Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - Given the prevalence of Linux web servers globally, security is often touted as a strength of the platform for this purpose. However, a Linux-based web server is only as secure as its configuration, and many are quite vulnerable to compromise. While specific configurations vary widely by environment and use, there are general steps that can be taken to ensure basic security considerations are in place.

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."


  (May 21) Security Report Summary
  (May 20) Security Report Summary
  (May 20) Security Report Summary
  (May 19) Security Report Summary
  (May 19) Security Report Summary
  (May 18) Security Report Summary
  (May 18) Security Report Summary
  (May 15) Security Report Summary


  (May 20)
 

WordPress 4.2 “Powell”
 - Upstream announcement: https://wordpress.org/news/2021/02/wordpress-is-freedom/
WordPress 4.2.1 Security Release
 - Upstream announcement: https://wordpress.org/news/2021/02/wordpress-is-freedom/
WordPress 4.2.2 Security and Maintenance Release
 - Upstream announcement: https://wordpress.org/news/2015/05/wordpress-4-2-2/

  (May 20)
 

WordPress 4.2 “Powell”
 - Upstream announcement: https://wordpress.org/news/2021/02/wordpress-is-freedom/
WordPress 4.2.1 Security Release
 - Upstream announcement: https://wordpress.org/news/2021/02/wordpress-is-freedom/
WordPress 4.2.2 Security and Maintenance Release
 - Upstream announcement: https://wordpress.org/news/2015/05/wordpress-4-2-2/

  (May 19)
 

Fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process.
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.

  (May 19)
 

* **ZF2015-04**: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.

  (May 19)
 

Update to new upstream.

  (May 19)
 

Update to new upstream.

  (May 19)
 

* **ZF2015-04**: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.

  (May 19)
 

Fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process.
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.

  (May 19)
 

Update to 4.5 (#1217282)

  (May 17)
 

phpMyAdmin 4.4.6.1 (2015-05-13)
- [security] CSRF vulnerability in setup
- [security] Vulnerability allowing man-in-the-middle attack

  (May 17)
 

This update for NetworkManager fixes a number of bugs and a low-impact security issue for IPv6.

  (May 17)
 

phpMyAdmin 4.4.6.1 (2015-05-13)
- [security] CSRF vulnerability in setup
- [security] Vulnerability allowing man-in-the-middle attack

  (May 17)
 

Updated to 8u45-b14. Fixes rhbz#1123870.

  (May 17)
 

t1utils Version 1.39 (2015-02-26)
* t1disasm: Security fixes for buffer overrun reported by Jakub Wilk and Niels Thykier.
t1utils Version 1.38 (2013-09-29)
* t1disasm: Fix an infinite loop on some fonts reported by Niels Thykier.

  (May 17)
 

t1utils Version 1.39 (2015-02-26)
* t1disasm: Security fixes for buffer overrun reported by Jakub Wilk and Niels Thykier.
t1utils Version 1.38 (2013-09-29)
* t1disasm: Fix an infinite loop on some fonts reported by Niels Thykier.

  (May 17)
 

* CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access (bz #1221152)

  (May 14)
 

Update to new upstream.

  (May 14)
 

Update to new upstream.

  (May 14)
 

Security fix for CVE-2015-3146

  (May 14)
 

Updated to 3.3.15 (#1218426, #1218513).

  (May 14)
 

This is an update to the set of CA certificates released with NSS version 3.18.1. However, the package modifies the CA list to keep several legacy CAs trusted for compatibility reasons. Please refer to the project URL for details.

If you prefer to use the unchanged list provided by Mozilla, and accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command.

This update adds a manual page for the ca-legacy command.

This update changes the names of the possible values in the ca-legacy configuration file. It still uses legacy=disable to override the compatibility option and follow the upstream Mozilla.org decision. However, it now uses legacy=default for the default configuration, to make it more obvious that the legacy certificates won't be kept enabled forever.


  Red Hat: 2015:1021-01: java-1.5.0-ibm: Important Advisory (May 20)
 

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1020-01: java-1.7.1-ibm: Critical Advisory (May 20)
 

Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1012-01: thunderbird: Important Advisory (May 18)
 

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]


  (May 17)
 

New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]


  Ubuntu: 2618-1: python-dbusmock vulnerability (May 21)
 

python-dbusmock could be tricked into running arbitrary programs.

  Ubuntu: 2609-1: Apport vulnerabilities (May 21)
 

Apport could be tricked into creating arbitrary files as an administrator, resulting in privilege escalation.

  Ubuntu: 2617-1: FUSE vulnerability (May 21)
 

FUSE could be made to overwrite files as the administrator.

  Ubuntu: 2610-1: Oxide vulnerabilities (May 21)
 

Several security issues were fixed in Oxide.

  Ubuntu: 2616-1: Linux kernel vulnerabilities (May 20)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2611-1: Linux kernel vulnerability (May 20)
 

The system could be made to crash if it received specially crafted network traffic.

  Ubuntu: 2612-1: Linux kernel (OMAP4) vulnerabilities (May 20)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2613-1: Linux kernel (Trusty HWE) vulnerabilities (May 20)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2615-1: Linux kernel (Utopic HWE) vulnerabilities (May 20)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2614-1: Linux kernel vulnerabilities (May 20)
 

Several security issues were fixed in the kernel.

  Ubuntu: 2603-1: Thunderbird vulnerabilities (May 18)
 

Several security issues were fixed in Thunderbird.