Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators know how important the security of their systems is, not just the uptime of their servers. Intruders, spammers, DDoS attackers and crackers are all out there trying to get into computers, servers and anything else they can lay hands on, and to disrupt the normal operation of services.

Securing a Linux Web Server - Given the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for this purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary widely with environment and use, there are various general steps that can be taken to ensure basic security considerations are in place.


  (Oct 29)
 

Security Report Summary

  (Oct 29)
 

Security Report Summary

  (Oct 29)
 

Security Report Summary

  (Oct 28)
 

Security Report Summary

  (Oct 27)
 

Security Report Summary

  (Oct 27)
 

Security Report Summary

  (Oct 25)
 

Security Report Summary

  (Oct 24)
 

Security Report Summary

  (Oct 24)
 

Security Report Summary

 
  (Oct 28)
 

Security fix for CVE-2015-4499. A security problem was found in supported versions of Bugzilla. Login names longer than 127 characters can be corrupted, which could lead to the creation of a user account with an unexpected email address. Bugzilla 4.4.10 fixes the issue for the 4.4 branch of Bugzilla.

  (Oct 28)
 

Security fix for CVE-2015-5302. abrt-2.6.1-6.fc22 - doc: fix default DumpLocation in abrt.conf man page - abrt-retrace-client: use atoll for _size conversion - a-a-a-ccpp-local: don't delete build_ids - abrt-dump-xorg: support Xorg log backtraces prefixed by (EE - bodhi: fix typo in error messages. libreport-2.6.3-1.fc22 - reporter-bugzilla: add parameter -p - fix saving users' changes after reviewing dump dir files - bugzilla: don't attach build_ids - rewrite event rule parser - ureport: improve curl's error messages - curl: add possibility to use own Certificate Authority cert - Resolves CVE-2015-5302

  (Oct 28)
 

Security fix for CVE-2015-5302. abrt-2.6.1-6.fc22 - doc: fix default DumpLocation in abrt.conf man page - abrt-retrace-client: use atoll for _size conversion - a-a-a-ccpp-local: don't delete build_ids - abrt-dump-xorg: support Xorg log backtraces prefixed by (EE - bodhi: fix typo in error messages. libreport-2.6.3-1.fc22 - reporter-bugzilla: add parameter -p - fix saving users' changes after reviewing dump dir files - bugzilla: don't attach build_ids - rewrite event rule parser - ureport: improve curl's error messages - curl: add possibility to use own Certificate Authority cert - Resolves CVE-2015-5302

  (Oct 28)
 

Security update to October 20 Oracle CPU

  (Oct 28)
 

Security fix for CVE-2015-4499. A security problem was found in supported versions of Bugzilla. Login names longer than 127 characters can be corrupted, which could lead to the creation of a user account with an unexpected email address. Bugzilla 4.4.10 fixes the issue for the 4.4 branch of Bugzilla.

  (Oct 28)
 

Security update to October 20 Oracle CPU

  (Oct 26)
 

Issue #2288251 by pfrenssen, SylvainM: Fix XSS vulnerability when rendering tags.

  (Oct 26)
 

Security release to fix buffer overflow bug

  (Oct 26)
 

Issue #2288251 by pfrenssen, SylvainM: Fix XSS vulnerability when rendering tags.

  (Oct 23)
 

* CVE-2015-7295: virtio-net possible remote DoS (bz #1264393) * drive-mirror: Fix coroutine reentrance (bz #1266936) * Fix udp socket 'localaddr' (bz #1268708)

  (Oct 23)
 

Update to ganglia-web 3.7.1, including security fix for CVE-2015-6816.

  (Oct 23)
 

See [jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123](https://www.drupal.org/node/2507729) Changes since 7.x-2.5 (3 commits): * Updating overlay code to match core * Issue #2466329 by hanoii: Update 1.7 to 1.7.2 * Issue #1546668 by sergey.semashko, RobLoach: Update to jQuery 1.8.3

  (Oct 23)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295]; create a symbolic link so libvirt VMs from xen 4.0 to 4.4 can still find qemu-dm

  (Oct 23)
 

- Update to 1.3.14 - CVE-2015-5291 Release notes: https://www.trustedfirmware.org/projects/mbed-tls/ Security notes:

  (Oct 23)
 

Update to 2.38. Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/ for more info.

  (Oct 23)
 

Security fix for CVE-2015-1867: issue allegedly present in pacemaker-1.1.12, fixed in pacemaker-1.1.13. * * * pacemaker-1.1.13-3.fc{21,22,23} - Update to Pacemaker-1.1.13 post-release + patches (sync) - Add nagios-plugins-metadata subpackage enabling support of selected Nagios plugins as resources recognized by Pacemaker - Several specfile improvements: drop irrelevant stuff, rehash the included/excluded files + dependencies, add check scriptlet, reflect current packaging practice, do minor cleanups (mostly adopted from another spec)

  (Oct 23)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295] (#1264392)

  (Oct 23)
 

See [jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123](https://www.drupal.org/node/2507729) Changes since 7.x-2.5 (3 commits): * Updating overlay code to match core * Issue #2466329 by hanoii: Update 1.7 to 1.7.2 * Issue #1546668 by sergey.semashko, RobLoach: Update to jQuery 1.8.3

  (Oct 23)
 

Update to ganglia-web 3.7.1, including security fix for CVE-2015-6816.

  (Oct 23)
 

- Update to 1.3.14 - CVE-2015-5291 Release notes: https://www.trustedfirmware.org/projects/mbed-tls/ Security notes:

  (Oct 23)
 

Update to 2.38. Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/seamonkey/ for more info.

 
  Red Hat: 2015:1945-01: kubernetes: Moderate Advisory (Oct 27)
 

Updated kubernetes packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.0. Red Hat Product Security has rated this update as having Moderate [More...]

  Red Hat: 2015:1943-01: qemu-kvm: Moderate Advisory (Oct 27)
 

Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1930-01: ntp: Important Advisory (Oct 26)
 

Updated ntp packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1927-01: java-1.7.0-oracle: Critical Advisory (Oct 22)
 

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1926-01: java-1.8.0-oracle: Critical Advisory (Oct 22)
 

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1928-01: java-1.6.0-sun: Important Advisory (Oct 22)
 

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1929-01: openstack-ironic-discoverd: Important Advisory (Oct 22)
 

Updated openstack-ironic-discoverd packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1925-01: kvm: Important Advisory (Oct 22)
 

Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1924-01: qemu-kvm: Important Advisory (Oct 22)
 

Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

 
  (Oct 29)
 

New jasper packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

  (Oct 29)
 

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

  (Oct 29)
 

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

 
  Ubuntu: 2788-1: unzip vulnerabilities (Oct 29)
 

unzip could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2787-1: audiofile vulnerability (Oct 28)
 

audiofile could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2786-1: PHP vulnerabilities (Oct 28)
 

PHP could be made to crash if it processed a specially crafted file.

  Ubuntu: 2784-1: OpenJDK 7 vulnerabilities (Oct 28)
 

Several security issues were fixed in OpenJDK 7.

  Ubuntu: 2783-1: NTP vulnerabilities (Oct 27)
 

Several security issues were fixed in NTP.

  Ubuntu: 2782-1: Apport vulnerability (Oct 27)
 

Apport could be made to run programs as an administrator.

  Ubuntu: 2781-1: MySQL vulnerabilities (Oct 26)
 

Several security issues were fixed in MySQL.

  Ubuntu: 2770-2: Oxide vulnerabilities (Oct 22)
 

Several security issues were fixed in Oxide.