* 545: Fixed path delimiters being stripped by chain routes affecting later routes
* 546: TravisCI: Skip memcache(d) on PHP 5.2
* 547: Session Validators throw 'general' Session Exception during Session start
* 550: Notice "Undefined index: browser_version"
* 557: doc: Zend Framework Dependencies table unreadable
* 559: Fixes a typo in Zend_Validate messages for SK
* 561: Zend_Date not expected year
* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation

**Security**

* **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

  Fedora 21 gcab-0.4-7.fc21 (May 30)
 

Security fix for CVE-2015-0552

  Fedora 21 libtiff-4.0.3-20.fc21 (May 30)
 

Security fix for CVE-2014-9655, CVE-2015-1547

  Fedora 20 torque-4.2.10-3.fc20 (May 30)
 

Bugfix - #1215207 create/install service files for these

  Fedora 21 suricata-2.0.8-1.fc21 (May 30)
 

This update fixes a bug in the DER parser, which is used to decode SSL/TLS certificates, that could crash Suricata. Also, those processing large numbers of (untrusted) pcap files need to update, as a malformed pcap could crash Suricata.

  Fedora 22 torque-4.2.10-3.fc22 (May 30)
 

Bugfix - #1215207 create/install service files for these

  Fedora 21 torque-4.2.10-3.fc21 (May 30)
 

Bugfix - #1215207 create/install service files for these

  Fedora 22 zeromq-4.0.5-3.fc22 (May 30)
 

Cherry-pick a fix for the protocol downgrade attack (CVE-2014-9721)

  Fedora 22 netty-4.0.28-1.fc22 (May 30)
 

Security fix for CVE-2015-2156

  Fedora 22 php-ZendFramework-1.12.13-1.fc22 (May 30)
 

**Zend Framework 1.12.13**

* 567: Cast int and float to string when creating headers

**Zend Framework 1.12.12**

* 493: PHPUnit not being installed
* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
* 513: Save time and space when cloning PHPUnit
* 515: !IE conditional comments bug
* 516: Zend_Locale does not honor parentLocale configuration
* 518: Run travis build also on PHP 7 builds
* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
* 536: Zend_Measure_Number convert some decimal numbers to roman with space char
* 537: Extend view renderer controller fix (#440)
* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
* 541: Fixed errors in tests on PHP7
* 542: Correctly reset the sub-path when processing routes
* 545: Fixed path delimiters being stripped by chain routes affecting later routes
* 546: TravisCI: Skip memcache(d) on PHP 5.2
* 547: Session Validators throw 'general' Session Exception during Session start
* 550: Notice "Undefined index: browser_version"
* 557: doc: Zend Framework Dependencies table unreadable
* 559: Fixes a typo in Zend_Validate messages for SK
* 561: Zend_Date not expected year
* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation

**Security**

* **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

  Fedora 22 python-django-1.8.2-1.fc22 (May 30)
 

fix CVE-2015-3982 - Fixed session flushing in the cached_db backend

  Fedora 21 mingw-LibRaw-0.16.2-1.fc21 (May 28)
 

Update to version 0.16.2, see https://www.libraw.org/download#changelog for details. Update to version 0.16.1, see https://www.libraw.org/download#changelog for details. Security fix for CVE-2015-3885.

  Fedora 21 LibRaw-0.16.2-1.fc21 (May 28)
 

Latest upstream bugfix. Fixed dcraw vulnerability in ljpeg_start()


  Gentoo: 201505-03 phpMyAdmin: Multiple vulnerabilities (May 31)
 

Multiple vulnerabilities have been found in phpMyAdmin, the worst of which could lead to arbitrary code execution.

  Gentoo: 201505-02 Adobe Flash Player: Multiple vulnerabilities (May 31)
 

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.


  Red Hat: 2015:1072-01: openssl: Moderate Advisory (Jun 4)
 

Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1064-01: python27: Moderate Advisory (Jun 4)
 

Updated python27 collection packages that fix multiple security issues and several bugs are now available as part of Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1066-01: php54: Moderate Advisory (Jun 4)
 

Updated php54 collection packages that fix multiple security issues and several bugs are now available as part of Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1052-01: thermostat1: Moderate Advisory (Jun 4)
 

Updated thermostat1 collection packages that fix one security issue, several bugs, and add various enhancements are now available as part of Red Hat Software Collections 2. [More...]

  Red Hat: 2015:1053-01: php55: Moderate Advisory (Jun 4)
 

Updated php55 collection packages that fix multiple security issues and several bugs are now available as part of Red Hat Software Collections 2. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1044-01: virtio-win: Important Advisory (Jun 3)
 

An updated virtio-win package that fixes one security issue and two bugs is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1043-01: virtio-win: Important Advisory (Jun 3)
 

An updated virtio-win package that fixes one security issue and two bugs is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1042-01: kernel: Important Advisory (Jun 2)
 

Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]


  Ubuntu: 2627-1: t1utils vulnerability (Jun 3)
 

t1utils could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2626-1: Qt vulnerabilities (Jun 3)
 

Qt could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2625-1: Apache HTTP Server update (Jun 2)
 

Several security improvements have been made to the Apache HTTP Server.

  Ubuntu: 2623-1: ipsec-tools vulnerability (Jun 1)
 

ipsec-tools could be made to crash if it received specially crafted network traffic.

  Ubuntu: 2624-1: OpenSSL update (Jun 1)
 

The export cipher suites have been disabled in OpenSSL.