Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system.

Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.


LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators know that the security of their systems matters as much as their uptime. Intruders, spammers, DDoS attackers and crackers are all out there trying to get into people's computers and servers, anywhere they can lay hands on, and interrupt the normal running of services.

Securing a Linux Web Server - Given the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for that purpose. However, a Linux based web server is only as secure as its configuration, and many are quite vulnerable to compromise. While specific configurations vary widely with environment and use, there are general steps that can be taken to ensure basic security considerations are in place.


  Debian: 3384-1: virtualbox: Summary (Oct 29)

  Debian: 3383-1: wordpress: Summary (Oct 29)

  Debian: 3332-2: wordpress: Summary (Oct 29)

  Debian: 3382-1: phpmyadmin: Summary (Oct 28)

  Debian: 3381-1: openjdk-7: Summary (Oct 27)

  Debian: 3380-1: php5: Summary (Oct 27)

  Debian: 3379-1: miniupnpc: Summary (Oct 25)

  Debian: 3378-1: gdk-pixbuf: Summary (Oct 24)

  Debian: 3377-1: mysql-5.5: Summary (Oct 24)

 
  Fedora 22 bugzilla-4.4.10-1.fc22 (Oct 28)
 

Security fix for CVE-2015-4499. A security problem was found in supported versions of Bugzilla. Login names longer than 127 characters can be corrupted, which could lead to the creation of a user account with an unexpected email address. Bugzilla 4.4.10 fixes the issue for the 4.4 branch of Bugzilla.

  Fedora 22 abrt-2.6.1-6.fc22 (Oct 28)
 

Security fix for CVE-2015-5302. abrt-2.6.1-6.fc22 - doc: fix default DumpLocation in abrt.conf man page - abrt-retrace-client: use atoll for _size conversion - a-a-a-ccpp-local: don't delete build_ids - abrt-dump-xorg: support Xorg log backtraces prefixed by (EE - bodhi: fix typo in error messages. libreport-2.6.3-1.fc22 - reporter-bugzilla: add parameter -p - fix save users changes after reviewing dump dir files - bugzilla: don't attach build_ids - rewrite event rule parser - ureport: improve curl's error messages - curl: add possibility to use own Certificate Authority cert - Resolves CVE-2015-5302

  Fedora 22 libreport-2.6.3-1.fc22 (Oct 28)
 

Security fix for CVE-2015-5302. abrt-2.6.1-6.fc22 - doc: fix default DumpLocation in abrt.conf man page - abrt-retrace-client: use atoll for _size conversion - a-a-a-ccpp-local: don't delete build_ids - abrt-dump-xorg: support Xorg log backtraces prefixed by (EE - bodhi: fix typo in error messages. libreport-2.6.3-1.fc22 - reporter-bugzilla: add parameter -p - fix save users changes after reviewing dump dir files - bugzilla: don't attach build_ids - rewrite event rule parser - ureport: improve curl's error messages - curl: add possibility to use own Certificate Authority cert - Resolves CVE-2015-5302

  Fedora 22 java-1.8.0-openjdk-1.8.0.65-3.b17.fc22 (Oct 28)
 

Security update to October 20 Oracle CPU

  Fedora 21 bugzilla-4.4.10-1.fc21 (Oct 28)
 

Security fix for CVE-2015-4499. A security problem was found in supported versions of Bugzilla. Login names longer than 127 characters can be corrupted, which could lead to the creation of a user account with an unexpected email address. Bugzilla 4.4.10 fixes the issue for the 4.4 branch of Bugzilla.

  Fedora 21 java-1.8.0-openjdk-1.8.0.65-3.b17.fc21 (Oct 28)
 

Security update to October 20 Oracle CPU

  Fedora 22 drupal7-active_tags-2.0-0.9.alpha1.fc22 (Oct 26)
 

Issue #2288251 by pfrenssen, SylvainM: Fix XSS vulnerability when rendering tags.

  Fedora 21 pixman-0.32.8-1.fc21 (Oct 26)
 

Security release to fix buffer overflow bug

  Fedora 21 drupal7-active_tags-2.0-0.9.alpha1.fc21 (Oct 26)
 

Issue #2288251 by pfrenssen, SylvainM: Fix XSS vulnerability when rendering tags.

  Fedora 22 qemu-2.3.1-7.fc22 (Oct 23)
 

* CVE-2015-7295: virtio-net possible remote DoS (bz #1264393) * drive-mirror: Fix coroutine reentrance (bz #1266936) * Fix udp socket 'localaddr' (bz #1268708)

  Fedora 22 ganglia-3.7.2-6.fc22 (Oct 23)
 

Update to ganglia-web 3.7.1, including security fix for CVE-2015-6816.

  Fedora 22 drupal7-jquery_update-2.6-1.fc22 (Oct 23)
 

See [jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123](https://www.drupal.org/node/2507729) Changes since 7.x-2.5 (3 commits): * Updating overlay code to match core * Issue #2466329 by hanoii: Update 1.7 to 1.7.2 * Issue #1546668 by sergey.semashko, RobLoach: Update to jQuery 1.8.3

  Fedora 22 xen-4.5.1-13.fc22 (Oct 23)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295]; create a symbolic link so libvirt VMs from xen 4.0 to 4.4 can still find qemu-dm

  Fedora 22 mbedtls-1.3.14-1.fc22 (Oct 23)
 

- Update to 1.3.14 - CVE-2015-5291. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released Security notes: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01

  Fedora 22 seamonkey-2.38-1.fc22 (Oct 23)
 

Update to 2.38. Fixes various security issues; see https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html for more info.

  Fedora 22 pacemaker-1.1.13-3.fc22 (Oct 23)
 

Security fix for CVE-2015-1867: issue allegedly present in pacemaker-1.1.12, fixed in pacemaker-1.1.13. * * * pacemaker-1.1.13-3.fc{21,22,23} - Update to Pacemaker-1.1.13 post-release + patches (sync) - Add nagios-plugins-metadata subpackage enabling support of selected Nagios plugins as resources recognized by Pacemaker - Several specfile improvements: drop irrelevant stuff, rehash the included/excluded files + dependencies, add check scriptlet, reflect current packaging practice, do minor cleanups (mostly adopted from another spec)

  Fedora 21 xen-4.4.3-6.fc21 (Oct 23)
 

Qemu: net: virtio-net possible remote DoS [CVE-2015-7295] (#1264392)

  Fedora 21 drupal7-jquery_update-2.6-1.fc21 (Oct 23)
 

See [jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123](https://www.drupal.org/node/2507729) Changes since 7.x-2.5 (3 commits): * Updating overlay code to match core * Issue #2466329 by hanoii: Update 1.7 to 1.7.2 * Issue #1546668 by sergey.semashko, RobLoach: Update to jQuery 1.8.3

  Fedora 21 ganglia-3.7.2-6.fc21 (Oct 23)
 

Update to ganglia-web 3.7.1, including security fix for CVE-2015-6816.

  Fedora 21 mbedtls-1.3.14-1.fc21 (Oct 23)
 

- Update to 1.3.14 - CVE-2015-5291. Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.1.2-and-1.3.14-and-polarssl-1.2.17-released Security notes: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01

  Fedora 21 seamonkey-2.38-1.fc21 (Oct 23)
 

Update to 2.38. Fixes various security issues; see https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html for more info.

 
  Red Hat: 2015:1945-01: kubernetes: Moderate Advisory (Oct 27)
 

Updated kubernetes packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.0. Red Hat Product Security has rated this update as having Moderate [More...]

  Red Hat: 2015:1943-01: qemu-kvm: Moderate Advisory (Oct 27)
 

Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1930-01: ntp: Important Advisory (Oct 26)
 

Updated ntp packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1927-01: java-1.7.0-oracle: Critical Advisory (Oct 22)
 

Updated java-1.7.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1926-01: java-1.8.0-oracle: Critical Advisory (Oct 22)
 

Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security [More...]

  Red Hat: 2015:1928-01: java-1.6.0-sun: Important Advisory (Oct 22)
 

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1929-01: openstack-ironic-discoverd: Important Advisory (Oct 22)
 

Updated openstack-ironic-discoverd packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1925-01: kvm: Important Advisory (Oct 22)
 

Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1924-01: qemu-kvm: Important Advisory (Oct 22)
 

Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

 
  Slackware: 2015-302-02: jasper: Security Update (Oct 29)
 

New jasper packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

  Slackware: 2015-302-03: ntp: Security Update (Oct 29)
 

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

  Slackware: 2015-302-01: curl: Security Update (Oct 29)
 

New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

 
  Ubuntu: 2788-1: unzip vulnerabilities (Oct 29)
 

unzip could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2787-1: audiofile vulnerability (Oct 28)
 

audiofile could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu: 2786-1: PHP vulnerabilities (Oct 28)
 

PHP could be made to crash if it processed a specially crafted file.

  Ubuntu: 2784-1: OpenJDK 7 vulnerabilities (Oct 28)
 

Several security issues were fixed in OpenJDK 7.

  Ubuntu: 2783-1: NTP vulnerabilities (Oct 27)
 

Several security issues were fixed in NTP.

  Ubuntu: 2782-1: Apport vulnerability (Oct 27)
 

Apport could be made to run programs as an administrator.

  Ubuntu: 2781-1: MySQL vulnerabilities (Oct 26)
 

Several security issues were fixed in MySQL.

  Ubuntu: 2770-2: Oxide vulnerabilities (Oct 22)
 

Several security issues were fixed in Oxide.
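A listing like the one above is easier to act on once it is turned into a per-CVE table: the same CVE (CVE-2015-7295 under both Fedora qemu and Fedora xen, for instance) then shows up once with every package that fixes it, and entries whose summary names no CVE at all stand out as the ones whose full bulletin you still have to read. The following is an added example, not LinuxSecurity.com's code; the header patterns are inferred from the entry formats in this issue (Debian DSA ids, Fedora name-version-release strings, Red Hat RHSA ids with a severity word, Slackware SSA ids, Ubuntu USN ids) and the sample input is a constructed handful of lines in that shape, so treat both as assumptions to check against whatever issue you feed in.

```python
"""Turn a Linux Advisory Watch listing into a per-CVE tracking list.

Added example, not LinuxSecurity.com's own code. The header formats are
inferred from the entries in this issue; other issues may format entries
differently, so the patterns below are assumptions to verify first.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
DATE = r"\((?P<date>[A-Za-z]{3} \d{1,2})\)$"

# One header pattern per distributor, in the shape this issue uses.
HEADERS = [
    ("Debian", re.compile(r"^Debian: (?P<id>\d+-\d+): (?P<pkg>\S+): Summary " + DATE)),
    ("Fedora", re.compile(r"^Fedora (?P<rel>\d+) (?P<nevr>\S+) " + DATE)),
    ("Red Hat", re.compile(r"^Red Hat: (?P<id>\d{4}:\d{4}-\d{2}): (?P<pkg>\S+): "
                           r"(?P<sev>\w+) Advisory " + DATE)),
    ("Slackware", re.compile(r"^Slackware: (?P<id>\d{4}-\d{3}-\d{2}): (?P<pkg>\S+): "
                             r"Security Update " + DATE)),
    ("Ubuntu", re.compile(r"^Ubuntu: (?P<id>\d+-\d+): (?P<pkg>.+?) "
                          r"vulnerabilit(?:y|ies) " + DATE)),
]

# Constructed sample in the shape of this issue's entries (a handful of lines,
# not the whole newsletter).
SAMPLE = """\
  Fedora 22 bugzilla-4.4.10-1.fc22 (Oct 28)
Security fix for CVE-2015-4499. Login names longer than 127 characters can be corrupted.
  Fedora 22 qemu-2.3.1-7.fc22 (Oct 23)
* CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
  Fedora 21 xen-4.4.3-6.fc21 (Oct 23)
Qemu: net: virtio-net possible remote DoS [CVE-2015-7295] (#1264392)
  Red Hat: 2015:1930-01: ntp: Important Advisory (Oct 26)
Updated ntp packages that fix two security issues are now available.
  Debian: 3380-1: php5: Summary (Oct 27)
  Ubuntu: 2783-1: NTP vulnerabilities (Oct 27)
Several security issues were fixed in NTP.
"""


def parse_entries(text):
    """Split the listing into entries: one dict per advisory header, with the
    free-text lines that follow it and the CVE ids found in that text."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for distro, pat in HEADERS:
            m = pat.match(line)
            if not m:
                continue
            g = m.groupdict()
            if distro == "Fedora":
                # NEVR: the name may itself contain '-', so split from the right.
                name, ver, rel = g["nevr"].rsplit("-", 2)
                current = {"distro": f"Fedora {g['rel']}", "id": g["nevr"],
                           "package": name, "version": f"{ver}-{rel}"}
            else:
                current = {"distro": distro, "id": g["id"],
                           "package": g["pkg"], "version": None}
            current.update(severity=g.get("sev"), date=g["date"], text=[])
            entries.append(current)
            break
        else:
            if current is not None:   # description line for the open entry
                current["text"].append(line)
    for e in entries:
        e["cves"] = sorted(set(CVE_RE.findall(" ".join(e["text"]))))
    return entries


def cve_index(entries):
    """Map each CVE id to the (distro, package) pairs that ship a fix for it,
    in listing order; one CVE often appears under several distributions."""
    index = {}
    for e in entries:
        for cve in e["cves"]:
            index.setdefault(cve, []).append((e["distro"], e["package"]))
    return index


def entries_without_cves(entries):
    """Advisory ids whose summary names no CVE; these need the full bulletin
    read before you can decide whether the fix is relevant to a host."""
    return [e["id"] for e in entries if not e["cves"]]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for cve, fixes in sorted(cve_index(parsed).items()):
        print(cve, "->", ", ".join(f"{d}/{p}" for d, p in fixes))
    print("no CVE in summary:", entries_without_cves(parsed))
```

The Fedora version field comes out as the rpm version-release pair (for example 4.4.10-1.fc22), which is what you would compare against `rpm -q` output on a host; the Red Hat, Debian, Slackware and Ubuntu headers carry only an advisory id, so the fixed package versions for those still have to come from the bulletin itself.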