Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - With the significant prevalence of Linux web servers globally, security is often touted as a strength of the platform for such a purpose. However, a Linux based web server is only as secure as its configuration and very often many are quite vulnerable to compromise. While specific configurations vary wildly due to environments or specific use, there are various general steps that can be taken to insure basic security considerations are in place.

(Oct 29)

Security Report Summary
(Oct 28)

Security Report Summary
(Oct 27)

Security Report Summary
(Oct 26)

Security Report Summary
(Oct 26)

Security Report Summary
(Oct 23)

Security Report Summary
Mandriva: 2014:212: wget (Oct 29)

Updated wget package fixes security vulnerability: Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP (CVE-2014-4877). [More...]
Mandriva: 2014:211: wpa_supplicant (Oct 29)

Updated wpa_supplicant packages fix security vulnerability: A vulnerability was found in the mechanism wpa_cli and hostapd_cli use for executing action scripts. An unsanitized string received from a remote device can be passed to a system() call resulting in arbitrary [More...]
Mandriva: 2014:210: mariadb (Oct 28)

Multiple vulnerabilities has been discovered and corrected in mariadb: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:INNODB DML FOREIGN KEYS [More...]
Mandriva: 2014:209: java-1.7.0-openjdk (Oct 24)

Multiple vulnerabilities has been discovered and corrected in java-1.7.0-openjdk: Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet [More...]
Mandriva: 2014:206: ctags (Oct 24)

Updated ctags package fixes security vulnerability: A denial of service issue was discovered in ctags 5.8. A remote attacker could cause excessive CPU usage and disk space consumption via a crafted JavaScript file by triggering an infinite loop [More...]
Mandriva: 2014:207: ejabberd (Oct 24)

Updated ejabberd packages fix security vulnerability: A flaw was discovered in ejabberd that allows clients to connect with an unencrypted connection even if starttls_required is set (CVE-2014-8760). [More...]
Mandriva: 2014:208: phpmyadmin (Oct 24)

Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.2.10.1, with a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries [More...]
Mandriva: 2014:205: lua (Oct 24)

Updated lua and lua5.1 packages fix security vulnerability: A heap-based overflow vulnerability was found in the way Lua handles varargs functions with many fixed parameters called with few arguments, leading to application crashes or, potentially, arbitrary code [More...]
Mandriva: 2014:204: libxml2 (Oct 23)

A vulnerability has been found and corrected in libxml2: A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by [More...]
Mandriva: 2014:203: openssl (Oct 23)

Multiple vulnerabilities has been discovered and corrected in openssl: OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade. Some client applications (such as browsers) will reconnect [More...]
Mandriva: 2014:202: php (Oct 23)

A vulnerability has been discovered and corrected in php: A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code [More...]
Red Hat: 2014:1768-01: php53: Important Advisory (Oct 30)

Updated php53 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
Red Hat: 2014:1767-01: php: Important Advisory (Oct 30)

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]
Red Hat: 2014:1764-01: wget: Moderate Advisory (Oct 30)

An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security [More...]
Red Hat: 2014:1763-01: kernel: Important Advisory (Oct 30)

Updated kernel packages that fix two security issues are now available for Red Hat Enterprise Linux 6.2 Advanced Update Support. Red Hat Product Security has rated this update as having Important security [More...]
Red Hat: 2014:1744-01: v8314-v8: Moderate Advisory (Oct 30)

Updated v8314-v8 packages that fix multiple security issues are now available for Red Hat Software Collections 1. Red Hat Product Security has rated this update as having Moderate security [More...]
Red Hat: 2014:1724-01: kernel: Important Advisory (Oct 28)

Updated kernel packages that fix several security issues and bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security [More...]
Red Hat: 2014:1668-01: kernel: Important Advisory (Oct 23)

Updated kernel packages that fix one security issue, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. [More...]
(Oct 29)

New wget packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
(Oct 24)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. [More Info...]
(Oct 24)

New glibc packages are available for Slackware 14.1 and -current to fix security issues. [More Info...]
Ubuntu: 2394-1: Linux kernel (Trusty HWE) vulnerabilities (Oct 30)

Several security issues were fixed in the kernel.
Ubuntu: 2395-1: Linux kernel vulnerabilities (Oct 30)

Several security issues were fixed in the kernel.
Ubuntu: 2393-1: Wget vulnerability (Oct 30)

Wget could be made to overwrite files.
Ubuntu: 2392-1: systemd-shim vulnerability (Oct 30)

A denial of service issue was fixed in systemd-shim.
Ubuntu: 2391-1: php5 vulnerabilities (Oct 30)

Several security issues were fixed in PHP.
Ubuntu: 2390-1: Pidgin vulnerabilities (Oct 28)

Several security issues were fixed in Pidgin.
Ubuntu: 2389-1: libxml2 vulnerability (Oct 27)

libxml2 could be made to consume resources if it processed a speciallycrafted file.
Ubuntu: 2388-2: OpenJDK 7 vulnerabilities (Oct 23)

Several security issues were fixed in OpenJDK 7.