Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware of how important their systems' security is, not just the uptime of their servers. Intruders, spammers, DDoS attacks and crackers are all out there trying to get into people's computers, servers and anything else they can lay hands on, and to interrupt the normal running of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.


  (Oct 13)
 

Security Report Summary

  (Oct 9)
 

Security Report Summary

 
  (Oct 16)
 

The 4.2.3 stable rebase contains a number of new features and important bugfixes across the tree and improved hardware support. kernel-4.2.3-200.fc22 - Linux v4.2.3 - CVE-2015-5156 virtio-net: bug overflow with large fraglist (rhbz 1243852 1266515)

  (Oct 15)
 

Update to latest release

  (Oct 14)
 

Update to latest release

  (Oct 14)
 

ide: fix ATAPI command permissions [CVE-2015-6855] (#1261792)

  (Oct 13)
 

Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654

  (Oct 13)
 

01 Oct 2015, **PHP 5.6.14**

* **Core:** Fixed bug php#70370 (Bundled libtool.m4 doesn't handle FreeBSD 10 when building extensions). (Adam)
* **CLI server:** Fixed bug php#68291 (404 on urls with '+'). (cmb)
* **DOM:** Fixed bug php#70001 (Assigning to DOMNode::textContent does additional entity encoding). (cmb)
* **Mysqlnd:** Fixed bug php#70456 (mysqlnd doesn't activate TCP keep-alive when connecting to a server). (Sergei Turchanov)
* **OpenSSL:**
  * Fixed bug php#55259 (openssl extension does not get the DH parameters from DH key resource). (Jakub Zelenka)
  * Fixed bug php#70395 (Missing ARG_INFO for openssl_seal()). (cmb)
  * Fixed bug php#60632 (openssl_seal fails with AES). (Jakub Zelenka)
  * Fixed bug php#68312 (Lookup for openssl.cnf causes a message box). (Anatol)
* **PDO:** Fixed bug php#70389 (PDO constructor changes unrelated variables). (Laruence)
* **Phar:**
  * Fixed bug php#69720 (Null pointer dereference in phar_get_fp_offset()). (Stas)
  * Fixed bug php#70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"). (Stas)
* **Phpdbg:** Fix phpdbg_break_next() sometimes not breaking. (Bob)
* **Standard:** Fixed bug php#67131 (setcookie() conditional for empty values not met). (cmb)
* **Streams:** Fixed bug php#70361 (HTTP stream wrapper doesn't close keep-alive connections). (Niklas Keller)

  (Oct 13)
 

This update adds a fix for CVE-2015-6581 (double free vulnerability).

  (Oct 12)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295]

  (Oct 11)
 

Security fix for CVE-2015-5146, CVE-2015-5194, CVE-2015-5219, CVE-2015-5195, CVE-2015-5196

  (Oct 11)
 

Update spice-gtk/spice-protocol/spice to new upstream releases. The spice update fixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261.

  (Oct 11)
 

Security fix for CVE-2015-5292

  (Oct 11)
 

update to 9.4.5 per release notes https://www.postgresql.org/docs/9.4/release-9-4-5.html

  (Oct 11)
 

freeipa-4.2.2-1.fc23 - Update to upstream 4.2.2 - see https://www.freeipa.org/page/Releases/4.2.2

  (Oct 11)
 

* Rebased to version 2.4.0.1
* CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
* drive-mirror: Fix coroutine reentrance (bz #1266936)

  (Oct 9)
 

* CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
* CVE-2015-6855: ide: divide by zero issue (bz #1261793)
* CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
* CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
* Make block copy more stable (bz #1264416)
* Fix hang at start of live merge for large images (bz #1262901)

----

* CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz #1255899)

  (Oct 9)
 

* Fix typo causing qemu-img to link against entire world (bz #1260996)
* CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
* CVE-2015-6855: ide: divide by zero issue (bz #1261793)
* CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
* CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
* Make block copy more stable (bz #1264416)
* Fix hang at start of live merge for large images (bz #1262901)

----

* Fix emulation of various instructions, required by libm in F22 ppc64 guests.

  (Oct 9)
 

kernel-4.1.10-200.fc22 - Linux v4.1.10 - Add patch to fix soft lockups in network stack (rhbz 1266691)

  (Oct 9)
 

The 4.2.3 stable kernel update contains a number of important fixes across the tree. kernel-4.2.3-300.fc23 - Linux v4.2.3 - Netdev fix race in resq_queue_unlink

  (Oct 8)
 

389-ds-base-1.3.3.13-1.fc21 - release 1.3.3.13

- Ticket 48265 - Complex filter in a search request doesn't work as expected. (regression)
- Ticket 47981 - COS cache doesn't properly mark vattr cache as invalid when there are multiple suffixes
- Ticket 48252 - db2index creates index entry from deleted records
- Ticket 48228 - wrong password check if passwordInHistory is decreased.
- Ticket 48252 - db2index creates index entry from deleted records
- Ticket 48254 - CLI db2index fails with usage errors
- Ticket 47831 - remove debug logging from retro cl
- Ticket 48245 - Man pages and help for remove-ds.pl doesn't display "-a" option
- Ticket 47931 - Fix coverity issues
- Ticket 47931 - memberOf & retrocl deadlocks
- Ticket 48228 - wrong password check if passwordInHistory is decreased.
- Ticket 48215 - update dbverify usage in main.c
- Ticket 48215 - update dbverify usage
- Ticket 48215 - verify_db.pl doesn't verify DB specified by -a option
- Ticket 47810 - memberOf plugin not properly rejecting updates
- Ticket 48231 - logconv autobind handling regression caused by 47446
- Ticket 48232 - winsync lastlogon attribute not syncing between DS and AD.
- Ticket 48206 - Crash during retro changelog trimming
- Ticket 48224 - redux 2 - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
- Ticket 48226 - In MMR, double free could occur under some special condition
- Ticket 48224 - redux - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
- Ticket 48224 - redux - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
- Ticket 48224 - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
- Ticket 48192 - Individual abandoned simple paged results request has no chance to be cleaned up
- Ticket 48212 - Dynamic nsMatchingRule changes had no effect on the attrinfo thus following reindexing, as well.
- Ticket 48195 - Slow replication when deleting large quantities of multi-valued attributes
- Ticket 48175 - Avoid using regex in ACL if possible

 
  Red Hat: 2015:1912-01: chromium-browser: Important Advisory (Oct 15)
 

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1894-01: python-django: Moderate Advisory (Oct 15)
 

Updated python-django packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 6.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1909-01: openstack-neutron: Moderate Advisory (Oct 15)
 

Updated openstack-neutron packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1895-01: openstack-swift: Moderate Advisory (Oct 15)
 

Updated openstack-swift packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1897-01: openstack-glance: Moderate Advisory (Oct 15)
 

Updated openstack-glance packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0. [More...]

  Red Hat: 2015:1896-01: qemu-kvm-rhev: Important Advisory (Oct 15)
 

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. [More...]

  Red Hat: 2015:1898-01: openstack-nova: Moderate Advisory (Oct 15)
 

Updated openstack-nova packages that fix one security issue and several bugs, and add various enhancements are now available for Red Hat Enterprise Linux OpenStack Platform 5.0, 6.0, and 7.0 [More...]

  Red Hat: 2015:1893-01: flash-plugin: Critical Advisory (Oct 15)
 

An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1889-01: spice-server: Important Advisory (Oct 12)
 

An updated spice-server package that fixes two security issues is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1890-01: spice: Important Advisory (Oct 12)
 

Updated spice packages that fix two security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1876-01: python-django: Moderate Advisory (Oct 8)
 

Updated python-django packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Moderate security [More...]

 
  Ubuntu: 2768-1: Firefox vulnerability (Oct 16)
 

Firefox could be made to expose sensitive information across origins

  Ubuntu: 2772-1: PostgreSQL vulnerabilities (Oct 16)
 

PostgreSQL could be made to crash or expose private information if it handled specially crafted data.

  Ubuntu: 2771-1: Click vulnerability (Oct 15)
 

Click could be made to allow malicious apps unintended access to the system.

  Ubuntu: 2709-2: pollinate update (Oct 14)
 

The system would not have expected entropy available.

  Ubuntu: 2769-1: Apache Commons HttpClient (Oct 14)
 

Several security issues were fixed in commons-httpclient.