Thursday, September 30, 2021

OpenBSD Errata: September 30, 2021 (libressl)

An errata patch for LibreSSL has been released for OpenBSD 6.8 and
OpenBSD 6.9.

Compensate for the expiry of the DST Root X3 certificate. The use of an
unnecessary expired certificate in certificate chains can cause validation
errors.
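As an added stand-alone check (not part of the OpenBSD errata or of LibreSSL's code), the scanner below walks a served certificate chain with a minimal stdlib-only DER reader, pulls each certificate's issuer, subject and validity, and reports every certificate already expired at a reference time, marking self-signed ones: a chain that still carries an expired self-signed root is the condition this patch compensates for. The certificates it runs on are a constructed, unsigned fixture with made-up names, not the real DST Root X3 chain.

```python
import base64
import datetime as dt
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def utc(y, m, d, hh=0, mm=0, ss=0):
    """Timezone-aware UTC datetime, used for reference times."""
    return dt.datetime(y, m, d, hh, mm, ss, tzinfo=dt.timezone.utc)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_cert(der):
    """Return (issuer, subject, not_before, not_after) from one DER certificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    fields = children(children(cert)[0][1])  # tbsCertificate elements, in order
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (t1, nb), (t2, na) = children(validity)
    return issuer, subject, parse_time(t1, nb), parse_time(t2, na)

def load_chain(data):
    """DER certificates of a PEM bundle, or [data] if data is already raw DER."""
    blocks = PEM_RE.findall(data)
    return [base64.b64decode(b) for b in blocks] if blocks else [data]

def expired_in_chain(data, now):
    """List (index, is_self_signed, not_after) for every cert expired at `now`."""
    hits = []
    for i, der in enumerate(load_chain(data)):
        issuer, subject, _, not_after = parse_cert(der)
        if not_after < now:
            hits.append((i, issuer == subject, not_after))   # raw Name bytes compared
    return hits

# --- constructed fixture: unsigned, certificate-shaped DER, not real certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String cn } } }"""
    cn_oid = _der(0x06, b"\x55\x04\x03")
    return _der(0x30, _der(0x31, _der(0x30, cn_oid + _der(0x0C, cn.encode()))))

def _utctime(d):
    return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(subject, issuer, not_before, not_after):
    """Build a v3 certificate skeleton; key and signature fields are stubs."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                   # version v3
           + _der(0x02, b"\x01")                               # serialNumber
           + alg + _name(issuer)
           + _der(0x30, _utctime(not_before) + _utctime(not_after))
           + _name(subject)
           + _der(0x30, b""))                                  # subjectPublicKeyInfo stub
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

def to_pem(ders):
    """Wrap DER certificates as a PEM bundle (fixture helper)."""
    return b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(d)
                    + b"\n-----END CERTIFICATE-----\n" for d in ders)

# Chain shaped like the 2021 case: every certificate above the last one is still
# valid, but the self-signed old root appended at the end expired on 2021-09-30.
SAMPLE_CHAIN = to_pem([
    make_cert("leaf.example (constructed)", "Intermediate (constructed)",
              utc(2021, 8, 1), utc(2021, 10, 30)),
    make_cert("Intermediate (constructed)", "Old Root (constructed)",
              utc(2020, 9, 4), utc(2025, 9, 15)),
    make_cert("Old Root (constructed)", "Old Root (constructed)",
              utc(2000, 9, 30), utc(2021, 9, 30)),
])
```

Running `expired_in_chain(SAMPLE_CHAIN, utc(2021, 10, 1))` reports only the trailing self-signed root; the same chain minus that root is clean, which is the shape operators were asked to serve once the old root expired.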

Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata pages:

https://www.openbsd.org/errata68.html
https://www.openbsd.org/errata69.html

[USN-5094-2] Linux kernel (Raspberry Pi) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5094-2
September 30, 2021

linux-raspi2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi2: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly perform reference counting in some situations,
leading to a use-after-free vulnerability. An attacker who could start and
control a VM could possibly use this to expose sensitive information or
execute arbitrary code. (CVE-2021-22543)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

Alois Wohlschlager discovered that the overlay file system in the Linux
kernel did not restrict private clones in some situations. An attacker
could use this to expose sensitive information. (CVE-2021-3732)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1096-raspi2 4.15.0-1096.102
linux-image-raspi2 4.15.0.1096.94

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5094-2
https://ubuntu.com/security/notices/USN-5094-1
CVE-2021-22543, CVE-2021-3679, CVE-2021-3732, CVE-2021-38204,
CVE-2021-38205

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1096.102

[USN-5091-2] Linux kernel (Raspberry Pi) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5091-2
September 30, 2021

linux-raspi, linux-raspi-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems

Details:

Ofek Kirzner, Adam Morrison, Benedict Schlueter, and Piotr Krysiuk
discovered that the BPF verifier in the Linux kernel missed possible
mispredicted branches due to type confusion, allowing a side-channel
attack. An attacker could use this to expose sensitive information.
(CVE-2021-33624)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

Michael Wakabayashi discovered that the NFSv4 client implementation in the
Linux kernel did not properly order connection setup operations. An
attacker controlling a remote NFS server could use this to cause a denial
of service on the client. (CVE-2021-38199)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.4.0-1044-raspi 5.4.0-1044.48
linux-image-raspi 5.4.0.1044.79
linux-image-raspi2 5.4.0.1044.79

Ubuntu 18.04 LTS:
linux-image-5.4.0-1044-raspi 5.4.0-1044.48~18.04.1
linux-image-raspi-hwe-18.04 5.4.0.1044.47

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5091-2
https://ubuntu.com/security/notices/USN-5091-1
CVE-2021-33624, CVE-2021-3679, CVE-2021-38160, CVE-2021-38199,
CVE-2021-38204

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1044.48
https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1044.48~18.04.1

Wednesday, September 29, 2021

[USN-5096-1] Linux kernel (OEM) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5096-1
September 29, 2021

linux-oem-5.13 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-5.13: Linux kernel for OEM systems

Details:

Valentina Palmiotti discovered that the io_uring subsystem in the Linux
kernel could be coerced to free adjacent memory. A local attacker could use
this to execute arbitrary code. (CVE-2021-41073)

Benedict Schlueter discovered that the BPF subsystem in the Linux kernel
did not properly protect against Speculative Store Bypass (SSB) side-
channel attacks in some situations. A local attacker could possibly use
this to expose sensitive information. (CVE-2021-34556)

Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not
properly protect against Speculative Store Bypass (SSB) side-channel
attacks in some situations. A local attacker could possibly use this to
expose sensitive information. (CVE-2021-35477)

Murray McAllister discovered that the joystick device interface in the
Linux kernel did not properly validate data passed via an ioctl(). A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code on systems with a joystick device
registered. (CVE-2021-3612)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

It was discovered that the Option USB High Speed Mobile device driver in
the Linux kernel did not properly handle error conditions. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2021-37159)

Alois Wohlschlager discovered that the overlay file system in the Linux
kernel did not restrict private clones in some situations. An attacker
could use this to expose sensitive information. (CVE-2021-3732)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

It was discovered that the BPF subsystem in the Linux kernel contained an
integer overflow in its hash table implementation. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2021-38166)

Michael Wakabayashi discovered that the NFSv4 client implementation in the
Linux kernel did not properly order connection setup operations. An
attacker controlling a remote NFS server could use this to cause a denial
of service on the client. (CVE-2021-38199)

It was discovered that the Sun RPC implementation in the Linux kernel
contained an out-of-bounds access error. A remote attacker could possibly
use this to cause a denial of service (system crash). (CVE-2021-38201)

It was discovered that the NFS server implementation in the Linux kernel
contained an out-of-bounds read when the trace event framework is being used
for nfsd. A remote attacker could possibly use this to cause a denial of
service (system crash). (CVE-2021-38202)

Naohiro Aota discovered that the btrfs file system in the Linux kernel
contained a race condition in situations that triggered allocations of new
system chunks. A local attacker could possibly use this to cause a denial
of service (deadlock). (CVE-2021-38203)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)

It was discovered that the ext4 file system in the Linux kernel contained a
race condition when writing xattrs to an inode. A local attacker could use
this to cause a denial of service or possibly gain administrative
privileges. (CVE-2021-40490)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.13.0-1014-oem 5.13.0-1014.18
linux-image-oem-20.04c 5.13.0.1014.18

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5096-1
CVE-2021-34556, CVE-2021-35477, CVE-2021-3612, CVE-2021-3679,
CVE-2021-37159, CVE-2021-3732, CVE-2021-38160, CVE-2021-38166,
CVE-2021-38199, CVE-2021-38201, CVE-2021-38202, CVE-2021-38203,
CVE-2021-38204, CVE-2021-38205, CVE-2021-40490, CVE-2021-41073

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.13/5.13.0-1014.18

[USN-5095-1] Apache Commons IO vulnerability

==========================================================================
Ubuntu Security Notice USN-5095-1
September 29, 2021

commons-io vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Apache Commons IO could be made to expose sensitive information if it
received a specially crafted input.

Software Description:
- commons-io: Common useful IO related classes

Details:

It was discovered that Apache Commons IO incorrectly handled certain inputs.
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libcommons-io-java 2.6-2ubuntu0.20.04.1

Ubuntu 18.04 LTS:
libcommons-io-java 2.6-2ubuntu0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5095-1
CVE-2021-29425

Package Information:
https://launchpad.net/ubuntu/+source/commons-io/2.6-2ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/commons-io/2.6-2ubuntu0.18.04.1

F36 Change: PHP 8.1 (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/php81

== Summary ==
Update the PHP stack in Fedora to the latest version, 8.1.x

== Owner ==
* Name: [[User:Remi| Remi Collet]] and [[SIGs/PHP|PHP SIG]]
* Email: remi at fedoraproject dot org


== Current status ==
* A testing module is available in my
[https://blog.remirepo.net/post/2021/09/02/PHP-on-the-road-to-the-8.1.0-release blog post]
* List of [https://github.com/remicollet/remirepo/issues/177
extensions compatibility list]
* [https://wiki.php.net/todo/php81 Upstream schedule for 8.1]

* Sep 30th 2020 PHP 8.1.0RC1 was released

== Detailed Description ==

Update the PHP stack in Fedora to the latest version, 8.1.x.

Fedora has a 6-month release cycle and PHP a 1-year one; the common practice for some years has been:
* 2 Fedora cycles for each PHP minor release (exceptions below)
* 3 Fedora cycles for the latest minor of a major (e.g. 5.6 or 7.4) to give more time
before the next major
* 1 Fedora cycle for the first release of a major (e.g. 7.0 or 8.0)


== Benefit to Fedora ==

Provides the latest PHP version to developers and system administrators.


== Scope ==
* Proposal owners: Check Koschei status. Test with latest version to
ensure compatibility. Work with upstream on bug fixing. Needed mass
rebuild (C extensions) done by change owner.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A
* Policies and guidelines: N/A
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
N/A (not a System Wide Change)

== How To Test ==

* The PHP stack (extensions and libraries) is monitored by Koschei,
see the [https://apps.fedoraproject.org/koschei/groups/php?order_by=state%2C-started
Koschei PHP group]
* install and play with your web applications

== User Experience ==

Developers and system administrators will have the great benefit of
running the latest PHP version.


== Dependencies ==

All php-* packages (and some *-php)

== Contingency Plan ==
* Contingency mechanism: Drop packages that are not compatible.
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)

== Documentation ==

* [https://www.php.net/manual/en/migration80.php Migrating from PHP
8.0.x to PHP 8.1.x]
* [https://raw.githubusercontent.com/php/php-src/PHP-8.1/UPGRADING UPGRADING]
* [https://raw.githubusercontent.com/php/php-src/PHP-8.1/UPGRADING.INTERNALS
UPGRADING.INTERNALS]


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

[USN-5092-2] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5092-2
September 29, 2021

linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-signed-azure: Signed kernel image azure
- linux-azure-5.11: Linux kernel for Microsoft Azure cloud systems
- linux-hwe-5.11: Linux hardware enablement (HWE) kernel
- linux-oracle-5.11: Linux kernel for Oracle Cloud systems

Details:

Valentina Palmiotti discovered that the io_uring subsystem in the Linux
kernel could be coerced to free adjacent memory. A local attacker could use
this to execute arbitrary code. (CVE-2021-41073)

Ofek Kirzner, Adam Morrison, Benedict Schlueter, and Piotr Krysiuk
discovered that the BPF verifier in the Linux kernel missed possible
mispredicted branches due to type confusion, allowing a side-channel
attack. An attacker could use this to expose sensitive information.
(CVE-2021-33624)

Benedict Schlueter discovered that the BPF subsystem in the Linux kernel
did not properly protect against Speculative Store Bypass (SSB) side-
channel attacks in some situations. A local attacker could possibly use
this to expose sensitive information. (CVE-2021-34556)

Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not
properly protect against Speculative Store Bypass (SSB) side-channel
attacks in some situations. A local attacker could possibly use this to
expose sensitive information. (CVE-2021-35477)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

It was discovered that the Option USB High Speed Mobile device driver in
the Linux kernel did not properly handle error conditions. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2021-37159)

Alexey Kardashevskiy discovered that the KVM implementation for PowerPC
systems in the Linux kernel did not properly validate RTAS arguments in
some situations. An attacker in a guest VM could use this to cause a denial
of service (host OS crash) or possibly execute arbitrary code.
(CVE-2021-37576)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

Michael Wakabayashi discovered that the NFSv4 client implementation in the
Linux kernel did not properly order connection setup operations. An
attacker controlling a remote NFS server could use this to cause a denial
of service on the client. (CVE-2021-38199)

It was discovered that the Sun RPC implementation in the Linux kernel
contained an out-of-bounds access error. A remote attacker could possibly
use this to cause a denial of service (system crash). (CVE-2021-38201)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
linux-image-5.11.0-1017-azure 5.11.0-1017.18
linux-image-azure 5.11.0.1017.18

Ubuntu 20.04 LTS:
linux-image-5.11.0-1017-azure 5.11.0-1017.18~20.04.1
linux-image-5.11.0-1019-oracle 5.11.0-1019.20~20.04.1
linux-image-5.11.0-37-generic 5.11.0-37.41~20.04.2
linux-image-5.11.0-37-generic-64k 5.11.0-37.41~20.04.2
linux-image-5.11.0-37-generic-lpae 5.11.0-37.41~20.04.2
linux-image-5.11.0-37-lowlatency 5.11.0-37.41~20.04.2
linux-image-azure-edge 5.11.0.1017.18~20.04.16
linux-image-generic-64k-hwe-20.04 5.11.0.37.41~20.04.16
linux-image-generic-hwe-20.04 5.11.0.37.41~20.04.16
linux-image-generic-lpae-hwe-20.04 5.11.0.37.41~20.04.16
linux-image-lowlatency-hwe-20.04 5.11.0.37.41~20.04.16
linux-image-oracle 5.11.0.1019.20~20.04.12
linux-image-virtual-hwe-20.04 5.11.0.37.41~20.04.16

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5092-2
https://ubuntu.com/security/notices/USN-5092-1
CVE-2021-33624, CVE-2021-34556, CVE-2021-35477, CVE-2021-3679,
CVE-2021-37159, CVE-2021-37576, CVE-2021-38160, CVE-2021-38199,
CVE-2021-38201, CVE-2021-38204, CVE-2021-38205, CVE-2021-41073

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/5.11.0-1017.18
https://launchpad.net/ubuntu/+source/linux-signed-azure/5.11.0-1017.18
https://launchpad.net/ubuntu/+source/linux-azure-5.11/5.11.0-1017.18~20.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.11/5.11.0-37.41~20.04.2
https://launchpad.net/ubuntu/+source/linux-oracle-5.11/5.11.0-1019.20~20.04.1

[USN-5094-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5094-1
September 29, 2021

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15,
linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm,
linux-oracle, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-dell300x: Linux kernel for Dell 300x platforms
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the KVM hypervisor implementation in the Linux
kernel did not properly perform reference counting in some situations,
leading to a use-after-free vulnerability. An attacker who could start and
control a VM could possibly use this to expose sensitive information or
execute arbitrary code. (CVE-2021-22543)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

Alois Wohlschlager discovered that the overlay file system in the Linux
kernel did not restrict private clones in some situations. An attacker
could use this to expose sensitive information. (CVE-2021-3732)

Alexey Kardashevskiy discovered that the KVM implementation for PowerPC
systems in the Linux kernel did not properly validate RTAS arguments in
some situations. An attacker in a guest VM could use this to cause a denial
of service (host OS crash) or possibly execute arbitrary code.
(CVE-2021-37576)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1028-dell300x 4.15.0-1028.33
linux-image-4.15.0-1081-oracle 4.15.0-1081.89
linux-image-4.15.0-1100-kvm 4.15.0-1100.102
linux-image-4.15.0-1109-gcp 4.15.0-1109.123
linux-image-4.15.0-1112-aws 4.15.0-1112.119
linux-image-4.15.0-1113-snapdragon 4.15.0-1113.122
linux-image-4.15.0-1124-azure 4.15.0-1124.137
linux-image-4.15.0-159-generic 4.15.0-159.167
linux-image-4.15.0-159-generic-lpae 4.15.0-159.167
linux-image-4.15.0-159-lowlatency 4.15.0-159.167
linux-image-aws-lts-18.04 4.15.0.1112.115
linux-image-azure-lts-18.04 4.15.0.1124.97
linux-image-dell300x 4.15.0.1028.30
linux-image-gcp-lts-18.04 4.15.0.1109.128
linux-image-generic 4.15.0.159.148
linux-image-generic-lpae 4.15.0.159.148
linux-image-kvm 4.15.0.1100.96
linux-image-lowlatency 4.15.0.159.148
linux-image-oracle-lts-18.04 4.15.0.1081.91
linux-image-snapdragon 4.15.0.1113.116
linux-image-virtual 4.15.0.159.148

Ubuntu 16.04 ESM:
linux-image-4.15.0-1081-oracle 4.15.0-1081.89~16.04.1
linux-image-4.15.0-1109-gcp 4.15.0-1109.123~16.04.1
linux-image-4.15.0-1112-aws 4.15.0-1112.119~16.04.1
linux-image-4.15.0-1124-azure 4.15.0-1124.137~16.04.1
linux-image-4.15.0-159-generic 4.15.0-159.167~16.04.1
linux-image-4.15.0-159-lowlatency 4.15.0-159.167~16.04.1
linux-image-aws-hwe 4.15.0.1112.103
linux-image-azure 4.15.0.1124.115
linux-image-gcp 4.15.0.1109.110
linux-image-generic-hwe-16.04 4.15.0.159.152
linux-image-gke 4.15.0.1109.110
linux-image-lowlatency-hwe-16.04 4.15.0.159.152
linux-image-oem 4.15.0.159.152
linux-image-oracle 4.15.0.1081.69
linux-image-virtual-hwe-16.04 4.15.0.159.152

Ubuntu 14.04 ESM:
linux-image-4.15.0-1124-azure 4.15.0-1124.137~14.04.1
linux-image-azure 4.15.0.1124.97

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5094-1
CVE-2021-22543, CVE-2021-3679, CVE-2021-3732, CVE-2021-37576,
CVE-2021-38204, CVE-2021-38205

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-159.167
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1112.119
https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1124.137
https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1028.33
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1109.123
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1100.102
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1081.89
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1113.122

Tuesday, September 28, 2021

[USN-5090-4] Apache HTTP Server regression

==========================================================================
Ubuntu Security Notice USN-5090-4
September 28, 2021

apache2 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

USN-5090-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream
fixes introduced a regression in UDS URIs. This update fixes the problem.

Original advisory details:

James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning
attacks. (CVE-2021-33193)

It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
(CVE-2021-34798)

Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.
(CVE-2021-36160)

It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
(CVE-2021-40438)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
apache2 2.4.18-2ubuntu3.17+esm3
apache2-bin 2.4.18-2ubuntu3.17+esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5090-4
https://ubuntu.com/security/notices/USN-5090-1
https://launchpad.net/bugs/XXXXXX

[USN-5090-3] Apache HTTP Server regression

==========================================================================
Ubuntu Security Notice USN-5090-3
September 28, 2021

apache2 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-5090-1 introduced a regression in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream
fixes introduced a regression in UDS URIs. This update fixes the problem.

Original advisory details:

James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning
attacks. (CVE-2021-33193)

It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
(CVE-2021-34798)

Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.
(CVE-2021-36160)

It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
(CVE-2021-40438)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
apache2 2.4.46-4ubuntu1.3
apache2-bin 2.4.46-4ubuntu1.3

Ubuntu 20.04 LTS:
apache2 2.4.41-4ubuntu3.6
apache2-bin 2.4.41-4ubuntu3.6

Ubuntu 18.04 LTS:
apache2 2.4.29-1ubuntu4.18
apache2-bin 2.4.29-1ubuntu4.18

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5090-3
https://ubuntu.com/security/notices/USN-5090-1
https://launchpad.net/bugs/1945311

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.3
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.6
https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.18

Fedora Linux 35 Beta Release Announcement

Fedora Linux 35 Beta Released
------------------------------------------

The Fedora Project is pleased to announce the immediate availability
of Fedora 35 Beta, the next step towards our planned Fedora 35 release
at the end of October.

Download the prerelease from our Get Fedora site:
* Get Fedora 35 Beta Workstation: https://getfedora.org/workstation/download/
* Get Fedora 35 Beta Server: https://getfedora.org/server/download/
* Get Fedora 35 IoT: https://getfedora.org/iot/download/

Or, check out one of our popular variants, including KDE Plasma, Xfce,
and other desktop environments, as well as images for ARM devices:

* Get Fedora 35 Beta Spins: https://spins.fedoraproject.org/prerelease
* Get Fedora 35 Beta Labs: https://labs.fedoraproject.org/prerelease
* Get Fedora 35 Beta ARM: https://arm.fedoraproject.org/prerelease

## Beta Release Highlights

* Fedora 35 Workstation Beta includes GNOME 41

* Fedora Kinoite, a KDE Plasma environment based on rpm-ostree technology

* Fedora Linux 35 builds on the switch to PipeWire for managing audio
by introducing WirePlumber as the default session manager.

* Updated versions of Python 3.10, Perl 5.34 and PHP 8.0

* And more ...

For more details about the release, read the full announcement at

* https://fedoramagazine.org/announcing-fedora-35-beta/

or look for the prerelease pages in the download sections at

* https://getfedora.org/

Since this is a Beta release, we expect that you may encounter bugs or
missing features. To report issues encountered during testing, contact
the Fedora QA team via the test@lists.fedoraproject.org mailing list or
in #fedora-qa on Libera Chat.

Regards,
Mohan Boddu
Fedora Release Engineering.
_______________________________________________
announce mailing list -- announce@lists.fedoraproject.org
To unsubscribe send an email to announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[USN-5093-1] Vim vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5093-1
September 28, 2021

vim vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Vim.

Software Description:
- vim: Vi IMproved - enhanced vi editor

Details:

Brian Carpenter discovered that vim incorrectly handled memory
when opening certain files. If a user was tricked into opening
a specially crafted file, a remote attacker could crash the
application, leading to a denial of service, or possibly execute
arbitrary code with user privileges. This issue only affected
Ubuntu 20.04 LTS and Ubuntu 21.04. (CVE-2021-3770)

Brian Carpenter discovered that vim incorrectly handled memory
when opening certain files. If a user was tricked into opening
a specially crafted file, a remote attacker could crash the
application, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2021-3778)

Dhiraj Mishra discovered that vim incorrectly handled memory
when opening certain files. If a user was tricked into opening
a specially crafted file, a remote attacker could crash the
application, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2021-3796)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
vim 2:8.2.2434-1ubuntu1.1

Ubuntu 20.04 LTS:
vim 2:8.1.2269-1ubuntu5.3

Ubuntu 18.04 LTS:
vim 2:8.0.1453-1ubuntu1.6

Ubuntu 16.04 ESM:
vim 2:7.4.1689-3ubuntu1.5+esm2

Ubuntu 14.04 ESM:
vim 2:7.4.052-1ubuntu3.1+esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5093-1
CVE-2021-3770, CVE-2021-3778, CVE-2021-3796

Package Information:
https://launchpad.net/ubuntu/+source/vim/2:8.2.2434-1ubuntu1.1
https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.3
https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.6
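The package versions quoted in these Ubuntu notices follow Debian's version ordering, not plain string order: an epoch before the colon (2:8.2.2434-1ubuntu1.1) wins over everything after it, the part after the last hyphen is the packaging revision, and a tilde sorts before anything, including the end of the string, so 5.11.0-1019.20~20.04.1 is older than 5.11.0-1019.20. A script that checks a fleet against an advisory with a naive comparison will get these wrong. The following is an added example, not code from Ubuntu or from any of the advisories on this page: it implements the dpkg comparison rules and checks a constructed dpkg-query listing against the fixed vim and apache2 versions quoted in USN-5093-1 and USN-5090-3 above. The FIXED_VERSIONS table, the sample output and the helper names are this example's own.

```python
import re

# Fixed versions copied from the USN-5093-1 (vim) and USN-5090-3 (apache2)
# notices above; extend the table from other advisories the same way.
FIXED_VERSIONS = {
    "Ubuntu 21.04":     {"vim": "2:8.2.2434-1ubuntu1.1", "apache2": "2.4.46-4ubuntu1.3"},
    "Ubuntu 20.04 LTS": {"vim": "2:8.1.2269-1ubuntu5.3", "apache2": "2.4.41-4ubuntu3.6"},
    "Ubuntu 18.04 LTS": {"vim": "2:8.0.1453-1ubuntu1.6", "apache2": "2.4.29-1ubuntu4.18"},
}

# Constructed sample of `dpkg-query -W -f '${Package}\t${Version}\n' vim apache2`
# on a 20.04 host that has the apache2 regression fix but not the vim update.
SAMPLE_DPKG_OUTPUT = "vim\t2:8.1.2269-1ubuntu5.2\napache2\t2.4.41-4ubuntu3.6\n"


def _char_order(c):
    """dpkg ordering for one character of a non-digit run: '~' sorts before
    everything (even the end of the string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":          # end of string
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the dpkg way: alternate
    non-digit runs (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_deb_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def deb_version_cmp(a, b):
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` would."""
    ea, ua, ra = parse_deb_version(a)
    eb, ub, rb = parse_deb_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_output(text):
    """dpkg-query output, one 'package<TAB>version' per line, to a dict."""
    return dict(line.split("\t", 1) for line in text.splitlines() if line.strip())


def unpatched_packages(release, installed, fixed=FIXED_VERSIONS):
    """Names of installed packages older than the advisory's fixed version."""
    return sorted(pkg for pkg, ver in installed.items()
                  if pkg in fixed.get(release, {})
                  and deb_version_cmp(ver, fixed[release][pkg]) < 0)


if __name__ == "__main__":
    installed = parse_dpkg_output(SAMPLE_DPKG_OUTPUT)
    for pkg in unpatched_packages("Ubuntu 20.04 LTS", installed):
        print(f"{pkg}: installed {installed[pkg]}, "
              f"fixed in {FIXED_VERSIONS['Ubuntu 20.04 LTS'][pkg]}")
```

On a real host, feed the output of `dpkg-query -W -f '${Package}\t${Version}\n'` to parse_dpkg_output and pick the release from /etc/os-release. Where dpkg is available, `dpkg --compare-versions` gives the same answers and is the reference to test against.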

Monday, September 27, 2021

[USN-5092-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5092-1
September 28, 2021

linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle,
linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-aws-5.11: Linux kernel for Amazon Web Services (AWS) systems

Details:

Valentina Palmiotti discovered that the io_uring subsystem in the Linux
kernel could be coerced to free adjacent memory. A local attacker could use
this to execute arbitrary code. (CVE-2021-41073)

Ofek Kirzner, Adam Morrison, Benedict Schlueter, and Piotr Krysiuk
discovered that the BPF verifier in the Linux kernel missed possible
mispredicted branches due to type confusion, allowing a side-channel
attack. An attacker could use this to expose sensitive information.
(CVE-2021-33624)

Benedict Schlueter discovered that the BPF subsystem in the Linux kernel
did not properly protect against Speculative Store Bypass (SSB) side-
channel attacks in some situations. A local attacker could possibly use
this to expose sensitive information. (CVE-2021-34556)

Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not
properly protect against Speculative Store Bypass (SSB) side-channel
attacks in some situations. A local attacker could possibly use this to
expose sensitive information. (CVE-2021-35477)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

It was discovered that the Option USB High Speed Mobile device driver in
the Linux kernel did not properly handle error conditions. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2021-37159)

Alexey Kardashevskiy discovered that the KVM implementation for PowerPC
systems in the Linux kernel did not properly validate RTAS arguments in
some situations. An attacker in a guest vm could use this to cause a denial
of service (host OS crash) or possibly execute arbitrary code.
(CVE-2021-37576)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

Michael Wakabayashi discovered that the NFSv4 client implementation in the
Linux kernel did not properly order connection setup operations. An
attacker controlling a remote NFS server could use this to cause a denial
of service on the client. (CVE-2021-38199)

It was discovered that the Sun RPC implementation in the Linux kernel
contained an out-of-bounds access error. A remote attacker could possibly
use this to cause a denial of service (system crash). (CVE-2021-38201)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

It was discovered that the Xilinx 10/100 Ethernet Lite device driver in the
Linux kernel could report pointer addresses in some situations. An attacker
could use this information to ease the exploitation of another
vulnerability. (CVE-2021-38205)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
linux-image-5.11.0-1017-kvm 5.11.0-1017.18
linux-image-5.11.0-1019-aws 5.11.0-1019.20
linux-image-5.11.0-1019-oracle 5.11.0-1019.20
linux-image-5.11.0-1019-raspi 5.11.0-1019.20
linux-image-5.11.0-1019-raspi-nolpae 5.11.0-1019.20
linux-image-5.11.0-1020-gcp 5.11.0-1020.22
linux-image-5.11.0-37-generic 5.11.0-37.41
linux-image-5.11.0-37-generic-64k 5.11.0-37.41
linux-image-5.11.0-37-generic-lpae 5.11.0-37.41
linux-image-5.11.0-37-lowlatency 5.11.0-37.41
linux-image-aws 5.11.0.1019.20
linux-image-gcp 5.11.0.1020.20
linux-image-generic 5.11.0.37.39
linux-image-generic-64k 5.11.0.37.39
linux-image-generic-lpae 5.11.0.37.39
linux-image-gke 5.11.0.1020.20
linux-image-kvm 5.11.0.1017.18
linux-image-lowlatency 5.11.0.37.39
linux-image-oem-20.04 5.11.0.37.39
linux-image-oracle 5.11.0.1019.20
linux-image-raspi 5.11.0.1019.17
linux-image-raspi-nolpae 5.11.0.1019.17
linux-image-virtual 5.11.0.37.39

Ubuntu 20.04 LTS:
linux-image-5.11.0-1019-aws 5.11.0-1019.20~20.04.1
linux-image-aws 5.11.0.1019.20~20.04.18

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5092-1
CVE-2021-33624, CVE-2021-34556, CVE-2021-35477, CVE-2021-3679,
CVE-2021-37159, CVE-2021-37576, CVE-2021-38160, CVE-2021-38199,
CVE-2021-38201, CVE-2021-38204, CVE-2021-38205, CVE-2021-41073

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.11.0-37.41
https://launchpad.net/ubuntu/+source/linux-aws/5.11.0-1019.20
https://launchpad.net/ubuntu/+source/linux-gcp/5.11.0-1020.22
https://launchpad.net/ubuntu/+source/linux-kvm/5.11.0-1017.18
https://launchpad.net/ubuntu/+source/linux-oracle/5.11.0-1019.20
https://launchpad.net/ubuntu/+source/linux-raspi/5.11.0-1019.20
https://launchpad.net/ubuntu/+source/linux-aws-5.11/5.11.0-1019.20~20.04.1

[USN-5091-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5091-1
September 28, 2021

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp,
linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4,
linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke-5.4: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop-5.4: Linux kernel for Google Container Engine (GKE) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Ofek Kirzner, Adam Morrison, Benedict Schlueter, and Piotr Krysiuk
discovered that the BPF verifier in the Linux kernel missed possible
mispredicted branches due to type confusion, allowing a side-channel
attack. An attacker could use this to expose sensitive information.
(CVE-2021-33624)

It was discovered that the tracing subsystem in the Linux kernel did not
properly keep track of per-cpu ring buffer state. A privileged attacker
could use this to cause a denial of service. (CVE-2021-3679)

Alexey Kardashevskiy discovered that the KVM implementation for PowerPC
systems in the Linux kernel did not properly validate RTAS arguments in
some situations. An attacker in a guest vm could use this to cause a denial
of service (host OS crash) or possibly execute arbitrary code.
(CVE-2021-37576)

It was discovered that the Virtio console implementation in the Linux
kernel did not properly validate input lengths in some situations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2021-38160)

Michael Wakabayashi discovered that the NFSv4 client implementation in the
Linux kernel did not properly order connection setup operations. An
attacker controlling a remote NFS server could use this to cause a denial
of service on the client. (CVE-2021-38199)

It was discovered that the MAX-3421 host USB device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2021-38204)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.4.0-1024-gkeop 5.4.0-1024.25
linux-image-5.4.0-1047-kvm 5.4.0-1047.49
linux-image-5.4.0-1053-gcp 5.4.0-1053.57
linux-image-5.4.0-1053-gke 5.4.0-1053.56
linux-image-5.4.0-1055-oracle 5.4.0-1055.59
linux-image-5.4.0-1057-aws 5.4.0-1057.60
linux-image-5.4.0-1059-azure 5.4.0-1059.62
linux-image-5.4.0-88-generic 5.4.0-88.99
linux-image-5.4.0-88-generic-lpae 5.4.0-88.99
linux-image-5.4.0-88-lowlatency 5.4.0-88.99
linux-image-aws-lts-20.04 5.4.0.1057.60
linux-image-azure-lts-20.04 5.4.0.1059.57
linux-image-gcp-lts-20.04 5.4.0.1053.63
linux-image-generic 5.4.0.88.92
linux-image-generic-lpae 5.4.0.88.92
linux-image-gke 5.4.0.1053.63
linux-image-gke-5.4 5.4.0.1053.63
linux-image-gkeop 5.4.0.1024.27
linux-image-gkeop-5.4 5.4.0.1024.27
linux-image-kvm 5.4.0.1047.46
linux-image-lowlatency 5.4.0.88.92
linux-image-oem 5.4.0.88.92
linux-image-oem-osp1 5.4.0.88.92
linux-image-oracle-lts-20.04 5.4.0.1055.55
linux-image-virtual 5.4.0.88.92

Ubuntu 18.04 LTS:
linux-image-5.4.0-1024-gkeop 5.4.0-1024.25~18.04.1
linux-image-5.4.0-1053-gcp 5.4.0-1053.57~18.04.1
linux-image-5.4.0-1053-gke 5.4.0-1053.56~18.04.1
linux-image-5.4.0-1055-oracle 5.4.0-1055.59~18.04.1
linux-image-5.4.0-1057-aws 5.4.0-1057.60~18.04.1
linux-image-5.4.0-1059-azure 5.4.0-1059.62~18.04.1
linux-image-5.4.0-87-generic 5.4.0-87.98~18.04.1
linux-image-5.4.0-87-generic-lpae 5.4.0-87.98~18.04.1
linux-image-5.4.0-87-lowlatency 5.4.0-87.98~18.04.1
linux-image-aws 5.4.0.1057.40
linux-image-azure 5.4.0.1059.39
linux-image-gcp 5.4.0.1053.39
linux-image-generic-hwe-18.04 5.4.0.87.98~18.04.78
linux-image-generic-lpae-hwe-18.04 5.4.0.87.98~18.04.78
linux-image-gke-5.4 5.4.0.1053.56~18.04.18
linux-image-gkeop-5.4 5.4.0.1024.25~18.04.25
linux-image-lowlatency-hwe-18.04 5.4.0.87.98~18.04.78
linux-image-oem 5.4.0.87.98~18.04.78
linux-image-oem-osp1 5.4.0.87.98~18.04.78
linux-image-oracle 5.4.0.1055.59~18.04.35
linux-image-snapdragon-hwe-18.04 5.4.0.87.98~18.04.78
linux-image-virtual-hwe-18.04 5.4.0.87.98~18.04.78

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5091-1
CVE-2021-33624, CVE-2021-3679, CVE-2021-37576, CVE-2021-38160,
CVE-2021-38199, CVE-2021-38204

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.4.0-88.99
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1057.60
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1059.62
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1053.57
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1053.56
https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1024.25
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1047.49
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1055.59
https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1057.60~18.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1059.62~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1053.57~18.04.1
https://launchpad.net/ubuntu/+source/linux-gke-5.4/5.4.0-1053.56~18.04.1
https://launchpad.net/ubuntu/+source/linux-gkeop-5.4/5.4.0-1024.25~18.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-87.98~18.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1055.59~18.04.1

[USN-5090-2] Apache HTTP Server vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5090-2
September 27, 2021

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

USN-5090-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
(CVE-2021-34798)

It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
(CVE-2021-40438)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
apache2 2.4.18-2ubuntu3.17+esm2
apache2-bin 2.4.18-2ubuntu3.17+esm2

Ubuntu 14.04 ESM:
apache2 2.4.7-1ubuntu4.22+esm2
apache2-bin 2.4.7-1ubuntu4.22+esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5090-2
https://ubuntu.com/security/notices/USN-5090-1
CVE-2021-34798, CVE-2021-39275, CVE-2021-40438

[USN-5090-1] Apache HTTP Server vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5090-1
September 27, 2021

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Apache HTTP Server.

Software Description:
- apache2: Apache HTTP server

Details:

James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning
attacks. (CVE-2021-33193)

It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
(CVE-2021-34798)

Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.
(CVE-2021-36160)

It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-39275)

It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
(CVE-2021-40438)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
apache2 2.4.46-4ubuntu1.2
apache2-bin 2.4.46-4ubuntu1.2

Ubuntu 20.04 LTS:
apache2 2.4.41-4ubuntu3.5
apache2-bin 2.4.41-4ubuntu3.5

Ubuntu 18.04 LTS:
apache2 2.4.29-1ubuntu4.17
apache2-bin 2.4.29-1ubuntu4.17

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5090-1
CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275,
CVE-2021-40438

Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.2
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.5
https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.17

[CentOS-announce] CEBA-2021:3333 CentOS 7 device-mapper-multipath BugFix Update

CentOS Errata and Bugfix Advisory 2021:3333

Upstream details at : https://access.redhat.com/errata/RHBA-2021:3333

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
0cfe90113fcfe21d6f21f6022481283b9b35ca916c02484fc39e89b88fcffa8a device-mapper-multipath-0.4.9-135.el7_9.x86_64.rpm
973cf0ccc163c9374db09502b1e69f3323abc0960eca2ad66bfae874ac23d131 device-mapper-multipath-devel-0.4.9-135.el7_9.i686.rpm
49c502046e8fd1833a810286c8db37a87f18dc47667827f45a56267aefdac60f device-mapper-multipath-devel-0.4.9-135.el7_9.x86_64.rpm
ec4cb2d5a569d854ac525bd458045223e598500765770d860e5bf0b84a41767b device-mapper-multipath-libs-0.4.9-135.el7_9.i686.rpm
61772a9e48d677eb7feb9225da4fdbfa417f99764a26adf0ba4e311baad2696c device-mapper-multipath-libs-0.4.9-135.el7_9.x86_64.rpm
3d901cc9a4697e9c08105de93d1a190650a8439e1dabe11a97d17c67cd1d951c device-mapper-multipath-sysvinit-0.4.9-135.el7_9.x86_64.rpm
f901d903838a840af4b07b7405171f08944a919391efff75f782b9d2c5a6a8a7 kpartx-0.4.9-135.el7_9.x86_64.rpm
4c0432991858f896026445ef401636f12a857102f3329b8a5d034aa2e99e2bd4 libdmmp-0.4.9-135.el7_9.i686.rpm
828fe4eb26915648840d50ea3daa571c3735822ed66eced81dd20b12dff3e10e libdmmp-0.4.9-135.el7_9.x86_64.rpm
a8bf325bc65d56d5cd74d8b007f3b2f09f0d1f6deccd0c0d0f56f515423fe6eb libdmmp-devel-0.4.9-135.el7_9.i686.rpm
ab2e63b3fe04a633b718c47d41143f7ffa9fb32076d41cfdb01feaef74cd6158 libdmmp-devel-0.4.9-135.el7_9.x86_64.rpm

Source:
a936d8b085df37c56fb79f41886f88a37227712e99e97605c91e56f997f292b7 device-mapper-multipath-0.4.9-135.el7_9.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CEBA-2021:3334 CentOS 7 openldap BugFix Update

CentOS Errata and Bugfix Advisory 2021:3334

Upstream details at : https://access.redhat.com/errata/RHBA-2021:3334

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
912bd6993c1df63e3c9381201d80fe8178c75ff27aeb3b45999e28983222ff86 openldap-2.4.44-24.el7_9.i686.rpm
4d12827b417a44adfb6029689a3750767d051d27bb01400addcf87233d9c73aa openldap-2.4.44-24.el7_9.x86_64.rpm
cc0d2cbf6bd6a4619b82b4666f297b6d0d894f6e665d587919aeb24e013118a5 openldap-clients-2.4.44-24.el7_9.x86_64.rpm
ae3c48f21e37c807df89c63a1fa1216f44279908239b46e4dc5f7fc63160d0dd openldap-devel-2.4.44-24.el7_9.i686.rpm
9711433d3deaee69fd66f5b86d352d4250222cc0624b6a64b1cab5215d69348b openldap-devel-2.4.44-24.el7_9.x86_64.rpm
8f4f01e9c17c3579c8a8e8757582b5911c301c9f5219d0fa56b868db7964640f openldap-servers-2.4.44-24.el7_9.x86_64.rpm
2a6f1dc296b8103e565b9c2b18d2f04ed098a133f239f299f974b5430b5cda97 openldap-servers-sql-2.4.44-24.el7_9.x86_64.rpm

Source:
d9e03e7eb56351d1e58f69e6dc23937dfbf1403273e7985e7fa30d78cd2b65d4 openldap-2.4.44-24.el7_9.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CEBA-2021:3335 CentOS 7 sos BugFix Update

CentOS Errata and Bugfix Advisory 2021:3335

Upstream details at : https://access.redhat.com/errata/RHBA-2021:3335

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
f53f33bb25947de42ac961faa1b3edbf1207b3e8028e8c283c139b943b66ed73 sos-3.9-5.el7.centos.7.noarch.rpm

Source:
1e338b36f1f5d43008636224aaad6391d56783821441918f4882f170c0a74f0c sos-3.9-5.el7.centos.7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2021:3438 Moderate CentOS 7 kernel Security Update

CentOS Errata and Security Advisory 2021:3438 Moderate

Upstream details at : https://access.redhat.com/errata/RHSA-2021:3438

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
19575eb2feb5e29ed339c078e462e2a4ac7a44f0888328185fc248a30681b82e bpftool-3.10.0-1160.42.2.el7.x86_64.rpm
93f5058bbfe57b3134debfc599214a91d401380ef38ec57336a0d995704d9c26 kernel-3.10.0-1160.42.2.el7.x86_64.rpm
2c64dd985521f02ada8ac0415b1d852ab79d87ebdf2950e421d8258a4d86d153 kernel-abi-whitelists-3.10.0-1160.42.2.el7.noarch.rpm
39ce1d8d6ffa3efde898b475b2be150a92edca9d2aadf7ed8d5d69e6865175f9 kernel-debug-3.10.0-1160.42.2.el7.x86_64.rpm
f066c4d77c32004d1843615beab2f59dce9664e5e79aaf6f5453d44d0d9e02fe kernel-debug-devel-3.10.0-1160.42.2.el7.x86_64.rpm
07505d8e7877d8a5114d6db605a9dc9c2132c0d32d978e2df599fa2e69887780 kernel-devel-3.10.0-1160.42.2.el7.x86_64.rpm
d79bdff199cc5f9127f01f99ca4906b965b3c5fb198906c1ed16e725d5bbe25f kernel-doc-3.10.0-1160.42.2.el7.noarch.rpm
2617375bbb0a52fe637164f0f40bbbc00ea29b150dd35ba0e0f79447454ad604 kernel-headers-3.10.0-1160.42.2.el7.x86_64.rpm
6ec6b4d2ab3c7cf65dceaadd6a13d91e6ca7e48b3d6bf5712f0c0bf3639015b0 kernel-tools-3.10.0-1160.42.2.el7.x86_64.rpm
d196c69e20dcc6a970af086c699d1d015396019ac8638386994deb8017fcc72b kernel-tools-libs-3.10.0-1160.42.2.el7.x86_64.rpm
02cbd7332b3ce796fb31c211ff00e807700217dbe4cbf3860f61c4a3bb69beb8 kernel-tools-libs-devel-3.10.0-1160.42.2.el7.x86_64.rpm
290f6f5895e4d30a12a9560261497d6ad631dbba6dd34aa352f5df74c5b51a5f perf-3.10.0-1160.42.2.el7.x86_64.rpm
1a19777f00999ca9d5a879d29fb67c078a61e7584353514d1ff9875c172b83be python-perf-3.10.0-1160.42.2.el7.x86_64.rpm

Source:
35c09fa9e23fc090f029ae192d7d10869105e07083999152bb2ff03963986a23 kernel-3.10.0-1160.42.2.el7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Sunday, September 26, 2021

OpenBSD Errata: September 27, 2021 (libressl)

An errata patch for LibreSSL has been released for OpenBSD 6.8 and
OpenBSD 6.9.

A stack overread could occur when checking X.509 name constraints.

Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata68.html
https://www.openbsd.org/errata69.html

OpenBSD Errata: September 27, 2021 (sshd)

An errata patch for sshd(8) has been released for OpenBSD 6.8 and
OpenBSD 6.9.

sshd(8) from OpenSSH 6.2 (OpenBSD 5.3) through 8.7 (OpenBSD 6.9) failed to
correctly initialise supplemental groups when executing an
AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has
been set to run the command as a different user. Instead these commands
would inherit the groups that sshd(8) was started with.

Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain
unintended privilege.

Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are enabled
by default in sshd_config(5).

Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata68.html
https://www.openbsd.org/errata69.html
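The erratum is a privilege-drop ordering bug: sshd(8) changed the uid and primary gid for the helper but left the supplementary group list it was started with, so the helper ran with root's groups. Two things follow for anyone writing such a helper or any other daemon that switches users: the group list must be reset with initgroups(3) before the uid is dropped (afterwards it can no longer be changed), and a helper that runs under AuthorizedKeysCommandUser can refuse to start if it finds groups its user should not have. The following is an added example and is not OpenSSH code or the OpenBSD fix: drop_to_user shows the correct order, and assert_no_inherited_groups is the self-check a helper could run first. The function names, the use of the local group database to derive the expected groups, and the constructed gid lists are this example's own assumptions.

```python
import os
import pwd
import grp


def expected_gids(username):
    """Groups the helper should have after a correct switch to `username`:
    its primary group plus every group in the group database that lists it."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def unexpected_gids(current, allowed):
    """Supplementary groups present in `current` that `allowed` does not
    contain. Kept pure so it can be exercised with constructed input."""
    return sorted(set(current) - set(allowed))


def drop_to_user(username):
    """Switch the process to `username` in the order that avoids the erratum's
    mistake: reset the supplementary groups first (initgroups), then the
    primary group, then the uid. Once the uid is no longer 0 the group list
    cannot be changed, so the order matters. Must be called as root."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)   # replaces the inherited group list
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)


def assert_no_inherited_groups(username):
    """Self-check for an AuthorizedKeysCommand helper: refuse to run if the
    process carries groups that `username` should not have, which is what an
    unfixed sshd(8) would hand it."""
    extra = unexpected_gids(os.getgroups(), expected_gids(username))
    if extra:
        raise PermissionError(
            f"inherited supplementary groups {extra}; refusing to run")


# Constructed illustration of the failure mode (the gids are made up): sshd
# was started by root with these group memberships, while the helper user is
# only a member of gid 65534.
INHERITED_FROM_SSHD = [0, 2, 4, 5, 20, 65534]
HELPER_ALLOWED = {65534}

if __name__ == "__main__":
    print("groups a helper would inherit from unfixed sshd(8):",
          unexpected_gids(INHERITED_FROM_SSHD, HELPER_ALLOWED))
```

To confirm a patched sshd(8) on a test host, point AuthorizedKeysCommand at a script that logs the output of id(1) and set AuthorizedKeysCommandUser to an unprivileged account; the logged group list should contain only that account's groups.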

Thursday, September 23, 2021

Ubuntu 21.10 (Impish Indri) Final Beta released

The Ubuntu team is pleased to announce the Beta release of the Ubuntu
21.10 Desktop, Server, and Cloud products.

Ubuntu 21.10, codenamed "Impish Indri", continues Ubuntu's proud tradition
of integrating the latest and greatest open source technologies into a
high-quality, easy-to-use Linux distribution. The team has been hard at
work through this cycle, introducing new features and fixing bugs.

This Beta release includes images from not only the Ubuntu Desktop,
Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu
Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu flavours.

The Beta images are known to be reasonably free of showstopper image
build or installer bugs, while representing a very recent snapshot of
21.10 that should be representative of the features intended to ship
with the final release expected on October 14, 2021.

Ubuntu, Ubuntu Server, Cloud Images:
Impish Beta includes updated versions of most of our core set of
packages, including a current 5.13 kernel, and much more.

To upgrade to Ubuntu 21.10 Beta from Ubuntu 21.04, follow these
instructions:

https://help.ubuntu.com/community/ImpishUpgrades

The Ubuntu 21.10 Beta images can be downloaded at:

http://releases.ubuntu.com/21.10/ (Ubuntu and Ubuntu Server on x86)

This Ubuntu Server image features the next generation Subiquity server
installer, bringing the comfortable live session and speedy install of
the Ubuntu Desktop to server users.

Additional images can be found at the following links:

http://cloud-images.ubuntu.com/daily/server/impish/current/ (Cloud Images)
http://cdimage.ubuntu.com/releases/21.10/beta/ (Non-x86)

As fixes will be included in new images between now and release, any
daily cloud image from today or later (i.e. a serial of 20210923 or
higher) should be considered a Beta image. Bugs found should be filed
against the appropriate packages or, failing that, the cloud-images
project in Launchpad.

The full release notes for Ubuntu 21.10 Beta can be found at:

https://discourse.ubuntu.com/t/impish-indri-release-notes

Kubuntu:
Kubuntu is the KDE based flavour of Ubuntu. It uses the Plasma desktop
and includes a wide selection of tools from the KDE project.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/kubuntu/releases/21.10/beta/

Lubuntu:
Lubuntu is a flavor of Ubuntu which uses the Lightweight Qt Desktop
Environment (LXQt). The project's goal is to provide a lightweight
yet functional Linux distribution based on a rock-solid Ubuntu base.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/lubuntu/releases/21.10/beta/

Ubuntu Budgie:
Ubuntu Budgie is a community-developed desktop, integrating the Budgie
Desktop Environment with Ubuntu at its core.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-budgie/releases/21.10/beta/

UbuntuKylin:
UbuntuKylin is a flavor of Ubuntu that is more suitable for Chinese
users.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntukylin/releases/21.10/beta/

Ubuntu MATE:
Ubuntu MATE is a flavor of Ubuntu featuring the MATE desktop
environment.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-mate/releases/21.10/beta/

Ubuntu Studio:
Ubuntu Studio is a flavor of Ubuntu that provides a full range of
multimedia content creation applications for each key workflow: audio,
graphics, video, photography and publishing.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntustudio/releases/21.10/beta/

Xubuntu:
Xubuntu is a flavor of Ubuntu that comes with Xfce, which is a stable,
light and configurable desktop environment.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/xubuntu/releases/21.10/beta/

Regular daily images for Ubuntu, and all flavours, can be found at:
http://cdimage.ubuntu.com

Ubuntu is a full-featured Linux distribution for clients, servers and
clouds, with a fast and easy installation and regular releases. A
tightly-integrated selection of excellent applications is included, and
an incredible variety of add-on software is just a few clicks away.

Professional technical support is available from Canonical Limited and
hundreds of other companies around the world. For more information
about support, visit https://ubuntu.com/support

If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:
https://ubuntu.com/community/participate

Your comments, bug reports, patches and suggestions really help us to
improve this and future releases of Ubuntu. Instructions can be found
at:
https://help.ubuntu.com/community/ReportingBugs

You can find out more about Ubuntu and about this Beta release on our
website, IRC channel and wiki.

To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

On behalf of the Ubuntu Release Team,
--
Brian Murray


rpki-client-7.3 released

rpki-client 7.3 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system and outputs Validated ROA
Payloads in the configuration format of OpenBGPD, BIRD, and also as
CSV or JSON objects for consumption by other routing stacks.

See RFC 6811 for a description of how BGP Prefix Origin Validation
secures the Internet's global routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

* Improve the HTTP client code (status code handling, HTTP proxy
  support, keep-alive).
* In RRDP, do not access URIs with userinfo (@-sign).
* Improve RRDP syncing by considering a notification file serial
  jumping backwards as a synced repository.
* Make -R (rsync only) also apply to the fetching of TA files.
* Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
* When producing output for OpenBGPD, make use of the 'roa-set
  expires' attribute to prevent machines from loading outdated roa-sets.
* In RRDP, limit the number of deltas to 300 per repo. If more deltas
  exist, downloading a full snapshot is faster.
* Limit the validation depth of X.509 certificate chains to 12, double
  the current depth seen in RPKI.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.3, and a libtls library compatible
with LibreSSL 3.3 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Fedora Linux 35 Beta is GO

The Fedora Linux 35 Beta RC2 compose[1] is GO and will be shipped live
on Tuesday, 28 September 2021.

For more information please check the Go/No-Go meeting minutes[2] or log[3].

Thank you to everyone who has and still is working on this release!
The Final Freeze begins on Tuesday 5 October.

[1] https://dl.fedoraproject.org/pub/alt/stage/35_Beta-1.2/
[2] https://meetbot.fedoraproject.org/fedora-meeting/2021-09-23/f35-beta-go_no_go-meeting.2021-09-23-17.00.html
[3] https://meetbot.fedoraproject.org/fedora-meeting/2021-09-23/f35-beta-go_no_go-meeting.2021-09-23-17.00.log.html

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

[CentOS-announce] CEBA-2021:3649 CentOS 7 ca-certificates BugFix Update

CentOS Errata and Bugfix Advisory 2021:3649

Upstream details at: https://access.redhat.com/errata/RHBA-2021:3649

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
9f9e0be0e6d0c8e91635d575846d138d0cea0db6757dc477c7f61b90b17bd8bd ca-certificates-2021.2.50-72.el7_9.noarch.rpm

Source:
dc2cf4f9f51313e8fe6df3bd5e7c30926a99c2ad861a2bbfa4fd6210c00daaf6 ca-certificates-2021.2.50-72.el7_9.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[USN-5089-2] ca-certificates update

==========================================================================
Ubuntu Security Notice USN-5089-2
September 23, 2021

ca-certificates update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

A certificate about to expire was removed from ca-certificates.

Software Description:
- ca-certificates: Common CA certificates

Details:

USN-5089-1 updated ca-certificates. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

The ca-certificates package contained a CA certificate that will expire on
2021-09-30 and will cause connectivity issues. This update removes the
"DST Root CA X3" CA.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
ca-certificates 20210119~16.04.1ubuntu0.1~esm1

Ubuntu 14.04 ESM:
ca-certificates 20190110~14.04.1~esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5089-2
https://ubuntu.com/security/notices/USN-5089-1
https://launchpad.net/bugs/XXXXXX

[USN-5089-1] ca-certificates update

==========================================================================
Ubuntu Security Notice USN-5089-1
September 23, 2021

ca-certificates update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

A certificate about to expire was removed from ca-certificates.

Software Description:
- ca-certificates: Common CA certificates

Details:

The ca-certificates package contained a CA certificate that will expire on
2021-09-30 and will cause connectivity issues. This update removes the
"DST Root CA X3" CA.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
ca-certificates 20210119ubuntu0.21.04.1

Ubuntu 20.04 LTS:
ca-certificates 20210119~20.04.2

Ubuntu 18.04 LTS:
ca-certificates 20210119~18.04.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5089-1
https://launchpad.net/bugs/1944481

Package Information:
https://launchpad.net/ubuntu/+source/ca-certificates/20210119ubuntu0.21.04.1
https://launchpad.net/ubuntu/+source/ca-certificates/20210119~20.04.2
https://launchpad.net/ubuntu/+source/ca-certificates/20210119~18.04.2
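
USN-5089-1 and USN-5089-2 remove a root that expires on 2021-09-30 because an expired certificate left in a chain or trust store causes validation failures. As an added example (not Ubuntu, LibreSSL or ca-certificates code), this standard-library-only script lists every certificate in a PEM bundle whose notAfter falls on or before a deadline, walking the DER structure down to the tbsCertificate validity field. The two-certificate sample bundle is constructed and unsigned; the first stand-in is given a 2021-09-30 expiry to mirror the advisory.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE's contents."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDhhmmssZ; YY >= 50 means 19YY per RFC 5280) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; returns (notBefore, notAfter).
    After the optional [0] version, tbs fields run serial, signature, issuer, validity, ..."""
    _, cert, _ = der_tlv(der, 0)
    fields = list(der_children(next(der_children(cert))[1]))
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return tuple(parse_time(t, v) for t, v in der_children(fields[3][1]))

def expiring_certs(pem_bytes, deadline_iso):
    """Return [(index, notAfter)] for every cert whose notAfter <= deadline (ISO 8601 with offset)."""
    deadline = datetime.fromisoformat(deadline_iso)
    hits = []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        not_after = cert_validity(der)[1]
        if not_after <= deadline:
            hits.append((i, not_after))
    return hits

# Constructed sample bundle: unsigned stand-ins with real DER layout, for demonstration only.
def _tlv(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + value
def _fake_cert(not_after):
    validity = _tlv(0x30, _tlv(0x17, b"000930000000Z") + _tlv(0x17, not_after))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_BUNDLE = b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_fake_cert(t))
                         + b"-----END CERTIFICATE-----\n"
                         for t in (b"210930140115Z", b"350601000000Z"))  # first expires 2021-09-30
```

On a real system the same function can be pointed at the installed bundle (for example the ca-certificates.crt file) to confirm that no expired root remains after the update.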

[USN-5088-1] EDK II vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5088-1
September 23, 2021

edk2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in EDK II.

Software Description:
- edk2: UEFI firmware for virtual machines

Details:

It was discovered that EDK II incorrectly handled input validation in
MdeModulePkg. A local user could possibly use this issue to cause EDK II to
crash, resulting in a denial of service, obtain sensitive information or
execute arbitrary code. (CVE-2019-11098)

Paul Kehrer discovered that OpenSSL used in EDK II incorrectly handled
certain input lengths in EVP functions. An attacker could possibly use this
issue to cause EDK II to crash, resulting in a denial of service.
(CVE-2021-23840)

Ingo Schwarze discovered that OpenSSL used in EDK II incorrectly handled
certain ASN.1 strings. An attacker could use this issue to cause EDK II to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2021-3712)

It was discovered that EDK II incorrectly decoded certain strings. A remote
attacker could use this issue to cause EDK II to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2021-38575)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
ovmf 2020.11-4ubuntu0.1
ovmf-ia32 2020.11-4ubuntu0.1
qemu-efi 2020.11-4ubuntu0.1
qemu-efi-aarch64 2020.11-4ubuntu0.1
qemu-efi-arm 2020.11-4ubuntu0.1

Ubuntu 20.04 LTS:
ovmf 0~20191122.bd85bf54-2ubuntu3.3
qemu-efi 0~20191122.bd85bf54-2ubuntu3.3
qemu-efi-aarch64 0~20191122.bd85bf54-2ubuntu3.3
qemu-efi-arm 0~20191122.bd85bf54-2ubuntu3.3

After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5088-1
CVE-2019-11098, CVE-2021-23840, CVE-2021-3712, CVE-2021-38575

Package Information:
https://launchpad.net/ubuntu/+source/edk2/2020.11-4ubuntu0.1
https://launchpad.net/ubuntu/+source/edk2/0~20191122.bd85bf54-2ubuntu3.3

OpenBGPD 7.2 released

We have released OpenBGPD 7.2, which will be arriving in the
OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* Support for RFC 9072 - Extended Optional Parameters Length for
  BGP OPEN Message.

* Support for RFC 8050 - MRT Format with BGP Additional Path Extensions.

* Implement receive side of RFC 7911 - Advertisement of Multiple Paths
  in BGP. OpenBGPD is currently not able to send multiple paths out.

* Improve checks of VRPs loaded via RTR or from the roa-set table.

* Allow an expiry time to be optionally specified for roa-set entries to
  mitigate BGP route decision making based on outdated RPKI data.
  OpenBGPD's companion rpki-client(8) produces roa-sets with the
  new 'expires' property.

OpenBGPD-portable is known to compile and run on FreeBSD, and
the Linux distributions Alpine, Debian, Fedora, RHEL/CentOS and Ubuntu.
It is our hope that packagers take interest and help adapt OpenBGPD-portable
to more distributions.

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Wednesday, September 22, 2021

[USN-5087-1] WebKitGTK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5087-1
September 22, 2021

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
libjavascriptcoregtk-4.0-18 2.32.4-0ubuntu0.21.04.1
libwebkit2gtk-4.0-37 2.32.4-0ubuntu0.21.04.1

Ubuntu 20.04 LTS:
libjavascriptcoregtk-4.0-18 2.32.4-0ubuntu0.20.04.1
libwebkit2gtk-4.0-37 2.32.4-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
libjavascriptcoregtk-4.0-18 2.32.4-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 2.32.4-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5087-1
CVE-2021-30858

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.32.4-0ubuntu0.21.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.32.4-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.32.4-0ubuntu0.18.04.1