Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration, and many are quite vulnerable to compromise. While specific configurations vary wildly with environment and use, there are general steps that can be taken to ensure basic security considerations are in place.




(Feb 7)

A buffer overflow vulnerability in Antiword could result in execution of arbitrary code or Denial of Service.

(Feb 7)

Multiple vulnerabilities have been found in Libav, allowing attackers to execute arbitrary code or cause Denial of Service.

(Feb 7)

Multiple integer overflow errors in libevent could result in execution of arbitrary code or Denial of Service.

(Feb 7)

An SSL session fixation vulnerability in nginx may allow remote attackers to obtain sensitive information.

(Feb 7)

Multiple vulnerabilities in tcpdump could result in execution of arbitrary code or Denial of Service.

(Feb 7)

Multiple vulnerabilities have been found in MediaWiki, the worst of which may allow remote attackers to execute arbitrary code.

(Feb 7)

Multiple vulnerabilities have been found in BIND, allowing remote attackers to cause a denial of service condition.

(Feb 6)

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.

(Feb 6)

A vulnerability has been found in mpg123, which could result in arbitrary code execution.


Mandriva: 2015:048: postgresql (Feb 12)

Multiple vulnerabilities have been discovered and corrected in postgresql: Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain [More...]

Mandriva: 2015:047: elfutils (Feb 12)

Updated elfutils packages fix security vulnerability: Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted [More...]

Mandriva: 2015:046: ntp (Feb 12)

Updated ntp packages fix security vulnerabilities: Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly [More...]

Mandriva: 2015:045: e2fsprogs (Feb 12)

Updated e2fsprogs packages fix security vulnerability: The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially [More...]

Mandriva: 2015:044: perl-Gtk2 (Feb 12)

A vulnerability has been discovered and corrected in perl-Gtk2: Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2 before 1.2495, where the code was freeing memory that gtk+ still holds onto and might access later. [More...]

Mandriva: 2015:043: otrs (Feb 10)

Updated otrs package fixes security vulnerability: An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured (CVE-2014-9324). [More...]

Mandriva: 2015:042: clamav (Feb 10)

Updated clamav packages fix security vulnerabilities: ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs: [More...]

Mandriva: 2015:041: cabextract (Feb 10)

Updated cabextract packages fix security vulnerability: Libmspack, a library to provide compression and decompression of some file formats used by Microsoft, is embedded in cabextract. A specially crafted cab file can cause cabextract to hang forever. If [More...]

Mandriva: 2015:040: zarafa (Feb 10)

Updated zarafa packages fix security vulnerability: Robert Scheck discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp (CVE-2014-9465). [More...]

Mandriva: 2015:039: glibc (Feb 10)

A vulnerability has been discovered and corrected in glibc: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors [More...]

Mandriva: 2015:037: vorbis-tools (Feb 6)

Updated vorbis-tools package fixes security vulnerability: oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file (CVE-2014-9640). [More...]

Mandriva: 2015:036: python-django (Feb 6)

Updated python-django packages fix security vulnerabilities: Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. Because CGI/WSGI gateways map header names to environ keys by upper-casing them and replacing '-' with '_', a client-supplied header such as X_Foo lands in the same key as a proxy-set X-Foo, so a remote attacker could possibly use this issue to spoof headers in certain environments (CVE-2015-0219). [More...]
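The following is an added example, not code from the Django project or the Mandriva advisory. It reproduces the header-name collision behind CVE-2015-0219 with a constructed set of request headers, and shows the mitigation of discarding client headers whose names contain an underscore before they are mapped into the WSGI environ (the approach Django took for its development server, and what nginx does by default with underscores_in_headers off). The header names, IP addresses and function names are illustrative assumptions.

```python
"""WSGI header-name collision (CVE-2015-0219): vulnerable mapping vs. hardened mapping.

CGI/WSGI gateways expose request headers to the application as environ keys
built from the header name: upper-cased, '-' replaced by '_', prefixed with
'HTTP_'.  A client-supplied 'X_Real_IP' therefore lands in the same slot as
the 'X-Real-IP' a trusted reverse proxy sets, letting the client spoof a
value the application believes came from infrastructure.

Added example, not Django's code.  Header names and addresses are constructed.
"""
from typing import Dict, List, Tuple

# Constructed request headers as a gateway would receive them.  The second
# X_Real_IP line is the attacker's attempt to collide with the proxy header.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example"),
    ("X-Real-IP", "203.0.113.5"),   # set by the trusted reverse proxy (constructed)
    ("X_Real_IP", "127.0.0.1"),     # injected by the client (constructed)
    ("User-Agent", "curl/7.38"),
]


def cgi_key(name: str) -> str:
    """Map a header name to its CGI/WSGI environ key, as gateways do."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(headers: List[Tuple[str, str]],
                  drop_underscore: bool = False) -> Dict[str, str]:
    """Build a WSGI-style environ from raw headers.

    drop_underscore=False reproduces the vulnerable behaviour: a later header
    overwrites an earlier one under the same key, so the client's X_Real_IP
    clobbers the proxy's X-Real-IP.  drop_underscore=True discards any header
    whose name contains '_' before mapping, so no collision is possible.
    """
    environ: Dict[str, str] = {}
    for name, value in headers:
        if drop_underscore and "_" in name:
            continue  # hypothetical hardening: refuse underscore header names
        environ[cgi_key(name)] = value
    return environ


def client_ip(environ: Dict[str, str]) -> str:
    """What an application trusting the proxy header would use as the client IP."""
    return environ.get("HTTP_X_REAL_IP", environ.get("REMOTE_ADDR", ""))


def demo() -> Tuple[str, str]:
    """Return (client IP seen via vulnerable mapping, via hardened mapping)."""
    vulnerable = build_environ(SAMPLE_HEADERS)
    hardened = build_environ(SAMPLE_HEADERS, drop_underscore=True)
    return client_ip(vulnerable), client_ip(hardened)


if __name__ == "__main__":
    spoofed, real = demo()
    print("vulnerable gateway sees client IP:", spoofed)
    print("hardened gateway sees client IP:  ", real)
```

Dropping the header at the first hop is the right place for the fix: once the gateway has flattened both spellings into one environ key, the application can no longer tell which source wrote it.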

Mandriva: 2015:035: libvirt (Feb 6)

Updated libvirt packages fix security vulnerability: The XML getters for save images and snapshot objects don't check ACLs for the VIR_DOMAIN_XML_SECURE flag and might possibly dump security sensitive information. A remote attacker able to establish [More...]

Mandriva: 2015:034: jasper (Feb 6)

Updated jasper packages fix security vulnerabilities: An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, [More...]

Mandriva: 2015:033: java-1.7.0-openjdk (Feb 6)

Updated java-1.7.0 packages fix security vulnerabilities: A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions [More...]

Mandriva: 2015:032: php (Feb 5)

Multiple vulnerabilities have been discovered and corrected in php: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during [More...]

Mandriva: 2015:028: aircrack-ng (Feb 5)

Updated aircrack-ng package fixes security vulnerabilities: An inconsistent length parameter in aireplay's tcp_test() in Aircrack-ng before 1.2-rc1 may lead to remote code execution (CVE-2014-8322). [More...]

Mandriva: 2015:030: bugzilla (Feb 5)

Updated bugzilla packages fix security vulnerability: Some code in Bugzilla does not use the three-argument form of open(), so an account with editcomponents permissions can inject commands into product names and other attributes [More...]

Mandriva: 2015:031: busybox (Feb 5)

Updated busybox packages fix security vulnerability: The modprobe command in busybox before 1.23.0 uses the basename of the module argument as the module to load, allowing arbitrary modules, even when some kernel subsystems try to prevent this (CVE-2014-9645). [More...]

Mandriva: 2015:029: binutils (Feb 5)

Multiple vulnerabilities have been found and corrected in binutils: Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause [More...]


Red Hat: 2015:0164-01: kernel: Moderate Advisory (Feb 10)

Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0166-01: subversion: Moderate Advisory (Feb 10)

Updated subversion packages that fix three security issues are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0163-01: chromium-browser: Important Advisory (Feb 10)

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0165-01: subversion: Moderate Advisory (Feb 10)

Updated subversion packages that fix two security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2015:0140-01: flash-plugin: Critical Advisory (Feb 6)

An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2015:0134-01: java-1.7.0-ibm: Critical Advisory (Feb 5)

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2015:0133-01: java-1.7.1-ibm: Critical Advisory (Feb 5)

Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2015:0136-01: java-1.5.0-ibm: Important Advisory (Feb 5)

Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2015:0135-01: java-1.6.0-ibm: Critical Advisory (Feb 5)

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security [More...]


Ubuntu: 2488-2: ClamAV vulnerability (Feb 12)

ClamAV could be made to crash or run programs if it processed a specially crafted file.

Ubuntu: 2499-1: PostgreSQL vulnerabilities (Feb 11)

Several security issues were fixed in PostgreSQL.

Ubuntu: 2498-1: Kerberos vulnerabilities (Feb 10)

Several security issues were fixed in Kerberos.

Ubuntu: 2495-1: Oxide vulnerabilities (Feb 10)

Several security issues were fixed in Oxide.

Ubuntu: 2497-1: NTP vulnerabilities (Feb 9)

Several security issues were fixed in NTP.