Linux Advisory Watch: October 16th, 2015

Advisories

Linux Advisory Watch: October 16th, 2015

Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware as how important their systems security is, not just the runtime of their servers. Intruders, spammers, DDOS attack, crackers, are all out there trying to get into people's computers, servers and everywhere they can lay hands on and interrupt the normal runtime of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.


  Debian: 3372-1: linux: Summary (Oct 13)
 

Security Report Summary

  Debian: 3371-1: spice: Summary (Oct 9)
 

Security Report Summary

 
  Fedora 22 kernel-4.2.3-200.fc22 (Oct 16)
 

The 4.2.3 stable rebase contains a number of new features and important bugfixes across the tree and improved hardware support. kernel-4.2.3-200.fc22 -Linux v4.2.3 - CVE-2015-5156 virtio-net: bug overflow with large fraglist (rhbz1243852 1266515)

  Fedora 21 fossil-1.33-1.fc21 (Oct 15)
 

Update to latest release

  Fedora 22 fossil-1.33-1.fc22 (Oct 14)
 

Update to latest release

  Fedora 21 xen-4.4.3-5.fc21 (Oct 14)
 

ide: fix ATAPI command permissions [CVE-2015-6855] (#1261792)

  Fedora 22 xen-4.5.1-10.fc22 (Oct 14)
 

ide: fix ATAPI command permissions [CVE-2015-6855] (#1261792)

  Fedora 22 icu-54.1-4.fc22 (Oct 13)
 

Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926CVE-2014-9654

  Fedora 22 php-5.6.14-1.fc22 (Oct 13)
 

01 Oct 2015, **PHP 5.6.14** **Core:** * Fixed bug php#70370 (Bundledlibtool.m4 doesn't handle FreeBSD 10 when building extensions). (Adam) **CLIserver:** * Fixed bug php#68291 (404 on urls with '+'). (cmb) **DOM:** *Fixed bug php#70001 (Assigning to DOMNode::textContent does additional entityencoding). (cmb) **Mysqlnd:** * Fixed bug php#70456 (mysqlnd doesn't activateTCP keep-alive when connecting to a server). (Sergei Turchanov) **OpenSSL:** *Fixed bug php#55259 (openssl extension does not get the DH parameters from DHkey resource). (Jakub Zelenka) * Fixed bug php#70395 (Missing ARG_INFO foropenssl_seal()). (cmb) * Fixed bug php#60632 (openssl_seal fails with AES).(Jakub Zelenka) * Fixed bug php#68312 (Lookup for openssl.cnf causes a messagebox). (Anatol) **PDO:** * Fixed bug php#70389 (PDO constructor changesunrelated variables). (Laruence) **Phar:** * Fixed bug php#69720 (Null pointerdereference in phar_get_fp_offset()). (Stas) * Fixed bug php#70433(Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").(Stas) **Phpdbg:** * Fix phpdbg_break_next() sometimes not breaking. (Bob)**Standard:** * Fixed bug php#67131 (setcookie() conditional for empty valuesnot met). (cmb) **Streams:** * Fixed bug php#70361 (HTTP stream wrapperdoesn't close keep-alive connections). (Niklas Keller)

  Fedora 21 php-5.6.14-1.fc21 (Oct 13)
 

01 Oct 2015, **PHP 5.6.14** **Core:** * Fixed bug php#70370 (Bundledlibtool.m4 doesn't handle FreeBSD 10 when building extensions). (Adam) **CLIserver:** * Fixed bug php#68291 (404 on urls with '+'). (cmb) **DOM:** *Fixed bug php#70001 (Assigning to DOMNode::textContent does additional entityencoding). (cmb) **Mysqlnd:** * Fixed bug php#70456 (mysqlnd doesn't activateTCP keep-alive when connecting to a server). (Sergei Turchanov) **OpenSSL:** *Fixed bug php#55259 (openssl extension does not get the DH parameters from DHkey resource). (Jakub Zelenka) * Fixed bug php#70395 (Missing ARG_INFO foropenssl_seal()). (cmb) * Fixed bug php#60632 (openssl_seal fails with AES).(Jakub Zelenka) * Fixed bug php#68312 (Lookup for openssl.cnf causes a messagebox). (Anatol) **PDO:** * Fixed bug php#70389 (PDO constructor changesunrelated variables). (Laruence) **Phar:** * Fixed bug php#69720 (Null pointerdereference in phar_get_fp_offset()). (Stas) * Fixed bug php#70433(Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").(Stas) **Phpdbg:** * Fix phpdbg_break_next() sometimes not breaking. (Bob)**Standard:** * Fixed bug php#67131 (setcookie() conditional for empty valuesnot met). (cmb) **Streams:** * Fixed bug php#70361 (HTTP stream wrapperdoesn't close keep-alive connections). (Niklas Keller)

  Fedora 21 openjpeg2-2.1.0-7.fc21 (Oct 13)
 

This update adds a fix for CVE-2015-6581 (double free vulnerability).

  Fedora 23 php-5.6.14-1.fc23 (Oct 12)
 

01 Oct 2015, **PHP 5.6.14** **Core:** * Fixed bug php#70370 (Bundledlibtool.m4 doesn't handle FreeBSD 10 when building extensions). (Adam) **CLIserver:** * Fixed bug php#68291 (404 on urls with '+'). (cmb) **DOM:** *Fixed bug php#70001 (Assigning to DOMNode::textContent does additional entityencoding). (cmb) **Mysqlnd:** * Fixed bug php#70456 (mysqlnd doesn't activateTCP keep-alive when connecting to a server). (Sergei Turchanov) **OpenSSL:** *Fixed bug php#55259 (openssl extension does not get the DH parameters from DHkey resource). (Jakub Zelenka) * Fixed bug php#70395 (Missing ARG_INFO foropenssl_seal()). (cmb) * Fixed bug php#60632 (openssl_seal fails with AES).(Jakub Zelenka) * Fixed bug php#68312 (Lookup for openssl.cnf causes a messagebox). (Anatol) **PDO:** * Fixed bug php#70389 (PDO constructor changesunrelated variables). (Laruence) **Phar:** * Fixed bug php#69720 (Null pointerdereference in phar_get_fp_offset()). (Stas) * Fixed bug php#70433(Uninitialized pointer in phar_make_dirstream when zip entry filename is "/").(Stas) **Phpdbg:** * Fix phpdbg_break_next() sometimes not breaking. (Bob)**Standard:** * Fixed bug php#67131 (setcookie() conditional for empty valuesnot met). (cmb) **Streams:** * Fixed bug php#70361 (HTTP stream wrapperdoesn't close keep-alive connections). (Niklas Keller)

  Fedora 23 xen-4.5.1-13.fc23 (Oct 12)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295]

  Fedora 22 ntp-4.2.6p5-33.fc22 (Oct 11)
 

Security fix for CVE-2015-5146, CVE-2015-5194, CVE-2015-5219, CVE-2015-5195,CVE-2015-5196

  Fedora 23 spice-0.12.6-1.fc23 (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice updatefixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  Fedora 23 sssd-1.13.1-2.fc23 (Oct 11)
 

Security fix for CVE-2015-5292

  Fedora 23 spice-protocol-0.12.10-1.fc23 (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice updatefixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  Fedora 23 spice-gtk-0.30-1.fc23 (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice updatefixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  Fedora 23 mingw-spice-protocol-0.12.10-1.fc23 (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice updatefixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  Fedora 23 mingw-spice-gtk-0.30-1.fc23 (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice updatefixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  Fedora 23 postgresql-9.4.5-1.fc23 (Oct 11)
 

update to 9.4.5 per release noteshttps://www.postgresql.org/docs/9.4/static/release-9-4-5.html

  Fedora 23 freeipa-4.2.2-1.fc23 (Oct 11)
 

freeipa-4.2.2-1.fc23 - Update to upstream 4.2.2 - seehttps://www.freeipa.org/page/Releases/4.2.2

  Fedora 23 qemu-2.4.0.1-1.fc23 (Oct 11)
 

* Rebased to version 2.4.0.1 * CVE-2015-7295: virtio-net possible remote DoS (bz#1264393) * drive-mirror: Fix coroutine reentrance (bz #1266936)

  Fedora 21 qemu-2.1.3-11.fc21 (Oct 9)
 

* CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) * CVE-2015-6855:ide: divide by zero issue (bz #1261793) * CVE-2015-5278: Infinite loop inne2000_receive() (bz #1263284) * CVE-2015-5279: Heap overflow vulnerability inne2000_receive() (bz #1263287) * Make block copy more stable (bz #1264416) * Fixhang at start of live merge for large images (bz #1262901) ---- *CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz#1255899)

  Fedora 22 qemu-2.3.1-5.fc22 (Oct 9)
 

* Fix typo causing qemu-img to link against entire world (bz #1260996) *CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) * CVE-2015-6855:ide: divide by zero issue (bz #1261793) * CVE-2015-5278: Infinite loop inne2000_receive() (bz #1263284) * CVE-2015-5279: Heap overflow vulnerability inne2000_receive() (bz #1263287) * Make block copy more stable (bz #1264416) * Fixhang at start of live merge for large images (bz #1262901) ---- Fix emulationof various instructions, required by libm in F22 ppc64 guests.

  Fedora 22 kernel-4.1.10-200.fc22 (Oct 9)
 

kernel-4.1.10-200.fc22 - Linxu v4.1.10 - Add patch to fix soft lockups innetwork stack (rhbz 1266691)

  Fedora 23 kernel-4.2.3-300.fc23 (Oct 9)
 

The 4.2.3 stable kernel update contains a number of important fixes across thetree. kernel-4.2.3-300.fc23 - Linux v4.2.3 - Netdev fix race inresq_queue_unlink

  Fedora 21 389-ds-base-1.3.3.13-1.fc21 (Oct 8)
 

389-ds-base-1.3.3.13-1.fc21 - release 1.3.3.13 - Ticket 48265 - Complexfilter in a search request doen't work as expected. (regression) - Ticket 47981- COS cache doesn't properly mark vattr cache as invalid when there are multiplesuffixes - Ticket 48252 - db2index creates index entry from deleted records -Ticket 48228 - wrong password check if passwordInHistory is decreased. - Ticket48252 - db2index creates index entry from deleted records - Ticket 48254 - CLIdb2index fails with usage errors - Ticket 47831 - remove debug logging fromretro cl - Ticket 48245 - Man pages and help for remove-ds.pl doesn't display"-a" option - Ticket 47931 - Fix coverity issues - Ticket 47931 - memberOf &retrocl deadlocks - Ticket 48228 - wrong password check if passwordInHistory isdecreased. - Ticket 48215 - update dbverify usage in main.c - Ticket 48215 -update dbverify usage - Ticket 48215 - verify_db.pl doesn't verify DB specifiedby -a option - Ticket 47810 - memberOf plugin not properly rejecting updates -Ticket 48231 - logconv autobind handling regression caused by 47446 - Ticket48232 - winsync lastlogon attribute not syncing between DS and AD. - Ticket48206 - Crash during retro changelog trimming - Ticket 48224 - redux 2 -logconv.pl should handle *.tar.xz, *.txz, *.xz log files - Ticket 48226 - InMMR, double free coould occur under some special condition - Ticket 48224 -redux - logconv.pl should handle *.tar.xz, *.txz, *.xz log files - Ticket 48224- redux - logconv.pl should handle *.tar.xz, *.txz, *.xz log files - Ticket48224 - logconv.pl should handle *.tar.xz, *.txz, *.xz log files - Ticket 48192- Individual abandoned simple paged results request has no chance to be cleanedup - Ticket 48212 - Dynamic nsMatchingRule changes had no effect on the attrinfothus following reindexing, as well. - Ticket 48195 - Slow replication whendeleting large quantities of multi-valued attributes - Ticket 48175 - Avoidusing regex in ACL if possible

 
  Red Hat: 2015:1912-01: chromium-browser: Important Advisory (Oct 15)
 

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1894-01: python-django: Moderate Advisory (Oct 15)
 

Updated python-django packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 6.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1909-01: openstack-neutron: Moderate Advisory (Oct 15)
 

Updated openstack-neutron packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1895-01: openstack-swift: Moderate Advisory (Oct 15)
 

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1897-01: openstack-glance: Moderate Advisory (Oct 15)
 

Updated openstack-glance packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1896-01: qemu-kvm-rhev: Important Advisory (Oct 15)
 

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:1898-01: openstack-nova: Moderate Advisory (Oct 15)
 

Updated openstack-nova packages that fix one security issue and several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0 [More...]

  Red Hat: 2015:1893-01: flash-plugin: Critical Advisory (Oct 15)
 

An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1889-01: spice-server: Important Advisory (Oct 12)
 

An updated spice-server package that fixes two security issues is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1890-01: spice: Important Advisory (Oct 12)
 

Updated spice packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1876-01: python-django: Moderate Advisory (Oct 8)
 

Updated python-django packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Moderate security [More...]

 
  Ubuntu: 2768-1: Firefox vulnerability (Oct 16)
 

Firefox could be made to expose sensitive information across origins

  Ubuntu: 2772-1: PostgreSQL vulnerabilities (Oct 16)
 

PostgreSQL could be made to crash or expose private information if ithandled specially crafted data.

  Ubuntu: 2771-1: Click vulnerability (Oct 15)
 

Click could be made to allow malicious apps unintended access to thesystem.

  Ubuntu: 2709-2: pollinate update (Oct 14)
 

The system would not have expected entropy available.

  Ubuntu: 2769-1: Apache Commons HttpClient (Oct 14)
 

Several security issues were fixed in commons-httpclient.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.