Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Linux: An OS Capable of Effectively Meeting the US Government's Security Needs Heading into 2020 - As Open Source has become increasingly mainstream and widely accepted for its numerous benefits, the use of Linux as a flexible, transparent and highly secure operating system has also increasingly become a prominent choice among corporations, educational institutions and government sectors alike. With national security concerns at an all-time high heading into 2020, it appears that the implementation of Linux could effectively meet the United States government's critical security needs for application development and installations.

Linux Kernel Security in a Nutshell: How to Secure Your Linux System - The Linux kernel is the core component of the Linux operating system, maintaining complete control over everything in the system. It is the interface between applications and data processing at the hardware level, connecting the system hardware to the application software. The kernel manages input/output requests from software, memory, processes, peripherals and security, among other hefty responsibilities. Needless to say, the Linux kernel is pretty important.


  Debian: DSA-4596-1: tomcat8 security update (Dec 27)

Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.

  Debian: DSA-4595-1: debian-lan-config security update (Dec 27)

It was discovered that debian-lan-config, a FAI config space for the Debian-LAN system, configured overly permissive ACLs for the Kerberos admin server, which allowed password changes for other user principals.

  Debian: DSA-4594-1: openssl1.0 security update (Dec 27)

Guido Vranken discovered an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. For the oldstable distribution (stretch), this problem has been fixed

  Debian: DSA-4593-1: freeimage security update (Dec 27)

It was found that freeimage, a graphics library, was affected by the following two security issues: CVE-2019-12211

  Debian: DSA-4592-1: mediawiki security update (Dec 27)

It was discovered that the Title blacklist functionality in MediaWiki, a website engine for collaborative work, could be bypassed. For the oldstable distribution (stretch), this problem has been fixed


  RedHat: RHSA-2020-0006:01 Moderate: java-1.8.0-ibm security update (Jan 2)

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2020-0005:01 Important: chromium-browser security update (Jan 2)

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-0002:01 Important: rh-git218-git security update (Jan 2)

An update for rh-git218-git is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,


  SUSE: 2020:0001-1 moderate: java-1_8_0-ibm (Jan 2)

An update that fixes 16 vulnerabilities is now available.

  SUSE: 2020:0002-1 moderate: openssl-1_1 (Jan 2)

An update that solves one vulnerability and has three fixes is now available.

  SUSE: 2019:3394-1 moderate: python-azure-agent (Dec 30)

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2019:3393-1 moderate: python-azure-agent (Dec 30)

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2019:3395-1 moderate: mozilla-nspr, mozilla-nss (Dec 30)

An update that fixes three vulnerabilities is now available.

  SUSE: 2019:3391-1 moderate: dia (Dec 27)

An update that fixes one vulnerability is now available.

  SUSE: 2019:3389-1 important: the Linux Kernel (Dec 27)

An update that solves 24 vulnerabilities and has 75 fixes is now available.

  SUSE: 2019:3392-1 moderate: libgcrypt (Dec 27)

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2019:3390-1 moderate: dia (Dec 27)

An update that fixes one vulnerability is now available.


  Debian LTS: DLA-2056-1: waitress security update (Jan 1)

It was discovered that there was an HTTP request smuggling vulnerability in waitress, a pure-Python WSGI server. If a proxy server is used in front of waitress, an invalid request

  Debian LTS: DLA-1931-2: libgcrypt20 regression update (Jan 1)

It was discovered that the fix to address an ECDSA timing attack in the libgcrypt20 cryptographic library was incomplete. For Debian 8 "Jessie", this issue has been fixed in libgcrypt20

  Debian LTS: DLA-2053-1: otrs2 security update (Jan 1)

An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, which are in a queue where the attacker doesn't have permissions.

  Debian LTS: DLA-2054-1: jhead security update (Dec 31)

Multiple buffer overflows have been fixed in jhead, a program to manipulate the non-image part of Exif compliant JPEG files. For Debian 8 "Jessie", these problems have been fixed in version

  Debian LTS: DLA-2055-1: igraph security update (Dec 31)

An issue has been found in igraph, a library for creating and manipulating graphs. A NULL pointer dereference vulnerability was detected in

  Debian LTS: DLA-2052-1: libbsd security update (Dec 30)

An issue has been found in libbsd, a package containing utility functions from BSD systems.

  Debian LTS: DLA-2051-1: intel-microcode security update (Dec 30)

This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the TAA (TSX Asynchronous Abort) vulnerability. For affected CPUs, to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages as released in

  Debian LTS: DLA-2050-1: php5 security update (Dec 29)

Several security bugs have been identified and fixed in php5, a server-side, HTML-embedded scripting language. The affected components include the exif module and handling of filenames

  Debian LTS: DLA-2049-1: imagemagick security update (Dec 29)

Multiple vulnerabilities have been found in imagemagick, an image processing toolkit. CVE-2019-19948

  Debian LTS: DLA-2048-1: libxml2 security update (Dec 28)

It was discovered that there was a potential denial of service vulnerability in libxml2, the GNOME XML parsing library. For Debian 8 "Jessie", this issue has been fixed in libxml2 version


  openSUSE: 2019:2710-1: moderate: spectre-meltdown-checker (Dec 31)

An update that fixes two vulnerabilities is now available.

  openSUSE: 2019:2712-1: important: chromium (Dec 31)

An update that fixes one vulnerability is now available.

  openSUSE: 2019:2709-1: moderate: LibreOffice (Dec 31)

An update that solves one vulnerability and has three fixes is now available.


  Mageia 2019-0422: xpdf security update (Dec 31)

The updated packages fix a security vulnerability: Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because Catalog.pageLabels is initialized too late in the Catalog constructor. (CVE-2019-17064)

  Mageia 2019-0421: hunspell security update (Dec 31)

Updated hunspell packages fix a security vulnerability: Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx (CVE-2019-16707).

  Mageia 2019-0420: roundcubemail security update (Dec 31)

The updated package fixes a security vulnerability: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. (CVE-2019-15237)

  Mageia 2019-0419: pdfresurrect security update (Dec 31)

The updated pdfresurrect package fixes security vulnerabilities: PDFResurrect 0.15 has a buffer overflow via a crafted PDF file because data associated with startxref and %%EOF is mishandled (CVE-2019-14267).

  Mageia 2019-0418: clamav security update (Dec 31)

The updated packages fix an issue: Wrong permissions on /etc/freshclam.conf prevent freshclam usage with an authenticated proxy. (rhbz#1733112)

  Mageia 2019-0417: filezilla security update (Dec 31)

Updated filezilla packages fix bugs and a security vulnerability: Filenames containing double-quotation marks were not escaped correctly when selected for opening/editing. Depending on the associated program, parts of the filename could be interpreted as commands.

  Mageia 2019-0416: libidn2 security update (Dec 31)

Updated libidn2 packages fix security vulnerabilities: It was discovered that Libidn2 incorrectly handled certain inputs. An attacker could possibly use this issue to impersonate domains (CVE-2019-12290).

  Mageia 2019-0415: exiv2 security update (Dec 31)

The updated packages fix security vulnerabilities: An integer overflow in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted PNG image file, because PngImage::readMetadata mishandles a zero value for iccOffset.