[USN-5358-2] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5358-2
March 31, 2022

linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.13, linux-gcp-5.4,
linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gcp-5.13: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke-5.4: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop-5.4: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the network traffic control implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-1055)

It was discovered that the IPsec implementation in the Linux
kernel did not properly allocate enough memory when performing ESP
transformations, leading to a heap-based buffer overflow. A local
attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-27666)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
linux-image-5.13.0-1021-azure 5.13.0-1021.24
linux-image-azure 5.13.0.1021.21

Ubuntu 20.04 LTS:
linux-image-5.13.0-1023-gcp 5.13.0-1023.28~20.04.1
linux-image-5.4.0-1038-gkeop 5.4.0-1038.39
linux-image-5.4.0-1067-gke 5.4.0-1067.70
linux-image-5.4.0-1069-gcp 5.4.0-1069.73
linux-image-gcp 5.13.0.1023.28~20.04.1
linux-image-gcp-lts-20.04 5.4.0.1069.78
linux-image-gke 5.4.0.1067.77
linux-image-gkeop 5.4.0.1038.41

Ubuntu 18.04 LTS:
linux-image-5.4.0-1038-gkeop 5.4.0-1038.39~18.04.1
linux-image-5.4.0-1067-gke 5.4.0-1067.70~18.04.1
linux-image-5.4.0-1069-gcp 5.4.0-1069.73~18.04.1
linux-image-5.4.0-1071-aws 5.4.0-1071.76~18.04.1
linux-image-aws 5.4.0.1071.53
linux-image-gcp 5.4.0.1069.54
linux-image-gke-5.4 5.4.0.1067.70~18.04.31
linux-image-gkeop-5.4 5.4.0.1038.39~18.04.38

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5358-2
https://ubuntu.com/security/notices/USN-5358-1
CVE-2022-1055, CVE-2022-27666

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/5.13.0-1021.24
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1069.73
https://launchpad.net/ubuntu/+source/linux-gcp-5.13/5.13.0-1023.28~20.04.1
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1067.70
https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1038.39
https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1071.76~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1069.73~18.04.1
https://launchpad.net/ubuntu/+source/linux-gke-5.4/5.4.0-1067.70~18.04.1
https://launchpad.net/ubuntu/+source/linux-gkeop-5.4/5.4.0-1038.39~18.04.1

[USN-5357-2] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-5357-2
March 31, 2022

linux-aws-hwe, linux-gcp-4.15, linux-oracle vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems

Details:

It was discovered that the IPsec implementation in the Linux
kernel did not properly allocate enough memory when performing ESP
transformations, leading to a heap-based buffer overflow. A local
attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1091-oracle 4.15.0-1091.100
linux-image-4.15.0-1120-gcp 4.15.0-1120.134
linux-image-gcp-lts-18.04 4.15.0.1120.139
linux-image-oracle-lts-18.04 4.15.0.1091.101

Ubuntu 16.04 ESM:
linux-image-4.15.0-1091-oracle 4.15.0-1091.100~16.04.1
linux-image-4.15.0-1126-aws-hwe 4.15.0-1126.135~16.04.2
linux-image-aws-hwe 4.15.0.1126.116
linux-image-oracle 4.15.0.1091.79

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5357-2
https://ubuntu.com/security/notices/USN-5357-1
CVE-2022-27666

Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1120.134
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1091.100

[USN-5362-1] Linux kernel (Intel IOTG) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5362-1
April 01, 2022

linux-intel-5.13 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-intel-5.13: Linux kernel for Intel IOTG

Details:

Nick Gregory discovered that the Linux kernel incorrectly handled network
offload functionality. A local attacker could use this to cause a denial of
service or possibly execute arbitrary code. (CVE-2022-25636)

Enrico Barberis, Pietro Frigo, Marius Muench, Herbert Bos, and Cristiano
Giuffrida discovered that hardware mitigations added by ARM to their
processors to address Spectre-BTI were insufficient. A local attacker could
potentially use this to expose sensitive information. (CVE-2022-23960)

It was discovered that the BPF verifier in the Linux kernel did not
properly restrict pointer types in certain situations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-23222)

Max Kellermann discovered that the Linux kernel incorrectly handled Unix
pipes. A local attacker could potentially use this to modify any file that
could be opened for reading. (CVE-2022-0847)

Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the
Linux kernel did not properly restrict access to the cgroups v1
release_agent feature. A local attacker could use this to gain
administrative privileges. (CVE-2022-0492)

William Liu and Jamie Hill-Daniel discovered that the file system context
functionality in the Linux kernel contained an integer underflow
vulnerability, leading to an out-of-bounds write. A local attacker could
use this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2022-0185)

Enrico Barberis, Pietro Frigo, Marius Muench, Herbert Bos, and Cristiano
Giuffrida discovered that hardware mitigations added by Intel to their
processors to address Spectre-BTI were insufficient. A local attacker could
potentially use this to expose sensitive information. (CVE-2022-0001)

Jann Horn discovered a race condition in the Unix domain socket
implementation in the Linux kernel that could result in a read-after-free.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2021-4083)

It was discovered that the NFS server implementation in the Linux kernel
contained an out-of-bounds write vulnerability. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2021-4090)

Kirill Tkhai discovered that the XFS file system implementation in the
Linux kernel did not calculate size correctly when pre-allocating space in
some situations. A local attacker could use this to expose sensitive
information. (CVE-2021-4155)

It was discovered that the AMD Radeon GPU driver in the Linux kernel did
not properly validate writes in the debugfs file system. A privileged
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2021-42327)

Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in
the Linux kernel did not perform a GPU TLB flush in some situations. A
local attacker could use this to cause a denial of service or possibly
execute arbitrary code. (CVE-2022-0330)

Samuel Page discovered that the Transparent Inter-Process Communication
(TIPC) protocol implementation in the Linux kernel contained a stack-based
buffer overflow. A remote attacker could use this to cause a denial of
service (system crash) for systems that have a TIPC bearer configured.
(CVE-2022-0435)

It was discovered that the KVM implementation for s390 systems in the Linux
kernel did not properly prevent memory operations on PVM guests that were
in non-protected mode. A local attacker could use this to obtain
unauthorized memory write access. (CVE-2022-0516)

It was discovered that the ICMPv6 implementation in the Linux kernel did
not properly deallocate memory in certain situations. A remote attacker
could possibly use this to cause a denial of service (memory exhaustion).
(CVE-2022-0742)

It was discovered that the VMware Virtual GPU driver in the Linux kernel
did not properly handle certain failure conditions, leading to a stale
entry in the file descriptor table. A local attacker could use this to
expose sensitive information or possibly gain administrative privileges.
(CVE-2022-22942)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.13.0-1010-intel 5.13.0-1010.10
linux-image-intel 5.13.0.1010.11

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5362-1
CVE-2021-4083, CVE-2021-4090, CVE-2021-4155, CVE-2021-42327,
CVE-2022-0001, CVE-2022-0185, CVE-2022-0330, CVE-2022-0435,
CVE-2022-0492, CVE-2022-0516, CVE-2022-0742, CVE-2022-0847,
CVE-2022-22942, CVE-2022-23222, CVE-2022-23960, CVE-2022-25636

Package Information:
https://launchpad.net/ubuntu/+source/linux-intel-5.13/5.13.0-1010.10

[USN-5361-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5361-1
April 01, 2022

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

It was discovered that the VFIO PCI driver in the Linux kernel did not
properly handle attempts to access disabled memory spaces. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2020-12888)

Mathy Vanhoef discovered that the Linux kernel's WiFi implementation did
not properly verify certain fragmented frames. A physically proximate
attacker could possibly use this issue to inject or decrypt packets.
(CVE-2020-26141)

Mathy Vanhoef discovered that the Linux kernel's WiFi implementation
accepted plaintext fragments in certain situations. A physically proximate
attacker could use this issue to inject packets. (CVE-2020-26145)

It was discovered that a race condition existed in the Atheros Ath9k WiFi
driver in the Linux kernel. An attacker could possibly use this to expose
sensitive information (WiFi network traffic). (CVE-2020-3702)

It was discovered a race condition existed in the Unix domain socket
implementation in the Linux kernel, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-0920)

It was discovered that the IPv6 implementation in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2021-0935)

Zygo Blaxell discovered that the btrfs file system implementation in the
Linux kernel contained a race condition during certain cloning operations.
A local attacker could possibly use this to cause a denial of service
(system crash). (CVE-2021-28964)

Dan Carpenter discovered that the block device manager (dm) implementation
in the Linux kernel contained a buffer overflow in the ioctl for listing
devices. A privileged local attacker could use this to cause a denial of
service (system crash). (CVE-2021-31916)

It was discovered that the Option USB High Speed Mobile device driver in
the Linux kernel did not properly handle error conditions. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2021-37159)

It was discovered that the network packet filtering implementation in the
Linux kernel did not properly initialize information in certain
circumstances. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2021-39636)

Jann Horn discovered a race condition in the Unix domain socket
implementation in the Linux kernel that could result in a read-after-free.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2021-4083)

Luo Likang discovered that the FireDTV Firewire driver in the Linux kernel
did not properly perform bounds checking in some situations. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2021-42739)

Brendan Dolan-Gavitt discovered that the Marvell WiFi-Ex USB device driver
in the Linux kernel did not properly handle some error conditions. A
physically proximate attacker could use this to cause a denial of service
(system crash). (CVE-2021-43976)

Amit Klein discovered that the IPv4 implementation in the Linux kernel
could disclose internal state in some situations. An attacker could
possibly use this to expose sensitive information. (CVE-2021-45486)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
linux-image-4.4.0-1104-kvm 4.4.0-1104.113
linux-image-4.4.0-1139-aws 4.4.0-1139.153
linux-image-4.4.0-223-generic 4.4.0-223.256
linux-image-4.4.0-223-lowlatency 4.4.0-223.256
linux-image-aws 4.4.0.1139.144
linux-image-generic 4.4.0.223.230
linux-image-kvm 4.4.0.1104.102
linux-image-lowlatency 4.4.0.223.230
linux-image-virtual 4.4.0.223.230

Ubuntu 14.04 ESM:
linux-image-4.4.0-1103-aws 4.4.0-1103.108
linux-image-4.4.0-223-generic 4.4.0-223.256~14.04.1
linux-image-4.4.0-223-lowlatency 4.4.0-223.256~14.04.1
linux-image-aws 4.4.0.1103.101
linux-image-generic-lts-xenial 4.4.0.223.194
linux-image-lowlatency-lts-xenial 4.4.0.223.194
linux-image-virtual-lts-xenial 4.4.0.223.194

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5361-1
CVE-2020-12888, CVE-2020-26141, CVE-2020-26145, CVE-2020-3702,
CVE-2021-0920, CVE-2021-0935, CVE-2021-28964, CVE-2021-31916,
CVE-2021-37159, CVE-2021-39636, CVE-2021-4083, CVE-2021-42739,
CVE-2021-43976, CVE-2021-45486

[USN-5360-1] Tomcat vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5360-1
March 31, 2022

tomcat9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat9: Apache Tomcat 9 - Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly performed input verification.
A remote attacker could possibly use this issue to intercept sensitive
information. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)

It was discovered that Tomcat did not properly deserialize untrusted data.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-9484, CVE-2021-33037)

It was discovered that Tomcat did not properly validate the input length. An
attacker could possibly use this to trigger an infinite loop, resulting in a
denial of service. (CVE-2020-9494, CVE-2021-25329, CVE-2021-41079)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libtomcat9-embed-java 9.0.31-1ubuntu0.2
libtomcat9-java 9.0.31-1ubuntu0.2
tomcat9 9.0.31-1ubuntu0.2
tomcat9-common 9.0.31-1ubuntu0.2

Ubuntu 18.04 LTS:
libtomcat9-embed-java 9.0.16-3ubuntu0.18.04.2
libtomcat9-java 9.0.16-3ubuntu0.18.04.2
tomcat9 9.0.16-3ubuntu0.18.04.2
tomcat9-common 9.0.16-3ubuntu0.18.04.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5360-1
CVE-2020-13943, CVE-2020-17527, CVE-2020-9484, CVE-2020-9494,
CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037,
CVE-2021-41079, https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911

Package Information:
https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
https://launchpad.net/ubuntu/+source/tomcat9/9.0.16-3ubuntu0.18.04.2

Ubuntu 22.04 (Jammy Jellyfish) Final Beta released

The Ubuntu team is pleased to announce the Beta release of the Ubuntu
22.04 LTS Desktop, Server, and Cloud products.

22.04 LTS, codenamed "Jammy Jellyfish", continues Ubuntu's proud tradition
of integrating the latest and greatest open source technologies into a
high-quality, easy-to-use Linux distribution. The team has been hard at
work through this cycle, introducing new features and fixing bugs.

This Beta release includes images from not only the Ubuntu Desktop,
Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu
Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu flavours.

The Beta images are known to be reasonably free of showstopper image
build or installer bugs, while representing a very recent snapshot of
22.04 LTS that should be representative of the features intended to ship
with the final release expected on April 21st, 2022.

Ubuntu, Ubuntu Server, Cloud Images:
Jammy Beta includes updated versions of most of our core set of
packages, including a current 5.15 kernel, and much more.

To upgrade to Ubuntu 22.04 LTS Beta from Ubuntu 21.10 or Ubuntu 20.04
LTS, follow these instructions:

https://help.ubuntu.com/community/JammyUpgrades

The Ubuntu 22.04 LTS Beta images can be downloaded at:

http://releases.ubuntu.com/22.04/ (Ubuntu and Ubuntu Server on x86)

This Ubuntu Server image features the next generation Subiquity server
installer, bringing the comfortable live session and speedy install of
the Ubuntu Desktop to server users.

Additional images can be found at the following links:

http://cloud-images.ubuntu.com/daily/server/jammy/current/ (Cloud Images)
http://cdimage.ubuntu.com/releases/22.04/beta/ (Non-x86)
http://cdimage.ubuntu.com/netboot/22.04/ (Netboot)

As fixes will be included in new images between now and release, any
daily cloud image from today or later (i.e. a serial of 20220331 or
higher) should be considered a Beta image. Bugs found should be filed
against the appropriate packages or, failing that, the cloud-images
project in Launchpad.

The full release notes for Ubuntu 22.04 LTS Beta can be found at:

https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

Kubuntu:
Kubuntu is the KDE based flavour of Ubuntu. It uses the Plasma desktop
and includes a wide selection of tools from the KDE project.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/kubuntu/releases/22.04/beta/

Lubuntu:
Lubuntu is a flavor of Ubuntu which uses the Lightweight Qt Desktop
Environment (LXQt). The project's goal is to provide a lightweight
yet functional Linux distribution based on a rock-solid Ubuntu base.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/lubuntu/releases/22.04/beta/

Ubuntu Budgie:
Ubuntu Budgie is a community developed desktop, integrating Budgie
Desktop Environment with Ubuntu at its core.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-budgie/releases/22.04/beta/

UbuntuKylin:
UbuntuKylin is a flavor of Ubuntu that is more suitable for Chinese
users.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntukylin/releases/22.04/beta/

Ubuntu MATE:
Ubuntu MATE is a flavor of Ubuntu featuring the MATE desktop
environment.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-mate/releases/22.04/beta/

Ubuntu Studio:
Ubuntu Studio is a flavor of Ubuntu that provides a full range of
multimedia content creation applications for each key workflow: audio,
graphics, video, photography and publishing.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntustudio/releases/22.04/beta/

Xubuntu:
Xubuntu is a flavor of Ubuntu that comes with Xfce, which is a stable,
light and configurable desktop environment.

The Beta images can be downloaded at:
http://cdimage.ubuntu.com/xubuntu/releases/22.04/beta/

Regular daily images for Ubuntu, and all flavours, can be found at:
http://cdimage.ubuntu.com

Ubuntu is a full-featured Linux distribution for clients, servers and
clouds, with a fast and easy installation and regular releases. A
tightly-integrated selection of excellent applications is included, and
an incredible variety of add-on software is just a few clicks away.

Professional technical support is available from Canonical Limited and
hundreds of other companies around the world. For more information
about support, visit https://ubuntu.com/support

If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:
https://ubuntu.com/community/participate

Your comments, bug reports, patches and suggestions really help us to
improve this and future releases of Ubuntu. Instructions can be found
at: https://help.ubuntu.com/community/ReportingBugs

You can find out more about Ubuntu and about this Beta release on our
website and wiki.

To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

On behalf of the Ubuntu Release Team,

Łukasz 'sil2100' Zemczak

--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

[USN-5359-1] rsync vulnerability

==========================================================================
Ubuntu Security Notice USN-5359-1
March 31, 2022

rsync vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

rsync could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- rsync: fast, versatile, remote (and local) file-copying tool

Details:

Danilo Ramos discovered that rsync incorrectly handled memory when
performing certain zlib deflating operations. An attacker could use this
issue to cause rsync to crash, resulting in a denial of service, or
possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
rsync 3.1.3-8ubuntu0.3

Ubuntu 18.04 LTS:
rsync 3.1.2-2.1ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5359-1
CVE-2018-25032

Package Information:
https://launchpad.net/ubuntu/+source/rsync/3.1.3-8ubuntu0.3
https://launchpad.net/ubuntu/+source/rsync/3.1.2-2.1ubuntu1.4

[USN-5356-1] DOSBox vulnerabilities

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsDNBGIl7V0BDAC+6Rrs/dA9eDfxCA5DutvqKqSxwodFEgiMxDLnR0OSrwlYgTFh
X+OChdT+L0AyBJsjfsrWByRCm/Eky6JE9QtnmDpusvrYwXmVm/Whe/0W+qJ6rzzU
sL0GkZoOUt2JhTdYcJ1o2A+J3RgXUuXUENMrpFhUwwpu7YOaMgCrno64C4wBgK55
KDUCd6i5bM26P4csLNjRO4+qJj4m3Hve/iJgpb510XI3aS4azY/Rm+iXGrlGMi9T
PGEDcsjoO3zT7v3l0EA5SEhpbXBHOGy94vRcMBYuUZqhwfa8Mi/h1uTtTHmT/+1f
7eWoO0tPssex6mWIodZo1epKIfjhbW63C571XIB0ZIuqfChj4k5dgthUqeJXpRDl
v3l2wd5HYzbGu3Ie37PodIeocnTa2C/o6PvN+wA4+BYWgZXCdCA5TqVrM+HCwzmF
Guc6ALYNklgpxas/4ZP6tcQxMgU8oBQ1+3Ufef46iP/jo9CvFRQ5JystLhHLfVpm
BgcILk2rYwwWjE0AEQEAAc1ARGF2aWQgRmVybmFuZGV6IEdvbnphbGV6IDxkYXZp
ZC5mZXJuYW5kZXpnb256YWxlekBjYW5vbmljYWwuY29tPsLBFAQTAQoAPhYhBIhm
zS6qttOZ5NIT3RltQSE48z9kBQJiJe1dAhsDBQkDwmcABQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAAoJEBltQSE48z9kbG0MALnqt1PxxnNeDW11/d8nV66k/rweAfYT
TqzJ0ikuNDh94AdeuLCsOLfMk64d3KMyswD+i8CaFhkKv2kIlD/QzOku3PBUo4PP
+NxKWzCWYG3ZcGApgdhr+y7G59ZvuKxO0xxzbRIQmcnAl1qr6PvHpaSQJ/w1eKMl
GTVX5PvZNxVvg3TZ6NQhX1n2gIeqCYo4C9e9aIYCk8w4Gu6NyMiUBuy0ybMkz9JL
X4wEeRc2aGuWtSAnOayqTyDpleVy0qCH7tufh1ZL0gNFN8UJptivtmVSjNh5nPwU
x+a42iTjU3uVUGZ/UdtTOpruXHAX0zporXYXNFzZUG82Um7mYB8ETx1EribDG7TC
ktYEA+XBkfZ6JhGeeKMsLt5GmcfXB/+EoKUZjSsx94kqFNAQe6X4Y/158tZ8Gt3J
k2Aj/VBZK7lSbFjIB/jdf6ydhwLRIXsAlVx8i2NYa3SxLZMfKaet8LA/y+GNZxnj
GCdRT9eEJOZ62VETYwd+pAPW5BamUv8kW87AzQRiJe1dAQwAp0ywqyunvK5Iwn7T
x+tzixODvTgwMc+uNrH3o6+Ra6+Bn+YLmuuOwiScRb+sSErXoDz/LgLF0oIB2ZIs
Be+FT0m/eUY3xLiGF8L9DvrRSmePyiiml9rrd1wduuhg6hQw6/ef08WayVEzFWCF
63sqQk18ZKatP3WnOhSd0OT5xOXcW2//NJwFni+cjfnYuUMpVNodCwFQJtEeYSZz
zxVEJd4AtfM/ynGznPyYIsybt+fUhDvVEI+neWflpLk9jrJ1XIAhObEWkmgH9KQ3
5VGN7aLVBkxdbz2yCM4Auz8+DnDyksxuvZ3wcsM/eyIPFoBLrh3xNLOrERNqjPR3
MSnEGkt3+dkiQ5LbcvOpittix8Ycc6qdYYL6Gfy4Lfr/VZUWeGrGsVc79C+aqQUe
1dJkqGMTk9CRNaGxUlSyQ5ylcyoNlLusPGO/3zPGBIY7fOlqTVR7LFmfyxHcoCmg
EqXxhooeJn2PmTOY6E2Ap5ViYr8akucmO6GPJxHXqgW7qNDdABEBAAHCwPwEGAEK
ACYWIQSIZs0uqrbTmeTSE90ZbUEhOPM/ZAUCYiXtXQIbDAUJA8JnAAAKCRAZbUEh
OPM/ZODXDACkYliQ7r5w5IbBniu2axcW5j3PGd+G9Cm90oirsd9v35qRxErYXwbP
b79gBTMxHGgw+4mIz3F2mzzynZ11joW+0Zr8Vgr3BKSNBS5hz9NfcwkdiubkGsoj
jhruNUFtQqBNyQIJh9CfECXq2puYY7H6lu13bBNb49TY6XzyvOni2A5WntQqN+Ap
/RkxkLIGnBwi4p06OYs9Atda8IrMv0zXxlzRNEqk1cniNsSyRWHruVvN6nhVuvwF
sNM6z7F48B8tTh3iKludMPVL5YgGQeVtN3rXOwPCq3f9Y6G67eJxs7HhQYtuj7Gn
c3porYgLw2xOh6BOa6dWby0/adS79+FdycEtlNRKlrLMneEL2Sk1zrKVd0uF96yX
VOS0nAHllLod67uFgjT85P2MZWN7dPD6jAhv9rOq9cgOCKB+ulACePOpoXDFzgND
w5FGDbZtHYnLrJWyyqnas4ms4pnmJsnHAyDBWYS8a6j82D7NSx/7MrH6bAFl18zK
7/zNmhJ06VU=
=JWgW
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================

Ubuntu Security Notice USN-5356-1
March 30, 2022

dosbox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in DOSBox.

Software Description:
- dosbox: An Open Source DOS emulator to run old DOS games.

Details:

Alexandre Bartel discovered that DOSBox incorrectly handled
long lines in certain files. An attacker could possibly use
this issue to execute arbitrary code. (CVE-2019-7165)

Alexandre Bartel discovered that DOSBox incorrectly performed
access control over certain directories. An attacker could
possibly use this issue to execute arbitrary code.
(CVE-2019-12594)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
dosbox 0.74-4.3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5356-1
CVE-2019-12594, CVE-2019-7165

Package Information:
https://launchpad.net/ubuntu/+source/dosbox/0.74-4.3ubuntu0.1

[USN-5358-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5358-1
March 31, 2022

linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4,
linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-hwe-5.13: Linux hardware enablement (HWE) kernel
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the network traffic control implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-1055)

It was discovered that the IPsec implementation in the Linux
kernel did not properly allocate enough memory when performing ESP
transformations, leading to a heap-based buffer overflow. A local
attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-27666)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
linux-image-5.13.0-1020-kvm 5.13.0-1020.21
linux-image-5.13.0-1021-aws 5.13.0-1021.23
linux-image-5.13.0-1023-gcp 5.13.0-1023.28
linux-image-5.13.0-1025-oracle 5.13.0-1025.30
linux-image-5.13.0-39-generic 5.13.0-39.44
linux-image-5.13.0-39-generic-64k 5.13.0-39.44
linux-image-5.13.0-39-generic-lpae 5.13.0-39.44
linux-image-5.13.0-39-lowlatency 5.13.0-39.44
linux-image-aws 5.13.0.1021.22
linux-image-gcp 5.13.0.1023.21
linux-image-generic 5.13.0.39.48
linux-image-generic-64k 5.13.0.39.48
linux-image-generic-lpae 5.13.0.39.48
linux-image-gke 5.13.0.1023.21
linux-image-kvm 5.13.0.1020.20
linux-image-lowlatency 5.13.0.39.48
linux-image-oem-20.04 5.13.0.39.48
linux-image-oracle 5.13.0.1025.25
linux-image-virtual 5.13.0.39.48

Ubuntu 20.04 LTS:
linux-image-5.13.0-39-generic 5.13.0-39.44~20.04.1
linux-image-5.13.0-39-generic-64k 5.13.0-39.44~20.04.1
linux-image-5.13.0-39-generic-lpae 5.13.0-39.44~20.04.1
linux-image-5.13.0-39-lowlatency 5.13.0-39.44~20.04.1
linux-image-5.4.0-1061-kvm 5.4.0-1061.64
linux-image-5.4.0-1069-oracle 5.4.0-1069.75
linux-image-5.4.0-107-generic 5.4.0-107.121
linux-image-5.4.0-107-generic-lpae 5.4.0-107.121
linux-image-5.4.0-107-lowlatency 5.4.0-107.121
linux-image-5.4.0-1071-aws 5.4.0-1071.76
linux-image-5.4.0-1074-azure 5.4.0-1074.77
linux-image-aws-lts-20.04 5.4.0.1071.73
linux-image-azure-lts-20.04 5.4.0.1074.72
linux-image-generic 5.4.0.107.111
linux-image-generic-64k-hwe-20.04 5.13.0.39.44~20.04.24
linux-image-generic-hwe-20.04 5.13.0.39.44~20.04.24
linux-image-generic-lpae 5.4.0.107.111
linux-image-generic-lpae-hwe-20.04 5.13.0.39.44~20.04.24
linux-image-kvm 5.4.0.1061.60
linux-image-lowlatency 5.4.0.107.111
linux-image-lowlatency-hwe-20.04 5.13.0.39.44~20.04.24
linux-image-oem 5.4.0.107.111
linux-image-oem-osp1 5.4.0.107.111
linux-image-oracle-lts-20.04 5.4.0.1069.69
linux-image-virtual 5.4.0.107.111
linux-image-virtual-hwe-20.04 5.13.0.39.44~20.04.24

Ubuntu 18.04 LTS:
linux-image-5.4.0-1069-oracle 5.4.0-1069.75~18.04.1
linux-image-5.4.0-107-generic 5.4.0-107.121~18.04.1
linux-image-5.4.0-107-generic-lpae 5.4.0-107.121~18.04.1
linux-image-5.4.0-107-lowlatency 5.4.0-107.121~18.04.1
linux-image-generic-hwe-18.04 5.4.0.107.121~18.04.92
linux-image-generic-lpae-hwe-18.04 5.4.0.107.121~18.04.92
linux-image-lowlatency-hwe-18.04 5.4.0.107.121~18.04.92
linux-image-oem 5.4.0.107.121~18.04.92
linux-image-oem-osp1 5.4.0.107.121~18.04.92
linux-image-oracle 5.4.0.1069.75~18.04.48
linux-image-snapdragon-hwe-18.04 5.4.0.107.121~18.04.92
linux-image-virtual-hwe-18.04 5.4.0.107.121~18.04.92

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5358-1
CVE-2022-1055, CVE-2022-27666

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.13.0-39.44
https://launchpad.net/ubuntu/+source/linux-aws/5.13.0-1021.23
https://launchpad.net/ubuntu/+source/linux-gcp/5.13.0-1023.28
https://launchpad.net/ubuntu/+source/linux-kvm/5.13.0-1020.21
https://launchpad.net/ubuntu/+source/linux-oracle/5.13.0-1025.30
https://launchpad.net/ubuntu/+source/linux/5.4.0-107.121
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1071.76
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1074.77
https://launchpad.net/ubuntu/+source/linux-hwe-5.13/5.13.0-39.44~20.04.1
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1061.64
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1069.75
https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-107.121~18.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1069.75~18.04.1

[USN-5357-1] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-5357-1
March 31, 2022

linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm,
linux-snapdragon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-dell300x: Linux kernel for Dell 300x platforms
- linux-kvm: Linux kernel for cloud environments
- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the IPsec implementation in the Linux
kernel did not properly allocate enough memory when performing ESP
transformations, leading to a heap-based buffer overflow. A local
attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1040-dell300x 4.15.0-1040.45
linux-image-4.15.0-1112-kvm 4.15.0-1112.115
linux-image-4.15.0-1125-snapdragon 4.15.0-1125.134
linux-image-4.15.0-1126-aws 4.15.0-1126.135
linux-image-4.15.0-1136-azure 4.15.0-1136.149
linux-image-4.15.0-175-generic 4.15.0-175.184
linux-image-4.15.0-175-generic-lpae 4.15.0-175.184
linux-image-4.15.0-175-lowlatency 4.15.0-175.184
linux-image-aws-lts-18.04 4.15.0.1126.129
linux-image-azure-lts-18.04 4.15.0.1136.109
linux-image-dell300x 4.15.0.1040.42
linux-image-generic 4.15.0.175.164
linux-image-generic-lpae 4.15.0.175.164
linux-image-kvm 4.15.0.1112.108
linux-image-lowlatency 4.15.0.175.164
linux-image-snapdragon 4.15.0.1125.128
linux-image-virtual 4.15.0.175.164

Ubuntu 16.04 ESM:
linux-image-4.15.0-175-generic 4.15.0-175.184~16.04.1
linux-image-4.15.0-175-lowlatency 4.15.0-175.184~16.04.1
linux-image-generic-hwe-16.04 4.15.0.175.167
linux-image-lowlatency-hwe-16.04 4.15.0.175.167
linux-image-oem 4.15.0.175.167
linux-image-virtual-hwe-16.04 4.15.0.175.167

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5357-1
CVE-2022-27666

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-175.184
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1126.135
https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1136.149
https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1040.45
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1112.115
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1125.134

[USN-5355-2] zlib vulnerability

==========================================================================
Ubuntu Security Notice USN-5355-2
March 30, 2022

zlib vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

zlib could be made to crash or run programs if it received specially
crafted input.

Software Description:
- zlib: compression library - 32 bit runtime

Details:

USN-5355-1 fixed a vulnerability in zlib. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Danilo Ramos discovered that zlib incorrectly handled memory when
performing certain deflating operations. An attacker could use this issue
to cause zlib to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
lib32z1 1:1.2.8.dfsg-2ubuntu4.3+esm1
lib64z1 1:1.2.8.dfsg-2ubuntu4.3+esm1
libx32z1 1:1.2.8.dfsg-2ubuntu4.3+esm1
zlib1g 1:1.2.8.dfsg-2ubuntu4.3+esm1

Ubuntu 14.04 ESM:
lib32z1 1:1.2.8.dfsg-1ubuntu1.1+esm1
lib64z1 1:1.2.8.dfsg-1ubuntu1.1+esm1
libx32z1 1:1.2.8.dfsg-1ubuntu1.1+esm1
zlib1g 1:1.2.8.dfsg-1ubuntu1.1+esm1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5355-1
CVE-2018-25032

胡矩昊

代開报销做账普瞟笳wx：yckj111999      开漂

 

2022-03-31

 

 

[USN-5355-1] zlib vulnerability

==========================================================================
Ubuntu Security Notice USN-5355-1
March 30, 2022

zlib vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

zlib could be made to crash or run programs if it received specially
crafted input.

Software Description:
- zlib: Lossless data-compression library

Details:

Danilo Ramos discovered that zlib incorrectly handled memory when
performing certain deflating operations. An attacker could use this issue
to cause zlib to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
lib32z1 1:1.2.11.dfsg-2ubuntu7.1
lib64z1 1:1.2.11.dfsg-2ubuntu7.1
libx32z1 1:1.2.11.dfsg-2ubuntu7.1
zlib1g 1:1.2.11.dfsg-2ubuntu7.1

Ubuntu 20.04 LTS:
lib32z1 1:1.2.11.dfsg-2ubuntu1.3
lib64z1 1:1.2.11.dfsg-2ubuntu1.3
libx32z1 1:1.2.11.dfsg-2ubuntu1.3
zlib1g 1:1.2.11.dfsg-2ubuntu1.3

Ubuntu 18.04 LTS:
lib32z1 1:1.2.11.dfsg-0ubuntu2.1
lib64z1 1:1.2.11.dfsg-0ubuntu2.1
libx32z1 1:1.2.11.dfsg-0ubuntu2.1
zlib1g 1:1.2.11.dfsg-0ubuntu2.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5355-1
CVE-2018-25032

Package Information:
https://launchpad.net/ubuntu/+source/zlib/1:1.2.11.dfsg-2ubuntu7.1
https://launchpad.net/ubuntu/+source/zlib/1:1.2.11.dfsg-2ubuntu1.3
https://launchpad.net/ubuntu/+source/zlib/1:1.2.11.dfsg-0ubuntu2.1

[USN-5354-1] Twisted vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5354-1
March 30, 2022

twisted vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Twisted.

Software Description:
- twisted: Event-based framework for internet applications

Details:

It was discovered that Twisted incorrectly filtered HTTP headers when
clients are being redirected to another origin. A remote attacker could
use this issue to obtain sensitive information. (CVE-2022-21712)

It was discovered that Twisted incorrectly processed SSH handshake data
on connection establishments. A remote attacker could use this issue to
cause Twisted to crash, resulting in a denial of service. (CVE-2022-21716)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
python3-twisted 20.3.0-7ubuntu1.1
python3-twisted-bin 20.3.0-7ubuntu1.1

Ubuntu 20.04 LTS:
python3-twisted 18.9.0-11ubuntu0.20.04.2
python3-twisted-bin 18.9.0-11ubuntu0.20.04.2

Ubuntu 18.04 LTS:
python-twisted 17.9.0-2ubuntu0.3
python-twisted-bin 17.9.0-2ubuntu0.3
python3-twisted 17.9.0-2ubuntu0.3
python3-twisted-bin 17.9.0-2ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5354-1
CVE-2022-21712, CVE-2022-21716

Package Information:
https://launchpad.net/ubuntu/+source/twisted/20.3.0-7ubuntu1.1
https://launchpad.net/ubuntu/+source/twisted/18.9.0-11ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/twisted/17.9.0-2ubuntu0.3

[USN-5351-2] Paramiko vulnerability

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsDNBGIl7V0BDAC+6Rrs/dA9eDfxCA5DutvqKqSxwodFEgiMxDLnR0OSrwlYgTFh
X+OChdT+L0AyBJsjfsrWByRCm/Eky6JE9QtnmDpusvrYwXmVm/Whe/0W+qJ6rzzU
sL0GkZoOUt2JhTdYcJ1o2A+J3RgXUuXUENMrpFhUwwpu7YOaMgCrno64C4wBgK55
KDUCd6i5bM26P4csLNjRO4+qJj4m3Hve/iJgpb510XI3aS4azY/Rm+iXGrlGMi9T
PGEDcsjoO3zT7v3l0EA5SEhpbXBHOGy94vRcMBYuUZqhwfa8Mi/h1uTtTHmT/+1f
7eWoO0tPssex6mWIodZo1epKIfjhbW63C571XIB0ZIuqfChj4k5dgthUqeJXpRDl
v3l2wd5HYzbGu3Ie37PodIeocnTa2C/o6PvN+wA4+BYWgZXCdCA5TqVrM+HCwzmF
Guc6ALYNklgpxas/4ZP6tcQxMgU8oBQ1+3Ufef46iP/jo9CvFRQ5JystLhHLfVpm
BgcILk2rYwwWjE0AEQEAAc1ARGF2aWQgRmVybmFuZGV6IEdvbnphbGV6IDxkYXZp
ZC5mZXJuYW5kZXpnb256YWxlekBjYW5vbmljYWwuY29tPsLBFAQTAQoAPhYhBIhm
zS6qttOZ5NIT3RltQSE48z9kBQJiJe1dAhsDBQkDwmcABQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAAoJEBltQSE48z9kbG0MALnqt1PxxnNeDW11/d8nV66k/rweAfYT
TqzJ0ikuNDh94AdeuLCsOLfMk64d3KMyswD+i8CaFhkKv2kIlD/QzOku3PBUo4PP
+NxKWzCWYG3ZcGApgdhr+y7G59ZvuKxO0xxzbRIQmcnAl1qr6PvHpaSQJ/w1eKMl
GTVX5PvZNxVvg3TZ6NQhX1n2gIeqCYo4C9e9aIYCk8w4Gu6NyMiUBuy0ybMkz9JL
X4wEeRc2aGuWtSAnOayqTyDpleVy0qCH7tufh1ZL0gNFN8UJptivtmVSjNh5nPwU
x+a42iTjU3uVUGZ/UdtTOpruXHAX0zporXYXNFzZUG82Um7mYB8ETx1EribDG7TC
ktYEA+XBkfZ6JhGeeKMsLt5GmcfXB/+EoKUZjSsx94kqFNAQe6X4Y/158tZ8Gt3J
k2Aj/VBZK7lSbFjIB/jdf6ydhwLRIXsAlVx8i2NYa3SxLZMfKaet8LA/y+GNZxnj
GCdRT9eEJOZ62VETYwd+pAPW5BamUv8kW87AzQRiJe1dAQwAp0ywqyunvK5Iwn7T
x+tzixODvTgwMc+uNrH3o6+Ra6+Bn+YLmuuOwiScRb+sSErXoDz/LgLF0oIB2ZIs
Be+FT0m/eUY3xLiGF8L9DvrRSmePyiiml9rrd1wduuhg6hQw6/ef08WayVEzFWCF
63sqQk18ZKatP3WnOhSd0OT5xOXcW2//NJwFni+cjfnYuUMpVNodCwFQJtEeYSZz
zxVEJd4AtfM/ynGznPyYIsybt+fUhDvVEI+neWflpLk9jrJ1XIAhObEWkmgH9KQ3
5VGN7aLVBkxdbz2yCM4Auz8+DnDyksxuvZ3wcsM/eyIPFoBLrh3xNLOrERNqjPR3
MSnEGkt3+dkiQ5LbcvOpittix8Ycc6qdYYL6Gfy4Lfr/VZUWeGrGsVc79C+aqQUe
1dJkqGMTk9CRNaGxUlSyQ5ylcyoNlLusPGO/3zPGBIY7fOlqTVR7LFmfyxHcoCmg
EqXxhooeJn2PmTOY6E2Ap5ViYr8akucmO6GPJxHXqgW7qNDdABEBAAHCwPwEGAEK
ACYWIQSIZs0uqrbTmeTSE90ZbUEhOPM/ZAUCYiXtXQIbDAUJA8JnAAAKCRAZbUEh
OPM/ZODXDACkYliQ7r5w5IbBniu2axcW5j3PGd+G9Cm90oirsd9v35qRxErYXwbP
b79gBTMxHGgw+4mIz3F2mzzynZ11joW+0Zr8Vgr3BKSNBS5hz9NfcwkdiubkGsoj
jhruNUFtQqBNyQIJh9CfECXq2puYY7H6lu13bBNb49TY6XzyvOni2A5WntQqN+Ap
/RkxkLIGnBwi4p06OYs9Atda8IrMv0zXxlzRNEqk1cniNsSyRWHruVvN6nhVuvwF
sNM6z7F48B8tTh3iKludMPVL5YgGQeVtN3rXOwPCq3f9Y6G67eJxs7HhQYtuj7Gn
c3porYgLw2xOh6BOa6dWby0/adS79+FdycEtlNRKlrLMneEL2Sk1zrKVd0uF96yX
VOS0nAHllLod67uFgjT85P2MZWN7dPD6jAhv9rOq9cgOCKB+ulACePOpoXDFzgND
w5FGDbZtHYnLrJWyyqnas4ms4pnmJsnHAyDBWYS8a6j82D7NSx/7MrH6bAFl18zK
7/zNmhJ06VU=
=JWgW
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-5351-2
March 30, 2022

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Paramiko would allow unintended access to private key files.

Software Description:
- paramiko: Python SSH2 library

Details:

USN-5351-1 fixed a vulnerability in Paramiko. This update provides
the corresponding update for Ubuntu 16.04 ESM.

Original advisory details:

Jan Schejbal discovered that Paramiko incorrectly handled permissions when
writing private key files. A local attacker could possibly use this issue
to gain access to private keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
paramiko-doc 1.16.0-1ubuntu0.2+esm2
python-paramiko 1.16.0-1ubuntu0.2+esm2
python3-paramiko 1.16.0-1ubuntu0.2+esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5351-2
https://ubuntu.com/security/notices/USN-5351-1
CVE-2022-24302

[CentOS-announce] CESA-2022:1069 Important CentOS 7 expat Security Update

CentOS Errata and Security Advisory 2022:1069 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2022:1069

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
c653aaa3759f6c65e6ccf1dafa36096bf4821f315dbf756943730947258100ef expat-2.1.0-14.el7_9.i686.rpm
b0179562abc1ff5d40c03661749ce4f7f4c7d58c428cecfc4a3711bfa98e6ec6 expat-2.1.0-14.el7_9.x86_64.rpm
f4c0956c54c55adea5769904bb460f6ab64b017d31e9a73f0a047345be6dd6af expat-devel-2.1.0-14.el7_9.i686.rpm
301d479dffc9084746269cad6d9be379a3c01fafa139c9203aa5c98ca7e9d79e expat-devel-2.1.0-14.el7_9.x86_64.rpm
a962654ff0fe134fdd88392c47a711e94bc84e08e27d0a7cb7d28e9150d2999a expat-static-2.1.0-14.el7_9.i686.rpm
46c46ba8573d8f101c53fe10179a66e853ec151d66f5dfb686fb60c5e75aa610 expat-static-2.1.0-14.el7_9.x86_64.rpm

Source:
6c86a22138aaddd33328f353b445995e9a67f824e4cb25423b1e07b325142366 expat-2.1.0-14.el7_9.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[USN-5350-1] Chromium vulnerability

==========================================================================
Ubuntu Security Notice USN-5350-1
March 28, 2022

chromium-browser vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Chromium could be made to execute arbitrary code if it received a specially
crafted input.

Software Description:
- chromium-browser: Chromium web browser, open-source version of Chrome

Details:

It was discovered that Chromium incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
chromium-browser 99.0.4844.84-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://ubuntu.com/security/notices/USN-5350-1
CVE-2022-1096

Package Information:
https://launchpad.net/ubuntu/+source/chromium-browser/99.0.4844.84-0ubuntu0.18.04.1

F37 Change: Build Fedora IoT Artifacts with osbuild (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/IoTArtifactsWithOSBuild


== Summary ==
Build the key Fedora IoT artifacts such as the raw images and the
traditional anaconda installer with osbuild.

== Owner ==
* Name: [[User:pwhalen| Paul Whalen]]
* Email: [mailto:pwhalen@redhat.com| pwhalen@redhat.com]
* Name: [[User:obudai| Ondřej Budai]]
* Email: [mailto:obudai@redhat.com| ondrej@budai.cz]
* Name: [[User:pbrobinson| Peter Robinson]]
* Email: [mailto:pbrobinson@fedoraproject.org| pbrobinson@fedoraproject.org]


== Detailed Description ==

The intention for Fedora IoT was to always use osbuild for building
release artifacts but it wasn't initially ready to do that. With the
work being done as part of "RHEL for Edge" the Fedora IoT deliverables
now sadly trail behind the features and functionality of the
downstream. This will move all existing deliverable artifacts over to
being created with osbuild which will allow us to bring Fedora IoT
back to being the true upstream for RHEL for Edge and allow us to use
the leading edge that is Fedora to continue to innovate in the Edge
and IoT space.

== Benefit to Fedora ==

The benefit to Fedora is to allow the IoT Edition to go back to being
the true upstream for RHEL for Edge and for Fedora to be where all the
cool new innovation on the edge is being done.

== Scope ==
* Proposal owners:
** Test building IoT artifacts with osbuild to ensure they're
consistent with the existing ones
** Update to Fedora IoT profiles in osbuild
** Update to pungi configs to move over the artefact creation

* Other developers:
** No impact

* Release engineering: [https://pagure.io/releng/issue/10722 #10722]
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
There is no upgrade impact. Existing IoT users will upgrade as before
as only new release artifacts will use the new mechanism. The
deployment of the artifacts should not initially change with them
being created with osbuild. There may well be new enhancements in the
future but those are out of scope of this change.

== How To Test ==

* All Fedora IoT artifacts should be consumable and testable as before.

== User Experience ==

There should be no IoT users, there is no impact to non IoT Edition users.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==

* Contingency mechanism: Roll back to the current means of generating images.
* Contingency deadline: Beta
* Blocks release? No.
* Blocks product? No.

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
N/A


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[CentOS-announce] CESA-2022:0850 Important CentOS 7 thunderbird Security Update

CentOS Errata and Security Advisory 2022:0850 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2022:0850

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
d75ace9160c666f8c11b19909fd788117c9134c9ec1c12c636f6a45ee642ed18 thunderbird-91.7.0-2.el7.centos.x86_64.rpm

Source:
f12b857c03422ca4fd610898acf959c554126e0038b0cff81d2fd9466b1532bd thunderbird-91.7.0-2.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Fedora 36 Beta Release Announcement

Fedora Linux 36 Beta Released
------------------------------------------
 
The Fedora Project is pleased to announce the immediate availability
of Fedora 36 Beta, the next step towards our planned Fedora 36 release
at the end of April.
 
Download the prerelease from our Get Fedora site:
* Get Fedora 36 Beta Workstation: https://getfedora.org/workstation/download/
* Get Fedora 36 Beta Server: https://getfedora.org/server/download/
* Get Fedora 36 IoT: https://getfedora.org/iot/download/
 
Or, check out one of our popular variants, including KDE Plasma, Xfce,
and other desktop environments, as well as images for ARM devices:
 
* Get Fedora 36 Beta Spins: https://spins.fedoraproject.org/prerelease
* Get Fedora 36 Beta Labs: https://labs.fedoraproject.org/prerelease
* Get Fedora 36 Beta ARM: https://arm.fedoraproject.org/prerelease
 
## Beta Release Highlights
 
* Fedora 36 Workstation Beta includes GNOME 42
* Update of programming languages and libraries: LXQt 1.0, Golang 1.18, Ruby 3.1
 
For more details about the release, read the full announcement at
 
* https://fedoramagazine.org/announcing-fedora-36-beta/
 
or look for the prerelease pages in the download sections at
 
* https://getfedora.org/
 
Since this is a Beta release, we expect that you may encounter bugs or
missing features. To report issues encountered during testing, contact
the Fedora QA team via the test@lists.fedoraproject.org mailing list or
in #fedora-qa on Libera Chat or the #qa:fedoraproject.org Matrix room.
 

Regards,

Tomas Hrcka

Fedora Release Engineering.

[CentOS-announce] CESA-2022:0824 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2022:0824 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2022:0824

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
078df219eb34b52cef5f93c17533da34f2eceaec30e85da8944716d38dfee196 firefox-91.7.0-3.el7.centos.i686.rpm
0b48a1dc6bd965ac5f800c44cf498da51c5fd0ec07bf16a07911d66f89932c4b firefox-91.7.0-3.el7.centos.x86_64.rpm

Source:
fe895a292e341716911619c187d5030176eda5d1c55869a61faf1cde01e442f1 firefox-91.7.0-3.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

F37 Change: Support FIDO Device Onboarding (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/FIDODeviceOnboarding

== Summary ==
Package and enable the
[https://fidoalliance.org/fido-alliance-creates-new-onboarding-standard-to-secure-internet-of-things-iot/
FIDO Device Onboarding] software stack for Zero Touch Onboarding on
Fedora IoT.

== Owner ==
* Name: [[User:pbrobinson| Peter Robinson]]
* Email: [mailto:pbrobinson@fedoraproject.org| pbrobinson@fedoraproject.org]
* Name: [[User:runcom| Antonio Murdaca]]
* Email: [mailto:amurdaca@redhat.com| amurdaca@redhat.com]


== Detailed Description ==

The ability for an IoT or Edge device to be plugged in and
automatically onboard itself with zero user interaction is critical to
be able to scale IoT/Edge to millions of devices. To do this in a
secure way with open standards across the industry is even more
critical. The FIDO IoT working group has worked with leaders in the
silicon industry such as Intel and Arm to produce the FIDO Device
onboarding spec which allows a device credential, a root and chain of
trust to ensure the secure onboarding of a device without the need of
stored credentials.

== Benefit to Fedora ==

The benefit to Fedora is to allow the IoT Edition to demonstrate the
use of leading edge open industry protocols for onboarding IoT and
Edge devices.

== Scope ==
* Proposal owners:
** Package the rust implementation of the FIDO device onboarding stack
including client, rendezvous service, owner onboarding service and
prototype manufacturing service.
** Enable the client service by default for IoT Edition
** Add the client service to the IoT Edition deliverables

* Other developers:
** No impact

* Release engineering: [https://pagure.io/releng/issue/10720 #10720]
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
There is no upgrade impact. FIDO FDO is a single use onboarding
protocol and will not impact existing IoT user systems.

== How To Test ==

* Test with FDO all-in-one services. Documentation will be available
for testing.

== User Experience ==

No impact to non IoT Edition users.

The user experience for the IoT Edition is still evolving and this
will be updated as things fall into place later in Spring and early
Summer 2022.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==

* Contingency mechanism: Not shipping FDO as a package in Fedora or
including it in the IoT Edition
* Contingency deadline: GA
* Blocks release? No.
* Blocks product? No.

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
Fedora IoT Edition supports the FIDO Device Onboarding 1.1
specification for zero touch onboarding of IoT and Edge devices.


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[CentOS-announce] CESA-2022:1066 Important CentOS 7 openssl Security Update

CentOS Errata and Security Advisory 2022:1066 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2022:1066

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
03b9fa607eacb360a4f21fe9861d8a7d571cf120e781d9e0c5639af4c8923a17 openssl-1.0.2k-25.el7_9.src.rpm
04f581972286e776f852cf380fd0a4c05af1556c3d62f8ad579d87985ee0467c openssl-1.0.2k-25.el7_9.x86_64.rpm
08396cb866f024b0054c16918fe544406f737f7ddefcecbda04ad29ab9a27a15 openssl-devel-1.0.2k-25.el7_9.i686.rpm
5989f8701c6fe912d154675a3f7ad276f5dccc5afc8ccce28405408ee673c16c openssl-devel-1.0.2k-25.el7_9.x86_64.rpm
7a1256ee4fd271d588649f70d8aa4492d3967b0afd9d82a145275924442baae0 openssl-libs-1.0.2k-25.el7_9.i686.rpm
c01bfc1d06b6e8d39a0bb038993a565a42a4f152542fec05d266098c4206140f openssl-libs-1.0.2k-25.el7_9.x86_64.rpm
593df90370183706f3bc69451b1aa4c6cd88b0a4d1d3964bc1b8e621b3d67d97 openssl-perl-1.0.2k-25.el7_9.x86_64.rpm
d2bc75a69afc2e940e2a933c55941d7c4f269ade992c161c681b9cd72ff158a4 openssl-static-1.0.2k-25.el7_9.i686.rpm
1adcef07e0e83f4fc27809eacf51bdd1d75267095f0cf92832e1d636e04e477c openssl-static-1.0.2k-25.el7_9.x86_64.rpm




--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2022:1045 Important CentOS 7 httpd Security Update

CentOS Errata and Security Advisory 2022:1045 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2022:1045

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
35fc790f76f1d12e738a6b5cd1438085704844f9c267638a15f9cc080376b10d httpd-2.4.6-97.el7.centos.5.x86_64.rpm
57e3a74cb68c72426ee6a022b286950bbc4ac0c0a450be5d5e07d0a0ac91fcc0 httpd-devel-2.4.6-97.el7.centos.5.x86_64.rpm
a52b0985bc9791dee53f7a73f22051cc229824892249b53b748eaad81619a0bf httpd-manual-2.4.6-97.el7.centos.5.noarch.rpm
601f376aa7ef59f60e13ba11f0a9a7286b883a945173b5b829fe2e939b6b3d1e httpd-tools-2.4.6-97.el7.centos.5.x86_64.rpm
9bc8c09cfaaabcb254797b1579fccbbf5a7ac3febd8172c07ad6764c33c3270e mod_ldap-2.4.6-97.el7.centos.5.x86_64.rpm
d69a242a1a58b858cffa727cb8193e2ccaf358421e81076cf5c96b4a5082d5f9 mod_proxy_html-2.4.6-97.el7.centos.5.x86_64.rpm
1cd1ae8c0b9506f0a8066d9b0a935712889175386de9909062d20b0523e2876b mod_session-2.4.6-97.el7.centos.5.x86_64.rpm
e1558062e338ec19488115a645f60559e370f1ddbf06a4b6e522b9803ac21304 mod_ssl-2.4.6-97.el7.centos.5.x86_64.rpm

Source:
e7711bdac101195a87b7ceb1d05293aee71c10fdc9b7f662e593211c94448035 httpd-2.4.6-97.el7.centos.5.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CEBA-2022:1032 CentOS 7 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2022:1032

Upstream details at : https://access.redhat.com/errata/RHBA-2022:1032

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
ef535692955e3b9dc14a633b487f86ba36720866a39c354e86275b7f23d6adba tzdata-2022a-1.el7.noarch.rpm
69bfe28a120aa3364ed2beefdae50126ff4e6b20ea1caf0f1054904964676724 tzdata-java-2022a-1.el7.noarch.rpm

Source:
3f0438cb6e72b6f0d7005a2e2783c608cc8603a480718b38697ffdc675096223 tzdata-2022a-1.el7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[USN-5313-2] OpenJDK 11 regression

==========================================================================
Ubuntu Security Notice USN-5313-2
March 29, 2022

openjdk-lts regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-5313-1 introduced a regression in OpenJDK 11.

Software Description:
- openjdk-lts: Open Source Java implementation

Details:

USN-5313-1 fixed vulnerabilities and added features in OpenJDK.
Unfortunately, that update introduced a regression in OpenJDK 11 that
could impact interoperability with some popular HTTP/2 servers making
it unable to connect to said servers. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that OpenJDK incorrectly handled deserialization filters.
An attacker could possibly use this issue to insert, delete or obtain
sensitive information. (CVE-2022-21248)

It was discovered that OpenJDK incorrectly read uncompressed TIFF files.
An attacker could possibly use this issue to cause a denial of service via
a specially crafted TIFF file. (CVE-2022-21277)

Jonni Passki discovered that OpenJDK incorrectly verified access
restrictions when performing URI resolution. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2022-21282)

It was discovered that OpenJDK incorrectly handled certain regular
expressions in the Pattern class implementation. An attacker could
possibly use this issue to cause a denial of service. (CVE-2022-21283)

It was discovered that OpenJDK incorrectly handled specially crafted Java
class files. An attacker could possibly use this issue to cause a denial
of service. (CVE-2022-21291)

Markus Loewe discovered that OpenJDK incorrectly validated attributes
during object deserialization. An attacker could possibly use this issue
to cause a denial of service. (CVE-2022-21293, CVE-2022-21294)

Dan Rabe discovered that OpenJDK incorrectly verified access permissions
in the JAXP component. An attacker could possibly use this to specially
craft an XML file to obtain sensitive information. (CVE-2022-21296)

It was discovered that OpenJDK incorrectly handled XML entities. An
attacker could use this to specially craft an XML file that, when parsed,
would possibly cause a denial of service. (CVE-2022-21299)

Zhiqiang Zang discovered that OpenJDK incorrectly handled array indexes.
An attacker could possibly use this issue to obtain sensitive information.
(CVE-2022-21305)

It was discovered that OpenJDK incorrectly read very long attributes
values in JAR file manifests. An attacker could possibly use this to
specially craft JAR file to cause a denial of service. (CVE-2022-21340)

It was discovered that OpenJDK incorrectly validated input from serialized
streams. An attacker cold possibly use this issue to bypass sandbox
restrictions. (CVE-2022-21341)

Fabian Meumertzheim discovered that OpenJDK incorrectly handled certain
specially crafted BMP or TIFF files. An attacker could possibly use this
to cause a denial of service. (CVE-2022-21360, CVE-2022-21366)

It was discovered that an integer overflow could be triggered in OpenJDK
BMPImageReader class implementation. An attacker could possibly use this
to specially craft a BMP file to cause a denial of service.
(CVE-2022-21365)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
openjdk-11-jdk 11.0.14.1+1-0ubuntu1~21.10
openjdk-11-jdk-headless 11.0.14.1+1-0ubuntu1~21.10
openjdk-11-jre 11.0.14.1+1-0ubuntu1~21.10
openjdk-11-jre-headless 11.0.14.1+1-0ubuntu1~21.10
openjdk-11-jre-zero 11.0.14.1+1-0ubuntu1~21.10

Ubuntu 20.04 LTS:
openjdk-11-jdk 11.0.14.1+1-0ubuntu1~20.04
openjdk-11-jdk-headless 11.0.14.1+1-0ubuntu1~20.04
openjdk-11-jre 11.0.14.1+1-0ubuntu1~20.04
openjdk-11-jre-headless 11.0.14.1+1-0ubuntu1~20.04
openjdk-11-jre-zero 11.0.14.1+1-0ubuntu1~20.04

Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.14.1+1-0ubuntu1~18.04
openjdk-11-jdk-headless 11.0.14.1+1-0ubuntu1~18.04
openjdk-11-jre 11.0.14.1+1-0ubuntu1~18.04
openjdk-11-jre-headless 11.0.14.1+1-0ubuntu1~18.04
openjdk-11-jre-zero 11.0.14.1+1-0ubuntu1~18.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5313-2
https://ubuntu.com/security/notices/USN-5313-1
https://launchpad.net/bugs/1966338

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.14.1+1-0ubuntu1~21.10
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.14.1+1-0ubuntu1~20.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.14.1+1-0ubuntu1~18.04

[USN-5353-1] Linux kernel (OEM) vulnerability

==========================================================================
Ubuntu Security Notice USN-5353-1
March 28, 2022

linux-oem-5.14 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that the IPsec implementation in the Linux
kernel did not properly allocate enough memory when performing ESP
transformations, leading to a heap-based buffer overflow. A local
attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.14.0-1031-oem 5.14.0-1031.34
linux-image-oem-20.04 5.14.0.1031.28
linux-image-oem-20.04b 5.14.0.1031.28
linux-image-oem-20.04c 5.14.0.1031.28
linux-image-oem-20.04d 5.14.0.1031.28

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5353-1
CVE-2022-27666

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1031.34

Planned Outage - Updates / Reboots - 2022-03-31 21:00 UTC

Planned Outage - Updates / Reboots - 2022-03-31 21:00 UTC

There will be an outage starting at 2022-03-31 21:00 UTC
which will last approximately 4 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2022-03-31 21:00 UTC'

Reason for outage:

We will be updating all our instances and rebooting hardware nodes into new kernels.
This will catch us up on security updates before next weeks Fedora Linux 36 Final freeze.

Affected Services:

All services may experience slowdowns or short outages as servers are rebooted
and return to service. We will try and minimize disruptions, but users/maintainers
are advised to avoid activity in the outage window.

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/10613

Please join #fedora-admin or #fedora-noc on irc.libera.chat
or add comments to the ticket for this outage above.

[USN-5352-1] Libtasn1 vulnerability

==========================================================================
Ubuntu Security Notice USN-5352-1
March 28, 2022

libtasn1-6 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Libtasn1 could be made to crash if it opened a specially crafted
file.

Software Description:
- libtasn1-6: Library to manage ASN.1 structures

Details:

It was discovered that Libtasn1 incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
libtasn1-6 4.7-3ubuntu0.16.04.3+esm2
libtasn1-bin 4.7-3ubuntu0.16.04.3+esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5352-1
CVE-2018-1000654

[USN-5351-1] Paramiko vulnerability

==========================================================================
Ubuntu Security Notice USN-5351-1
March 28, 2022

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Paramiko would allow unintended access to private key files.

Software Description:
- paramiko: Python SSH2 library

Details:

Jan Schejbal discovered that Paramiko incorrectly handled permissions when
writing private key files. A local attacker could possibly use this issue
to gain access to private keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
python3-paramiko 2.7.2-1ubuntu1.1

Ubuntu 20.04 LTS:
python3-paramiko 2.6.0-2ubuntu0.1

Ubuntu 18.04 LTS:
python-paramiko 2.0.0-1ubuntu1.3
python3-paramiko 2.0.0-1ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5351-1
CVE-2022-24302

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.7.2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/paramiko/2.6.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/paramiko/2.0.0-1ubuntu1.3

[USN-5349-1] GNU binutils vulnerability

==========================================================================
Ubuntu Security Notice USN-5349-1
March 28, 2022

binutils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

GNU binutils could be made to crash if it opened a specially crafted
file.

Software Description:
- binutils: GNU assembler, linker and binary utilities

Details:

It was discovered that GNU binutils gold incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
binutils 2.26.1-1ubuntu1~16.04.8+esm4
binutils-multiarch 2.26.1-1ubuntu1~16.04.8+esm4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5349-1
CVE-2019-1010204

[USN-5348-1] Smarty vulnerabilities

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsDNBGIl7V0BDAC+6Rrs/dA9eDfxCA5DutvqKqSxwodFEgiMxDLnR0OSrwlYgTFh
X+OChdT+L0AyBJsjfsrWByRCm/Eky6JE9QtnmDpusvrYwXmVm/Whe/0W+qJ6rzzU
sL0GkZoOUt2JhTdYcJ1o2A+J3RgXUuXUENMrpFhUwwpu7YOaMgCrno64C4wBgK55
KDUCd6i5bM26P4csLNjRO4+qJj4m3Hve/iJgpb510XI3aS4azY/Rm+iXGrlGMi9T
PGEDcsjoO3zT7v3l0EA5SEhpbXBHOGy94vRcMBYuUZqhwfa8Mi/h1uTtTHmT/+1f
7eWoO0tPssex6mWIodZo1epKIfjhbW63C571XIB0ZIuqfChj4k5dgthUqeJXpRDl
v3l2wd5HYzbGu3Ie37PodIeocnTa2C/o6PvN+wA4+BYWgZXCdCA5TqVrM+HCwzmF
Guc6ALYNklgpxas/4ZP6tcQxMgU8oBQ1+3Ufef46iP/jo9CvFRQ5JystLhHLfVpm
BgcILk2rYwwWjE0AEQEAAc1ARGF2aWQgRmVybmFuZGV6IEdvbnphbGV6IDxkYXZp
ZC5mZXJuYW5kZXpnb256YWxlekBjYW5vbmljYWwuY29tPsLBFAQTAQoAPhYhBIhm
zS6qttOZ5NIT3RltQSE48z9kBQJiJe1dAhsDBQkDwmcABQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAAAoJEBltQSE48z9kbG0MALnqt1PxxnNeDW11/d8nV66k/rweAfYT
TqzJ0ikuNDh94AdeuLCsOLfMk64d3KMyswD+i8CaFhkKv2kIlD/QzOku3PBUo4PP
+NxKWzCWYG3ZcGApgdhr+y7G59ZvuKxO0xxzbRIQmcnAl1qr6PvHpaSQJ/w1eKMl
GTVX5PvZNxVvg3TZ6NQhX1n2gIeqCYo4C9e9aIYCk8w4Gu6NyMiUBuy0ybMkz9JL
X4wEeRc2aGuWtSAnOayqTyDpleVy0qCH7tufh1ZL0gNFN8UJptivtmVSjNh5nPwU
x+a42iTjU3uVUGZ/UdtTOpruXHAX0zporXYXNFzZUG82Um7mYB8ETx1EribDG7TC
ktYEA+XBkfZ6JhGeeKMsLt5GmcfXB/+EoKUZjSsx94kqFNAQe6X4Y/158tZ8Gt3J
k2Aj/VBZK7lSbFjIB/jdf6ydhwLRIXsAlVx8i2NYa3SxLZMfKaet8LA/y+GNZxnj
GCdRT9eEJOZ62VETYwd+pAPW5BamUv8kW87AzQRiJe1dAQwAp0ywqyunvK5Iwn7T
x+tzixODvTgwMc+uNrH3o6+Ra6+Bn+YLmuuOwiScRb+sSErXoDz/LgLF0oIB2ZIs
Be+FT0m/eUY3xLiGF8L9DvrRSmePyiiml9rrd1wduuhg6hQw6/ef08WayVEzFWCF
63sqQk18ZKatP3WnOhSd0OT5xOXcW2//NJwFni+cjfnYuUMpVNodCwFQJtEeYSZz
zxVEJd4AtfM/ynGznPyYIsybt+fUhDvVEI+neWflpLk9jrJ1XIAhObEWkmgH9KQ3
5VGN7aLVBkxdbz2yCM4Auz8+DnDyksxuvZ3wcsM/eyIPFoBLrh3xNLOrERNqjPR3
MSnEGkt3+dkiQ5LbcvOpittix8Ycc6qdYYL6Gfy4Lfr/VZUWeGrGsVc79C+aqQUe
1dJkqGMTk9CRNaGxUlSyQ5ylcyoNlLusPGO/3zPGBIY7fOlqTVR7LFmfyxHcoCmg
EqXxhooeJn2PmTOY6E2Ap5ViYr8akucmO6GPJxHXqgW7qNDdABEBAAHCwPwEGAEK
ACYWIQSIZs0uqrbTmeTSE90ZbUEhOPM/ZAUCYiXtXQIbDAUJA8JnAAAKCRAZbUEh
OPM/ZODXDACkYliQ7r5w5IbBniu2axcW5j3PGd+G9Cm90oirsd9v35qRxErYXwbP
b79gBTMxHGgw+4mIz3F2mzzynZ11joW+0Zr8Vgr3BKSNBS5hz9NfcwkdiubkGsoj
jhruNUFtQqBNyQIJh9CfECXq2puYY7H6lu13bBNb49TY6XzyvOni2A5WntQqN+Ap
/RkxkLIGnBwi4p06OYs9Atda8IrMv0zXxlzRNEqk1cniNsSyRWHruVvN6nhVuvwF
sNM6z7F48B8tTh3iKludMPVL5YgGQeVtN3rXOwPCq3f9Y6G67eJxs7HhQYtuj7Gn
c3porYgLw2xOh6BOa6dWby0/adS79+FdycEtlNRKlrLMneEL2Sk1zrKVd0uF96yX
VOS0nAHllLod67uFgjT85P2MZWN7dPD6jAhv9rOq9cgOCKB+ulACePOpoXDFzgND
w5FGDbZtHYnLrJWyyqnas4ms4pnmJsnHAyDBWYS8a6j82D7NSx/7MrH6bAFl18zK
7/zNmhJ06VU=
=JWgW
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-5348-1
March 28, 2022

smarty3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Smarty.

Software Description:
- smarty3: The compiling PHP template engine

Details:

David Gnedt and Thomas Konrad discovered that Smarty was incorrectly
sanitizing the paths present in the templates. An attacker could possibly
use this use to read arbitrary files when controlling the executed
template. (CVE-2018-13982)

It was discovered that Smarty was incorrectly sanitizing the paths
present in the templates. An attacker could possibly use this use to read
arbitrary files when controlling the executed template. (CVE-2018-16831)

It was discovered that Smarty was incorrectly validating security policy
data, allowing the execution of static classes even when not permitted by
the security settings. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2021-21408)

It was discovered that Smarty was incorrectly managing access control to
template objects, which allowed users to perform a sandbox escape. An
attacker could possibly use this issue to send specially crafted input to
applications that use Smarty and execute arbitrary code. (CVE-2021-26119)

It was discovered that Smarty was not checking for special characters
when setting function names during plugin compile operations. An attacker
could possibly use this issue to send specially crafted input to
applications that use Smarty and execute arbitrary code. (CVE-2021-26120)

It was discovered that Smarty was incorrectly sanitizing characters in
math strings processed by the math function. An attacker could possibly
use this issue to send specially crafted input to applications that use
Smarty and execute arbitrary code. (CVE-2021-29454)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
smarty3 3.1.39-2ubuntu0.21.10.1

Ubuntu 18.04 LTS:
smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5348-1
CVE-2018-13982, CVE-2018-16831, CVE-2021-21408, CVE-2021-26119,
CVE-2021-26120, CVE-2021-29454

Package Information:
https://launchpad.net/ubuntu/+source/smarty3/3.1.39-2ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/smarty3/3.1.31+20161214.1.c7d42e4+selfpack1-3ubuntu0.1