Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just the runtime of their servers. Intruders, spammers, DDoS attacks and crackers are all out there trying to get into people

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


Fedora 26: tomcat Security Update (Nov 10)

This update includes a rebase from 8.0.46 up to 8.0.47 which resolves a single CVE along with various other bugs/features: rhbz#1497682 CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615

Fedora 25: ansible Security Update (Nov 8)

Update to ansible 2.4.1.0 with various bugfixes. See https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md for a full list of changes.

Fedora 26: ansible Security Update (Nov 8)

Update to ansible 2.4.1.0 with various bugfixes. See https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md for a full list of changes.

Fedora 25: kernel Security Update (Nov 7)

The 4.13.11 update contains a number of important fixes across the tree.

Fedora 25: nodejs Security Update (Nov 7)

# 2017-10-24, Version 6.11.5 'Boron' (LTS), @MylesBorins This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ for details on patched vulnerabilities. ## Notable Changes * zlib: * CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an error to be raised when a raw deflate

Fedora 25: php Security Update (Nov 7)

**PHP version 7.0.25** (26 Oct 2017) **Core:** * Fixed bug php#75241 (Null pointer dereference in zend_mm_alloc_small()). (Laruence) * Fixed bug php#75236 (infinite loop when printing an error-message). (Andrea) * Fixed bug php#75252 (Incorrect token formatting on two parse errors in one request). (Nikita) * Fixed bug php#75220 (Segfault when calling is_callable on parent).

Fedora 26: wget Security Update (Nov 7)

New upstream release with CVE fixes.

Fedora 26: libgcrypt Security Update (Nov 7)

Minor security update release 1.7.9.

Fedora 26: kernel Security Update (Nov 7)

The 4.13.11 update contains a number of important fixes across the tree.

Fedora 26: poppler Security Update (Nov 7)

Resolves: rhbz#1505731 rebuild for qt5 5.9.2 ---- Security fix for CVE-2017-14926, CVE-2017-14927 and CVE-2017-14928. ---- Security fix for CVE-2017-14617 ---- Security fix for CVE-2017-14517, CVE-2017-14518, CVE-2017-14519 and CVE-2017-14929.

Fedora 26: php Security Update (Nov 7)

**PHP version 7.1.11** (26 Oct 2017) **Core:** * Fixed bug php#75241 (Null pointer dereference in zend_mm_alloc_small()). (Laruence) * Fixed bug php#75236 (infinite loop when printing an error-message). (Andrea) * Fixed bug php#75252 (Incorrect token formatting on two parse errors in one request). (Nikita) * Fixed bug php#75220 (Segfault when calling is_callable on parent).

Fedora 26: rpm Security Update (Nov 7)

This latest stable release on the rpm 4.13.x branch brings in several important bugfixes. For details see the release notes at http://rpm.org/wiki/Releases/4.13.0.2.

Fedora 26: qemu Security Update (Nov 7)

* Fix usb3 drive issues with windows guests (bz #1493196) * CVE-2017-15038: 9p: information disclosure when reading extended attributes (bz #1499111) * CVE-2017-15268: potential memory exhaustion via websock connection to VNC (bz #1496882) * CVE-2017-14167: multiboot OOB access while loading kernel image (bz #1489376) * CVE-2017-13672: vga: OOB read access during display update (bz

Fedora 26: community-mysql Security Update (Nov 6)

A quarterly regular dose of fixed CVEs. See https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-20.html . rhbz#1497694: Fix owner and perms on log file in post script. CVE fixes: rhbz#1503701 CVE-2017-10155 CVE-2017-10227 CVE-2017-10268 CVE-2017-10276 CVE-2017-10279 CVE-2017-10283 CVE-2017-10286 CVE-2017-10294 CVE-2017-10314

Fedora 26: modulemd Security Update (Nov 6)

This update fixes CVE-2017-1002157 -- possible arbitrary code execution when loading multiple documents with `load_all` / `loads_all`.

Fedora 25: modulemd Security Update (Nov 6)

This update fixes CVE-2017-1002157 -- possible arbitrary code execution when loading multiple documents with `load_all` / `loads_all`.

Fedora 25: community-mysql Security Update (Nov 6)

A quarterly regular dose of fixed CVEs. See https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-20.html . rhbz#1497694: Fix owner and perms on log file in post script. CVE fixes: rhbz#1503701 CVE-2017-10155 CVE-2017-10227 CVE-2017-10268 CVE-2017-10276 CVE-2017-10279 CVE-2017-10283 CVE-2017-10286 CVE-2017-10294 CVE-2017-10314

Fedora 25: kernel Security Update (Nov 3)

The 4.13.10 update contains a number of important fixes across the tree. ---- The 4.13.9 update contains a number of important fixes across the tree.

Fedora 25: seamonkey Security Update (Nov 3)

Update to 2.49.1. Based on the Firefox/Thunderbird ESR (extension support release) code version 52.4.0. Fixes various security issues; see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ and https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ for more info. Since version 2.48, SeaMonkey uses another disk cache

Fedora 26: kernel Security Update (Nov 3)

The 4.13.10 update contains a number of important fixes across the tree.

Fedora 26: seamonkey Security Update (Nov 3)

Update to 2.49.1. Based on the Firefox/Thunderbird ESR (extension support release) code version 52.4.0. Fixes various security issues; see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ and https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ for more info. Since version 2.48, SeaMonkey uses another disk cache


RedHat: RHSA-2017-3151:01 Critical: chromium-browser security update (Nov 7)

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

RedHat: RHSA-2017-3141:01 Important: rhvm-appliance security, bug fix, (Nov 7)

An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2017-3123:01 Critical: Red Hat JBoss Enterprise Application (Nov 6)

A security update is now available for Red Hat JBoss Enterprise Application Platform 7 for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

RedHat: RHSA-2017-3124:01 Critical: Red Hat JBoss Enterprise Application (Nov 6)

A security update is now available for Red Hat JBoss Enterprise Application Platform 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

RedHat: RHSA-2017-3115:01 Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security (Nov 2)

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

RedHat: RHSA-2017-3113:01 Important: Red Hat JBoss Web Server security and (Nov 2)

An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2017-3114:01 Important: Red Hat JBoss Web Server security and (Nov 2)

An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

RedHat: RHSA-2017-3111:01 Moderate: liblouis security update (Nov 2)

An update for liblouis is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

RedHat: RHSA-2017-3110:01 Moderate: samba security update (Nov 2)

An update for samba is now available for Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which


Slackware: 2017-306-02: openssl Security Update (Nov 3)

New openssl packages are available for Slackware 14.2 and -current to fix a security issue.

Slackware: 2017-306-01: mariadb Security Update (Nov 3)

New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues.


openSUSE: 2017:2993-1: important: krb5 (Nov 10)

An update that fixes one vulnerability is now available.

openSUSE: 2017:2991-1: important: webkit2gtk3 (Nov 10)

An update that fixes 40 vulnerabilities is now available.

SuSE: 2017:2989-1: important: java-1_8_0-openjdk (Nov 10)

An update that fixes 19 vulnerabilities is now available.

SuSE: 2017:2981-1: important: openssl (Nov 10)

An update that solves one vulnerability and has 5 fixes is now available.

SuSE: 2017:2969-1: important: qemu (Nov 10)

An update that solves 29 vulnerabilities and has two fixes is now available.

SuSE: 2017:2968-1: important: openssl1 (Nov 10)

An update that solves one vulnerability and has 6 fixes is now available.

SuSE: 2017:2963-1: important: kvm (Nov 10)

An update that solves 23 vulnerabilities and has 6 fixes is now available.

openSUSE: 2017:2953-1: important: chromium (Nov 8)

An update that fixes two vulnerabilities is now available.

SuSE: 2017:2948-1: important: krb5 (Nov 8)

An update that fixes one vulnerability is now available.

SuSE: 2017:2946-1: important: qemu (Nov 8)

An update that solves 33 vulnerabilities and has two fixes is now available.

openSUSE: 2017:2943-1: important: libwpd (Nov 7)

An update that fixes one vulnerability is now available.

openSUSE: 2017:2941-1: important: qemu (Nov 7)

An update that solves 12 vulnerabilities and has four fixes is now available.

openSUSE: 2017:2938-1: important: qemu (Nov 7)

An update that solves 8 vulnerabilities and has two fixes is now available.

SuSE: 2017:2936-1: important: qemu (Nov 6)

An update that solves 12 vulnerabilities and has four fixes is now available.

SuSE: 2017:2933-1: important: webkit2gtk3 (Nov 6)

An update that fixes 40 vulnerabilities is now available.

SuSE: 2017:2931-1: important: libwpd (Nov 6)

An update that fixes one vulnerability is now available.

SuSE: 2017:2924-1: important: qemu (Nov 3)

An update that solves 8 vulnerabilities and has two fixes is now available.

SuSE: 2017:2922-1: important: ceph (Nov 2)

An update that solves one vulnerability and has four fixes is now available.

SuSE: 2017:2920-1: important: the Linux Kernel (Nov 2)

An update that solves 36 vulnerabilities and has 22 fixes is now available.


Debian LTS: DLA-1168-1: graphicsmagick security update (Nov 10)

A remote denial of service vulnerability has been discovered in graphicsmagick, a collection of image processing tools and associated libraries.

Debian LTS: DLA-1166-2: tomcat7 regression update (Nov 10)

The update for tomcat7 issued as DLA-1166-1 caused a regression whereby every request, including for the root document (/), returned HTTP status 404. Updated packages are now available to address this problem. For reference, the original

(Nov 9)

A security vulnerability was discovered in OpenSSL, the Secure Sockets Layer toolkit. CVE-2017-3735

Debian LTS: DLA-1167-1: ruby-yajl security update (Nov 8)

A vulnerability was found in ruby-yajl, an interface to Yajl, a JSON stream-based parser library. When a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This may result

Debian LTS: DLA-1166-1: tomcat7 security update (Nov 7)

A remote code execution vulnerability has been discovered in tomcat7. When HTTP PUT was enabled (e.g., via setting the readonly initialization

Debian LTS: DLA-1164-1: mupdf security update (Nov 7)

Two security issues were discovered in mupdf, a lightweight PDF viewer. CVE-2017-14687 MuPDF allows attackers to cause a denial of service or possibly have

Debian LTS: DLA-1163-1: apr-util security update (Nov 6)

It was discovered that there was an out-of-bounds read access in apr-util, a support/portability library used by many applications. A local user with write access to the database could have made a process

Debian LTS: DLA-1162-1: apr security update (Nov 6)

It was discovered that there was an out-of-bounds memory vulnerability in apr, a support/portability library for various applications. When the apr_exp_time*() or apr_os_exp_time*() functions were invoked

Debian LTS: DLA-1161-1: redis security update (Nov 5)

It was discovered that there was a "Cross Protocol Scripting" attack in the Redis key-value database. "POST" and "Host:" command strings (which are not valid in the Redis

Debian LTS: DLA-1160-1: wordpress security update (Nov 4)

WordPress, a web blogging tool, was affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than

Debian LTS: DLA-1159-1: graphicsmagick security update (Nov 3)

Maor Shwartz, Jeremy Heng and Terry Chia discovered two security vulnerabilities in Graphicsmagick, a collection of image processing tools.

Debian LTS: DLA-1158-1: bchunk security update (Nov 3)

Several vulnerabilities were discovered in bchunk, a tool to convert a CD image in .bin/.cue format into a set of .iso and .cdr/.wav tracks. It was possible to trigger a heap-based buffer overflow with a resultant invalid free when processing a malformed CUE (.cue) file


ArchLinux: 201711-18: postgresql-old-upgrade: multiple issues (Nov 10)

The package postgresql-old-upgrade before version 9.6.6-1 is vulnerable to multiple issues including access restriction bypass and information disclosure.

ArchLinux: 201711-17: postgresql: multiple issues (Nov 10)

The package postgresql before version 10.1-1 is vulnerable to multiple issues including access restriction bypass and information disclosure.

ArchLinux: 201711-16: libextractor: denial of service (Nov 10)

The package libextractor before version 1.6-1 is vulnerable to denial of service.

ArchLinux: 201711-15: lib32-openssl: multiple issues (Nov 10)

The package lib32-openssl before version 1:1.1.0.g-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201711-14: openssl: multiple issues (Nov 8)

The package openssl before version 1.1.0.g-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201711-13: libzip: arbitrary code execution (Nov 8)

The package libzip before version 1.3.0-1 is vulnerable to arbitrary code execution.

ArchLinux: 201711-12: chromium: arbitrary code execution (Nov 7)

The package chromium before version 62.0.3202.89-1 is vulnerable to arbitrary code execution.

ArchLinux: 201711-10: libcurl-compat: information disclosure (Nov 6)

The package libcurl-compat before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-11: libcurl-gnutls: information disclosure (Nov 6)

The package libcurl-gnutls before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-9: lib32-libcurl-gnutls: information disclosure (Nov 6)

The package lib32-libcurl-gnutls before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-8: lib32-libcurl-compat: information disclosure (Nov 6)

The package lib32-libcurl-compat before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-6: curl: information disclosure (Nov 6)

The package curl before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-7: lib32-curl: information disclosure (Nov 6)

The package lib32-curl before version 7.56.1-1 is vulnerable to information disclosure.

ArchLinux: 201711-5: zathura-pdf-mupdf: arbitrary code execution (Nov 6)

The package zathura-pdf-mupdf before version 0.3.1-4 is vulnerable to arbitrary code execution.

ArchLinux: 201711-4: mupdf: arbitrary code execution (Nov 6)

The package mupdf before version 1.11-5 is vulnerable to arbitrary code execution.

ArchLinux: 201711-3: mupdf-tools: arbitrary code execution (Nov 6)

The package mupdf-tools before version 1.11-5 is vulnerable to arbitrary code execution.

ArchLinux: 201711-2: libmupdf: arbitrary code execution (Nov 6)

The package libmupdf before version 1.11-5 is vulnerable to arbitrary code execution.

ArchLinux: 201711-1: mupdf-gl: arbitrary code execution (Nov 6)

The package mupdf-gl before version 1.11-5 is vulnerable to arbitrary code execution.


(Nov 2)

Multiple flaws were found in the processing of translation tables in liblouis. An attacker could crash or potentially execute arbitrary code using malicious translation tables. (CVE-2014-8184, CVE-2017-13738, CVE-2017-13740, CVE-2017-13741, CVE-2017-13742, CVE-2017-13743, CVE-2017-13744)