Tuesday, February 28, 2023

[lfs-announce] LFS and BLFS Version 11.3 are released

The Linux From Scratch community is pleased to announce the release of
LFS Version 11.3, LFS Version 11.3 (systemd), BLFS Version 11.3, and
BLFS Version 11.3 (systemd).

This release is a major update to both LFS and BLFS.

The LFS release includes updates to gcc-12.2.0, glibc-2.36, and binutils-2.39. The
Linux kernel has also been updated to version 5.19.2.

I want to especially thank David Bryant for extensive review and update of
the text in LFS to clarify the text throughout the book.

The BLFS version includes approximately 1000 packages beyond the base
Linux From Scratch Version 11.2 book. This release has 1357 updates
from the previous BLFS version including package updates and numerous text and
formatting changes.

Other changes to BLFS include an addition of numerous python modules to the book to
allow generation of package documentation using the Gi-DocGen and Sphinx
applications. Also several desktop environments (DEs) have been upgraded:
Gnome 43
KDE/Plasma 5.26.5
Xfce 4.18

Finally, a new Xorg driver, intel-media-driver, has been added to the
book to provide video acceleration for Intel Broadwell CPUs and higher.

Thanks for this release go to many contributors. Notably:

Douglas Reno
Pierre Labastie
Xi Ruoyao
Thomas Trepl
Ken Moffat
Tim Tassonis
David Bryant


You can read the books online[0]-[3], or download[4]-[7] to read locally.

Please direct any comments about this release to the LFS development
team at lfs-dev@lists.linuxfromscratch.org or
blfs-dev@lists.linuxfromscratch.org. Registration for the mailing lists
is required to avoid junk email.

-- Bruce Dubbs
LFS

[0] http://www.linuxfromscratch.org/lfs/view/11.3/
[1] http://www.linuxfromscratch.org/blfs/view/11.3/
[2] http://www.linuxfromscratch.org/lfs/view/11.3-systemd/
[3] http://www.linuxfromscratch.org/blfs/view/11.3-systemd/

[4] http://www.linuxfromscratch.org/lfs/downloads/11.3/
[5] http://www.linuxfromscratch.org/blfs/downloads/11.3/
[6] http://www.linuxfromscratch.org/lfs/downloads/11.3-systemd/
[7] http://www.linuxfromscratch.org/blfs/downloads/11.3-systemd/

[USN-5900-1] tar vulnerability

==========================================================================
Ubuntu Security Notice USN-5900-1
February 28, 2023

tar vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

tar could be made to crash or expose sensitive information
if it received a specially crafted file.

Software Description:
- tar: GNU version of the tar archiving utility

Details:

It was discovered that tar incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive information
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
tar 1.34+dfsg-1ubuntu0.1.22.10.1

Ubuntu 22.04 LTS:
tar 1.34+dfsg-1ubuntu0.1.22.04.1

Ubuntu 20.04 LTS:
tar 1.30+dfsg-7ubuntu0.20.04.3

Ubuntu 18.04 LTS:
tar 1.29b-2ubuntu0.4

Ubuntu 16.04 ESM:
tar 1.28-2.1ubuntu0.2+esm2

Ubuntu 14.04 ESM:
tar 1.27.1-1ubuntu0.1+esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5900-1
CVE-2022-48303

Package Information:
https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.10.1
https://launchpad.net/ubuntu/+source/tar/1.34+dfsg-1ubuntu0.1.22.04.1
https://launchpad.net/ubuntu/+source/tar/1.30+dfsg-7ubuntu0.20.04.3
https://launchpad.net/ubuntu/+source/tar/1.29b-2ubuntu0.4

[USN-5638-4] Expat vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5638-4
February 28, 2023

expat vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Expat could be made to crash or execute arbitrary code.

Software Description:
- expat: XML parsing C library

Details:

USN-5638-1 fixed several vulnerabilities in Expat. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Rhodri James discovered that Expat incorrectly handled memory when
processing certain malformed XML files. An attacker could possibly
use this issue to cause a crash or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
expat 2.1.0-4ubuntu1.4+esm7
libexpat1 2.1.0-4ubuntu1.4+esm7

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5638-4
https://ubuntu.com/security/notices/USN-5638-1
CVE-2022-40674, CVE-2022-43680

[USN-5903-1] lighttpd vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5903-1
February 28, 2023

lighttpd vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in lighttpd.

Software Description:
- lighttpd: fast webserver with minimal memory footprint

Details:

It was discovered that lighttpd incorrectly handled certain inputs, which could
result in a stack buffer overflow. A remote attacker could possibly use this
issue to cause a denial of service (DoS). (CVE-2022-22707, CVE-2022-41556)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
lighttpd 1.4.65-2ubuntu1.1

Ubuntu 22.04 LTS:
lighttpd 1.4.63-1ubuntu3.1

Ubuntu 20.04 LTS:
lighttpd 1.4.55-1ubuntu1.20.04.2

After a standard system update you need to restart lighttpd to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5903-1
CVE-2022-22707, CVE-2022-41556

Package Information:
https://launchpad.net/ubuntu/+source/lighttpd/1.4.65-2ubuntu1.1
https://launchpad.net/ubuntu/+source/lighttpd/1.4.63-1ubuntu3.1
https://launchpad.net/ubuntu/+source/lighttpd/1.4.55-1ubuntu1.20.04.2

[USN-5821-3] pip regression

==========================================================================
Ubuntu Security Notice USN-5821-3
February 28, 2023

python-pip regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

USN-5821-1 caused a regression in pip.

Software Description:
- python-pip: Python package installer

Details:

USN-5821-1 fixed a vulnerability in wheel and pip. Unfortunately,
it was missing a commit to fix it properly in pip.

We apologize for the inconvenience.

Original advisory details:

 Sebastian Chnelik discovered that wheel incorrectly handled
 certain file names when validated against a regex expression.
 An attacker could possibly use this issue to cause a
 denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  python3-pip                     22.2+dfsg-1ubuntu0.2
  python3-pip-whl                 22.2+dfsg-1ubuntu0.2

Ubuntu 22.04 LTS:
  python3-pip                     22.0.2+dfsg-1ubuntu0.2
  python3-pip-whl                 22.0.2+dfsg-1ubuntu0.2

Ubuntu 20.04 LTS:
  python-pip-whl                  20.0.2-5ubuntu1.8
  python3-pip                     20.0.2-5ubuntu1.8

Ubuntu 18.04 LTS:
  python-pip                      9.0.1-2.3~ubuntu1.18.04.7
  python-pip-whl                  9.0.1-2.3~ubuntu1.18.04.7
  python3-pip                     9.0.1-2.3~ubuntu1.18.04.7

Ubuntu 16.04 ESM:
  python-pip                      8.1.1-2ubuntu0.6+esm4
  python-pip-whl                  8.1.1-2ubuntu0.6+esm4
  python3-pip                     8.1.1-2ubuntu0.6+esm4

Ubuntu 14.04 ESM:
  python-pip                      1.5.4-1ubuntu4+esm3
  python-pip-whl                  1.5.4-1ubuntu4+esm3
  python3-pip                     1.5.4-1ubuntu4+esm3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5821-3
  https://ubuntu.com/security/notices/USN-5821-1
  CVE-2022-40898

Package Information:
https://launchpad.net/ubuntu/+source/python-pip/22.2+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5ubuntu1.8
https://launchpad.net/ubuntu/+source/python-pip/9.0.1-2.3~ubuntu1.18.04.7

[USN-5901-1] GnuTLS vulnerability

==========================================================================
Ubuntu Security Notice USN-5901-1
February 28, 2023

gnutls28 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

GnuTLS could be made to expose sensitive information over the network.

Software Description:
- gnutls28: GNU TLS library

Details:

Hubert Kario discovered that GnuTLS had a timing side-channel when handling
certain RSA messages. A remote attacker could possibly use this issue to
recover sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libgnutls30 3.7.7-2ubuntu2.1

Ubuntu 22.04 LTS:
libgnutls30 3.7.3-4ubuntu1.2

Ubuntu 20.04 LTS:
libgnutls30 3.6.13-2ubuntu1.8

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5901-1
CVE-2023-0361

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.7.7-2ubuntu2.1
https://launchpad.net/ubuntu/+source/gnutls28/3.7.3-4ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.6.13-2ubuntu1.8

[USN-5902-1] PHP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5902-1
February 28, 2023

php7.2, php7.4, php8.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php8.1: HTML-embedded scripting language interpreter
- php7.4: HTML-embedded scripting language interpreter
- php7.2: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain invalid Blowfish
password hashes. An invalid password hash could possibly allow applications
to accept any password as valid, contrary to expectations. (CVE-2023-0567)

It was discovered that PHP incorrectly handled resolving long paths. A
remote attacker could possibly use this issue to obtain or modify sensitive
information. (CVE-2023-0568)

It was discovered that PHP incorrectly handled a large number of parts in
HTTP form uploads. A remote attacker could possibly use this issue to cause
PHP to consume resources, leading to a denial of service. (CVE-2023-0662)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libapache2-mod-php8.1 8.1.7-1ubuntu3.3
php8.1 8.1.7-1ubuntu3.3
php8.1-cgi 8.1.7-1ubuntu3.3
php8.1-cli 8.1.7-1ubuntu3.3
php8.1-fpm 8.1.7-1ubuntu3.3

Ubuntu 22.04 LTS:
libapache2-mod-php8.1 8.1.2-1ubuntu2.11
php8.1 8.1.2-1ubuntu2.11
php8.1-cgi 8.1.2-1ubuntu2.11
php8.1-cli 8.1.2-1ubuntu2.11
php8.1-fpm 8.1.2-1ubuntu2.11

Ubuntu 20.04 LTS:
libapache2-mod-php7.4 7.4.3-4ubuntu2.18
php7.4 7.4.3-4ubuntu2.18
php7.4-cgi 7.4.3-4ubuntu2.18
php7.4-cli 7.4.3-4ubuntu2.18
php7.4-fpm 7.4.3-4ubuntu2.18

Ubuntu 18.04 LTS:
libapache2-mod-php7.2 7.2.24-0ubuntu0.18.04.17
php7.2 7.2.24-0ubuntu0.18.04.17
php7.2-cgi 7.2.24-0ubuntu0.18.04.17
php7.2-cli 7.2.24-0ubuntu0.18.04.17
php7.2-fpm 7.2.24-0ubuntu0.18.04.17

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5902-1
CVE-2023-0567, CVE-2023-0568, CVE-2023-0662

Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.7-1ubuntu3.3
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.11
https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.18
https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.17

[USN-5899-1] AWStats vulnerability

==========================================================================
Ubuntu Security Notice USN-5899-1
February 28, 2023

awstats vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

AWStats could allow cross-site scripting (XSS) attacks.

Software Description:
- awstats: powerful and featureful web server log analyzer

Details:

It was discovered that AWStats did not properly sanitize the content of
whois responses in the hostinfo plugin. An attacker could possibly use
this issue to conduct cross-site scripting (XSS) attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  awstats                         7.8-2ubuntu0.22.10.1

Ubuntu 22.04 LTS:
  awstats                         7.8-2ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  awstats                         7.6+dfsg-2ubuntu0.20.04.2

Ubuntu 18.04 LTS:
  awstats                         7.6+dfsg-2ubuntu0.18.04.2

Ubuntu 16.04 ESM:
  awstats                         7.4+dfsg-1ubuntu0.4+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5899-1
  CVE-2022-46391

Package Information:
https://launchpad.net/ubuntu/+source/awstats/7.8-2ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/awstats/7.8-2ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/awstats/7.6+dfsg-2ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/awstats/7.6+dfsg-2ubuntu0.18.04.2

[USN-5888-1] Python vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5888-1
February 27, 2023

python3.9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Python.

Software Description:
- python3.9: An interactive high-level object-oriented language

Details:

It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to
execute arbitrary code. (CVE-2015-20107)

Hamza Avvan discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2021-28861)

It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-37454, CVE-2022-42919)

It was discovered that Python incorrectly handled certain inputs. If a
user or an automated system were tricked into running a specially
crafted input, a remote attacker could possibly use this issue to cause a
denial of service. (CVE-2022-45061, CVE-2023-24329)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
  python3.9                       3.9.5-3ubuntu0~20.04.1+esm1
  python3.9-minimal               3.9.5-3ubuntu0~20.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5888-1
  CVE-2015-20107, CVE-2021-28861, CVE-2022-37454, CVE-2022-42919,
  CVE-2022-45061, CVE-2023-24329

Package Information:
  https://launchpad.net/ubuntu/+source/python3.9/3.9.5-3ubuntu0~20.04.1+esm1

Monday, February 27, 2023

[USN-5898-1] OpenJDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5898-1
February 28, 2023

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Serialization component of OpenJDK did not
properly handle the deserialization of some CORBA objects. An attacker
could possibly use this to bypass Java sandbox restrictions.
(CVE-2023-21830)

Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not
properly validate the origin of a Soundbank. An attacker could use this to
specially craft an untrusted Java application or applet that could load a
Soundbank from an attacker controlled remote URL. (CVE-2023-21843)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
openjdk-8-jdk 8u362-ga-0ubuntu1~22.10
openjdk-8-jre 8u362-ga-0ubuntu1~22.10
openjdk-8-jre-headless 8u362-ga-0ubuntu1~22.10
openjdk-8-jre-zero 8u362-ga-0ubuntu1~22.10

Ubuntu 22.04 LTS:
openjdk-8-jdk 8u362-ga-0ubuntu1~22.04
openjdk-8-jre 8u362-ga-0ubuntu1~22.04
openjdk-8-jre-headless 8u362-ga-0ubuntu1~22.04
openjdk-8-jre-zero 8u362-ga-0ubuntu1~22.04

Ubuntu 20.04 LTS:
openjdk-8-jdk 8u362-ga-0ubuntu1~20.04.1
openjdk-8-jre 8u362-ga-0ubuntu1~20.04.1
openjdk-8-jre-headless 8u362-ga-0ubuntu1~20.04.1
openjdk-8-jre-zero 8u362-ga-0ubuntu1~20.04.1

Ubuntu 18.04 LTS:
openjdk-8-jdk 8u362-ga-0ubuntu1~18.04.1
openjdk-8-jre 8u362-ga-0ubuntu1~18.04.1
openjdk-8-jre-headless 8u362-ga-0ubuntu1~18.04.1
openjdk-8-jre-zero 8u362-ga-0ubuntu1~18.04.1

Ubuntu 16.04 ESM:
openjdk-8-jdk 8u362-ga-0ubuntu1~16.04.1
openjdk-8-jre 8u362-ga-0ubuntu1~16.04.1
openjdk-8-jre-headless 8u362-ga-0ubuntu1~16.04.1
openjdk-8-jre-zero 8u362-ga-0ubuntu1~16.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5898-1
CVE-2023-21830, CVE-2023-21843

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u362-ga-0ubuntu1~22.10
https://launchpad.net/ubuntu/+source/openjdk-8/8u362-ga-0ubuntu1~22.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u362-ga-0ubuntu1~20.04.1
https://launchpad.net/ubuntu/+source/openjdk-8/8u362-ga-0ubuntu1~18.04.1

[USN-5897-1] OpenJDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5897-1
February 28, 2023

openjdk-17, openjdk-19, openjdk-lts vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-17: Open Source Java implementation
- openjdk-19: Open Source Java implementation
- openjdk-lts: Open Source Java implementation

Details:

Juraj Somorovsky, Marcel Maehren, Nurullah Erinola, and Robert Merget
discovered that the DTLS implementation in the JSSE subsystem of OpenJDK
did not properly restrict handshake initiation requests from clients. A
remote attacker could possibly use this to cause a denial of service.
(CVE-2023-21835)

Markus Loewe discovered that the Java Sound subsystem in OpenJDK did not
properly validate the origin of a Soundbank. An attacker could use this to
specially craft an untrusted Java application or applet that could load a
Soundbank from an attacker controlled remote URL. (CVE-2023-21843)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
openjdk-11-jdk 11.0.18+10-0ubuntu1~22.10
openjdk-11-jre 11.0.18+10-0ubuntu1~22.10
openjdk-11-jre-headless 11.0.18+10-0ubuntu1~22.10
openjdk-11-jre-zero 11.0.18+10-0ubuntu1~22.10
openjdk-17-jdk 17.0.6+10-0ubuntu1~22.10
openjdk-17-jre 17.0.6+10-0ubuntu1~22.10
openjdk-17-jre-headless 17.0.6+10-0ubuntu1~22.10
openjdk-17-jre-zero 17.0.6+10-0ubuntu1~22.10
openjdk-19-jdk 19.0.2+7-0ubuntu3~22.10
openjdk-19-jre 19.0.2+7-0ubuntu3~22.10
openjdk-19-jre-headless 19.0.2+7-0ubuntu3~22.10
openjdk-19-jre-zero 19.0.2+7-0ubuntu3~22.10

Ubuntu 22.04 LTS:
openjdk-11-jdk 11.0.18+10-0ubuntu1~22.04
openjdk-11-jre 11.0.18+10-0ubuntu1~22.04
openjdk-11-jre-headless 11.0.18+10-0ubuntu1~22.04
openjdk-11-jre-zero 11.0.18+10-0ubuntu1~22.04
openjdk-17-jdk 17.0.6+10-0ubuntu1~22.04
openjdk-17-jre 17.0.6+10-0ubuntu1~22.04
openjdk-17-jre-headless 17.0.6+10-0ubuntu1~22.04
openjdk-17-jre-zero 17.0.6+10-0ubuntu1~22.04
openjdk-19-jdk 19.0.2+7-0ubuntu3~22.04
openjdk-19-jre 19.0.2+7-0ubuntu3~22.04
openjdk-19-jre-headless 19.0.2+7-0ubuntu3~22.04
openjdk-19-jre-zero 19.0.2+7-0ubuntu3~22.04

Ubuntu 20.04 LTS:
openjdk-11-jdk 11.0.18+10-0ubuntu1~20.04.1
openjdk-11-jre 11.0.18+10-0ubuntu1~20.04.1
openjdk-11-jre-headless 11.0.18+10-0ubuntu1~20.04.1
openjdk-11-jre-zero 11.0.18+10-0ubuntu1~20.04.1
openjdk-17-jdk 17.0.6+10-0ubuntu1~20.04.1
openjdk-17-jre 17.0.6+10-0ubuntu1~20.04.1
openjdk-17-jre-headless 17.0.6+10-0ubuntu1~20.04.1
openjdk-17-jre-zero 17.0.6+10-0ubuntu1~20.04.1

Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.18+10-0ubuntu1~18.04.1
openjdk-11-jre 11.0.18+10-0ubuntu1~18.04.1
openjdk-11-jre-headless 11.0.18+10-0ubuntu1~18.04.1
openjdk-11-jre-zero 11.0.18+10-0ubuntu1~18.04.1
openjdk-17-jdk 17.0.6+10-0ubuntu1~18.04.1
openjdk-17-jre 17.0.6+10-0ubuntu1~18.04.1
openjdk-17-jre-headless 17.0.6+10-0ubuntu1~18.04.1
openjdk-17-jre-zero 17.0.6+10-0ubuntu1~18.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5897-1
CVE-2023-21835, CVE-2023-21843

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.6+10-0ubuntu1~22.10
https://launchpad.net/ubuntu/+source/openjdk-19/19.0.2+7-0ubuntu3~22.10
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.18+10-0ubuntu1~22.10
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.6+10-0ubuntu1~22.04
https://launchpad.net/ubuntu/+source/openjdk-19/19.0.2+7-0ubuntu3~22.04
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.18+10-0ubuntu1~22.04
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.6+10-0ubuntu1~20.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.18+10-0ubuntu1~20.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.6+10-0ubuntu1~18.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.18+10-0ubuntu1~18.04.1

[USN-5895-1] MPlayer vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5895-1
February 27, 2023

mplayer vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in MPlayer.

Software Description:
- mplayer: movie player for Unix-like systems

Details:

It was discovered that MPlayer could be made to divide by zero when
processing certain malformed media files. If a user were tricked into
opening a specially crafted media file, an attacker could possibly use
this issue to cause MPlayer to crash, resulting in a denial of service.
(CVE-2022-38850, CVE-2022-38860, CVE-2022-38865)

It was discovered that MPlayer could be made to read out of bounds when
processing certain malformed media files. If a user were tricked into
opening a specially crafted media file, an attacker could possibly use
this issue to cause MPlayer to crash, resulting in a denial of service.
(CVE-2022-38851)

It was discovered that MPlayer could be made to write out of bounds when
processing certain malformed media files. If a user were tricked into
opening a specially crafted media file, an attacker could possibly use
this issue to cause MPlayer to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2022-38855, CVE-2022-38858,
CVE-2022-38863, CVE-2022-38864, CVE-2022-38866)

It was discovered that MPlayer did not properly manage memory when
processing certain malformed media files. If a user were tricked into
opening a specially crafted media file, an attacker could possibly use
this issue to cause MPlayer to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2022-38861)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  mencoder                        2:1.4+ds1-3ubuntu1.1
  mplayer                         2:1.4+ds1-3ubuntu1.1

Ubuntu 22.04 LTS:
  mencoder                        2:1.4+ds1-3ubuntu0.1
  mplayer                         2:1.4+ds1-3ubuntu0.1

Ubuntu 20.04 LTS:
  mencoder                        2:1.3.0-8+deb10u1build0.20.04.1
  mplayer                         2:1.3.0-8+deb10u1build0.20.04.1

Ubuntu 18.04 LTS:
  mencoder                        2:1.3.0-7ubuntu0.2
  mplayer                         2:1.3.0-7ubuntu0.2

Ubuntu 16.04 ESM:
  mencoder                        2:1.2.1-1ubuntu1.1+esm1
  mplayer                         2:1.2.1-1ubuntu1.1+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5895-1
  CVE-2022-38850, CVE-2022-38851, CVE-2022-38855, CVE-2022-38858,
  CVE-2022-38860, CVE-2022-38861, CVE-2022-38863, CVE-2022-38864,
  CVE-2022-38865, CVE-2022-38866

Package Information:
  https://launchpad.net/ubuntu/+source/mplayer/2:1.4+ds1-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/mplayer/2:1.4+ds1-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/mplayer/2:1.3.0-8+deb10u1build0.20.04.1
  https://launchpad.net/ubuntu/+source/mplayer/2:1.3.0-7ubuntu0.2

[USN-5896-1] Rack vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5896-1
February 27, 2023

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escaped sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code in
the machine running the application. (CVE-2022-30123)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  ruby-rack                       2.1.4-5ubuntu1+esm2

Ubuntu 20.04 LTS:
  ruby-rack                       2.0.7-2ubuntu0.1+esm2

Ubuntu 18.04 LTS:
  ruby-rack                       1.6.4-4ubuntu0.2+esm2

After a standard system update you need to restart any applications using
Rack to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5896-1
  CVE-2022-30122, CVE-2022-30123

Package Information:

[USN-5894-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5894-1
February 27, 2023

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen and Tomas Hoger discovered that curl incorrectly handled
TELNET connections when the -t option was used on the command line.
Uninitialized data possibly containing sensitive information could be sent
to the remote server, contrary to expectations. This issue was only fixed
in Ubuntu 14.04 ESM. (CVE-2021-22898, CVE-2021-22925)

It was discovered that curl incorrectly handled denials when using HTTP
proxies. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-43552)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
curl 7.47.0-1ubuntu2.19+esm7
libcurl3 7.47.0-1ubuntu2.19+esm7
libcurl3-gnutls 7.47.0-1ubuntu2.19+esm7
libcurl3-nss 7.47.0-1ubuntu2.19+esm7

Ubuntu 14.04 ESM:
curl 7.35.0-1ubuntu2.20+esm14
libcurl3 7.35.0-1ubuntu2.20+esm14
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm14
libcurl3-nss 7.35.0-1ubuntu2.20+esm14

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5894-1
CVE-2021-22898, CVE-2021-22925, CVE-2022-43552

[USN-5893-1] WebKitGTK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5893-1
February 27, 2023

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libjavascriptcoregtk-4.0-18 2.38.5-0ubuntu0.22.10.1
libjavascriptcoregtk-4.1-0 2.38.5-0ubuntu0.22.10.1
libjavascriptcoregtk-5.0-0 2.38.5-0ubuntu0.22.10.1
libwebkit2gtk-4.0-37 2.38.5-0ubuntu0.22.10.1
libwebkit2gtk-4.1-0 2.38.5-0ubuntu0.22.10.1
libwebkit2gtk-5.0-0 2.38.5-0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
libjavascriptcoregtk-4.0-18 2.38.5-0ubuntu0.22.04.1
libjavascriptcoregtk-4.1-0 2.38.5-0ubuntu0.22.04.1
libwebkit2gtk-4.0-37 2.38.5-0ubuntu0.22.04.1
libwebkit2gtk-4.1-0 2.38.5-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
libjavascriptcoregtk-4.0-18 2.38.5-0ubuntu0.20.04.1
libwebkit2gtk-4.0-37 2.38.5-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5893-1
CVE-2023-23529

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.5-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.5-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.38.5-0ubuntu0.20.04.1

[USN-5891-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5891-1
February 27, 2023

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled HSTS support
when multiple URLs are requested serially. A remote attacker could possibly
use this issue to cause curl to use unencrypted connections. This issue
only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-23914)

Harry Sintonen discovered that curl incorrectly handled HSTS support
when multiple URLs are requested in parallel. A remote attacker could
possibly use this issue to cause curl to use unencrypted connections. This
issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-23915)

Patrick Monnerat discovered that curl incorrectly handled memory when
processing requests with multi-header compression. A remote attacker could
possibly use this issue to cause curl to consume resources, leading to a
denial of service. (CVE-2023-23916)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
curl 7.85.0-1ubuntu0.3
libcurl3-gnutls 7.85.0-1ubuntu0.3
libcurl3-nss 7.85.0-1ubuntu0.3
libcurl4 7.85.0-1ubuntu0.3

Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.8
libcurl3-gnutls 7.81.0-1ubuntu1.8
libcurl3-nss 7.81.0-1ubuntu1.8
libcurl4 7.81.0-1ubuntu1.8

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.16
libcurl3-gnutls 7.68.0-1ubuntu2.16
libcurl3-nss 7.68.0-1ubuntu2.16
libcurl4 7.68.0-1ubuntu2.16

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.23
libcurl3-gnutls 7.58.0-2ubuntu3.23
libcurl3-nss 7.58.0-2ubuntu3.23
libcurl4 7.58.0-2ubuntu3.23

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5891-1
CVE-2023-23914, CVE-2023-23915, CVE-2023-23916

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.3
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.8
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.16
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.23

[USN-5892-1] NSS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5892-1
February 27, 2023

nss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in NSS.

Software Description:
- nss: Network Security Service library

Details:

It was discovered that NSS incorrectly handled client authentication
without a user certificate in the database. A remote attacker could
possibly use this issue to cause an NSS client to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.10. (CVE-2022-3479)

Christian Holler discovered that NSS incorrectly handled certain PKCS 12
certificate bundles. A remote attacker could use this issue to cause NSS
to crash, leading to a denial of service, or possibly execute arbitrary
code. (CVE-2023-0767)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libnss3 2:3.82-1ubuntu0.1

Ubuntu 22.04 LTS:
libnss3 2:3.68.2-0ubuntu1.2

Ubuntu 20.04 LTS:
libnss3 2:3.49.1-1ubuntu1.9

Ubuntu 18.04 LTS:
libnss3 2:3.35-2ubuntu2.16

After a standard system update you need to restart any applications that
use NSS to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5892-1
CVE-2022-3479, CVE-2023-0767

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.82-1ubuntu0.1
https://launchpad.net/ubuntu/+source/nss/2:3.68.2-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.9
https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.16

[USN-5890-1] Open vSwitch vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5890-1
February 27, 2023

openvswitch vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Open vSwitch.

Software Description:
- openvswitch: Ethernet virtual switch

Details:

Qian Chen discovered that Open vSwitch incorrectly handled certain
Organization Specific TLVs. A remote attacker could use this issue to cause
Open vSwitch to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
openvswitch-common 3.0.3-0ubuntu0.22.10.2

Ubuntu 22.04 LTS:
openvswitch-common 2.17.3-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:
openvswitch-common 2.13.8-0ubuntu1.1

Ubuntu 18.04 LTS:
openvswitch-common 2.9.8-0ubuntu0.18.04.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5890-1
CVE-2022-4337, CVE-2022-4338

Package Information:
https://launchpad.net/ubuntu/+source/openvswitch/3.0.3-0ubuntu0.22.10.2
https://launchpad.net/ubuntu/+source/openvswitch/2.17.3-0ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/openvswitch/2.13.8-0ubuntu1.1
https://launchpad.net/ubuntu/+source/openvswitch/2.9.8-0ubuntu0.18.04.4

[USN-5889-1] ZoneMinder vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5889-1
February 27, 2023

zoneminder vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in ZoneMinder.

Software Description:
- zoneminder: video camera security and surveillance solution

Details:

It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM. (CVE-2019-6777)

It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 16.04 ESM. (CVE-2019-6990,
CVE-2019-6992)

It was discovered that ZoneMinder was not properly limiting data size and
not properly performing bound checks when processing username and password
data, which could lead to a stack buffer overflow. An attacker could
possibly use this issue to bypass authentication, cause a denial of
service or execute arbitrary code. This issue was only fixed in Ubuntu
16.04 ESM. (CVE-2019-6991)

It was discovered that ZoneMinder was not properly defining and filtering
data that was appended to the webroot URL of a view. An attacker could
possibly use this issue to perform cross-site scripting (XSS) attacks.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 20.04 LTS.
(CVE-2019-7325, CVE-2019-7329)

It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 20.04 LTS. (CVE-2019-7326)

It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 20.04 LTS. (CVE-2019-7327, CVE-2019-7328, CVE-2019-7330,
CVE-2019-7332)

It was discovered that ZoneMinder was not properly sanitizing user input
in the monitor editing view. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM and Ubuntu 20.04 LTS. (CVE-2019-7331)

It was discovered that ZoneMinder was not properly sanitizing data related
to file paths in a system. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2022-29806)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  zoneminder                      1.36.12+dfsg1-1ubuntu0.1~esm1

Ubuntu 20.04 LTS:
  zoneminder                      1.32.3-2ubuntu2+esm1

Ubuntu 16.04 ESM:
  zoneminder                      1.29.0+dfsg-1ubuntu2+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5889-1
  CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992,
  CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328,
  CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332,
  CVE-2022-29806

Package Information:

[USN-5887-1] ClamAV vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5887-1
February 27, 2023

clamav vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in ClamAV.

Software Description:
- clamav: Anti-virus utility for Unix

Details:

Simon Scannell discovered that ClamAV incorrectly handled parsing
HFS+ files. A remote attacker could possibly use this issue
to cause ClamAV to crash, resulting in a denial of service,
or execute arbitrary code. (CVE-2023-20032)

Simon Scannell discovered that ClamAV incorrectly handled parsing
DMG files. A remote attacker could possibly use this issue
to expose sensitive information. (CVE-2023-20052)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  clamav                          0.103.8+dfsg-0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
  clamav                          0.103.8+dfsg-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
  clamav                          0.103.8+dfsg-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
  clamav                          0.103.8+dfsg-0ubuntu0.18.04.1

Ubuntu 16.04 ESM:
  clamav 0.103.8+dfsg-0ubuntu0.16.04.1+esm1

Ubuntu 14.04 ESM:
  clamav 0.103.8+dfsg-0ubuntu0.14.04.1+esm1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-5887-1
  CVE-2023-20032, CVE-2023-20052

Package Information:
https://launchpad.net/ubuntu/+source/clamav/0.103.8+dfsg-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/clamav/0.103.8+dfsg-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/clamav/0.103.8+dfsg-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/clamav/0.103.8+dfsg-0ubuntu0.18.04.1

[USN-5886-1] Intel Microcode vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5886-1
February 27, 2023

intel-microcode vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:
- intel-microcode: Processor microcode for Intel CPUs

Details:

Erik C. Bjorge discovered that some Intel(R) Atom and Intel Xeon Scalable
Processors did not properly implement access controls for out-of-band
management. This may allow a privileged network-adjacent user to potentially
escalate privileges. (CVE-2022-21216)

Cfir Cohen, Erdem Aktas, Felix Wilhelm, James Forshaw, Josh Eads, Nagaraju
Kodalapura Nagabhushana Rao, Przemyslaw Duda, Liron Shacham and Ron Anderson
discovered that some Intel(R) Xeon(R) Processors used incorrect default
permissions in some memory controller configurations when using Intel(R)
Software Guard Extensions. This may allow a privileged local user to potentially
escalate privileges. (CVE-2022-33196)

It was discovered that some 3rd Generation Intel(R) Xeon(R) Scalable Processors
did not properly calculate microkey keying. This may allow a privileged local
user to potentially disclose information. (CVE-2022-33972)

Joseph Nuzman discovered that some Intel(R) Processors when using Intel(R)
Software Guard Extensions did not properly isolate shared resources. This may
allow a privileged local user to potentially disclose
information. (CVE-2022-38090)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
intel-microcode 3.20230214.0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
intel-microcode 3.20230214.0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
intel-microcode 3.20230214.0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
intel-microcode 3.20230214.0ubuntu0.18.04.1

Ubuntu 16.04 ESM:
intel-microcode 3.20230214.0ubuntu0.16.04.1+esm1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5886-1
CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090

Package Information:
https://launchpad.net/ubuntu/+source/intel-microcode/3.20230214.0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20230214.0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20230214.0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/intel-microcode/3.20230214.0ubuntu0.18.04.1

Sunday, February 26, 2023

[USN-5885-1] APR vulnerability

==========================================================================
Ubuntu Security Notice USN-5885-1
February 27, 2023

apr vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

APR could possibly be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- apr: Apache Portable Runtime Library

Details:

Ronald Crane discovered integer overflow vulnerabilities in the Apache
Portable Runtime (APR) that could potentially result in memory corruption.
A remote attacker could possibly use these issues to cause a denial of
service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libapr1 1.7.0-8ubuntu0.22.10.1

Ubuntu 22.04 LTS:
libapr1 1.7.0-8ubuntu0.22.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5885-1
CVE-2022-24963


Package Information:
https://launchpad.net/ubuntu/+source/apr/1.7.0-8ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/apr/1.7.0-8ubuntu0.22.04.1

OpenBSD Errata: February 26, 2023 (wscons)

Errata patches for wscons(4) have been released for OpenBSD 7.1 and
7.2.

Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata71.html
https://www.openbsd.org/errata72.html

Thursday, February 23, 2023

Ubuntu 22.04.2 LTS released

The Ubuntu team is pleased to announce the release of Ubuntu 22.04.2 LTS
(Long-Term Support) for its Desktop, Server, and Cloud products, as well
as other flavours of Ubuntu with long-term support.

As usual, this point release includes many updates and updated
installation media has been provided so that fewer updates will need to
be downloaded after installation. These include security updates and
corrections for other high-severity bugs, with a focus on maintaining
stability and compatibility with Ubuntu 22.04 LTS.
22.04.2 also brings new RISC-V platform support, providing fresh images
for the LicheeRV and PolarFire Icicle Kit boards.

Kubuntu 22.04.2 LTS, Ubuntu Budgie 22.04.2 LTS, Ubuntu MATE 22.04.2 LTS,
Lubuntu 22.04.2 LTS, Ubuntu Kylin 22.04.2 LTS, Ubuntu Studio 22.04.2 LTS,
and Xubuntu 22.04.2 LTS are also now available. More details can be found
in their individual release notes (see 'Official flavours'):

https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

Maintenance updates will be provided for 5 years for Ubuntu Desktop,
Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining
flavours will be supported for 3 years. Additional security support is
available with ESM (Extended Security Maintenance).

To get Ubuntu 22.04.2 LTS
-------------------------

In order to download Ubuntu 22.04.2 LTS, visit:

https://ubuntu.com/download

Users of Ubuntu 20.04 LTS will be offered an automatic upgrade to
22.04.2 LTS via Update Manager.

We recommend that all users read the 22.04.2 LTS release notes, which
document caveats and workarounds for known issues, as well as more
in-depth notes on the release itself. They are available at:

https://discourse.ubuntu.com/t/jammy-jellyfish-release-notes/24668

If you have a question, or if you think you may have found a bug but
aren't sure, you can try asking in any of the following places:

#ubuntu on irc.libera.chat
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
https://ubuntuforums.org
https://askubuntu.com


Help Shape Ubuntu
-----------------

If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:

https://discourse.ubuntu.com/contribute


About Ubuntu
------------

Ubuntu is a full-featured Linux distribution for desktops, laptops,
clouds and servers, with a fast and easy installation and regular
releases. A tightly-integrated selection of excellent applications is
included, and an incredible variety of add-on software is just a few
clicks away.

Professional services including support are available from Canonical and
hundreds of other companies around the world. For more information
about support, visit:

https://ubuntu.com/support


More Information
----------------

You can learn more about Ubuntu and about this release on our website
listed below:

https://ubuntu.com/

To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

On behalf of the Ubuntu Release Team,

Łukasz 'sil2100' Zemczak


--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

[USN-5884-1] Linux kernel (AWS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5884-1
February 23, 2023

linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

Kirill Tkhai discovered that the XFS file system implementation in the
Linux kernel did not calculate size correctly when pre-allocating space in
some situations. A local attacker could use this to expose sensitive
information. (CVE-2021-4155)

Lee Jones discovered that a use-after-free vulnerability existed in the
Bluetooth implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-20566)

Duoming Zhou discovered that a race condition existed in the SLIP driver in
the Linux kernel, leading to a null pointer dereference vulnerability. An
attacker could use this to cause a denial of service (system crash).
(CVE-2022-41858)

Tamás Koczka discovered that the Bluetooth L2CAP implementation in the
Linux kernel did not properly initialize memory in some situations. A
physically proximate attacker could possibly use this to expose sensitive
information (kernel memory). (CVE-2022-42895)

José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
linux-image-4.4.0-1154-aws 4.4.0-1154.169
linux-image-aws 4.4.0.1154.158

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5884-1
CVE-2021-4155, CVE-2022-20566, CVE-2022-41858, CVE-2022-42895,
CVE-2023-0045, CVE-2023-23559

[USN-5882-1] DCMTK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5882-1
February 22, 2023

dcmtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in DCMTK.

Software Description:
- dcmtk: OFFIS DICOM toolkit command line utilities

Details:

Gjoko Krstic discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8979)

Omar Ganiev discovered that DCMTK incorrectly handled buffers. If a user or
an automated system were tricked into opening a certain specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 18.04 LTS. (CVE-2019-1010228)

Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a
user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2021-41687,
CVE-2021-41688, CVE-2021-41689, and CVE-2021-41690)

Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
certain inputs. If a user or an automated system were tricked into opening
a certain specially crafted input file, a remote attacker could possibly use
this issue to execute arbitrary code. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-2119 and CVE-2022-2120)

Sharon Brizinov and Noam Moshe discovered that DCMTK incorrectly handled
pointers. If a user or an automated system were tricked into opening a
certain specially crafted input file, a remote attacker could possibly use
this issue to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2022-2121)

It was discovered that DCMTK incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a certain specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. This issue affected Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10.
(CVE-2022-43272)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  dcmtk                           3.6.7-6ubuntu0.1
  libdcmtk17                      3.6.7-6ubuntu0.1

Ubuntu 22.04 LTS:
  dcmtk                           3.6.6-5ubuntu0.1~esm1
  libdcmtk16                      3.6.6-5ubuntu0.1~esm1

Ubuntu 20.04 LTS:
  dcmtk                           3.6.4-2.1ubuntu0.1~esm1
  libdcmtk14                      3.6.4-2.1ubuntu0.1~esm1

Ubuntu 18.04 LTS:
  dcmtk                           3.6.2-3ubuntu0.1~esm1
  libdcmtk12                      3.6.2-3ubuntu0.1~esm1

Ubuntu 16.04 ESM:
  dcmtk                           3.6.1~20150924-5ubuntu0.1~esm1
  libdcmtk5                       3.6.1~20150924-5ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5882-1
  CVE-2015-8979, CVE-2019-1010228, CVE-2021-41687, CVE-2021-41688,
  CVE-2021-41689, CVE-2021-41690, CVE-2022-2119, CVE-2022-2120,
  CVE-2022-2121, CVE-2022-43272

Package Information:
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.7-6ubuntu0.1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.6-5ubuntu0.1~esm1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.4-2.1ubuntu0.1~esm1
  https://launchpad.net/ubuntu/+source/dcmtk/3.6.2-3ubuntu0.1~esm1