
Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you’re dealing with a security incident it’s essential you – and the rest of your team – not only have the skills they need to comprehensively deal with an issue, but also have a framework to support them as they approach it. This framework means they can focus purely on what they need to do, following a process that removes any vulnerabilities and threats in a proper way – so everyone who depends upon the software you protect can be confident that it’s secure and functioning properly.


  Debian: DSA-3874-1: ettercap security update (Jun 9)
 

Agostino Sarubbo and AromalUllas discovered that ettercap, a network security tool for traffic interception, contains vulnerabilities that allowed an attacker able to provide maliciously crafted filters to cause a denial-of-service via application crash.

  Debian: DSA-3873-1: perl security update (Jun 5)
 

The cPanel Security Team reported a time of check to time of use (TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take advantage of this flaw to set the mode on an attacker-chosen file to an attacker-chosen

  Debian: DSA-3872-1: nss security update (Jun 1)
 

Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or information disclosure.

  Debian: DSA-3871-1: zookeeper security update (Jun 1)
 

It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption.

  Debian: DSA-3870-1: wordpress security update (Jun 1)
 

Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks.

  Debian: DSA-3869-1: tnef security update (Jun 1)
 

It was discovered that tnef, a tool used to unpack MIME attachments of type "application/ms-tnef", did not correctly validate its input. An attacker could exploit this by tricking a user into opening a malicious attachment, which would result in a denial-of-service by

 
  Fedora 25: mingw-poppler Security Update (Jun 9)
 

This update fixes CVEs 2017-7511 and 2017-9083.

  Fedora 25: freeradius Security Update (Jun 9)
 

Upgrade FreeRADIUS to upstream v3.0.14 release. The release includes fixes for various issues, including security issues, one of which is CVE-2017-9148.

  Fedora 24: mingw-poppler Security Update (Jun 9)
 

This update fixes CVEs 2017-7511 and 2017-9083.

  Fedora 24: sudo Security Update (Jun 8)
 

- update to 1.8.20p2
- added sudo package to dnf/yum protected packages

----

- update to 1.8.20p1
- fixes CVE-2017-1000367

  Fedora 25: poppler Security Update (Jun 5)
 

CVE-2017-7511 poppler: Null pointer dereference in pdfunite via crafted documents

  Fedora 25: libtasn1 Security Update (Jun 5)
 

Update to 4.12 (#1456190)

  Fedora 25: dropbear Security Update (Jun 4)
 

Security fixes for CVE-2017-9078 CVE-2017-9079

  Fedora 24: dropbear Security Update (Jun 4)
 

Security fixes for CVE-2017-9078 CVE-2017-9079

  Fedora 26: samba Security Update (Jun 3)
 

Security fix for CVE-2017-7494

  Fedora 26: libvncserver Security Update (Jun 3)
 

Update to latest stable release, include fixes for gnutls and gtk-vnc compatibility.

  Fedora 25: wget Security Update (Jun 2)
 

Fixed CVE-2017-6508: CRLF injection in the url_parse function in url.c

  Fedora 25: sudo Security Update (Jun 2)
 

- update to 1.8.20p2
- added sudo package to dnf/yum protected packages

----

- update to 1.8.20p1
- fixes CVE-2017-1000367

  Fedora 25: squirrelmail Security Update (Jun 2)
 

fix insufficient escaping of user-supplied data (CVE-2017-7692)

  Fedora 24: squirrelmail Security Update (Jun 2)
 

fix insufficient escaping of user-supplied data (CVE-2017-7692)

  Fedora 24: chromium-native_client Security Update (Jun 2)
 

Update to chromium 58. Move chrome-remote-desktop to user systemd service. Security fixes for CVE-2017-5068, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5063, CVE-2017-5064, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5069 ---- Security fix for CVE-2017-5055, CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053

  Fedora 24: chromium Security Update (Jun 2)
 

Update to chromium 58. Move chrome-remote-desktop to user systemd service. Security fixes for CVE-2017-5068, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5063, CVE-2017-5064, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5069 ---- Security fix for CVE-2017-5055, CVE-2017-5054, CVE-2017-5052, CVE-2017-5056, CVE-2017-5053

  Fedora 25: kernel Security Update (Jun 1)
 

Rebase to 4.11.3

  Fedora 25: puppet Security Update (Jun 1)
 

Security fix for CVE-2017-2295 and fix for using systemd service provider in a chroot.

 
  (Jun 7)
 

Multiple vulnerabilities have been found in WebKitGTK+, the worst of which allows remote attackers to execute arbitrary code.

  (Jun 6)
 

Multiple vulnerabilities have been found in FreeType, the worst of which allows remote attackers to execute arbitrary code.

  (Jun 6)
 

An out-of-bounds data access in minicom might allow remote attackers to execute arbitrary code.

  (Jun 6)
 

Multiple vulnerabilities have been found in Wireshark, the worst of which allows remote attackers to cause a Denial of Service condition.

  (Jun 6)
 

A vulnerability in PCRE library allows remote attackers to cause a Denial of Service condition.

  (Jun 6)
 

A vulnerability in Pidgin might allow remote attackers to execute arbitrary code.

  (Jun 6)
 

A vulnerability in a bundled copy of PuTTY in FileZilla might allow remote attackers to execute arbitrary code or cause a denial of service.

  (Jun 6)
 

Multiple vulnerabilities have been found in MuPDF, the worst of which allows remote attackers to cause a Denial of Service condition or have other unspecified impact.

  (Jun 6)
 

A vulnerability has been found in Libtirpc and RPCBind which may allow a remote attacker to cause a Denial of Service condition.

  (Jun 6)
 

Multiple vulnerabilities have been found in ImageWorsener, the worst of which allows remote attackers to cause a Denial of Service condition or have other unspecified impact.

  (Jun 6)
 

Multiple vulnerabilities in D-Bus might allow an attacker to overwrite files with a fixed filename in arbitrary directories or conduct a symlink attack.

  (Jun 6)
 

A vulnerability in Git might allow remote attackers to bypass security restrictions.

  (Jun 6)
 

Multiple vulnerabilities have been found in QEMU, the worst of which may allow a remote attacker to cause a Denial of Service or gain elevated privileges from a guest VM.

  (Jun 6)
 

Multiple vulnerabilities have been found in Shadow, the worst of which might allow privilege escalation.

  (Jun 6)
 

Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due to improper permissions.

 
  Slackware: 2017-158-01: irssi Security Update (Jun 8)
 

New irssi packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

 
  openSUSE: 2017:1513-1: important: the Linux Kernel (Jun 8)
 

An update that solves 8 vulnerabilities and has 68 fixes is now available.

  openSUSE: 2017:1507-1: important: java-1_8_0-openjdk (Jun 8)
 

An update that fixes 8 vulnerabilities is now available.

  openSUSE: 2017:1501-1: important: chromium (Jun 7)
 

An update that fixes 16 vulnerabilities is now available.

  openSUSE: 2017:1502-1: important: chromium (Jun 7)
 

An update that fixes 16 vulnerabilities is now available.

  openSUSE: 2017:1497-1: important: deluge (Jun 6)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2017:1475-1: important: mariadb (Jun 2)
 

An update that solves two vulnerabilities and has 5 fixes is now available.

  SuSE: 2017:1471-1: important: strongswan (Jun 1)
 

An update that fixes two vulnerabilities is now available.

 
  Ubuntu 3253-2: Nagios regression (Jun 7)
 

USN-3253-1 introduced a regression in Nagios.

  Ubuntu 3316-1: FreeRADIUS vulnerability (Jun 7)
 

FreeRADIUS would allow unintended access over the network.

  Ubuntu 3312-2: Linux kernel (Xenial HWE) vulnerabilities (Jun 7)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3314-1: Linux kernel vulnerabilities (Jun 7)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3313-2: Linux kernel (HWE) vulnerability (Jun 7)
 

The system could be made to run programs as an administrator.

  Ubuntu 3313-1: Linux kernel vulnerability (Jun 7)
 

The system could be made to run programs as an administrator.

  Ubuntu 3312-1: Linux kernel vulnerabilities (Jun 7)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 3311-1: libnl vulnerability (Jun 6)
 

libnl could be made to crash or run programs.

  Ubuntu 3310-1: lintian vulnerability (Jun 6)
 

lintian could be made to run programs if it processed a specially crafted package.

  Ubuntu 3309-1: Libtasn1 vulnerability (Jun 5)
 

Libtasn1 could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu 3308-1: Puppet vulnerabilities (Jun 5)
 

Several security issues were fixed in Puppet.

  Ubuntu 3306-1: libsndfile vulnerabilities (Jun 1)
 

Several security issues were fixed in libsndfile.

  Ubuntu 3307-1: OpenLDAP vulnerability (Jun 1)
 

OpenLDAP could be made to crash if it received specially crafted network traffic.