Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

LinuxSecurity.com Feature Extras:

A Critical Exim Vulnerability, Lilocked Ransomware on the Rise, but Linux Not to Blame - Exim may be the Internets most popular email server, but the MTAs recent history with security vulnerabilities is concerning to say the least. This past Friday, the Exim team warned about a critical flaw in its software , affecting all Exim servers running version 4.92.1 and before. When exploited, the bug enables attackers to run malicious code with root privileges. Exim released version 4.92.2 on Friday, September 6, to address the issue, and recommends that users running a prior version of Exim update immediately.

Which Linux Distros Are Most Focused On Privacy? - With over 200 distros to choose from, which one actually offers the most privacy-oriented experience?

  Debian: DSA-4539-2: openssh regression update (Oct 7)
 

A change introduced in openssl 1.1.1d (which got released as DSA 4539-1) requires sandboxing features which are not available in Linux kernels before 3.19, resulting in OpenSSH rejecting connection attempts if running on an old kernel. This does not affect Linux kernels shipped in
  Debian: DSA-4542-1: jackson-databind security update (Oct 6)
 

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary
  Debian: DSA-4541-1: libapreq2 security update (Oct 4)
 

Max Kellermann reported a NULL pointer dereference flaw in libapreq2, a generic Apache request library, allowing a remote attacker to cause a denial of service against an application using the library (application crash) if an invalid nested "multipart" body is processed.
 
  Fedora 29: krb5 FEDORA-2019-dc4e1d0fb6 (Oct 10)
 

Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844) This is a purely denial-of-service issue, though it is unauthenticated, and is unlikely to trigger by accident.
  Fedora 29: SDL2 FEDORA-2019-8ef33a69ca (Oct 10)
 

Update to 2.0.10 to fix security issues.
  Fedora 29: suricata FEDORA-2019-ded15d6582 (Oct 9)
 

This is a bugfix release where some of the bugs fixed are security bugs. Please update.
  Fedora 30: suricata FEDORA-2019-fddfb520ec (Oct 9)
 

This is a bugfix release where some of the bugs fixed are security bugs. Please update.
  Fedora 30: chromium FEDORA-2019-e53c0c7765 (Oct 8)
 

Chromium 77.0.3865.90 update. See the official announcement on https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop.html and https://chromereleases.googleblog.com/2019/09/stable-channel-update-for-desktop_18.html
  Fedora 31: kernel-tools FEDORA-2019-b1de72b00b (Oct 7)
 

Linux 5.3.4
  Fedora 31: kernel FEDORA-2019-b1de72b00b (Oct 7)
 

Linux 5.3.4
  Fedora 31: kernel-headers FEDORA-2019-b1de72b00b (Oct 7)
 

Linux 5.3.4
  Fedora 31: runc FEDORA-2019-bd4843561c (Oct 7)
 

Resolves: #1757214, #1757290 - CVE-2019-16884 ---- add patch for cgroupsv2
  Fedora 31: cutter-re FEDORA-2019-e931422a81 (Oct 7)
 

- Rebase radare2 to 3.9.0 - Rebase cutter-re to 1.9.0 - Fix CVE-2019-14745 in radare2 on F31
  Fedora 31: radare2 FEDORA-2019-e931422a81 (Oct 7)
 

- Rebase radare2 to 3.9.0 - Rebase cutter-re to 1.9.0 - Fix CVE-2019-14745 in radare2 on F31
  Fedora 31: libdwarf FEDORA-2019-4fa597c615 (Oct 7)
 

Update to latest upstream release
  Fedora 31: suricata FEDORA-2019-52b360546c (Oct 7)
 

This is a bugfix release where some of the bugs fixed are security bugs. Please update.
  Fedora 31: golang FEDORA-2019-1b8cbd39ff (Oct 7)
 

* Rebase to 1.13.1 * Security fix for CVE-2019-16276
  Fedora 29: mbedtls FEDORA-2019-89891f3e4a (Oct 6)
 

- Update to 2.16.3 - Side channel attack on deterministic ECDSA (CVE-2019-16910) Release notes: https://www.trustedfirmware.org/projects/mbed-tls/ Security Advisory:

  Fedora 30: mbedtls FEDORA-2019-07940971b2 (Oct 6)
 

- Update to 2.16.3 - Side channel attack on deterministic ECDSA (CVE-2019-16910) Release notes: https://www.trustedfirmware.org/projects/mbed-tls/ Security Advisory:

  Fedora 31: exim FEDORA-2019-e080507ba5 (Oct 6)
 

This is an update fixing CVE-2019-16928.
  Fedora 31: znc FEDORA-2019-233d9b9a5e (Oct 6)
 

Update to 1.7.5 ---- Fixes CVE-2019-12816
  Fedora 31: scapy FEDORA-2019-20d6b8f9c4 (Oct 5)
 

bugfix bump to version 2.4.3
  Fedora 29: mosquitto FEDORA-2019-d99e2329cb (Oct 4)
 

1.6.7 Fix potential crash when reloading config. Client library: * Don't use / in autogenerated client ids, to avoid confusing with topics. * Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of
  Fedora 30: mosquitto FEDORA-2019-8b83c261dd (Oct 4)
 

1.6.7 Fix potential crash when reloading config. Client library: * Don't use / in autogenerated client ids, to avoid confusing with topics. * Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of
  Fedora 31: mosquitto FEDORA-2019-4c69fb4cd7 (Oct 4)
 

1.6.7 Fix potential crash when reloading config. Client library: * Don't use / in autogenerated client ids, to avoid confusing with topics. * Fix mosquitto_max_inflight_messages_set() and mosquitto_int_option(..., MOSQ_OPT_*_MAX, ...) behaviour. * Fix regression on use of
 
  RedHat: RHSA-2019-3024:01 Moderate: ovirt-web-ui security and bug fix update (Oct 10)
 

An update for ovirt-web-ui is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
  RedHat: RHSA-2019-3023:01 Moderate: ovirt-engine-ui-extensions security and (Oct 10)
 

An update for ovirt-engine-ui-extensions is now available for Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
  RedHat: RHSA-2019-3011:01 Moderate: Red Hat Virtualization security, bug fix, (Oct 10)
 

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
  RedHat: RHSA-2019-3002:01 Important: Red Hat FIS 2.0 on Fuse 6.3.0 R13 (Oct 10)
 

An update is now available for Red Hat Fuse Integration Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
  RedHat: RHSA-2019-2998:01 Important: Red Hat OpenShift Application Runtimes (Oct 10)
 

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
  RedHat: RHSA-2019-2995:01 Important: Red Hat A-MQ Broker 7.5 release and (Oct 10)
 

Red Hat A-MQ Broker 7.5 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
  RedHat: RHSA-2019-2975:01 Important: kernel security and bug fix update (Oct 8)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2980:01 Important: python security update (Oct 8)
 

An update for python is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2978:01 Important: polkit security update (Oct 8)
 

An update for polkit is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2979:01 Important: wget security update (Oct 8)
 

An update for wget is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2977:01 Important: bind security update (Oct 8)
 

An update for bind is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2973:01 Important: Red Hat JBoss Enterprise Application (Oct 7)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6, 7, and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2974:01 Important: Red Hat JBoss Enterprise Application (Oct 7)
 

A security update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2966:01 Important: Red Hat Quay v3.1.1 security update (Oct 3)
 

Updated Quay packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
  RedHat: RHSA-2019-2964:01 Important: patch security update (Oct 3)
 

An update for patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
 
  SUSE: 2019:2622-1 important: libopenmpt (Oct 9)
 

An update that fixes one vulnerability is now available.
  SUSE: 2019:1487-2 moderate: python-requests (Oct 9)
 

An update that fixes one vulnerability is now available.
  SUSE: 2019:2620-1 important: MozillaFirefox (Oct 9)
 

An update that fixes 38 vulnerabilities is now available.
  SUSE: 2019:14190-1 moderate: dnsmasq (Oct 8)
 

An update that solves one vulnerability and has one errata is now available.
  SUSE: 2019:2600-1 important: the Linux Kernel (Live Patch 27 for SLE 12 SP3) (Oct 8)
 

An update that fixes two vulnerabilities is now available.
  SUSE: 2019:2613-1 important: the Linux Kernel (Live Patch 32 for SLE 12 SP1) (Oct 8)
 

An update that fixes one vulnerability is now available.
  SUSE: 2019:2617-1 moderate: kubernetes, patchinfo (Oct 8)
 

An update that fixes two vulnerabilities is now available.
  SUSE: 2019:2601-1 important: the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Oct 8)
 

An update that fixes two vulnerabilities is now available.
  SUSE: 2019:2572-1 important: the Linux Kernel (Live Patch 10 for SLE 15) (Oct 8)
 

An update that solves one vulnerability and has one errata is now available.
  SUSE: 2019:2558-1 moderate: compat-openssl098 (Oct 4)
 

An update that fixes two vulnerabilities is now available.
  SUSE: 2019:2559-1 moderate: nginx (Oct 4)
 

An update that fixes three vulnerabilities is now available.
  SUSE: 2019:2561-1 moderate: openssl-1_0_0 (Oct 4)
 

An update that solves two vulnerabilities and has one errata is now available.
  SUSE: 2019:2550-1 important: bind (Oct 4)
 

An update that solves one vulnerability and has two fixes is now available.
  SUSE: 2019:2536-1 moderate: sqlite3 (Oct 3)
 

An update that fixes one vulnerability is now available.
  SUSE: 2019:2533-1 moderate: sqlite3 (Oct 3)
 

An update that fixes one vulnerability is now available.
  SUSE: 2018:4088-3 important: git (Oct 3)
 

An update that fixes one vulnerability is now available.
 
  Ubuntu 4151-2: Python vulnerabilities (Oct 10)
 

Several security issues were fixed in Python.
  Ubuntu 4153-1: Octavia vulnerability (Oct 10)
 

Octavia could allow unintended access to network services.
  Ubuntu 4152-1: libsoup vulnerability (Oct 9)
 

libsoup could be made to crash if it received specially crafted network traffic.
  Ubuntu 4151-1: Python vulnerabilities (Oct 9)
 

Several security issues were fixed in Python.
  Ubuntu 4149-1: Unbound vulnerability (Oct 8)
 

Unbound could be made to crash if it received a specially crafted NOTIFY query.
  Ubuntu 4148-1: OpenEXR vulnerabilities (Oct 7)
 

Several security issues were fixed in OpenEXR.
  Ubuntu 4147-1: Linux kernel vulnerabilities (Oct 4)
 

Several security issues were fixed in the Linux kernel.
  Ubuntu 4146-2: ClamAV vulnerabilities (Oct 3)
 

Several security issues were fixed in ClamAV.
 
  Debian LTS: DLA-1956-1: ruby-openid security update (Oct 11)
 

ruby-openid performed discovery first, and then verification. This allowed an attacker to change the URL used for discovery and trick the server into connecting to the URL. This server in turn could be a private server not publicly accessible.
  Debian LTS: DLA-1954-1: lucene-solr security update (Oct 10)
 

A security vulnerability was discovered in lucene-solr, an enterprise search server. The DataImportHandler, an optional but popular module to pull in data
  Debian LTS: DLA-1953-1: clamav security update (Oct 10)
 

It was discovered that clamav, the open source antivirus engine, is affected by the following security vulnerabilities: CVE-2019-12625
  Debian LTS: DLA-1952-1: rsyslog security update (Oct 9)
 

It was discovered that there were two vulnerabilities in the rsyslog system/kernel logging daemon in the parsers for AIX and Cisco log messages respectfully.
  Debian LTS: DLA-1951-1: libtomcrypt security update (Oct 9)
 

It was discovered that there was a denial of service vulnerability in the libtomcrypt cryptographic library. An out-of-bounds read and crash could occur via carefully-crafted
  Debian LTS: DLA-1950-1: openjpeg2 security update (Oct 8)
 

A heap buffer overflow vulnerability was discovered in openjpeg2, the open-source JPEG 2000 codec. This vulnerability is caused by insufficient validation of width and height of image components in color_apply_icc_profile (src/bin/common/color.c). Remote attackers might leverage this vulnerability
  Debian LTS: DLA-1949-1: xen security update (Oct 8)
 

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, informations leaks or privilege escalation.
  Debian LTS: DLA-1948-1: ruby-mini-magick security update (Oct 7)
 

In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character
  Debian LTS: DLA-1942-2: phpbb3 regression update (Oct 7)
 

CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An
  Debian LTS: DLA-1947-1: libreoffice security update (Oct 6)
 

Several vulnerabilities were discovered in LibreOffice, the office productivity suite.
  Debian LTS: DLA-1946-1: novnc security update (Oct 5)
 

An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
  Debian LTS: DLA-1945-1: openconnect security update (Oct 3)
 

A vulnerability was discovered by Lukas Kupczyk of the Advanced Research Team at CrowdStrike Intelligence in OpenConnect, an open client for Cisco AnyConnect, Pulse, GlobalProtect VPN. A malicious HTTP server
  Debian LTS: DLA-1944-1: libapreq2 security update (Oct 3)
 

It was discovered that there was a remotely-exploitable null pointer dereference in libapreq2, a library for manipulating HTTP requests. For Debian 8 "Jessie", this issue has been fixed in libapreq2 version
 
  ArchLinux: 201910-5: ruby2.5: multiple issues (Oct 3)
 

The package ruby2.5 before version 2.5.7-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, cross-site scripting, denial of service and insufficient validation.
  ArchLinux: 201910-4: ruby-rdoc: cross-site scripting (Oct 3)
 

The package ruby-rdoc before version 6.1.2-1 is vulnerable to cross- site scripting.
  ArchLinux: 201910-3: systemd: access restriction bypass (Oct 3)
 

The package systemd before version 243.0-1 is vulnerable to access restriction bypass.
  ArchLinux: 201910-2: ruby: multiple issues (Oct 3)
 

The package ruby before version 2.6.5-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, denial of service and insufficient validation.
  ArchLinux: 201910-1: exim: arbitrary code execution (Oct 3)
 

The package exim before version 4.92.3-1 is vulnerable to arbitrary code execution.
 
  SciLinux: SLSA-2019-2964-1 Important: patch on SL7.x x86_64 (Oct 3)
 

patch: do_ed_script in pch.c does not block strings beginning with a ! character (CVE-2018-20969) * patch: OS shell command injection when processing crafted patch files (CVE-2019-13638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. SL7 x86_64 [More...]
 
  openSUSE: 2019:2306-1: important: libopenmpt (Oct 10)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2300-1: moderate: sqlite3 (Oct 8)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2298-1: moderate: sqlite3 (Oct 8)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2294-1: moderate: rust (Oct 8)
 

An update that solves two vulnerabilities and has two fixes is now available.
  openSUSE: 2019:2292-1: moderate: putty (Oct 8)
 

An update that fixes two vulnerabilities is now available.
  openSUSE: 2019:2286-1: moderate: lxc (Oct 7)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2288-1: moderate: singularity (Oct 7)
 

An update that solves one vulnerability and has one errata is now available.
  openSUSE: 2019:2280-1: moderate: libseccomp (Oct 7)
 

An update that solves one vulnerability and has two fixes is now available.
  openSUSE: 2019:2281-1: important: dovecot23 (Oct 7)
 

An update that fixes three vulnerabilities is now available.
  openSUSE: 2019:2279-1: moderate: jasper (Oct 7)
 

An update that fixes two vulnerabilities is now available.
  openSUSE: 2019:2278-1: important: dovecot23 (Oct 7)
 

An update that fixes three vulnerabilities is now available.
  openSUSE: 2019:2282-1: moderate: jasper (Oct 7)
 

An update that fixes two vulnerabilities is now available.
  openSUSE: 2019:2283-1: moderate: libseccomp (Oct 7)
 

An update that solves one vulnerability and has two fixes is now available.
  openSUSE: 2019:2276-1: moderate: putty (Oct 7)
 

An update that fixes two vulnerabilities is now available.
  openSUSE: 2019:2277-1: moderate: putty (Oct 7)
 

An update that fixes two vulnerabilities is now available.
  openSUSE: 2019:2271-1: important: php7 (Oct 6)
 

An update that solves two vulnerabilities and has one errata is now available.
  openSUSE: 2019:2263-1: important: bind (Oct 6)
 

An update that solves one vulnerability and has two fixes is now available.
  openSUSE: 2019:2260-1: important: MozillaFirefox (Oct 6)
 

An update that fixes 29 vulnerabilities is now available.
  openSUSE: 2019:2269-1: moderate: openssl-1_0_0 (Oct 6)
 

An update that solves two vulnerabilities and has one errata is now available.
  openSUSE: 2019:2259-1: moderate: python-numpy (Oct 6)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2264-1: moderate: nginx (Oct 6)
 

An update that fixes three vulnerabilities is now available.
  openSUSE: 2019:2265-1: important: bind (Oct 6)
 

An update that solves one vulnerability and has two fixes is now available.
  openSUSE: 2019:2268-1: moderate: openssl-1_0_0 (Oct 6)
 

An update that solves two vulnerabilities and has one errata is now available.
  openSUSE: 2019:2251-1: important: MozillaFirefox (Oct 5)
 

An update that fixes 29 vulnerabilities is now available.
  openSUSE: 2019:2248-1: important: MozillaThunderbird (Oct 4)
 

An update that fixes 27 vulnerabilities is now available.
  openSUSE: 2019:2249-1: important: MozillaThunderbird (Oct 4)
 

An update that fixes 27 vulnerabilities is now available.
  openSUSE: 2019:2247-1: moderate: mosquitto (Oct 3)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2245-1: moderate: lxc (Oct 3)
 

An update that fixes one vulnerability is now available.
  openSUSE: 2019:2244-1: moderate: rust (Oct 3)
 

An update that solves two vulnerabilities and has two fixes is now available.
 
  Mageia 2019-0293: xpdf security update (Oct 6)
 

The updated xpdf packages fix security vulnerabilities: An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)
  Mageia 2019-0292: thunderbird security update (Oct 3)
 

Updated thunderbird packages fix security vulnerability: Spoofing a message author via a crafted S/MIME message (CVE-2019-11755) It also fixes various other bugs, as listed in the releasenotes.