Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - Given the prevalence of Linux web servers globally, security is often touted as a strength of the platform for this purpose. However, a Linux-based web server is only as secure as its configuration, and many are quite vulnerable to compromise. While specific configurations vary widely between environments and uses, there are general steps that can be taken to ensure basic security considerations are in place.



Chromium (Feb 17)

Multiple vulnerabilities have been found in Chromium, the worst of which can allow remote attackers to cause a denial of service or gain escalated privileges.

Java SE (Feb 15)

Multiple vulnerabilities have been found in Oracle's Java SE Development Kit and Runtime Environment, the worst of which could lead to execution of arbitrary code.

GNU cpio (Feb 15)

Two vulnerabilities have been found in GNU cpio, the worst of which could result in execution of arbitrary code.

libpng (Feb 15)

Two vulnerabilities have been found in libpng, possibly resulting in execution of arbitrary code.


Mandriva: 2015:048: postgresql (Feb 12)

Multiple vulnerabilities have been discovered and corrected in postgresql: Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain [More...]

Mandriva: 2015:047: elfutils (Feb 12)

Updated elfutils packages fix a security vulnerability: a directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils allows remote attackers to write arbitrary files into the root directory via a / (slash) in a crafted [More...]
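The elfutils entry above describes a missing path check when long archive member names are resolved. The following is an added example written for this newsletter, not code from elfutils or Mandriva: a minimal reader for the GNU ar format that resolves names from the "//" long-name table and refuses any member name containing a path separator before it is used as an output path. The archive bytes are constructed inline, and the helper names (`iter_members`, `safe_output_path`, `extraction_plan`) are this example's own.

```python
import os
import struct

# Minimal GNU ar reader (added illustration, not elfutils code) that resolves
# long member names from the "//" table and refuses names that could escape
# the extraction directory.

AR_MAGIC = b"!<arch>\n"
AR_HDR = "16s12s6s6s8s10s2s"          # name, mtime, uid, gid, mode, size, fmag
AR_HDR_LEN = struct.calcsize(AR_HDR)  # 60 bytes


class UnsafeMemberName(ValueError):
    """Raised for a member name that must not be used as an output path."""


def parse_long_names(table: bytes) -> dict:
    """Parse the GNU '//' table: entries are 'name/\\n', keyed by byte offset."""
    names = {}
    pos = 0
    while pos < len(table):
        end = table.find(b"/\n", pos)
        if end < 0:
            raise ValueError("unterminated entry in long-name table")
        names[pos] = table[pos:end].decode("ascii")
        pos = end + 2
    return names


def member_name(raw: bytes, long_names: dict) -> str:
    """Turn the 16-byte header name into the real member name."""
    name = raw.rstrip(b" ").decode("ascii")
    if name.startswith("/") and name[1:].isdigit():   # "/NN": offset into the table
        off = int(name[1:])
        if off not in long_names:
            raise ValueError(f"long-name offset {off} does not start an entry")
        return long_names[off]
    return name[:-1] if name.endswith("/") else name  # GNU short names end in '/'


def safe_output_path(outdir: str, name: str) -> str:
    """Return outdir/name, or raise if name is not a plain file name inside outdir."""
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise UnsafeMemberName(repr(name))
    base = os.path.realpath(outdir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(dest) != base:          # second check after normalisation
        raise UnsafeMemberName(repr(name))
    return dest


def iter_members(archive: bytes):
    """Yield (name, data) for every regular member; the '//' table is consumed internally."""
    if not archive.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    long_names = {}
    pos = len(AR_MAGIC)
    while pos + AR_HDR_LEN <= len(archive):
        raw_name, _mtime, _uid, _gid, _mode, raw_size, fmag = struct.unpack(
            AR_HDR, archive[pos:pos + AR_HDR_LEN])
        if fmag != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        size = int(raw_size.decode("ascii").strip())
        data = archive[pos + AR_HDR_LEN:pos + AR_HDR_LEN + size]
        if len(data) != size:
            raise ValueError("truncated member")
        pos += AR_HDR_LEN + size + (size & 1)     # members are padded to even offsets
        if raw_name.rstrip(b" ") == b"//":
            long_names = parse_long_names(data)
            continue
        yield member_name(raw_name, long_names), data


def extraction_plan(archive: bytes, outdir: str) -> list:
    """(name, destination) per member; destination is None when the name was rejected."""
    plan = []
    for name, _data in iter_members(archive):
        try:
            plan.append((name, safe_output_path(outdir, name)))
        except UnsafeMemberName:
            plan.append((name, None))
    return plan


def _member(name: bytes, data: bytes) -> bytes:
    """Build one member header plus data (helper for the constructed archive)."""
    hdr = struct.pack(AR_HDR, name.ljust(16), b"0".ljust(12), b"0".ljust(6),
                      b"0".ljust(6), b"644".ljust(8),
                      str(len(data)).encode().ljust(10), b"`\n")
    return hdr + data + (b"\n" if len(data) & 1 else b"")


# Constructed sample: one honest long name and one that tries to climb out of outdir.
LONG_TABLE = b"legitimate_long_name.o/\n../../../tmp/owned/\n"
SAMPLE_ARCHIVE = (AR_MAGIC
                  + _member(b"//", LONG_TABLE)
                  + _member(b"short.o/", b"\x7fELF")
                  + _member(b"/0", b"ok")        # -> legitimate_long_name.o
                  + _member(b"/24", b"evil"))    # -> ../../../tmp/owned

if __name__ == "__main__":
    for name, dest in extraction_plan(SAMPLE_ARCHIVE, "out"):
        print(f"{name!r:28} -> {dest or 'REJECTED'}")
```

The name check and the realpath comparison are deliberately redundant: the first rejects anything that is not a bare file name, the second catches whatever a future change to the name logic might let through.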

Mandriva: 2015:046: ntp (Feb 12)

Updated ntp packages fix security vulnerabilities: Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly [More...]
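The ntp entry above concerns an extension-field length that the receiver trusted. As an added example, not ntpd's code or anything from Mandriva or the researchers named, here is a bounds-checked walk over the extension fields that follow the 48-byte NTP header. It assumes the caller passes only the extension-field region (header and any trailing MAC already removed); the sample buffers are constructed, not captured traffic, and the names `parse_extension_fields`, `classify` and `build_extension` are this example's own.

```python
import struct

# Added illustration (not ntpd's code): bounds-checked walk over the extension
# fields that follow the 48-byte NTP header. `ext` is assumed to hold only the
# extension-field region, i.e. the caller has already removed the header and
# any trailing MAC; that split is outside the scope of this example.

EXT_HDR_LEN = 4     # uint16 field type + uint16 field length (length covers the header)
MIN_EXT_LEN = 16    # RFC 5905 section 7.5: extension fields are at least 16 octets


class MalformedExtension(ValueError):
    """Raised when a field length does not fit the bytes actually received."""


def parse_extension_fields(ext: bytes) -> list:
    """Return [(field_type, value), ...]; raise instead of reading past the buffer."""
    fields = []
    pos = 0
    while pos < len(ext):
        remaining = len(ext) - pos
        if remaining < EXT_HDR_LEN:
            raise MalformedExtension(f"{remaining} trailing byte(s), no room for a field header")
        ftype, flen = struct.unpack_from("!HH", ext, pos)
        # Each check corresponds to one way an attacker-chosen length goes wrong.
        if flen < MIN_EXT_LEN:
            raise MalformedExtension(f"length {flen} below minimum {MIN_EXT_LEN} (zero would never advance)")
        if flen > remaining:
            raise MalformedExtension(f"length {flen} exceeds the {remaining} bytes remaining")
        if flen % 4:
            raise MalformedExtension(f"length {flen} is not a multiple of 4")
        fields.append((ftype, ext[pos + EXT_HDR_LEN:pos + flen]))
        pos += flen
    return fields


def classify(ext: bytes) -> str:
    """'ok' or 'rejected: <reason>' for one extension-field region."""
    try:
        parse_extension_fields(ext)
        return "ok"
    except MalformedExtension as exc:
        return f"rejected: {exc}"


def build_extension(ftype: int, value: bytes) -> bytes:
    """Encode one well-formed field: header + value, padded to 4 and to the 16-byte minimum."""
    total = max(MIN_EXT_LEN, (EXT_HDR_LEN + len(value) + 3) & ~3)
    return struct.pack("!HH", ftype, total) + value.ljust(total - EXT_HDR_LEN, b"\0")


# Constructed samples (not captured traffic).
GOOD = build_extension(0x0201, b"hello") + build_extension(0x0202, b"x" * 13)
CLAIMS_TOO_MUCH = struct.pack("!HH", 0x0201, 0xFFFF) + b"\0" * 12   # 16 bytes, claims 65535
CLAIMS_ZERO = struct.pack("!HH", 0x0201, 0) + b"\0" * 12             # would spin forever if trusted
STRAY_BYTE = GOOD + b"\x02"                                           # 1 byte, no header fits

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("too long", CLAIMS_TOO_MUCH),
                          ("zero", CLAIMS_ZERO), ("stray byte", STRAY_BYTE)]:
        print(f"{label:11} {classify(sample)}")
```

The order of the checks matters only for the error text; what matters for safety is that the declared length is compared against the bytes actually received before it is used to slice or advance, and that a length too small to advance the cursor is rejected rather than looped on.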

Mandriva: 2015:045: e2fsprogs (Feb 12)

Updated e2fsprogs packages fix security vulnerability: The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially [More...]

Mandriva: 2015:044: perl-Gtk2 (Feb 12)

A vulnerability has been discovered and corrected in perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2 before 1.2495, where the code was freeing memory that gtk+ still holds onto and might access later. [More...]


Red Hat: 2015:0246-01: openstack-glance: Important Advisory (Feb 19)

Updated openstack-glance packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 4.0 and Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6 and 7. [More...]


Slackware: seamonkey (Feb 16)

New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues. [More Info...]

Slackware: patch (Feb 16)

New patch packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

Slackware: sudo (Feb 16)

New sudo packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]


Ubuntu: 2504-1: NSS update (Feb 19)

NSS was updated to refresh the CA certificates bundle.

Ubuntu: 2503-1: Bind vulnerability (Feb 18)

Bind could be made to crash if it received specially crafted network traffic.

Ubuntu: 2502-1: unzip vulnerabilities (Feb 17)

unzip could be made to run programs if it opened a specially crafted file.

Ubuntu: 2501-1: PHP vulnerabilities (Feb 17)

Several security issues were fixed in PHP.

Ubuntu: 2500-1: X.Org X server vulnerabilities (Feb 17)

Several security issues were fixed in the X.Org X server.

Ubuntu: 2488-2: ClamAV vulnerability (Feb 12)

ClamAV could be made to crash or run programs if it processed a specially crafted file.