Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix-based Environments - System administrators are aware of how important their systems' security is, not just the runtime of their servers. Intruders, spammers, DDoS attacks and crackers are all out there trying to get into people

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


Fedora 25: mingw-poppler Security Update (Oct 12)

This update fixes CVE-2017-14520.

Fedora 26: chromium Security Update (Oct 12)

Update to 61.0.3163.100. Security fix for CVE-2017-5111, CVE-2017-5112, CVE-2017-5113, CVE-2017-5114, CVE-2017-5115, CVE-2017-5116, CVE-2017-5117, CVE-2017-5118, CVE-2017-5119, CVE-2017-5120, CVE-2017-5121, CVE-2017-5122

Fedora 26: mingw-poppler Security Update (Oct 12)

This update fixes CVE-2017-14520.

Fedora 27: mingw-poppler Security Update (Oct 12)

This update fixes CVE-2017-14520.

Fedora 25: git Security Update (Oct 11)

These releases are about hardening `git shell`, which is used on servers, against unsafe user input, which `git cvsserver` copes with poorly. From the release notes: * "git cvsserver" no longer is invoked by "git shell" by default, as it is old and largely unmaintained. * Various Perl scripts did not use safe_pipe_capture() instead of backticks, leaving them susceptible to

Fedora 27: check-mk Security Update (Oct 11)

Security fix for CVE-2017-1495

Fedora 25: ImageMagick Security Update (Oct 11)

6.9.9-15 ---- Rebuilt for ImageMagick 6.9.9-13

Fedora 25: tor Security Update (Oct 11)

update to upstream release 0.2.9.12 (SECURITY) (#1494860)

Fedora 25: rubygem-rmagick Security Update (Oct 11)

6.9.9-15 ---- Rebuilt for ImageMagick 6.9.9-13

Fedora 26: rubygem-rmagick Security Update (Oct 10)

6.9.9-15 ---- Rebuilt for ImageMagick 6.9.9-13

Fedora 26: ImageMagick Security Update (Oct 10)

6.9.9-15 ---- Rebuilt for ImageMagick 6.9.9-13

Fedora 27: tor Security Update (Oct 10)

update to upstream release 0.3.1.7 ---- update to upstream release 0.2.9.12 (SECURITY) (#1494860)

Fedora 27: recode Security Update (Oct 10)

Security fix for buffer overflow due to long input filenames [see Bug 1422550 and 1422545]

Fedora 27: xen Security Update (Oct 10)

ARM: Some memory not scrubbed at boot [XSA-245] Qemu: vga: reachable assert failure during display update [CVE-2017-13673] (#1486591) Qemu: vga: OOB read access during display update [CVE-2017-13672] (#1486562)

Fedora 25: libmspack Security Update (Oct 8)

Security fix for CVE-2017-6419 and CVE-2017-11423

Fedora 25: samba Security Update (Oct 6)

Security fix for CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163

Fedora 26: dnsmasq Security Update (Oct 6)

CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496

Fedora 25: MySQL-zrm Security Update (Oct 6)

Fix command logging

Fedora 26: MySQL-zrm Security Update (Oct 5)

Fix command logging

Fedora 27: yadifa Security Update (Oct 5)

20170912: YADIFA 2.2.6 --- Fixes an issue where a maliciously crafted message may block the server.

RedHat: RHSA-2017-2889:01 Important: Red Hat JBoss BPM Suite 6.4.6 security (Oct 12)

An update is now available for Red Hat JBoss BPM Suite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

RedHat: RHSA-2017-2888:01 Important: Red Hat JBoss BRMS 6.4.6 security (Oct 12)

An update is now available for Red Hat JBoss BRMS. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

RedHat: RHSA-2017-2886:01 Important: rh-mysql57-mysql security and bug fix (Oct 12)

An update for rh-mysql57-mysql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2017-2885:01 Important: thunderbird security update (Oct 11)

An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2017-2882:01 Moderate: httpd security update (Oct 11)

An update for httpd is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

RedHat: RHSA-2017-2869:01 Important: kernel security and bug fix update (Oct 10)

An update for kernel is now available for Red Hat Enterprise Linux 7.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

Slackware: 2017-279-02: openjpeg Security Update (Oct 6)

New openjpeg packages are available for Slackware 14.2 and -current to fix security issues.

Slackware: 2017-279-03: xorg-server Security Update (Oct 6)

New xorg-server packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

Slackware: 2017-279-01: curl Security Update (Oct 6)

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

SuSE: 2017:2723-1: important: the Linux Kernel (Oct 13)

An update that fixes one vulnerability is now available.

SuSE: 2017:2717-1: important: git (Oct 12)

An update that fixes one vulnerability is now available.

openSUSE: 2017:2710-1: important: MozillaThunderbird (Oct 12)

An update that fixes 9 vulnerabilities is now available.

openSUSE: 2017:2707-1: important: MozillaThunderbird (Oct 12)

An update that fixes 9 vulnerabilities is now available.

SuSE: 2017:2701-1: important: SLES 12-SP2 Docker image (Oct 11)

An update that fixes 47 vulnerabilities is now available.

SuSE: 2017:2700-1: important: SLES 12-SP1 Docker image (Oct 11)

An update that fixes 143 vulnerabilities is now available.

SuSE: 2017:2699-1: important: SLES 12 Docker image (Oct 11)

An update that fixes 140 vulnerabilities is now available.

SuSE: 2017:2694-1: important: the Linux Kernel (Oct 10)

An update that solves 8 vulnerabilities and has 25 fixes is now available.

SuSE: 2017:2688-1: important: MozillaFirefox, mozilla-nss (Oct 10)

An update that fixes 9 vulnerabilities is now available.

SuSE: 2017:2655-1: important: portus (Oct 6)

An update that fixes one vulnerability is now available.

Ubuntu 3439-1: Ruby vulnerabilities (Oct 5)

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary: Several security issues were fixed in Ruby.
Software Description:
- ruby1.9.1: Object-oriented scripting language
Details: It was discovered that Ruby incorrectly handled certain inputs.

Debian LTS: DLA-1132-1: xen security update (Oct 11)

Multiple vulnerabilities have been discovered in the Xen hypervisor: CVE-2017-10912

Debian LTS: DLA-1131-1: imagemagick security update (Oct 11)

This update fixes numerous vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the

Debian LTS: DLA-1129-1: qemu security update (Oct 8)

Multiple vulnerabilities were discovered in qemu, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems:

Debian LTS: DLA-1128-1: qemu-kvm security update (Oct 8)

Multiple vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests based on the Quick Emulator (Qemu).

Debian LTS: DLA-1127-1: sam2p security update (Oct 8)

Several vulnerabilities, such as heap-based buffer overflows and integer signedness or overflow errors, have been found by fpbibi and have been fixed by upstream.

Debian LTS: DLA-1126-1: libxfont security update (Oct 7)

It was discovered that there were two vulnerabilities in the library providing font selection and rasterisation, libxfont: * CVE-2017-13720: If a pattern contained a '?' character any character

Debian LTS: DLA-1125-1: botan1.10 security update (Oct 6)

CVE-2017-14737: Fix of a cache-based side channel attack, which could recover information about RSA secret keys.

Debian LTS: DLA-1124-1: dnsmasq security update (Oct 6)

Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which may result in denial of service, information

Debian LTS: DLA-1123-1: golang security update (Oct 6)

It was discovered that there was an issue in the Go programming language library where an attacker could generate a MIME request such that the server ran out of file descriptors.

Debian LTS: DLA-1122-1: asterisk security update (Oct 5)

A security vulnerability was discovered in Asterisk, an Open Source PBX and telephony toolkit, that may lead to unauthorized command execution.

Debian LTS: DLA-1121-1: curl security update (Oct 5)

It was discovered that there was an out-of-bounds read vulnerability in curl, a command-line tool and library for transferring data over HTTP/FTP, etc. A malicious FTP server could abuse this to prevent curl-based clients from interacting with it.

ArchLinux: 201710-19: thunderbird: multiple issues (Oct 13)

The package thunderbird before version 52.4.0-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass and cross-site scripting.

ArchLinux: 201710-18: pcre2: denial of service (Oct 13)

The package pcre2 before version 10.30-1 is vulnerable to denial of service.

ArchLinux: 201710-17: botan: information disclosure (Oct 13)

The package botan before version 2.3.0-1 is vulnerable to information disclosure.

ArchLinux: 201710-16: go-pie: arbitrary command execution (Oct 13)

The package go-pie before version 2:1.9.1-1 is vulnerable to arbitrary command execution.

ArchLinux: 201710-15: go: arbitrary command execution (Oct 13)

The package go before version 2:1.9.1-1 is vulnerable to arbitrary command execution.

ArchLinux: 201710-14: wireshark-cli: denial of service (Oct 12)

The package wireshark-cli before version 2.4.2-1 is vulnerable to denial of service.

ArchLinux: 201710-13: flyspray: cross-site scripting (Oct 12)

The package flyspray before version 1.0rc6-1 is vulnerable to cross-site scripting.

ArchLinux: 201710-11: lame: denial of service (Oct 10)

The package lame before version 3.99.5-4 is vulnerable to denial of service.

ArchLinux: 201710-10: xorg-server: multiple issues (Oct 10)

The package xorg-server before version 1.19.4-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

ArchLinux: 201710-12: salt: multiple issues (Oct 10)

The package salt before version 2017.7.2-1 is vulnerable to multiple issues including denial of service and directory traversal.

ArchLinux: 201710-9: lib32-krb5: arbitrary code execution (Oct 6)

The package lib32-krb5 before version 1.15.2-1 is vulnerable to arbitrary code execution.

ArchLinux: 201710-7: libcurl-compat: multiple issues (Oct 6)

The package libcurl-compat before version 7.56.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201710-8: krb5: multiple issues (Oct 6)

The package krb5 before version 1.15.2-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

ArchLinux: 201710-5: libcurl-gnutls: multiple issues (Oct 6)

The package libcurl-gnutls before version 7.56.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201710-6: lib32-libcurl-compat: multiple issues (Oct 6)

The package lib32-libcurl-compat before version 7.56.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201710-4: lib32-libcurl-gnutls: multiple issues (Oct 6)

The package lib32-libcurl-gnutls before version 7.56.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

ArchLinux: 201710-2: curl: denial of service (Oct 6)

The package curl before version 7.56.0-1 is vulnerable to denial of service.

ArchLinux: 201710-3: lib32-curl: multiple issues (Oct 6)

The package lib32-curl before version 7.56.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

(Oct 11)

A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause an httpd child process to crash. (CVE-2017-9798)

(Oct 6)

Previously, VMs with memory larger than 64GB running on Hyper-V with Windows Server hosts reported a potential memory size of 4TB and more, but could not use more than 64GB. This was happening because the Memory Type Range Register (MTRR) for memory above 64GB was omitted. With this update, the /proc/mtrr file has been fixed to show the correct base/size if they are more than 44 bits wide. As a result, the whole size of memory is now available as expected under the described circumstances.

(Oct 5)

It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)