Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Peter Smith Releases Linux Network Security Online - Thanks so much to Peter Smith for announcing on linuxsecurity.com the release of his Linux Network Security book available free online. "In 2005 I wrote a book on Linux security. 8 years later and the publisher has gone out of business. Now that I'm free from restrictions on reproducing material from the book, I have decided to make the entire book available online."

Securing a Linux Web Server - Given the prevalence of Linux web servers globally, security is often touted as a strength of the platform for that purpose. However, a Linux based web server is only as secure as its configuration, and very often many are quite vulnerable to compromise. While specific configurations vary widely with environment and use, there are various general steps that can be taken to ensure basic security considerations are in place.


(Sep 25)

A parsing flaw related to functions and environments in Bash could allow attackers to inject code. The fix shipped in the packages listed as unaffected in GLSA 201409-09 was incomplete.

(Sep 24)

A parsing flaw related to functions and environments in Bash could allow attackers to inject code.

(Sep 19)

A vulnerability in libxml2 allows a remote attacker to cause Denial of Service.

(Sep 19)

A vulnerability in c-icap could result in Denial of Service.

(Sep 19)

Multiple vulnerabilities have been found in Chromium, the worst of which can allow remote attackers to cause Denial of Service.

(Sep 19)

Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code.


Mandriva: 2014:190: bash (Sep 26)

It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. An attacker could potentially use this flaw to override or bypass environment restrictions to execute shell commands. Certain [More...]

Mandriva: 2014:189: nss (Sep 25)

A vulnerability has been discovered and corrected in Mozilla NSS: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable [More...]

Mandriva: 2014:188: wireshark (Sep 25)

Updated wireshark packages fix security vulnerabilities: RTP dissector crash (CVE-2014-6421, CVE-2014-6422). MEGACO dissector infinite loop (CVE-2014-6423). [More...]

Mandriva: 2014:187: curl (Sep 25)

Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use [More...]

Mandriva: 2014:186: bash (Sep 24)

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue [More...]
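The two Mandriva bash summaries above describe the flaw and its incomplete first fix, but not how to tell whether a given bash binary is actually fixed. The probe script below is an added example written for this newsletter, not vendor code. It assumes the bash under test is on PATH (override with BASH_BIN) and reports "patched" or "vulnerable" for the original flaw (CVE-2014-6271) and for the follow-up to the incomplete fix (known as CVE-2014-7169, the issue the later bash updates in this issue address); it prints "no-bash" if no bash binary is found.

```shell
#!/bin/sh
# Added example: probe a bash binary for the Shellshock parsing flaw.
# Each check prints one word: vulnerable, patched or no-bash.

BASH_BIN="${BASH_BIN:-bash}"   # assumption: the bash to test is on PATH

check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    # An exported variable shaped like a function definition. A vulnerable
    # bash keeps parsing past the closing brace and runs the trailing
    # command (echo VULN) while importing the environment; a fixed bash
    # treats X as an ordinary string and prints nothing.
    out=$(env X='() { :;}; echo VULN' "$BASH_BIN" -c 'true' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    # After the first fix, a crafted definition could still leak a
    # redirection into the next command: "echo date" becomes "date > echo",
    # so a vulnerable bash leaves a file named "echo" in the working
    # directory. Run it in a scratch directory so nothing else is touched.
    tmp=$(mktemp -d) || { echo error; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$tmp"
    echo "$result"
}

# Stand-alone usage: report both results for the bash on this host.
printf 'CVE-2014-6271 (original flaw):   %s\n' "$(check_cve_2014_6271)"
printf 'CVE-2014-7169 (incomplete fix):  %s\n' "$(check_cve_2014_7169)"
```

Run it after applying the vendor update and again after any rollback; a host reporting "patched" for the first check but "vulnerable" for the second has only the first-round package installed and still needs the follow-up update listed in this issue.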

Mandriva: 2014:185: libgadu (Sep 24)

Updated libgadu packages fix security vulnerability: Libgadu before 1.12.0 was found to not be performing SSL certificate validation (CVE-2013-4488). [More...]

Mandriva: 2014:184: net-snmp (Sep 24)

Updated net-snmp packages fix security vulnerabilities: A remote denial-of-service flaw was found in the way snmptrapd handled certain SNMP traps when started with the -OQ option. If an attacker sent an SNMP trap containing a variable with a NULL type where an [More...]

Mandriva: 2014:183: phpmyadmin (Sep 24)

Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability [More...]

Mandriva: 2014:182: zarafa (Sep 24)

Updated zarafa packages fix security vulnerabilities: Robert Scheck reported that Zarafa's WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user's username and password [More...]

Mandriva: 2014:181: dump (Sep 24)

Updated dump packages fix security vulnerability: An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker [More...]

Mandriva: 2014:180: gnupg (Sep 22)

Updated gnupg packages fix security vulnerability: The gnupg program before version 1.4.16 is vulnerable to an ELGAMAL side-channel attack (CVE-2014-5270). [More...]


Red Hat: 2014:1307-01: nss: Important Advisory (Sep 26)

Updated nss packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2014:1306-01: bash: Important Advisory (Sep 25)

Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security [More...]

Red Hat: 2014:1294-01: bash: Critical Advisory (Sep 24)

Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat [More...]

Red Hat: 2014:1293-01: bash: Critical Advisory (Sep 24)

Updated bash packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security [More...]

Red Hat: 2014:1292-01: haproxy: Moderate Advisory (Sep 24)

An updated haproxy package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2014:1281-01: kernel: Moderate Advisory (Sep 22)

Updated kernel packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

Red Hat: 2014:1268-01: qemu-kvm-rhev: Moderate Advisory (Sep 22)

Updated qemu-kvm-rhev packages that fix multiple security issues are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. [More...]


(Sep 25)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]

(Sep 24)

New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue. [More Info...]

(Sep 24)

New bash packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]


Ubuntu: 2363-2: Bash vulnerability (Sep 25)

Bash allowed bypassing environment restrictions in certain environments.

Ubuntu: 2363-1: Bash vulnerability (Sep 25)

Bash allowed bypassing environment restrictions in certain environments.

Ubuntu: 2360-1: Firefox vulnerabilities (Sep 24)

Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.

Ubuntu: 2360-2: Thunderbird vulnerabilities (Sep 24)

Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.

Ubuntu: 2361-1: NSS vulnerability (Sep 24)

Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet.

Ubuntu: 2362-1: Bash vulnerability (Sep 24)

Bash allowed bypassing environment restrictions in certain environments.

Ubuntu: 2359-1: Linux kernel vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2355-1: Linux kernel (EC2) vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2356-1: Linux kernel vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2357-1: Linux kernel (OMAP4) vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2358-1: Linux kernel (Trusty HWE) vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2354-1: Linux kernel vulnerabilities (Sep 23)

Several security issues were fixed in the kernel.

Ubuntu: 2353-1: APT vulnerability (Sep 23)

APT could be made to crash or run programs if it received specially crafted network traffic.

Ubuntu: 2352-1: DBus vulnerabilities (Sep 22)

Several security issues were fixed in DBus.

Ubuntu: 2351-1: nginx vulnerability (Sep 22)

nginx could be made to expose sensitive information over the network.

Ubuntu: 2350-1: NSS update (Sep 22)

NSS was updated to refresh the CA certificates bundle.