Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.
| |
Debian: DSA-3985-1: chromium-browser security update (Sep 28) |
| |
Several vulnerabilities have been discovered in the chromium web browser. CVE-2017-5111
|
| |
Debian: DSA-3984-1: git security update (Sep 26) |
| |
joernchen discovered that the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator. The git-cvsserver subcommand is reachable from the
|
| |
Debian: DSA-3983-1: samba security update (Sep 22) |
| |
Multiple security issues have been discoverd in Samba, a SMB/CIFS file, print, and login server for Unix: CVE-2017-12150
|
| |
Debian: DSA-3982-1: perl security update (Sep 21) |
| |
Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems:
|
|
|
| |
Fedora 25: php-horde-Horde-Image Security Update (Sep 28) |
| |
**Horde_Image 2.5.1** * [mjr] SECURITY: Fix more potential places for command injections.
|
| |
Fedora 25: mercurial Security Update (Sep 28) |
| |
Security fix for CVE-2017-1000115, CVE-2017-1000116
|
| |
Fedora 26: git Security Update (Sep 28) |
| |
These releases are about hardening `git shell` that is used on servers against an unsafe user input, which `git cvsserver` copes with poorly. From the release notes: * "git cvsserver" no longer is invoked by "git shell" by default, as it is old and largely unmaintained. * Various Perl scripts did not use safe_pipe_capture() instead of backticks, leaving them susceptible to
|
| |
Fedora 26: poppler Security Update (Sep 28) |
| |
- CVE-2017-14520 Floating point exception in Splash::scaleImageYuXd
|
| |
Fedora 26: moodle Security Update (Sep 28) |
| |
Patches for CVE-2017-12156, CVE-2017-12157.
|
| |
Fedora 26: php-horde-Horde-Image Security Update (Sep 28) |
| |
**Horde_Image 2.5.1** * [mjr] SECURITY: Fix more potential places for command injections.
|
| |
Fedora 26: pure-ftpd Security Update (Sep 28) |
| |
This is an update fixing loading the configuration file.
|
| |
Fedora 25: libbson Security Update (Sep 27) |
| |
This release fixes a crash when parsing an empty code string of a codewscope type.
|
| |
Fedora 25: oniguruma Security Update (Sep 27) |
| |
This new package includes additional fixes for CVE-2017-9228 .
|
| |
Fedora 26: kernel Security Update (Sep 26) |
| |
The 4.12.14 stable kernel update contains a number of important fixes across the tree.
|
| |
Fedora 26: libbson Security Update (Sep 26) |
| |
This release fixes a crash when parsing an empty code string of a codewscope type.
|
| |
Fedora 27: kernel Security Update (Sep 25) |
| |
The 4.13.3 stable update contains a number of important fixes across the tree.
|
| |
Fedora 25: mingw-LibRaw Security Update (Sep 25) |
| |
This update fixes CVE-2017-14348. ---- This update fixes CVE-2017-13735.
|
| |
Fedora 26: LibRaw Security Update (Sep 24) |
| |
Fix for possible buffer overrun in kodak_65000 decoder Fix for possible heap overrun in Canon makernotes parser Fix for CVE-2017-13735 CVE-2017-14265: Additional check for X-Trans CFA pattern data ---- Patch for CVE-2017-14348
|
| |
Fedora 26: python-jwt Security Update (Sep 24) |
| |
Upgrade to 1.5.3 and also note that 1.5.1 fixed CVE-2017-11424.
|
| |
Fedora 26: pkgconf Security Update (Sep 24) |
| |
# Security fixes - fix crash in edge case where a .pc file has misquoting in a fragment list. # Other bug fixes: - fix logic edge case when comparing relocated paths
|
| |
Fedora 26: samba Security Update (Sep 23) |
| |
Security fix for CVE-2017-12150 CVE-2017-12151 CVE-2017-12163
|
| |
Fedora 26: libmspack Security Update (Sep 23) |
| |
Security fix for CVE-2017-6419 and CVE-2017-11423
|
| |
Fedora 25: mpg123 Security Update (Sep 22) |
| |
Update to upstream release 1.25.6
|
| |
Fedora 25: drupal7-views Security Update (Sep 22) |
| |
* [7.x-3.18](https://www.drupal.org/project/views/releases/7.x-3.18) * [7.x-3.17](https://www.drupal.org/project/views/releases/7.x-3.17) * [Moderately Critical - Access Bypass - DRUPAL-SA- CONTRIB-2017-068](https://www.drupal.org/node/2902604)
|
| |
Fedora 25: krb5 Security Update (Sep 22) |
| |
- Prevent applications from accidentally implementing CVE-2017-11462 (double free if sec_context is copied). - fc26+: Add ccselect hostrealm module for ccache selection based on service hostname.
|
| |
Fedora 26: httpd Security Update (Sep 22) |
| |
This is a release fixing a security fix applied upstream, known as "optionsbleed" in popular parlance. It is relevant for hosted and co-located instances of Fedora (and why wouldn't you?).
|
| |
Fedora 26: gnome-shell Security Update (Sep 22) |
| |
Fix crash on fast status icon remapping
|
| |
Fedora 26: drupal7-views Security Update (Sep 22) |
| |
* [7.x-3.18](https://www.drupal.org/project/views/releases/7.x-3.18) * [7.x-3.17](https://www.drupal.org/project/views/releases/7.x-3.17) * [Moderately Critical - Access Bypass - DRUPAL-SA- CONTRIB-2017-068](https://www.drupal.org/node/2902604)
|
| |
Fedora 25: kernel Security Update (Sep 22) |
| |
The 4.12.13 stable kernel update contains a number of important fixes across the tree. ---- The 4.12.12 stable kernel update contains a number of important fixes across the tree.
|
| |
Fedora 26: mingw-LibRaw Security Update (Sep 21) |
| |
Update to version 0.18.4, see https://github.com/LibRaw/LibRaw/blob/0.18-stable/Changelog.txt for details. ---- Update to version 0.18.3, see for details.
|
|
|
| |
(Sep 26) |
| |
Multiple vulnerabilities have been found in LibTIFF, the worst of which could result in the execution of arbitrary code.
|
| |
(Sep 26) |
| |
A vulnerability in libsoup might allow remote attackers to execute arbitrary code.
|
| |
(Sep 25) |
| |
Multiple vulnerabilities have been found in Chromium, the worst of which could result in the execution of arbitrary code.
|
| |
(Sep 25) |
| |
Multiple vulnerabilities have been found in RAR and UnRAR, the worst of which may allow attackers to execute arbitrary code.
|
| |
(Sep 25) |
| |
Multiple vulnerabilities have been found in Tcpdump, the worst of which may allow execution of arbitrary code.
|
| |
(Sep 24) |
| |
Multiple vulnerabilities have been found in Oracle's JRE and JDK software suites, and IcedTea, the worst of which may allow execution of arbitrary code. [More...]
|
| |
(Sep 24) |
| |
Multiple vulnerabilities have been found in PHP, the worst of which could result in the execution of arbitrary code.
|
| |
(Sep 24) |
| |
Multiple vulnerabilities have been found in Mercurial, the worst of which could lead to the remote execution of arbitrary code.
|
| |
(Sep 24) |
| |
A vulnerability in Postfix may allow local users to gain root privileges.
|
| |
(Sep 24) |
| |
A vulnerability in Exim may allow local users to gain root privileges.
|
| |
(Sep 24) |
| |
A command injection vulnerability in CVS may allow remote attackers to execute arbitrary code.
|
| |
(Sep 24) |
| |
Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.
|
| |
(Sep 24) |
| |
Multiple vulnerabilities have been found in Chromium, the worst of which could result in the execution of arbitrary code.
|
|
|
| |
Slackware: 2017-271-01: mozilla-firefox Security Update (Sep 28) |
| |
New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues.
|
| |
Slackware: 2017-270-01: gegl Security Update (Sep 28) |
| |
New gegl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
|
| |
Slackware: 2017-266-02: python Security Update (Sep 23) |
| |
New python packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
|
| |
Slackware: 2017-266-01: libxml2 Security Update (Sep 23) |
| |
New libxml2 packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
|
|
|
| |
SuSE: 2017:2589-1: important: MozillaFirefox (Sep 28) |
| |
An update that fixes 16 vulnerabilities is now available. An update that fixes 16 vulnerabilities is now available. An update that fixes 16 vulnerabilities is now available.
|
| |
openSUSE: 2017:2567-1: important: openjpeg2 (Sep 25) |
| |
An update that fixes 15 vulnerabilities is now available. An update that fixes 15 vulnerabilities is now available. An update that fixes 15 vulnerabilities is now available.
|
| |
SuSE: 2017:2552-1: important: spice (Sep 22) |
| |
An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available.
|
| |
SuSE: 2017:2548-1: important: the Linux Kernel (Sep 21) |
| |
An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available.
|
| |
SuSE: 2017:2541-1: important: xen (Sep 21) |
| |
An update that solves 10 vulnerabilities and has four fixes An update that solves 10 vulnerabilities and has four fixes An update that solves 10 vulnerabilities and has four fixes is now available. is now available.
|
| |
openSUSE: 2017:2540-1: important: xen (Sep 21) |
| |
An update that solves four vulnerabilities and has two An update that solves four vulnerabilities and has two An update that solves four vulnerabilities and has two fixes is now available. fixes is now available.
|
|
|
| |
Ubuntu 3429-1: Libplist vulnerability (Sep 25) |
| |
Libplist could be made to crash if it opened a specially crafted file.
|
| |
Ubuntu 3428-1: Emacs vulnerability (Sep 21) |
| |
Emacs could be made to run programs as your login if it opened a specially crafted file.
|
| |
Ubuntu 3427-1: Emacs vulnerability (Sep 21) |
| |
Emacs could be made to run programs as your login if it opened a specially crafted file.
|
