Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

- Social engineering is the practice of learning and obtaining valuable information by exploiting human vulnerabilities. It is an art of deception that is considered to be vital for a penetration tester when there is a lack of information about the target that can be exploited.

- When you're dealing with a security incident, it's essential that you and the rest of your team not only have the skills needed to deal with an issue comprehensively, but also have a framework to support you as you approach it. This framework means you can focus purely on what needs to be done, following a process that removes any vulnerabilities and threats in a proper way, so everyone who depends upon the software you protect can be confident that it's secure and functioning properly.


  Debian: DSA-4015-1: openjdk-8 security update (Nov 2)
 

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in impersonation of Kerberos services, denial of service, sandbox bypass or HTTP header injection.

  Debian: DSA-4014-1: thunderbird security update (Nov 1)
 

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. For the oldstable distribution (jessie), these problems have been fixed

  Debian: DSA-4013-1: openjpeg2 security update (Oct 31)
 

Multiple vulnerabilities in OpenJPEG, a JPEG 2000 image compression / decompression library, may result in denial of service or the execution of arbitrary code if a malformed JPEG 2000 file is processed.

  Debian: DSA-4012-1: libav security update (Oct 31)
 

Several security issues have been corrected in multiple demuxers and decoders of the libav multimedia library. A full list of the changes is available at

  Debian: DSA-4011-1: quagga security update (Oct 30)
 

It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity.

  Debian: DSA-4010-1: git-annex security update (Oct 30)
 

It was discovered that git-annex, a tool to manage files with git without checking their contents in, did not correctly handle maliciously constructed ssh:// URLs. This allowed an attacker to run an arbitrary shell command.

  Debian: DSA-4009-1: shadowsocks-libev security update (Oct 29)
 

Niklas Abel discovered that insufficient input sanitising in the ss-manager component of shadowsocks-libev, a lightweight socks5 proxy, could result in arbitrary shell command execution.

  Debian: DSA-4008-1: wget security update (Oct 28)
 

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server.

  Debian: DSA-4007-1: curl security update (Oct 27)
 

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, a URL transfer library, incorrectly parsed an IMAP FETCH response with size 0, leading to an out-of-bounds read.

 
  Fedora 25: kernel Security Update (Nov 3)
 

The 4.13.10 update contains a number of important fixes across the tree. The 4.13.9 update contains a number of important fixes across the tree.

  Fedora 25: seamonkey Security Update (Nov 3)
 

Update to 2.49.1, based on the Firefox/Thunderbird ESR (Extended Support Release) code version 52.4.0. Fixes various security issues; see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ and https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ for more info. Since version 2.48, SeaMonkey uses another disk cache

  Fedora 26: kernel Security Update (Nov 3)
 

The 4.13.10 update contains a number of important fixes across the tree.

  Fedora 26: seamonkey Security Update (Nov 3)
 

Update to 2.49.1, based on the Firefox/Thunderbird ESR (Extended Support Release) code version 52.4.0. Fixes various security issues; see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ and https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ for more info. Since version 2.48, SeaMonkey uses another disk cache

  Fedora 25: java-1.8.0-openjdk Security Update (Nov 1)
 

Updated to aarch64-jdk8u151-b12 (from aarch64-port/jdk8u).

  Fedora 25: lucene Security Update (Nov 1)
 

Security fix for CVE-2017-12629

  Fedora 25: glusterfs Security Update (Nov 1)
 

3.10.6 bz #1504256

  Fedora 25: poppler Security Update (Nov 1)
 

- Security fix for CVE-2017-14926, CVE-2017-14927 and CVE-2017-14928.
- Security fix for CVE-2017-14617.
- Security fix for CVE-2017-14517, CVE-2017-14518, CVE-2017-14519 and CVE-2017-14929.
- CVE-2017-14520: floating point exception in Splash::scaleImageYuXd.

  Fedora 25: gnome-shell Security Update (Nov 1)
 

Fix crash on fast status icon remapping

  Fedora 25: openvpn Security Update (Nov 1)
 

Maintenance release with several minor upstream bugfixes and a security fix related to legacy configurations deploying the deprecated `key-method 1` configuration option ([CVE-2017-12166](https://community.openvpn.net/openvpn/wiki/CVE-2017-12166)). From this update on, OpenVPN will use the lz4 compression library from Fedora

  Fedora 26: java-1.8.0-openjdk Security Update (Nov 1)
 

Updated to aarch64-jdk8u151-b12 (from aarch64-port/jdk8u).

  Fedora 26: systemd Security Update (Nov 1)
 

- systemd-detect-virt QEMU CPUID logic update
- Fix cryptsetup devices disappearing when used for btrfs
- Fix rfkill on some thinkpads
- Extend dbus timeouts to handle slow dbus daemon startup
- Fix systemd-resolved DOS with crafted NSEC packets (LP#1725351)
- Backport /etc/crypttab _netdev feature from upstream
- Update hwdb (No need to reboot.)

  Fedora 26: lame Security Update (Nov 1)
 

Update to 3.100 (#1470202, #1505107)

  Fedora 26: glusterfs Security Update (Nov 1)
 

3.10.6 bz #1504256

  Fedora 26: SDL2 Security Update (Nov 1)
 

- Added audio stream conversion functions:
  - `SDL_NewAudioStream()`
  - `SDL_AudioStreamPut()`
  - `SDL_AudioStreamGet()`
  - `SDL_AudioStreamAvailable()`
  - `SDL_AudioStreamFlush()`
  - `SDL_AudioStreamClear()`
  - `SDL_FreeAudioStream()`
- Added functions to query and set the SDL memory allocation functions:

  Fedora 26: lucene Security Update (Nov 1)
 

Security fix for CVE-2017-12629

  Fedora 25: sssd Security Update (Oct 27)
 

Security fix for CVE-2017-12173

  Fedora 25: cacti Security Update (Oct 26)
 

- Update to 1.1.26
- CVE-2017-15194
Release notes:

  Fedora 25: SDL2 Security Update (Oct 26)
 

Fix CVE-2017-2888

  Fedora 26: cacti Security Update (Oct 26)
 

- Update to 1.1.26
- CVE-2017-15194
Release notes:

 
  (Oct 29)
 

Multiple vulnerabilities have been found in Apache, the worst of which may result in the loss of secrets.

  (Oct 29)
 

Multiple vulnerabilities have been found in Oracle's JDK and JRE software suites, the worst of which can be remotely exploited without authentication.

  (Oct 29)
 

Multiple vulnerabilities have been found in X.Org Server, the worst of which could allow a local attacker to replace shared memory segments.

  (Oct 29)
 

Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands.

  (Oct 29)
 

A vulnerability in Jython may lead to arbitrary code execution.

 
  RedHat: RHSA-2017-3115:01 Moderate: Red Hat JBoss Fuse/A-MQ 6.3 R5 security (Nov 2)
 

An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2017-3113:01 Important: Red Hat JBoss Web Server security and (Nov 2)
 

An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2017-3114:01 Important: Red Hat JBoss Web Server security and (Nov 2)
 

An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2017-3111:01 Moderate: liblouis security update (Nov 2)
 

An update for liblouis is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2017-3110:01 Moderate: samba security update (Nov 2)
 

An update for samba is now available for Red Hat Gluster Storage 3.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2017-3107:01 Low: Red Hat Enterprise Linux 6.5 TUS One-Month (Oct 31)
 

This is the One-Month notification for the retirement of Red Hat Enterprise Linux 6.5 Telecommunications Update Support (TUS). This notification applies only to those customers subscribed to the Telecommunications Update Support (TUS) channel for Red Hat Enterprise Linux 6.5.

  RedHat: RHSA-2017-3108:01 Low: Red Hat Enterprise Linux 7.2 Extended Update (Oct 31)
 

This is the One-Month notification for the retirement of Red Hat Enterprise Linux 7.2 Extended Update Support (EUS). This notification applies only to those customers subscribed to the Extended Update Support (EUS) channel for Red Hat Enterprise Linux 7.2.

  RedHat: RHSA-2017-3093:01 Moderate: python-django security update (Oct 31)
 

An update for python-django is now available for Red Hat OpenStack Platform 11.0 (Ocata). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2017-3086:01 Low: Red Hat 'Stand-Alone' Proxy - End Of Life (Oct 31)
 

This is the final notification for the End Of Life (EOL) of Red Hat 'Stand-Alone' Proxy. Red Hat Proxy 'Stand-Alone' (Proxy server directly connecting to the Red Hat Network): Systems registered as clients to RHN via a Red Hat Satellite

  RedHat: RHSA-2017-3082:01 Important: chromium-browser security update (Oct 30)
 

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2017-3081:01 Important: tomcat security update (Oct 30)
 

An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2017-3080:01 Important: tomcat6 security update (Oct 30)
 

An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2017-3075:01 Important: wget security update (Oct 26)
 

An update for wget is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2017-3071:01 Moderate: ntp security update (Oct 26)
 

An update for ntp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

 
  Slackware: 2017-306-02: openssl Security Update (Nov 3)
 

New openssl packages are available for Slackware 14.2 and -current to fix a security issue.

  Slackware: 2017-306-01: mariadb Security Update (Nov 3)
 

New mariadb packages are available for Slackware 14.1, 14.2, and -current to fix security issues.

  Slackware: 2017-300-02: wget Security Update (Oct 27)
 

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2017-300-01: php Security Update (Oct 27)
 

New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

 
  SuSE: 2017:2924-1: important: qemu (Nov 3)
 

An update that solves 8 vulnerabilities and has two fixes is now available.

  SuSE: 2017:2922-1: important: ceph (Nov 2)
 

An update that solves one vulnerability and has four fixes is now available.

  SuSE: 2017:2920-1: important: the Linux Kernel (Nov 2)
 

An update that solves 36 vulnerabilities and has 22 fixes is now available.

  openSUSE: 2017:2916-1: important: xen (Nov 1)
 

An update that solves 9 vulnerabilities and has two fixes is now available.

  SuSE: 2017:2908-1: important: the Linux Kernel (Oct 30)
 

An update that solves 30 vulnerabilities and has 38 fixes is now available.

  openSUSE: 2017:2905-1: important: the Linux Kernel (Oct 29)
 

An update that solves three vulnerabilities and has 32 fixes is now available.

  openSUSE: 2017:2902-1: important: chromium (Oct 29)
 

An update that fixes 21 vulnerabilities is now available.

  openSUSE: 2017:2896-1: important: hostapd (Oct 28)
 

An update that fixes 14 vulnerabilities is now available.

  openSUSE: 2017:2892-1: important: openvpn (Oct 28)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2017:2884-1: important: wget (Oct 28)
 

An update that fixes two vulnerabilities is now available.

  SuSE: 2017:2873-1: important: xen (Oct 27)
 

An update that fixes 9 vulnerabilities is now available.

  SuSE: 2017:2872-1: important: MozillaFirefox, mozilla-nss (Oct 27)
 

An update that fixes 9 vulnerabilities is now available.

  SuSE: 2017:2871-1: important: wget (Oct 27)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2017:2868-1: important: mysql-community-server (Oct 27)
 

An update that solves 13 vulnerabilities and has two fixes is now available.

  SuSE: 2017:2864-1: important: xen (Oct 27)
 

An update that solves 9 vulnerabilities and has two fixes is now available.

  SuSE: 2017:2856-1: important: xen (Oct 26)
 

An update that solves 8 vulnerabilities and has one errata is now available.