Friday, September 30, 2022
aarch64 builders upgrade
I thought I would let everyone know that I have moved all the buildvm-a64
instances from some older hardware (Lenovo eMAGs) to newer hardware
(Altra Mt. Snow). This should result in a noticeable speed increase
along with allowing us to increase density of VMs per host.
If you notice any issues with buildvm-a64 machines, please file an
infrastructure ticket: https://pagure.io/fedora-infrastructure
Thanks,
kevin
[USN-5650-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5650-1
September 30, 2022
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
It was discovered that the virtual terminal driver in the Linux kernel did
not properly handle VGA console font changes, leading to an out-of-bounds
write. A local attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2021-33656)
Christian Brauner discovered that the XFS file system implementation in the
Linux kernel did not properly handle setgid file creation. A local attacker
could use this to gain elevated privileges. (CVE-2021-4037)
It was discovered that the ext4 file system implementation in the Linux
kernel did not properly initialize memory in some situations. A privileged
local attacker could use this to expose sensitive information (kernel
memory). (CVE-2022-0850)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel during device detach operations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-1204)
Norbert Slusarek discovered that a race condition existed in the perf
subsystem in the Linux kernel, resulting in a use-after-free vulnerability.
A privileged local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-1729)
It was discovered that the Packet network protocol implementation in the
Linux kernel contained an out-of-bounds access. A remote attacker could use
this to expose sensitive information (kernel memory). (CVE-2022-20368)
It was discovered that the Open vSwitch implementation in the Linux kernel
contained an out of bounds write vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-2639)
Jann Horn discovered that the ASIX AX88179/178A USB Ethernet driver in the
Linux kernel contained multiple out-of-bounds vulnerabilities. A local
attacker with physical access could plug in a specially crafted USB device
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-2964)
Hao Sun and Jiacheng Xu discovered that the NILFS file system
implementation in the Linux kernel contained a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-2978)
Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in
the Linux kernel. A local attacker could use this to cause a denial of
service (system crash) or possibly expose sensitive information (kernel
memory). (CVE-2022-3028)
It was discovered that the Journaled File System (JFS) in the Linux kernel
contained a null pointer dereference in some situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2022-3202)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.4.0-1114-kvm 4.4.0-1114.124
linux-image-4.4.0-1151-aws 4.4.0-1151.166
linux-image-4.4.0-234-generic 4.4.0-234.268
linux-image-4.4.0-234-lowlatency 4.4.0-234.268
linux-image-aws 4.4.0.1151.155
linux-image-generic 4.4.0.234.240
linux-image-kvm 4.4.0.1114.111
linux-image-lowlatency 4.4.0.234.240
linux-image-virtual 4.4.0.234.240
Ubuntu 14.04 ESM:
linux-image-4.4.0-1113-aws 4.4.0-1113.119
linux-image-4.4.0-234-generic 4.4.0-234.268~14.04.1
linux-image-4.4.0-234-lowlatency 4.4.0-234.268~14.04.1
linux-image-aws 4.4.0.1113.110
linux-image-generic-lts-xenial 4.4.0.234.203
linux-image-lowlatency-lts-xenial 4.4.0.234.203
linux-image-virtual-lts-xenial 4.4.0.234.203
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5650-1
CVE-2021-33655, CVE-2021-33656, CVE-2021-4037, CVE-2022-0850,
CVE-2022-1199, CVE-2022-1204, CVE-2022-1729, CVE-2022-20368,
CVE-2022-2639, CVE-2022-2964, CVE-2022-2978, CVE-2022-3028,
CVE-2022-3202, CVE-2022-36946
[USN-5648-1] Linux kernel (GKE) vulnerabilities
Ubuntu Security Notice USN-5648-1
September 30, 2022
linux-gke-5.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)
Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)
Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)
Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.15.0-1016-gke 5.15.0-1016.19~20.04.1
linux-image-gke-5.15 5.15.0.1016.19~20.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5648-1
CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,
CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,
CVE-2022-34494, CVE-2022-34495, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1016.19~20.04.1
Thursday, September 29, 2022
Ubuntu 22.10 (Kinetic Kudu) Final Beta released
22.10 Desktop, Server, and Cloud products.
Ubuntu 22.10, codenamed "Kinetic Kudu", continues Ubuntu's proud
tradition of integrating the latest and greatest open source
technologies into a high-quality, easy-to-use Linux distribution. The
team has been hard at work through this cycle, introducing new features
and fixing bugs.
This Beta release includes images from not only the Ubuntu Desktop,
Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu
Budgie, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu flavours.
The Beta images are known to be reasonably free of showstopper image
build or installer bugs, while representing a very recent snapshot of
22.10 that should be representative of the features intended to ship
with the final release expected on October 20, 2022.
Ubuntu, Ubuntu Server, Cloud Images:
Kinetic Beta includes updated versions of most of our core set of
packages, including a current 5.19 kernel, and much more.
To upgrade to Ubuntu 22.10 Beta from Ubuntu 22.04, follow these
instructions:
https://help.ubuntu.com/community/KineticUpgrades
The Ubuntu 22.10 Beta images can be downloaded at:
https://releases.ubuntu.com/22.10/ (Ubuntu and Ubuntu Server on x86)
This Ubuntu Server image features the next generation Subiquity server
installer, bringing the comfortable live session and speedy install of
the Ubuntu Desktop to server users.
Additional images can be found at the following links:
https://cloud-images.ubuntu.com/daily/server/kinetic/current/ (Cloud Images)
https://cdimage.ubuntu.com/releases/22.10/beta/ (Non-x86)
As fixes will be included in new images between now and release, any
daily cloud image from today or later (i.e. a serial of 20220929 or
higher) should be considered a Beta image. Bugs found should be filed
against the appropriate packages or, failing that, the cloud-images
project in Launchpad.
The full release notes for Ubuntu 22.10 Beta can be found at:
https://discourse.ubuntu.com/t/kinetic-kudu-release-notes
Kubuntu:
Kubuntu is the KDE based flavour of Ubuntu. It uses the Plasma desktop
and includes a wide selection of tools from the KDE project.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/kubuntu/releases/22.10/beta/
Lubuntu:
Lubuntu is a flavor of Ubuntu which uses the Lightweight Qt Desktop
Environment (LXQt). The project's goal is to provide a lightweight
yet functional Linux distribution based on a rock-solid Ubuntu base.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/lubuntu/releases/22.10/beta/
Ubuntu Budgie:
Ubuntu Budgie is a community-developed desktop, integrating the Budgie
Desktop Environment with Ubuntu at its core.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-budgie/releases/22.10/beta/
Ubuntu MATE:
Ubuntu MATE is a flavor of Ubuntu featuring the MATE desktop
environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-mate/releases/22.10/beta/
Ubuntu Studio:
Ubuntu Studio is a flavor of Ubuntu that provides a full range of
multimedia content creation applications for each key workflow: audio,
graphics, video, photography and publishing.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntustudio/releases/22.10/beta/
Ubuntu Unity:
Ubuntu Unity is a flavor of Ubuntu featuring the Unity7 desktop
environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-unity/releases/22.10/beta/
Xubuntu:
Xubuntu is a flavor of Ubuntu that comes with Xfce, which is a stable,
light and configurable desktop environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/xubuntu/releases/22.10/beta/
Regular daily images for Ubuntu, and all flavours, can be found at:
https://cdimage.ubuntu.com
Ubuntu is a full-featured Linux distribution for clients, servers and
clouds, with a fast and easy installation and regular releases. A
tightly-integrated selection of excellent applications is included, and
an incredible variety of add-on software is just a few clicks away.
Professional technical support is available from Canonical Limited and
hundreds of other companies around the world. For more information
about support, visit https://ubuntu.com/support
If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:
https://ubuntu.com/community/participate
Your comments, bug reports, patches and suggestions really help us to
improve this and future releases of Ubuntu. Instructions can be found
at:
https://help.ubuntu.com/community/ReportingBugs
You can find out more about Ubuntu and about this Beta release on our
website, IRC channel and wiki.
To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
On behalf of the Ubuntu Release Team,
--
Brian Murray
Wednesday, September 28, 2022
[USN-5647-1] Linux kernel (GCP) vulnerabilities
Ubuntu Security Notice USN-5647-1
September 28, 2022
linux-gcp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation
in the Linux kernel did not provide sufficient randomization when
calculating port offsets. An attacker could possibly use this to expose
sensitive information. (CVE-2022-1012, CVE-2022-32296)
Norbert Slusarek discovered that a race condition existed in the perf
subsystem in the Linux kernel, resulting in a use-after-free vulnerability.
A privileged local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-1729)
It was discovered that the device-mapper verity (dm-verity) driver in the
Linux kernel did not properly verify targets being loaded into the
device-mapper table. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code. (CVE-2022-2503)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1089-gcp 5.4.0-1089.97
linux-image-gcp-lts-20.04 5.4.0.1089.94
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5647-1
CVE-2021-33655, CVE-2022-1012, CVE-2022-1729, CVE-2022-2503,
CVE-2022-32296, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1089.97
[USN-5615-2] SQLite vulnerability
Ubuntu Security Notice USN-5615-2
September 28, 2022
sqlite3 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
SQLite could be made to crash or execute arbitrary code.
Software Description:
- sqlite3: C library that implements an SQL database engine
Details:
USN-5615-1 fixed several vulnerabilities in SQLite. This update provides
the corresponding fix for CVE-2020-35525 for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that SQLite incorrectly handled INTERSECT query
processing. An attacker could use this issue to cause SQLite to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
sqlite3 3.11.0-1ubuntu1.5+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5615-2
https://ubuntu.com/security/notices/USN-5615-1
CVE-2020-35525
[USN-5646-1] libXi vulnerabilities
Ubuntu Security Notice USN-5646-1
September 28, 2022
libxi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in libxi.
Software Description:
- libxi: X11 Input extension library
Details:
Tobias Stoeckmann discovered that libXi did not properly manage memory
when handling X server responses. A remote attacker could use this issue
to cause libXi to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libxi6 2:1.7.6-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5646-1
CVE-2016-7945, CVE-2016-7946
[USN-5645-1] PostgreSQL vulnerabilities
Ubuntu Security Notice USN-5645-1
September 28, 2022
postgresql-9.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in PostgreSQL.
Software Description:
- postgresql-9.5: Object-relational SQL database
Details:
Jacob Champion discovered that PostgreSQL incorrectly handled SSL
certificate verification and encryption. A remote attacker could possibly
use this issue to inject arbitrary SQL queries when a connection is first
established. (CVE-2021-23214)
Tom Lane discovered that PostgreSQL incorrectly handled certain array
subscripting calculations. An authenticated attacker could possibly use
this issue to overwrite server memory and escalate privileges.
(CVE-2021-32027)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
postgresql-9.5 9.5.25-0ubuntu0.16.04.1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5645-1
CVE-2021-23214, CVE-2021-32027
Tuesday, September 27, 2022
[USN-5644-1] Linux kernel (GCP) vulnerabilities
Ubuntu Security Notice USN-5644-1
September 27, 2022
linux-gcp-5.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)
Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)
Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)
Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.15.0-1018-gcp 5.15.0-1018.24~20.04.1
linux-image-gcp 5.15.0.1018.24~20.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5644-1
CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,
CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,
CVE-2022-34494, CVE-2022-34495, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1018.24~20.04.1
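As an added example (not part of any USN on this page), the following Python script turns an "Update instructions" package list like the ones in USN-5644-1 and USN-5650-1 above into a check against the local dpkg database, implementing dpkg's version ordering so that "~" suffixes such as 5.15.0-1018.24~20.04.1 and 4.4.0-234.268~14.04.1 compare the way the package manager compares them; it also flags when the running kernel is not one of the fixed images, which is the reboot step every kernel USN here ends with. The embedded package list is constructed from those two advisories; the dpkg-query call assumes a Debian-based host and the reboot check assumes the kernel in use should be one of the listed images.

```python
"""Check installed package versions against a USN "Update instructions" list.

Implements the Debian version ordering (epoch, upstream, revision; "~" sorts
before anything, even the end of the string) so that Ubuntu versions such as
5.15.0-1018.24~20.04.1 compare correctly. Added example, not part of the USN.
"""
import os
import re
import subprocess
from itertools import zip_longest

# Constructed from the USN-5644-1 (20.04 LTS) and USN-5650-1 (14.04 ESM)
# package lists on this page.
USN_FIXED_VERSIONS = """
linux-image-5.15.0-1018-gcp 5.15.0-1018.24~20.04.1
linux-image-gcp 5.15.0.1018.24~20.04.1
linux-image-4.4.0-234-generic 4.4.0-234.268~14.04.1
linux-image-generic-lts-xenial 4.4.0.234.203
"""


def parse_update_list(text):
    """Return {package: version} from 'package version' lines (USN or dpkg-query)."""
    fixed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            fixed[parts[0]] = parts[1]
    return fixed


def _char_order(c):
    """Debian ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character order above) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _char_order(x) != _char_order(y):
                return -1 if _char_order(x) < _char_order(y) else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def unpatched(installed, fixed):
    """List (package, installed, required) for installed packages older than the fix."""
    return [(pkg, installed[pkg], req) for pkg, req in fixed.items()
            if pkg in installed and compare_versions(installed[pkg], req) < 0]


def kernel_needs_reboot(running_release, fixed):
    """True unless `uname -r` names one of the fixed versioned linux-image packages."""
    fixed_abis = {p[len("linux-image-"):] for p in fixed
                  if re.match(r"linux-image-\d", p)}
    return running_release not in fixed_abis


def installed_versions_from_dpkg():
    """Read {package: version} from the local dpkg database (Debian/Ubuntu hosts)."""
    out = subprocess.run(["dpkg-query", "-W", "-f", "${Package} ${Version}\n"],
                         capture_output=True, text=True, check=True).stdout
    return parse_update_list(out)


if __name__ == "__main__":
    fixed = parse_update_list(USN_FIXED_VERSIONS)
    for pkg, have, need in unpatched(installed_versions_from_dpkg(), fixed):
        print(f"{pkg}: installed {have}, fixed in {need}")
    if kernel_needs_reboot(os.uname().release, fixed):
        print("running kernel is not a fixed image: reboot after updating")
```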
[USN-5643-1] Ghostscript vulnerabilities
Ubuntu Security Notice USN-5643-1
September 27, 2022
ghostscript vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Ghostscript.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that GhostScript incorrectly handled certain PDF files.
If a user or automated system were tricked into opening a specially crafted
PDF file, a remote attacker could use this issue to cause GhostScript to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-27792)
It was discovered that GhostScript incorrectly handled certain PDF files.
If a user or automated system were tricked into opening a specially crafted
PDF file, a remote attacker could use this issue to cause GhostScript to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2085)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
ghostscript 9.55.0~dfsg1-0ubuntu5.1
Ubuntu 20.04 LTS:
ghostscript 9.50~dfsg-5ubuntu4.6
Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.17
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5643-1
CVE-2020-27792, CVE-2022-2085
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.1
https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.6
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.17
Monday, September 26, 2022
[USN-5641-1] Squid vulnerabilities
Ubuntu Security Notice USN-5641-1
September 26, 2022
squid, squid3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Squid.
Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server
Details:
Mikhail Evdokimov discovered that Squid incorrectly handled cache manager
ACLs. A remote attacker could possibly use this issue to obtain sensitive
information. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04
LTS. (CVE-2022-41317)
It was discovered that Squid incorrectly handled SSPI and SMB
authentication. A remote attacker could use this issue to cause Squid to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2022-41318)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
squid 5.2-1ubuntu4.2
Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.7
Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.14
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5641-1
CVE-2022-41317, CVE-2022-41318
Package Information:
https://launchpad.net/ubuntu/+source/squid/5.2-1ubuntu4.2
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.7
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.14
[USN-5642-1] WebKitGTK vulnerabilities
Ubuntu Security Notice USN-5642-1
September 26, 2022
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in WebKitGTK.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libjavascriptcoregtk-4.0-18 2.36.8-0ubuntu0.22.04.1
libjavascriptcoregtk-4.1-0 2.36.8-0ubuntu0.22.04.1
libwebkit2gtk-4.0-37 2.36.8-0ubuntu0.22.04.1
libwebkit2gtk-4.1-0 2.36.8-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
libjavascriptcoregtk-4.0-18 2.36.8-0ubuntu0.20.04.1
libwebkit2gtk-4.0-37 2.36.8-0ubuntu0.20.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5642-1
CVE-2022-32886
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.8-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.8-0ubuntu0.20.04.1
[USN-5640-1] Linux kernel (Oracle) vulnerabilities
Ubuntu Security Notice USN-5640-1
September 26, 2022
linux-oracle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oracle: Linux kernel for Oracle Cloud systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)
Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)
Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)
Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1018-oracle 5.15.0-1018.23
linux-image-oracle 5.15.0.1018.16
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5640-1
CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,
CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,
CVE-2022-34494, CVE-2022-34495, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1018.23
[USN-5639-1] Linux kernel (Azure CVM) vulnerabilities
Ubuntu Security Notice USN-5639-1
September 26, 2022
linux-azure-fde vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an out-of-
bounds write. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation
in the Linux kernel did not provide sufficient randomization when
calculating port offsets. An attacker could possibly use this to expose
sensitive information. (CVE-2022-1012, CVE-2022-32296)
Norbert Slusarek discovered that a race condition existed in the perf
subsystem in the Linux kernel, resulting in a use-after-free vulnerability.
A privileged local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-1729)
It was discovered that the device-mapper verity (dm-verity) driver in the
Linux kernel did not properly verify targets being loaded into the device-
mapper table. A privileged attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-2503)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1091-azure-fde 5.4.0-1091.96+cvm1.1
linux-image-azure-fde 5.4.0.1091.96+cvm1.31
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5639-1
CVE-2021-33655, CVE-2022-1012, CVE-2022-1729, CVE-2022-2503,
CVE-2022-32296, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1091.96+cvm1.1
[USN-5638-1] Expat vulnerability
Ubuntu Security Notice USN-5638-1
September 26, 2022
expat vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Expat could be made to crash or execute arbitrary code.
Software Description:
- expat: XML parsing C library
Details:
Rhodri James discovered that Expat incorrectly handled memory when
processing certain malformed XML files. An attacker could possibly
use this issue to cause a crash or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
expat 2.1.0-7ubuntu0.16.04.5+esm6
lib64expat1 2.1.0-7ubuntu0.16.04.5+esm6
libexpat1 2.1.0-7ubuntu0.16.04.5+esm6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5638-1
CVE-2022-40674
[USN-5637-1] libvpx vulnerability
Ubuntu Security Notice USN-5637-1
September 26, 2022
libvpx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
libvpx could be made to crash if it received specially crafted
network traffic.
Software Description:
- libvpx: VP8 and VP9 video codec
Details:
It was discovered that libvpx incorrectly handled certain WebM media
files. A remote attacker could use this issue to crash an application
using libvpx under certain conditions, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libvpx3 1.5.0-2ubuntu1.1+esm1
Ubuntu 14.04 ESM:
libvpx1 1.3.0-2ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5637-1
CVE-2020-0034
[USN-5636-1] SoS vulnerability
Ubuntu Security Notice USN-5636-1
September 26, 2022
sosreport vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
SoS could be made to expose sensitive information.
Software Description:
- sosreport: Set of tools to gather troubleshooting data from a system
Details:
It was discovered that SoS incorrectly handled certain data.
An attacker could possibly use this issue to expose sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
sosreport 4.3-1ubuntu2.1
Ubuntu 20.04 LTS:
sosreport 4.3-1ubuntu0.20.04.2
Ubuntu 18.04 LTS:
sosreport 4.3-1ubuntu0.18.04.2
Ubuntu 16.04 ESM:
sosreport 3.9.1-1ubuntu0.16.04.2+esm1
Ubuntu 14.04 ESM:
sosreport 3.5-1~ubuntu14.04.3+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5636-1
CVE-2022-2806
Package Information:
https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu2.1
https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/sosreport/4.3-1ubuntu0.18.04.2
OpenBSD Errata: September 26, 2022 (smtpd)
Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:
https://www.openbsd.org/errata70.html
https://www.openbsd.org/errata71.html
Orphaned packages looking for new maintainers
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life
Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will fail to install and/or build when the affected package gets retired.
Request package ownership via the *Take* button in the left column on
https://src.fedoraproject.org/rpms/<pkgname>
Full report available at:
https://churchyard.fedorapeople.org/orphans-2022-09-26.txt
grep it for your FAS username and follow the dependency chain.
For human readable dependency chains,
see https://packager-dashboard.fedoraproject.org/
For all orphaned packages,
see https://packager-dashboard.fedoraproject.org/orphan
Package (co)maintainers Status Change
================================================================================
advancecomp cicku, orphan, tdawson, thias 1 weeks ago
amora orphan 2 weeks ago
blueberry nonamedotc, orphan, rathann 2 weeks ago
elementary-planner orphan 0 weeks ago
elementary-sound-theme orphan 2 weeks ago
elementary-theme orphan 2 weeks ago
erlang-esip bowlofeggs, erlang-maint-sig, jcline, orphan 0 weeks ago
erlang-jiffy bowlofeggs, lkundrak, orphan 1 weeks ago
erlang-riak_ensemble bowlofeggs, erlang-maint-sig, orphan 1 weeks ago
erlang-xmpp bowlofeggs, erlang-maint-sig, jcline, orphan 0 weeks ago
espresso-ab avigne, orphan 3 weeks ago
geompp orphan 1 weeks ago
geteltorito orphan, rharwood 2 weeks ago
giada orphan 1 weeks ago
gimp-focusblur-plugin orphan 3 weeks ago
gmqcc orphan 3 weeks ago
golang-github-beevik-etree go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-crewjam-httperr go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-crewjam-saml go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-dchest-uniuri go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-gofrs-flock go-sig, orphan 0 weeks ago
golang-github-logr-stdr eclipseo, go-sig, orphan 0 weeks ago
golang-github-magefile-mage go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-russellhaering-goxmldsig go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-timberio-datemath go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-ua-parser-uap go-sig, mgoodwin, nathans, orphan 0 weeks ago
golang-github-urfave-cli-2 go-sig, mgoodwin, nathans, orphan 0 weeks ago
granite orphan 2 weeks ago
hct avigne, orphan 3 weeks ago
kelbt orphan 3 weeks ago
libtvdb orphan 4 weeks ago
monobristol orphan 3 weeks ago
nautilus-search-tool orphan 1 weeks ago
novacom-client orphan 5 weeks ago
novacom-server orphan 5 weeks ago
origin go-sig, orphan, tdawson 3 weeks ago
owl-lisp huzaifas, orphan 2 weeks ago
perl-Parse-Debian-Packages orphan 3 weeks ago
perl-PatchReader orphan 1 weeks ago
php-psr-http-client orphan 3 weeks ago
pidgin-save-conv-order orphan 4 weeks ago
pinpoint orphan 1 weeks ago
pt-astra-sans-font orphan 2 weeks ago
pt-astra-serif-font orphan 2 weeks ago
python-august orphan 5 weeks ago
python-calligrabot merlinm, orphan 2 weeks ago
python-charon orphan 0 weeks ago
python-coreapi orphan 3 weeks ago
python-coreschema orphan 3 weeks ago
python-cu2qu orphan 5 weeks ago
python-drf-yasg orphan 3 weeks ago
python-evic orphan 5 weeks ago
python-googletrans orphan 4 weeks ago
python-hbmqtt orphan 1 weeks ago
python-itypes orphan 3 weeks ago
python-jaydebeapi orphan 5 weeks ago
python-pacpy orphan 3 weeks ago
python-phabricator orphan 3 weeks ago
python-pydenticon orphan 3 weeks ago
python-pytest-capturelog orphan, pviktori 3 weeks ago
python-qrencode orphan 3 weeks ago
python-w3lib orphan 2 weeks ago
qtscrob orphan 3 weeks ago
radamsa huzaifas, orphan 2 weeks ago
rubygem-font-awesome-rails abradshaw, ckyriakidou, evgeni, fale, orphan, snecker 5 weeks ago
rubygem-hiera-eyaml orphan 3 weeks ago
rubygem-optimist orphan 3 weeks ago
rubygem-prawn-manual_builder abradshaw, ckyriakidou, evgeni, fale, orphan, snecker 5 weeks ago
rust-cargo-bloat orphan, rust-sig 3 weeks ago
rust-just orphan, rust-sig 3 weeks ago
schroot orphan, zachcarter 5 weeks ago
scram orphan, vascom 3 weeks ago
scudcloud orphan 3 weeks ago
sgmanager orphan 3 weeks ago
shiny orphan 3 weeks ago
sticky-notes orphan 3 weeks ago
ufo2ft orphan 2 weeks ago
zola orphan 2 weeks ago
The following packages require above mentioned packages:
Report too long, see the full version at
https://churchyard.fedorapeople.org/orphans-2022-09-26.txt
See dependency chains of your packages at
https://packager-dashboard.fedoraproject.org/
See all orphaned packages at https://packager-dashboard.fedoraproject.org/orphan
Affected (co)maintainers (either directly or via packages' dependencies):
abradshaw: rubygem-prawn-manual_builder, rubygem-font-awesome-rails
aekoroglu: granite
amz: granite
anthr76: golang-github-urfave-cli-2
atim: granite
avigne: hct, espresso-ab
balajig8: advancecomp
bdperkin: golang-github-gofrs-flock
bowlofeggs: erlang-riak_ensemble, erlang-esip, erlang-jiffy, erlang-xmpp
brummbq: advancecomp
buckaroogeek: golang-github-urfave-cli-2
carlwgeorge: golang-github-urfave-cli-2
cdamian: php-psr-http-client
cheeselee: advancecomp
cicku: advancecomp
ckyriakidou: rubygem-prawn-manual_builder, rubygem-font-awesome-rails
copart: golang-github-gofrs-flock
cypret: golang-github-gofrs-flock
dcavalca: golang-github-urfave-cli-2, golang-github-gofrs-flock
echevemaster: python-w3lib
eclipseo: golang-github-urfave-cli-2, golang-github-gofrs-flock, advancecomp, golang-github-logr-stdr
elmarco: golang-github-urfave-cli-2, golang-github-gofrs-flock
eparis: golang-github-urfave-cli-2, golang-github-gofrs-flock
ericedens: golang-github-gofrs-flock
erlang-maint-sig: erlang-riak_ensemble, erlang-esip, erlang-jiffy, erlang-xmpp
evgeni: rubygem-prawn-manual_builder, rubygem-font-awesome-rails
fab: golang-github-gofrs-flock
fale: golang-github-urfave-cli-2, rubygem-prawn-manual_builder, golang-github-gofrs-flock, rubygem-font-awesome-rails
go-sig: origin, golang-github-crewjam-saml, golang-github-gofrs-flock, golang-github-russellhaering-goxmldsig, golang-github-urfave-cli-2, golang-github-beevik-etree, golang-github-magefile-mage, golang-github-timberio-datemath, golang-github-logr-stdr, golang-github-dchest-uniuri, golang-github-crewjam-httperr, golang-github-ua-parser-uap
gotmax23: golang-github-urfave-cli-2, golang-github-gofrs-flock
gscrivano: golang-github-gofrs-flock
hpejakle: advancecomp
huzaifas: radamsa, owl-lisp
ignatenkobrain: python-coreschema, python-coreapi, python-itypes, python-drf-yasg
infra-sig: golang-github-gofrs-flock
jchaloup: golang-github-urfave-cli-2, golang-github-gofrs-flock
jcline: erlang-esip, erlang-jiffy, erlang-xmpp
jgrulich: advancecomp
jknife: granite
jonathanspw: python-w3lib
jreznik: advancecomp
kde-sig: advancecomp
kkofler: advancecomp
laiot: golang-github-urfave-cli-2
linkdupont: golang-github-urfave-cli-2, golang-github-gofrs-flock
lkundrak: erlang-jiffy
llaumgui: php-psr-http-client
lsm5: golang-github-urfave-cli-2, golang-github-gofrs-flock
lupinix: advancecomp
marcdeop: advancecomp
martinlanghoff: erlang-esip, erlang-jiffy, erlang-xmpp
mattia: golang-github-gofrs-flock
maxamillion: advancecomp
mbriza: advancecomp
merlinm: python-calligrabot
mgoodwin: golang-github-crewjam-saml, golang-github-russellhaering-goxmldsig, golang-github-urfave-cli-2, golang-github-beevik-etree, golang-github-magefile-mage, golang-github-timberio-datemath, golang-github-dchest-uniuri, golang-github-crewjam-httperr, golang-github-ua-parser-uap
mhayden: golang-github-gofrs-flock
mikelo2: golang-github-gofrs-flock
music: granite
nathans: golang-github-crewjam-saml, golang-github-russellhaering-goxmldsig, golang-github-urfave-cli-2, golang-github-beevik-etree, golang-github-magefile-mage, golang-github-timberio-datemath, golang-github-dchest-uniuri, golang-github-crewjam-httperr, golang-github-ua-parser-uap
ngompa: python-coreschema, golang-github-gofrs-flock, python-itypes, python-coreapi, python-drf-yasg
nonamedotc: blueberry
olem: golang-github-urfave-cli-2, golang-github-gofrs-flock
peter: erlang-esip, erlang-jiffy, erlang-xmpp
pghmcfc: golang-github-gofrs-flock
philipp: golang-github-gofrs-flock
phuzion: advancecomp
pviktori: python-pytest-capturelog
qulogic: golang-github-gofrs-flock
raphgro: advancecomp
rathann: blueberry
rdieter: advancecomp
remi: php-psr-http-client
rharwood: geteltorito
rust-sig: rust-just, rust-cargo-bloat
sagitter: advancecomp
siwinski: php-psr-http-client
skottler: advancecomp
snecker: rubygem-prawn-manual_builder, rubygem-font-awesome-rails
spot: advancecomp
strigazi: golang-github-urfave-cli-2, golang-github-gofrs-flock
suve: granite
tdawson: rubygem-optimist, advancecomp, origin
than: advancecomp
thias: advancecomp
tstclair: golang-github-urfave-cli-2
ttomecek: python-pytest-capturelog
tuxbrewr: advancecomp
valtri: rubygem-optimist
vascom: scram
walters: golang-github-gofrs-flock
wef: granite
xavierb: erlang-esip, erlang-jiffy, erlang-xmpp
zachcarter: schroot
--
The script creating this output is run and developed by Fedora
Release Engineering. Please report issues at its pagure instance:
https://pagure.io/releng/
The sources of this script can be found at:
https://pagure.io/releng/blob/main/f/scripts/find_unblocked_orphans.py
Report finished at 2022-09-26 08:38:16 UTC
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
Friday, September 23, 2022
Planned Outage - networking work - 2022-09-26 21:00 UTC and 2022-09-27 21:00 UTC
which will last approximately 4 hours on 2022-09-26 and 5 hours on 2022-09-27.
To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:
date -d '2022-09-26 21:00UTC'
date -d '2022-09-27 21:00UTC'
Reason for outage:
On 2022-09-26 internet edge routers and switches will be upgraded. During this time period various
Fedora services will be down as switches and routers are rebooted.
On 2022-09-27 the 1Gb internal switches will be upgraded. A 30-minute outage is likely during this time period.
Affected Services:
All services at the IAD2 datacenter
Ticket Link:
https://pagure.io/fedora-infrastructure/issue/10915
Please join #fedora-admin or #fedora-noc on irc.libera.chat
or add comments to the ticket for this outage above.
[USN-5635-1] Linux kernel (GKE) vulnerabilities
Ubuntu Security Notice USN-5635-1
September 23, 2022
linux-gkeop vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an out-of-
bounds write. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Duoming Zhou discovered that race conditions existed in the timer handling
implementation of the Linux kernel's Rose X.25 protocol layer, resulting in
use-after-free vulnerabilities. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-2318)
Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in the
Linux kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)
Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)
Oleksandr Tyshchenko discovered that the Xen paravirtualization platform in
the Linux kernel on ARM platforms contained a race condition in certain
situations. An attacker in a guest VM could use this to cause a denial of
service in the host OS. (CVE-2022-33744)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1003-gkeop 5.15.0-1003.5
linux-image-gkeop 5.15.0.1003.5
linux-image-gkeop-5.15 5.15.0.1003.5
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5635-1
CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,
CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,
CVE-2022-34494, CVE-2022-34495, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1003.5
OpenBSD Errata: September 23, 2022 (expat)
Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:
https://www.openbsd.org/errata70.html
https://www.openbsd.org/errata71.html
[arch-announce] Removing python2 from the repositories
If you still require the python2 package you can keep it around, but please be aware that there will be no security updates. If you need a patched package please consult the AUR, or use an unofficial user repository.
URL: https://archlinux.org/news/removing-python2-from-the-repositories/
Thursday, September 22, 2022
[USN-5629-1] Python vulnerability
Ubuntu Security Notice USN-5629-1
September 22, 2022
python3.5 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Python could be made to redirect web traffic if its http.server
received a specially crafted request.
Software Description:
- python3.5: An interactive high-level object-oriented language
Details:
It was discovered that the Python http.server module incorrectly handled
certain URIs. An attacker could potentially use this to redirect web
traffic.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libpython3.5 3.5.2-2ubuntu0~16.04.13+esm5
libpython3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm5
libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.13+esm5
python3.5 3.5.2-2ubuntu0~16.04.13+esm5
python3.5-minimal 3.5.2-2ubuntu0~16.04.13+esm5
After a standard system update you need to restart the python3
http.server to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5629-1
CVE-2021-28861
[USN-5631-1] libjpeg-turbo vulnerabilities
Ubuntu Security Notice USN-5631-1
September 22, 2022
libjpeg-turbo vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in libjpeg-turbo.
Software Description:
- libjpeg-turbo: library for handling JPEG files
Details:
It was discovered that libjpeg-turbo incorrectly handled certain EOF
characters. An attacker could possibly use this issue to cause
libjpeg-turbo to consume resources, leading to a denial of service. This
issue only affected Ubuntu 18.04 LTS. (CVE-2018-11813)
It was discovered that libjpeg-turbo incorrectly handled certain malformed
jpeg files. An attacker could possibly use this issue to cause
libjpeg-turbo to crash, resulting in a denial of service. (CVE-2020-17541,
CVE-2020-35538)
It was discovered that libjpeg-turbo incorrectly handled certain malformed
PPM files. An attacker could use this issue to cause libjpeg-turbo to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 20.04 LTS. (CVE-2021-46822)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libjpeg-turbo8 2.0.3-0ubuntu1.20.04.3
libturbojpeg 2.0.3-0ubuntu1.20.04.3
Ubuntu 18.04 LTS:
libjpeg-turbo8 1.5.2-0ubuntu5.18.04.6
libturbojpeg 1.5.2-0ubuntu5.18.04.6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5631-1
CVE-2018-11813, CVE-2020-17541, CVE-2020-35538, CVE-2021-46822
Package Information:
https://launchpad.net/ubuntu/+source/libjpeg-turbo/2.0.3-0ubuntu1.20.04.3
https://launchpad.net/ubuntu/+source/libjpeg-turbo/1.5.2-0ubuntu5.18.04.6
[USN-5632-1] OAuthLib vulnerability
Ubuntu Security Notice USN-5632-1
September 22, 2022
python-oauthlib vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
OAuthLib could be made to crash if it received specially crafted network
traffic.
Software Description:
- python-oauthlib: generic, spec-compliant implementation of OAuth for Python3
Details:
Sebastian Chnelik discovered that OAuthLib incorrectly handled certain
redirect URIs. A remote attacker could possibly use this issue to cause
OAuthLib to crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-oauthlib 3.2.0-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5632-1
CVE-2022-36087
Package Information:
https://launchpad.net/ubuntu/+source/python-oauthlib/3.2.0-1ubuntu0.1
[USN-5634-1] Linux kernel (OEM) vulnerability
Ubuntu Security Notice USN-5634-1
September 22, 2022
linux-oem-5.17 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
The system could be made to crash if it received specially crafted
network traffic.
Software Description:
- linux-oem-5.17: Linux kernel for OEM systems
Details:
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that
truncated packets below the packet header size. When such rules are in
place, a remote attacker could possibly use this to cause a denial of
service (system crash).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.17.0-1017-oem 5.17.0-1017.18
linux-image-oem-22.04 5.17.0.1017.16
linux-image-oem-22.04a 5.17.0.1017.16
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5634-1
CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1017.18
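Every "Update instructions" section above names the package versions that carry the fix, and the kernel notices add that the fix is only live after a reboot. The following is an added example, not Canonical's tooling or any script from these notices: it checks a host's installed versions against an advisory's fixed versions and flags a kernel update that has been installed but not yet booted. On a real system the authoritative comparison is `dpkg --compare-versions`; so that the example runs offline it reimplements the same ordering (dpkg's verrevcmp: epoch, then upstream version, then Debian revision, with `~` sorting before everything and digit runs compared numerically). The fixed versions are copied from USN-5636-1, USN-5638-1 and USN-5640-1 above; the `dpkg-query` output and the running kernel release are constructed samples, not data from a real host.

```python
"""Check installed Ubuntu package versions against a USN's fixed versions.
Added example; reimplements dpkg's version ordering so it runs offline."""
import re


def _order(c: str) -> int:
    # dpkg character weight: '~' < end of string (0) < letters < other punctuation.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does:
    alternate weighted-lexical non-digit runs and numeric digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run is the larger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    # "[epoch:]upstream[-revision]"; only the last '-' starts the revision.
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    rev = ""
    if "-" in v:
        v, rev = v.rsplit("-", 1)
    return epoch, v, rev


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering v1 against v2 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# Fixed versions copied from USN-5636-1, USN-5638-1 and USN-5640-1 above.
FIXED_VERSIONS = {
    "sosreport": "4.3-1ubuntu2.1",
    "libexpat1": "2.1.0-7ubuntu0.16.04.5+esm6",
    "linux-image-5.15.0-1018-oracle": "5.15.0-1018.23",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'`; not a real host.
SAMPLE_DPKG_QUERY = """\
sosreport 4.3-1ubuntu2
libexpat1 2.1.0-7ubuntu0.16.04.5+esm5
linux-image-5.15.0-1018-oracle 5.15.0-1018.23
vim 2:8.2.3995-1ubuntu2.1
"""


def parse_dpkg_query(text: str) -> dict:
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            installed[name] = version.strip()
    return installed


def outstanding(installed: dict, fixed: dict) -> list:
    """Packages present on the host that are still older than the advisory's fix."""
    return sorted(p for p, fv in fixed.items()
                  if p in installed and compare_versions(installed[p], fv) < 0)


_KERNEL_IMAGE = re.compile(r"^linux-image-(\d+\.\d+\.\d+-\d+)-(.+)$")


def kernel_reboot_pending(running_release: str, installed: dict) -> bool:
    """A kernel fix only takes effect after reboot: flag an installed
    linux-image-<abi>-<flavour> package newer than the running `uname -r`."""
    m = _KERNEL_IMAGE.match("linux-image-" + running_release)
    if not m:
        return False
    running_abi, flavour = m.groups()
    for pkg in installed:
        m2 = _KERNEL_IMAGE.match(pkg)
        if m2 and m2.group(2) == flavour and _verrevcmp(m2.group(1), running_abi) > 0:
            return True
    return False


if __name__ == "__main__":
    inst = parse_dpkg_query(SAMPLE_DPKG_QUERY)
    print("still below fixed version:", outstanding(inst, FIXED_VERSIONS))
    # constructed running kernel one ABI behind the installed package
    print("reboot pending:", kernel_reboot_pending("5.15.0-1017-oracle", inst))
```

With the constructed sample, `sosreport` and `libexpat1` are reported as still below the fixed version while the Oracle kernel package is current; the running-kernel check then shows why a package check alone is not enough for the kernel notices, since the fixed image is installed but the older ABI is still running. Feed the real `dpkg-query` and `uname -r` output into the same functions to audit a live host.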
[USN-5633-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5633-1
September 22, 2022
linux-gcp, linux-gke, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-raspi: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did
not verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2021-33655)
Duoming Zhou discovered that race conditions existed in the timer
handling implementation of the Linux kernel's Rose X.25 protocol layer,
resulting in use-after-free vulnerabilities. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-2318)
Roger Pau Monné discovered that the Xen virtual block driver in the
Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in
the Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741, CVE-2022-33742)
Jan Beulich discovered that the Xen network device frontend driver in
the Linux kernel incorrectly handled socket buffer (skb) references
when communicating with certain backends. A local attacker could use
this to cause a denial of service (guest crash). (CVE-2022-33743)
Oleksandr Tyshchenko discovered that the Xen paravirtualization platform
in the Linux kernel on ARM platforms contained a race condition in
certain situations. An attacker in a guest VM could use this to cause a
denial of service in the host OS. (CVE-2022-33744)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A
local attacker could possibly use this to cause a denial of service
(system crash). (CVE-2022-34494, CVE-2022-34495)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that
truncated packets below the packet header size. When such rules are in
place, a remote attacker could possibly use this to cause a denial of
service (system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1015-raspi 5.15.0-1015.17
linux-image-5.15.0-1015-raspi-nolpae 5.15.0-1015.17
linux-image-5.15.0-1016-gke 5.15.0-1016.19
linux-image-5.15.0-1018-gcp 5.15.0-1018.24
linux-image-gcp 5.15.0.1018.16
linux-image-gke 5.15.0.1016.18
linux-image-gke-5.15 5.15.0.1016.18
linux-image-raspi 5.15.0.1015.14
linux-image-raspi-nolpae 5.15.0.1015.14
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5633-1
CVE-2021-33655, CVE-2022-2318, CVE-2022-26365, CVE-2022-33740,
CVE-2022-33741, CVE-2022-33742, CVE-2022-33743, CVE-2022-33744,
CVE-2022-34494, CVE-2022-34495, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1018.24
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1016.19
https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1015.17
[USN-5630-1] Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu Security Notice USN-5630-1
September 22, 2022
linux-raspi-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the framebuffer driver in the Linux kernel did
not verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2021-33655)
Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP
implementation in the Linux kernel did not provide sufficient
randomization when calculating port offsets. An attacker could possibly
use this to expose sensitive information.
(CVE-2022-1012, CVE-2022-32296)
Norbert Slusarek discovered that a race condition existed in the perf
subsystem in the Linux kernel, resulting in a use-after-free
vulnerability. A privileged local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1729)
It was discovered that the device-mapper verity (dm-verity) driver in
the Linux kernel did not properly verify targets being loaded into the
device-mapper table. A privileged attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-2503)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that
truncated packets below the packet header size. When such rules are in
place, a remote attacker could possibly use this to cause a denial of
service (system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-5.4.0-1070-raspi 5.4.0-1070.80~18.04.1
linux-image-raspi-hwe-18.04 5.4.0.1070.70
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5630-1
CVE-2021-33655, CVE-2022-1012, CVE-2022-1729, CVE-2022-2503,
CVE-2022-32296, CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1070.80~18.04.1
[USN-5628-1] etcd vulnerabilities
Ubuntu Security Notice USN-5628-1
September 22, 2022
etcd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in etcd.
Software Description:
- etcd: Transitional package for etcd-client and etcd-server
Details:
It was discovered that etcd incorrectly handled certain specially crafted
WAL files. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15106, CVE-2020-15112)
It was discovered that etcd incorrectly handled directory permissions when
trying to create a directory that exists already. An attacker could
possibly use this issue to obtain sensitive information. (CVE-2020-15113)
It was discovered that etcd incorrectly handled endpoint setup. An
attacker could possibly use this issue to cause a denial of
service. (CVE-2020-15114)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
etcd 3.2.26+dfsg-6ubuntu0.1
etcd-client 3.2.26+dfsg-6ubuntu0.1
etcd-server 3.2.26+dfsg-6ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5628-1
CVE-2020-15106, CVE-2020-15112, CVE-2020-15113, CVE-2020-15114
Package Information:
https://launchpad.net/ubuntu/+source/etcd/3.2.26+dfsg-6ubuntu0.1
[USN-5627-1] PCRE vulnerabilities
Ubuntu Security Notice USN-5627-1
September 22, 2022
pcre2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
PCRE could be made to expose sensitive information.
Software Description:
- pcre2: Perl 5 Compatible Regular Expression Library
Details:
It was discovered that PCRE incorrectly handled memory when
handling certain regular expressions. An attacker could possibly
use this issue to cause applications using PCRE to expose
sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libpcre2-16-0 10.39-3ubuntu0.1
libpcre2-32-0 10.39-3ubuntu0.1
libpcre2-8-0 10.39-3ubuntu0.1
libpcre2-posix3 10.39-3ubuntu0.1
pcre2-utils 10.39-3ubuntu0.1
Ubuntu 20.04 LTS:
libpcre2-16-0 10.34-7ubuntu0.1
libpcre2-32-0 10.34-7ubuntu0.1
libpcre2-8-0 10.34-7ubuntu0.1
libpcre2-posix2 10.34-7ubuntu0.1
pcre2-utils 10.34-7ubuntu0.1
After a standard system update you need to restart applications using PCRE,
such as the Apache HTTP server and Nginx, to make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-5627-1
CVE-2022-1586, CVE-2022-1587
Package Information:
https://launchpad.net/ubuntu/+source/pcre2/10.39-3ubuntu0.1
https://launchpad.net/ubuntu/+source/pcre2/10.34-7ubuntu0.1
Wednesday, September 21, 2022
[USN-5626-2] Bind vulnerabilities
Ubuntu Security Notice USN-5626-2
September 21, 2022
bind9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in Bind.
Software Description:
- bind9: Internet Domain Name Server
Details:
USN-5626-1 fixed several vulnerabilities in Bind. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind
incorrectly handled large delegations. A remote attacker could possibly use
this issue to reduce performance, leading to a denial of service.
(CVE-2022-2795)
It was discovered that Bind incorrectly handled memory when processing
ECDSA DNSSEC verification. A remote attacker could use this issue to
consume resources, leading to a denial of service. (CVE-2022-38177)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
bind9 1:9.10.3.dfsg.P4-8ubuntu1.19+esm3
Ubuntu 14.04 ESM:
bind9 1:9.9.5.dfsg-3ubuntu0.19+esm7
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5626-2
https://ubuntu.com/security/notices/USN-5626-1
CVE-2022-2795, CVE-2022-38177