Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux-based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to ensure basic security considerations are in place.

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."


  (May 7)
 

Security Report Summary


  (May 6)
 

Security Report Summary

  (May 5)
 

Security Report Summary

  (May 4)
 

Security Report Summary

  (May 3)
 

Security Report Summary

  (May 2)
 

Security Report Summary


  (May 1)
 

Security Report Summary



  (May 8)
 

- Fix build for all versions; the previous try wasn't correct, and back with dpkg-perl-libexecdir.patch
- Revert location of dpkg/parsechangelog
- Security fix for CVE-2014-8625 and CVE-2015-0840

  (May 8)
 

- WordPress 4.2 "Powell". Upstream announcement: https://wordpress.org/news/2021/02/wordpress-is-freedom/
- WordPress 4.2.1 security release. Upstream announcement: https://wordpress.org/news/2015/04/wordpress-4-2-1/

  (May 8)
 

Fix for ARM-only CVE-2014-3152


  (May 8)
 

Fixes for security issues: rhbz#1205752, rhbz#1205753

  (May 8)
 

Security fix for CVE-2013-7398, CVE-2013-7397


  (May 8)
 

Security fix for CVE-2014-0225

  (May 8)
 

TestDisk 7.0 fixes several stack overflows. The new PhotoRec is faster; qphotorec is a Qt4 version of PhotoRec. Full release notes: https://www.cgsecurity.org/wiki/TestDisk_7.0_Release

  (May 4)
 

Fix CVE-2015-0295, CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860

  (May 4)
 

Update to 7.42.0, which fixes various CVEs

  (May 4)
 

Update to OpenSSL 1.0.2a, which fixes various CVEs

  (May 4)
 

Update to 1.6.3, which fixes CVE-2014-3591 and CVE-2015-0837

  (May 4)
 

Fix CVE-2014-9655 and CVE-2015-1547

  (May 4)
 

Release 1.3.3.10 with a fix for CVE-2015-1854

  (May 3)
 

Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients.
Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
Note that mod_copy is not loaded/enabled by default in the Fedora package.

  (May 3)
 

Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*.
Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
This update contains a backported fix for this issue. Note that mod_copy is not loaded/enabled by default in the Fedora package.

  (May 3)
 

The 4.0.1 stable update contains a number of important fixes across the tree.

  (May 3)
 

Security fix for bug 1216891

  (May 3)
 

Fixes CVE-2015-3420: SSL/TLS handshake failures leading to a crash of the login process.
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results sometimes if buffering was split in the middle of a UTF-8 character. This affected at least searching messages.
- String sanitization for some logged output wasn't done properly: UTF-8 text could have been truncated wrongly or the truncation may not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32 physical mailboxes could have caused crashes.

  (May 3)
 

ClamAV 0.98.7

This release contains new scanning features and bug fixes.
- Improvements to PDF processing: decryption, escape sequence handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by Kai Risku.
- Improve detections within xar/pkg files.

  (May 3)
 

Update to the latest stable release of ikiwiki. See for the list of changes.


  (May 2)
 

- Require credentials to match for NTLM re-use (CVE-2015-3143)
- Fix invalid write with a zero-length host name in URL (CVE-2015-3144)
- Fix invalid write in cookie path sanitization code (CVE-2015-3145)
- Close Negotiate connections when done (CVE-2015-3148)

  (May 2)
 

ClamAV 0.98.7

This release contains new scanning features and bug fixes.
- Improvements to PDF processing: decryption, escape sequence handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by Kai Risku.
- Improve detections within xar/pkg files.

  (May 2)
 

Information leak through XEN_DOMCTL_gettscinfo [XSA-132, CVE-2015-3340]


  (May 1)
 

Update to 1.6.3, which fixes CVE-2014-3591 and CVE-2015-0837

  (May 1)
 

Update to 7.42.0, which fixes various CVEs

  (May 1)
 

Fix CVE-2015-0295, CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860

  (May 1)
 

This update fixes CVE-2015-1860, a buffer overflow when loading some specific invalid GIF image files, which could be exploited for denial of service (application crash) and possibly even arbitrary code execution attacks. The security patch is backported from Qt 4. (Please note that Qt 3 is NOT vulnerable to the simultaneously published issues CVE-2015-1858 and CVE-2015-1859.)

  (May 1)
 

Update to OpenSSL 1.0.2a, which fixes various CVEs

  (May 1)
 

Fix CVE-2014-9655 and CVE-2015-1547


  (Apr 30)
 

- Update to 3.7.2
- CVE-2015-1868
External references: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/

  (Apr 30)
 

Update to new version 2.1.20. Fix dependency on python-dns.

  (Apr 30)
 

- Update to 3.4.4
- CVE-2015-1868
Release notes: https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-344
External references: https://doc.powerdns.com/md/security/powerdns-advisory-2015-01/

  (Apr 30)
 

Fix crash when too many connections are used

  (Apr 30)
 

Security fix for CVE-2015-1859, CVE-2015-1858, CVE-2015-1860

  (Apr 30)
 

R50f is a required security and bugfix release:
* Add a patch marker for vendor patch versioning to mksh.1
* SECURITY: make unset HISTFILE actually work
* Document some more issues with the current history code
* Remove some unused code
* RCSID-only sync with OpenBSD, for bogus and irrelevant changes
* Also disable field splitting for alias 'local=\typeset'
* Fix read -n-1 to not be identical to read -N-1
* Several fixes and improvements to lksh(1) and mksh(1) manpages
* More code (int