Linux Advisory Watch: September 7th, 2015

Advisories

Linux Advisory Watch: September 7th, 2015

Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

Essential tools for hardening and securing Unix based Environments - System administrators are aware as how important their systems security is, not just the runtime of their servers. Intruders, spammers, DDOS attack, crackers, are all out there trying to get into people's computers, servers and everywhere they can lay hands on and interrupt the normal runtime of services.

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.


  Debian: 3353-1: openslp-dfsg: Summary (Sep 5)
 

Security Report Summary

  Debian: 3352-1: screen: Summary (Sep 4)
 

Security Report Summary

  Debian: 3351-1: chromium-browser: Summary (Sep 3)
 

Security Report Summary

  Debian: 3350-1: bind9: Summary (Sep 2)
 

Security Report Summary

  Debian: 3349-1: qemu-kvm: Summary (Sep 2)
 

Security Report Summary

  Debian: 3348-1: qemu: Summary (Sep 2)
 

Security Report Summary

  Debian: 3347-1: pdns: Summary (Sep 2)
 

Security Report Summary

  Debian: 3346-1: drupal7: Summary (Aug 31)
 

Security Report Summary


  Fedora 23 bind99-9.9.7-7.P3.fc23 (Sep 6)
 

Fixed https://bugzilla.redhat.com/show_bug.cgi?id=1259563https://bugzilla.redhat.com/show_bug.cgi?id=1259691

  Fedora 23 drupal6-ctools-1.14-1.fc23 (Sep 6)
 

**See [Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141.](https://www.drupal.org/node/2554145)** **This is anincremental security and bugfix release for ctools.** Looking to fix future D6CTools issues? Find japerry or merlinofchaos in #drupal-scotch, #drupal-contribute, or #drupal-panels -- and become a maintainer for D6 CTools. Changessince 6.x-1.13: * Harden AJAX link handling * Content type plugins do notproperly inherit "edit" permission * Various lint fixes * Fix typo * Issue\#2512850 by DamienMcKenna, mw4ll4c3: PHP 5.4+ compatibility * Issue \#2010124by davidwhthomas: ctools_access_get_loggedin_context doesn't fully load currentuser in context

  Fedora 23 drupal6-6.37-1.fc23 (Sep 6)
 

Maintenance and security release of the Drupal 6 series. This release fixes**security vulnerabilities**. Sites are [urged to upgradeimmediately](https://www.drupal.org/node/1494290) after reading the notes belowand the security announcement: [Drupal Core - Critical - MultipleVulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Noother fixes are included. No changes have been made to the .htaccess,robots.txt or default settings.php files in this release, so upgrading customversions of those files is not necessary. #### Known issues: None. #### Majorchanges since 6.36: * For security reasons, the autocomplete system now makesAjax requests to non-clean URLs only, although protection is also in place forcustom code that does so using clean URLs. There is a new form API #processfunction on autocomplete-enabled text fields that is required for theautocomplete functionality to work; custom and contributed modules should ensurethat they are not overriding this #process function accidentally when alteringtext fields on forms. Part of the security fix also includes changes totheme_textfield(); it is recommended that sites which override this themefunction make those changes as well (see the theme_textfield section of thisdiff for details). * When form API token validation fails (for example, when across-site request forgery attempt is detected, or a user tries to submit a formafter having logged out and back in again in the meantime), the form API nowskips calling form element value callbacks, except for a select list ofcallbacks provided by Drupal core that are known to be safe. In rare cases, thiscould lead to data loss when a user submits a form and receives a tokenvalidation error, but the overall effect is expected to be minor.

  Fedora 23 dnsperf-2.0.0.0-18.fc23 (Sep 6)
 

rebase to 9.10.3rc1 due to https://bugzilla.redhat.com/show_bug.cgi?id=1259690

  Fedora 23 bind-9.10.3-0.1.rc1.fc23 (Sep 6)
 

rebase to 9.10.3rc1 due to https://bugzilla.redhat.com/show_bug.cgi?id=1259690

  Fedora 23 bind-dyndb-ldap-8.0-3.fc23 (Sep 6)
 

rebase to 9.10.3rc1 due to https://bugzilla.redhat.com/show_bug.cgi?id=1259690

  Fedora 21 drupal6-views_bulk_operations-1.17-1.fc21 (Sep 6)
 

## 6.x-1.17 Fixes #2516976: Fix security issue and make release to bring backD6 releases.

  Fedora 21 php-twig-1.20.0-1.fc21 (Sep 6)
 

## 1.20.0 (2015-08-12) * forbid access to the Twig environment from templatesand internal parts of Twig_Template * fixed limited RCEs when in sandbox mode *deprecated Twig_Template::getEnvironment() * deprecated the _self variable forusage outside of the from and import tags * added Twig_BaseNodeVisitor to easethe compatibility of node visitors between 1.x and 2.x ## 1.19.0 (2015-07-31)* fixed wrong error message when including an undefined template in a childtemplate * added support for variadic filters, functions, and tests * addedsupport for extra positional arguments in macros * added ignore_missing flag tothe source function * fixed batch filter with zero items * deprecatedTwig_Environment::clearTemplateCache() * fixed sandbox disabling when using theinclude function

  Fedora 21 mingw-gdk-pixbuf-2.31.6-1.fc21 (Sep 6)
 

Security fix for CVE-2015-4491

  Fedora 21 gdk-pixbuf2-2.31.6-1.fc21 (Sep 6)
 

Security fix for CVE-2015-4491

  Fedora 21 drupal7-7.39-1.fc21 (Sep 6)
 

Updated to 7.39 * [Release notes](https://www.drupal.org/drupal-7.39-release-notes) * [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003)

  Fedora 21 drupal6-6.37-1.fc21 (Sep 6)
 

Maintenance and security release of the Drupal 6 series. This release fixes**security vulnerabilities**. Sites are [urged to upgradeimmediately](https://www.drupal.org/node/1494290) after reading the notes belowand the security announcement: [Drupal Core - Critical - MultipleVulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Noother fixes are included. No changes have been made to the .htaccess,robots.txt or default settings.php files in this release, so upgrading customversions of those files is not necessary. #### Known issues: None. #### Majorchanges since 6.36: * For security reasons, the autocomplete system now makesAjax requests to non-clean URLs only, although protection is also in place forcustom code that does so using clean URLs. There is a new form API #processfunction on autocomplete-enabled text fields that is required for theautocomplete functionality to work; custom and contributed modules should ensurethat they are not overriding this #process function accidentally when alteringtext fields on forms. Part of the security fix also includes changes totheme_textfield(); it is recommended that sites which override this themefunction make those changes as well (see the theme_textfield section of thisdiff for details). * When form API token validation fails (for example, when across-site request forgery attempt is detected, or a user tries to submit a formafter having logged out and back in again in the meantime), the form API nowskips calling form element value callbacks, except for a select list ofcallbacks provided by Drupal core that are known to be safe. In rare cases, thiscould lead to data loss when a user submits a form and receives a tokenvalidation error, but the overall effect is expected to be minor.

  Fedora 21 drupal6-ctools-1.14-1.fc21 (Sep 6)
 

**See [Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141.](https://www.drupal.org/node/2554145)** **This is anincremental security and bugfix release for ctools.** Looking to fix future D6CTools issues? Find japerry or merlinofchaos in #drupal-scotch, #drupal-contribute, or #drupal-panels -- and become a maintainer for D6 CTools. Changessince 6.x-1.13: * Harden AJAX link handling * Content type plugins do notproperly inherit "edit" permission * Various lint fixes * Fix typo * Issue\#2512850 by DamienMcKenna, mw4ll4c3: PHP 5.4+ compatibility * Issue \#2010124by davidwhthomas: ctools_access_get_loggedin_context doesn't fully load currentuser in context

  Fedora 22 drupal6-views_bulk_operations-1.17-1.fc22 (Sep 6)
 

## 6.x-1.17 Fixes #2516976: Fix security issue and make release to bring backD6 releases.

  Fedora 22 mingw-gdk-pixbuf-2.31.6-1.fc22 (Sep 6)
 

Security fix for CVE-2015-4491

  Fedora 22 gdk-pixbuf2-2.31.6-1.fc22 (Sep 6)
 

Security fix for CVE-2015-4491

  Fedora 22 drupal7-7.39-1.fc22 (Sep 6)
 

Updated to 7.39 * [Release notes](https://www.drupal.org/drupal-7.39-release-notes) * [Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003)

  Fedora 22 drupal6-ctools-1.14-1.fc22 (Sep 6)
 

**See [Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141.](https://www.drupal.org/node/2554145)** **This is anincremental security and bugfix release for ctools.** Looking to fix future D6CTools issues? Find japerry or merlinofchaos in #drupal-scotch, #drupal-contribute, or #drupal-panels -- and become a maintainer for D6 CTools. Changessince 6.x-1.13: * Harden AJAX link handling * Content type plugins do notproperly inherit "edit" permission * Various lint fixes * Fix typo * Issue\#2512850 by DamienMcKenna, mw4ll4c3: PHP 5.4+ compatibility * Issue \#2010124by davidwhthomas: ctools_access_get_loggedin_context doesn't fully load currentuser in context

  Fedora 22 drupal6-6.37-1.fc22 (Sep 6)
 

Maintenance and security release of the Drupal 6 series. This release fixes**security vulnerabilities**. Sites are [urged to upgradeimmediately](https://www.drupal.org/node/1494290) after reading the notes belowand the security announcement: [Drupal Core - Critical - MultipleVulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Noother fixes are included. No changes have been made to the .htaccess,robots.txt or default settings.php files in this release, so upgrading customversions of those files is not necessary. #### Known issues: None. #### Majorchanges since 6.36: * For security reasons, the autocomplete system now makesAjax requests to non-clean URLs only, although protection is also in place forcustom code that does so using clean URLs. There is a new form API #processfunction on autocomplete-enabled text fields that is required for theautocomplete functionality to work; custom and contributed modules should ensurethat they are not overriding this #process function accidentally when alteringtext fields on forms. Part of the security fix also includes changes totheme_textfield(); it is recommended that sites which override this themefunction make those changes as well (see the theme_textfield section of thisdiff for details). * When form API token validation fails (for example, when across-site request forgery attempt is detected, or a user tries to submit a formafter having logged out and back in again in the meantime), the form API nowskips calling form element value callbacks, except for a select list ofcallbacks provided by Drupal core that are known to be safe. In rare cases, thiscould lead to data loss when a user submits a form and receives a tokenvalidation error, but the overall effect is expected to be minor.

  Fedora 23 drupal6-6.37-1.fc23 (Sep 5)
 

Maintenance and security release of the Drupal 6 series. This release fixes**security vulnerabilities**. Sites are [urged to upgradeimmediately](https://www.drupal.org/node/1494290) after reading the notes belowand the security announcement: [Drupal Core - Critical - MultipleVulnerabilities - SA-CORE-2015-003](https://www.drupal.org/SA-CORE-2015-003) Noother fixes are included. No changes have been made to the .htaccess,robots.txt or default settings.php files in this release, so upgrading customversions of those files is not necessary. #### Known issues: None. #### Majorchanges since 6.36: * For security reasons, the autocomplete system now makesAjax requests to non-clean URLs only, although protection is also in place forcustom code that does so using clean URLs. There is a new form API #processfunction on autocomplete-enabled text fields that is required for theautocomplete functionality to work; custom and contributed modules should ensurethat they are not overriding this #process function accidentally when alteringtext fields on forms. Part of the security fix also includes changes totheme_textfield(); it is recommended that sites which override this themefunction make those changes as well (see the theme_textfield section of thisdiff for details). * When form API token validation fails (for example, when across-site request forgery attempt is detected, or a user tries to submit a formafter having logged out and back in again in the meantime), the form API nowskips calling form element value callbacks, except for a select list ofcallbacks provided by Drupal core that are known to be safe. In rare cases, thiscould lead to data loss when a user submits a form and receives a tokenvalidation error, but the overall effect is expected to be minor.

  Fedora 23 drupal6-ctools-1.14-1.fc23 (Sep 5)
 

**See [Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141.](https://www.drupal.org/node/2554145)** **This is anincremental security and bugfix release for ctools.** Looking to fix future D6CTools issues? Find japerry or merlinofchaos in #drupal-scotch, #drupal-contribute, or #drupal-panels -- and become a maintainer for D6 CTools. Changessince 6.x-1.13: * Harden AJAX link handling * Content type plugins do notproperly inherit "edit" permission * Various lint fixes * Fix typo * Issue\#2512850 by DamienMcKenna, mw4ll4c3: PHP 5.4+ compatibility * Issue \#2010124by davidwhthomas: ctools_access_get_loggedin_context doesn't fully load currentuser in context

  Fedora 23 bind99-9.9.7-7.P3.fc23 (Sep 5)
 

Fixed https://bugzilla.redhat.com/show_bug.cgi?id=1259563https://bugzilla.redhat.com/show_bug.cgi?id=1259691

  Fedora 22 ca-certificates-2015.2.5-1.0.fc22 (Sep 4)
 

This is an update to the set of CA certificates version 2.5 as released with NSSversion 3.19.3 However, as in previous versions of the ca-certificatespackage, the CA list has been modified to keep several legacy CAs still trustedfor compatibility reasons. Please refer to the project URL for details. Ifyou prefer to use the unchanged list provided by Mozilla, and if you accept anycompatibility issues it may cause, an administrator may configure the system byexecuting the "ca-legacy disable" command.

  Fedora 23 vorbis-tools-1.4.0-22.fc23 (Sep 4)
 

- oggenc: fix large alloca on bad AIFF input (CVE-2015-6749)

  Fedora 23 rolekit-0.4.0-4.rc1.fc23 (Sep 4)
 

rolekit-0.4.0-3.rc1.fc23 - Added support for installing roles throughkickstart - Added support for providing setting values through stdin - Enableddeploying Domain Controller and Database Server with no mandatory options -New API feature: sanitize() which will remove sensitive information from thesettings output (such as autogenerated passwords once they have been recorded)rolekit-0.4.0-4.rc1.fc23 - Fix permissions on role JSON settings files to avoidleaking sensitive info

  Fedora 23 libvdpau-1.1.1-1.fc23 (Sep 4)
 

Update to 1.1.1 Security fix for CVE-2015-5198, CVE-2015-5199, CVE-2015-5200

  Fedora 23 libwmf-0.2.8.4-46.fc23 (Sep 4)
 

libwmf-0.2.8.4-46.fc23 - Related: rhbz#1227244 CVE-2015-4696 fix patchcontext

  Fedora 22 struts-1.3.10-14.fc22 (Sep 4)
 

fix CVE-2015-0899

  Fedora 23 wireshark-1.12.7-2.fc23 (Sep 3)
 

- Enable libnl3 (see rhbz#1207386, rhbz#1247566) - Remove airpcap switch(doesn't have any effect on Linux) - Backport patch no. 11 - Fixedbuilding with F24+ * Ver. 1.12.7

  Fedora 23 qemu-2.4.0-2.fc23 (Sep 3)
 

* CVE-2015-5225: heap memory corruption in vnc_refresh_server_surface (bz#1255899)

  Fedora 22 mediawiki-1.25.2-2.fc22 (Sep 3)
 

* (T94116) SECURITY: Compare API watchlist token in constant time * (T97391)SECURITY: Escape error message strings in thumb.php * (T106893) SECURITY: Don'tleak autoblocked IP addresses on Special:DeletedContributions * (T102562) FixInstantCommons parameters to handle the new HTTPS-only policy of WikimediaCommons. * (T100767) Setting a configuration setting for skin or extension tofalse in LocalSettings.php was not working. * (T100635) API action=opensearchjson output no longer breaks when $wgDebugToolbar is enabled. * (T102522) Usingan extension.json or skin.json file which has a "manifest_version" property for1.26 compatability will no longer trigger warnings. * (T86156) RunningupdateSearchIndex.php will not throw an error as page_restrictions has beenadded to the locked table list. * Special:Version would throw notices if usingSVN due to an incorrectly named variable. Add an additional check that an indexis defined.

  Fedora 21 mediawiki-1.24.3-1.fc21 (Sep 3)
 

* (T94116) SECURITY: Compare API watchlist token in constant time * (T97391)SECURITY: Escape error message strings in thumb.php * (T106893) SECURITY: Don'tleak autoblocked IP addresses on Special:DeletedContributions * Update jQueryfrom v1.11.2 to v1.11.3. * (T102562) Fix InstantCommons parameters to handlethe new HTTPS-only policy of Wikimedia Commons.

  Fedora 23 erlang-17.4-5.fc23 (Sep 1)
 

Security fix for CVE-2015-2774

  Fedora 23 xen-4.5.1-6.fc23 (Sep 1)
 

Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166] QEMUleak of uninitialized heap memory in rtl8139 device model [XSA-140,CVE-2015-5165]

  Fedora 21 qemu-2.1.3-9.fc21 (Sep 1)
 

* Fix crash in qemu_spice_create_display (bz #1163047) * CVE-2015-3209: pcnet:multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254:out-of-bounds memory access (bz #1243728) * CVE-2015-5154: ide: atapi: heapoverflow during I/O buffer memory access (bz #1247141) * CVE-2015-5745: bufferoverflow in virtio-serial (bz #1251160) * CVE-2015-5165: rtl8139 uninitializedheap memory information leakage to guest (bz #1249755)

  Fedora 23 gnutls-3.4.4-1.fc23 (Aug 31)
 

new upstream release

  Fedora 23 ca-certificates-2015.2.5-1.0.fc23 (Aug 31)
 

This is an update to the set of CA certificates version 2.5 as released with NSSversion 3.19.3 However, as in previous versions of the ca-certificatespackage, the CA list has been modified to keep several legacy CAs still trustedfor compatibility reasons. Please refer to the project URL for details. Ifyou prefer to use the unchanged list provided by Mozilla, and if you accept anycompatibility issues it may cause, an administrator may configure the system byexecuting the "ca-legacy disable" command.


  Red Hat: 2015:1736-01: openshift: Moderate Advisory (Sep 3)
 

Updated openshift packages that fix one security issue are now available for Red Hat OpenShift Enterprise 3.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1723-01: openstack-nova: Moderate Advisory (Sep 3)
 

Updated openstack-nova packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7.0. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1718-01: qemu-kvm-rhev: Moderate Advisory (Sep 3)
 

Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1714-01: spice: Important Advisory (Sep 3)
 

An updated spice package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1715-01: spice-server: Important Advisory (Sep 3)
 

An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1712-01: chromium-browser: Important Advisory (Sep 3)
 

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1708-01: libXfont: Important Advisory (Sep 3)
 

An updated libXfont package that fixes three security issues is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1699-01: nss-softokn: Moderate Advisory (Sep 1)
 

Updated nss-softokn packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]

  Red Hat: 2015:1695-01: jakarta-taglibs-standard: Important Advisory (Aug 31)
 

Updated jakarta-taglibs-standard packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]

  Red Hat: 2015:1694-01: gdk-pixbuf2: Moderate Advisory (Aug 31)
 

Updated gdk-pixbuf2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]


  Slackware: 2015-246-01: seamonkey: Security Update (Sep 3)
 

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

  Slackware: 2015-245-01: bind: Security Update (Sep 2)
 

New bind packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]

  Slackware: 2015-244-01: gdk-pixbuf2: Security Update (Sep 1)
 

New gdk-pixbuf2 packages are available for Slackware 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]


  Ubuntu: 2731-1: Linux kernel vulnerability (Sep 3)
 

The system could be made to expose sensitive information.

  Ubuntu: 2734-1: Linux kernel vulnerability (Sep 3)
 

The system could be made to crash or run programs as an administrator.

  Ubuntu: 2733-1: Linux kernel (Trusty HWE) vulnerability (Sep 3)
 

The system could be made to crash or run programs as an administrator.

  Ubuntu: 2729-1: libvdpau vulnerabilities (Sep 3)
 

libvdpau could be made to run programs as an administrator.

  Ubuntu: 2730-1: OpenSLP vulnerabilities (Sep 3)
 

OpenSLP could be made to crash if it received specially crafted networktraffic.

  Ubuntu: 2728-1: Bind vulnerability (Sep 2)
 

Bind could be made to crash if it received specially crafted networktraffic.

  Ubuntu: 2727-1: GnuTLS vulnerabilities (Sep 1)
 

GnuTLS could be made to crash or run programs if it processed a speciallycrafted certificate.

  Ubuntu: 2726-1: Expat vulnerability (Aug 31)
 

Expat could be made to crash or run programs as your login if it opened aspecially crafted file.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.