==========================================================================
Ubuntu Security Notice USN-5855-3
March 31, 2023
imagemagick regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
USN-5855-1 introduced a regression in ImageMagick.
Software Description:
- imagemagick: Image manipulation programs and library
Details:
USN-5855-2 fixed vulnerabilities in ImageMagick. Unfortunately an additional
mitigation caused a regression. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that ImageMagick incorrectly handled certain PNG images.
If a user or automated system were tricked into opening a specially crafted
PNG file, an attacker could use this issue to cause ImageMagick to stop
responding, resulting in a denial of service, or possibly obtain the
contents of arbitrary files by including them into images.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
imagemagick 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
imagemagick-6.q16 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
libmagick++-6.q16-8 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
libmagickcore-6.q16-6 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
libmagickcore-6.q16-6-extra 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
Ubuntu 22.04 LTS:
imagemagick 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
imagemagick-6.q16 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
libmagick++-6.q16-8 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
libmagickcore-6.q16-6 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
libmagickcore-6.q16-6-extra 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
Ubuntu 20.04 LTS:
imagemagick 8:6.9.10.23+dfsg-2.1ubuntu11.7
imagemagick-6.q16 8:6.9.10.23+dfsg-2.1ubuntu11.7
libmagick++-6.q16-8 8:6.9.10.23+dfsg-2.1ubuntu11.7
libmagickcore-6.q16-6 8:6.9.10.23+dfsg-2.1ubuntu11.7
libmagickcore-6.q16-6-extra 8:6.9.10.23+dfsg-2.1ubuntu11.7
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5855-3
https://ubuntu.com/security/notices/USN-5855-1
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2004580
Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.10.4
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.23+dfsg-2.1ubuntu11.7
Friday, March 31, 2023
[USN-5991-1] Linux kernel (GCP) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5991-1
March 31, 2023
linux-gcp-4.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-4.15.0-1147-gcp 4.15.0-1147.163
linux-image-gcp-lts-18.04 4.15.0.1147.161
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5991-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1147.163
Ubuntu Security Notice USN-5991-1
March 31, 2023
linux-gcp-4.15 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-4.15.0-1147-gcp 4.15.0-1147.163
linux-image-gcp-lts-18.04 4.15.0.1147.161
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5991-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1147.163
Ubuntu 23.04 (Lunar Lobster) Beta released
The Ubuntu team is pleased to announce the Beta release of the Ubuntu 23.04
Desktop, Server, and Cloud products.
Desktop, Server, and Cloud products.
Ubuntu 23.04, codenamed "Lunar Lobster", continues Ubuntu's proud tradition of
integrating the latest and greatest open source technologies into a
high-quality, easy-to-use Linux distribution. The team has been hard at work
through this cycle, introducing new features and fixing bugs.
This Beta release includes images from not only the Ubuntu Desktop, Server, and
Cloud products, but also the Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie,
Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and
Xubuntu flavours.
The Beta images are known to be reasonably free of showstopper image build or
installer bugs, while representing a very recent snapshot of 23.04 that should
be representative of the features intended to ship with the final release
expected on April 20, 2023.
Ubuntu, Ubuntu Server, Cloud Images:
Lunar Beta includes updated versions of most of our core set of
packages, including a current 6.2 kernel, and much more.
To upgrade to Ubuntu 23.04 Beta from Ubuntu 22.10, follow these
instructions:
https://help.ubuntu.com/community/LunarUpgrades
The Ubuntu 23.04 Beta images can be downloaded at:
https://releases.ubuntu.com/23.04/ (Ubuntu and Ubuntu Server on x86)
The default Ubuntu Desktop installer is now a Flutter snap backed by Subiquity.
The legacy installer is still available in case of issues with the new installer.
This Ubuntu Server image features the next generation Subiquity server
installer, bringing the comfortable live session and speedy install of
the Ubuntu Desktop to server users.
Additional images can be found at the following links:
https://cloud-images.ubuntu.com/daily/server/lunar/current/ (Cloud Images)
https://cdimage.ubuntu.com/releases/23.04/beta/ (Non-x86)
As fixes will be included in new images between now and release, any
daily cloud image should be considered a Beta image. Bugs found should be
filed against the appropriate packages or, failing that, the cloud-images
project in Launchpad.
The full release notes for Ubuntu 23.04 Beta can be found at:
https://discourse.ubuntu.com/t/lunar-lobster-release-notes
Edubuntu:
Edubuntu is a flavor of Ubuntu designed as a free education oriented
operating system for children of all ages.
The Beta images can be downloaded at:
http://cdimage.ubuntu.com/edubuntu/releases/23.04/beta/
Kubuntu:
Kubuntu is the KDE based flavor of Ubuntu. It uses the Plasma desktop and
includes a wide selection of tools from the KDE project.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/kubuntu/releases/23.04/beta/
Lubuntu:
Lubuntu is a flavor of Ubuntu which uses the Lightweight Qt Desktop
Environment (LXQt). The project's goal is to provide a lightweight yet
functional Linux distribution based on a rock-solid Ubuntu base.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/lubuntu/releases/23.04/beta/
Ubuntu Budgie:
Ubuntu Budgie is a community developed desktop, integrating Budgie Desktop
Environment with Ubuntu at its core.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-budgie/releases/23.04/beta/
Ubuntu Cinnamon
Ubuntu Cinnamon is a flavor of Ubuntu featuring the Cinnamon desktop
environment.
The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntucinnamon/releases/23.04/beta/
Ubuntu Kylin:
Ubuntu Kylin is a flavor of Ubuntu that is more suitable for Chinese users.
The Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntukylin/releases/23.04/beta/
Ubuntu MATE:
Ubuntu MATE is a flavor of Ubuntu featuring the MATE desktop environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-mate/releases/23.04/beta/
Ubuntu Studio:
Ubuntu Studio is a flavor of Ubuntu that provides a full range of multimedia
content creation applications for each key workflow: audio, graphics, video,
photography and publishing.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntustudio/releases/23.04/beta/
Ubuntu Unity:
Ubuntu Unity is a flavor of Ubuntu featuring the Unity7 desktop environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/ubuntu-unity/releases/23.04/beta/
Xubuntu:
Xubuntu is a flavor of Ubuntu that comes with Xfce, which is a stable, light
and configurable desktop environment.
The Beta images can be downloaded at:
https://cdimage.ubuntu.com/xubuntu/releases/23.04/beta/
Regular daily images for Ubuntu, and all flavours, can be found at:
https://cdimage.ubuntu.com
Ubuntu is a full-featured Linux distribution for clients, servers and clouds,
with a fast and easy installation and regular releases. A tightly-integrated
selection of excellent applications is included, and an incredible variety of
add-on software is just a few clicks away.
Professional technical support is available from Canonical Limited and hundreds
of other companies around the world. For more information about support, visit
https://ubuntu.com/support
If you would like to help shape Ubuntu, take a look at the list of ways you can
participate at:
https://ubuntu.com/community/participate
Your comments, bug reports, patches and suggestions really help us to improve
this and future releases of Ubuntu. Instructions can be found at:
https://help.ubuntu.com/community/ReportingBugs
You can find out more about Ubuntu and about this Beta release on our
website, IRC channel and wiki.
To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
On behalf of the Ubuntu Release Team,
--
Brian Murray
--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
Thursday, March 30, 2023
[USN-5990-1] musl vulnerabilities
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBGJo5iQBEADBDrePgICrxsoCWxlAiEKAgZgqeX1XhHxhDCkprNwOA9ZEU7G9
77BEHgYLSrAh3LraWYK+piBXBuHdg8KCUppUmEC4GtiHg+KxtxRjgZn/tjLD6vgZ
kwZYs0KXQVCK2bhSL0paEA78Xcx1B6xa8JArnjk87VoNl6RCjJESXkwlqGtQTEOp
bNxBy5Pd0T33xYeKcOz0GWY5ndkU1gD7NtMZdWZ8vcQclLquQO5OE33OhK78cU4Z
k4xFL5I5R4rBhlrOsw002bbD0+QI6wUKQByHfvcAz59eHS/wJOrAY/1p+IKql/4f
sRQQSRPSc+3CqELdxzF2s+AG0PciQms3RVYT6czH28Ce9C9BDAENga28FvQDf5Zi
STUeXZm0XJ9g+dLg+6FBPHp9wX+ybfAmIRXQlV4D6DledQAWjoBy3j09JOGQGSH0
S3EbQ68Qn2xyGBlYeFCZbMlKDN8NrpVCx9Jf6dDb3Qv2Do1yIIRu5x0vwKlNsQG0
NffMryLCQ0tVBNNiwqrHIbmZEhSUEmKf6u+zZsx1JMewe6fRw3hf3VOzENH5tGpZ
Z1Yg8m3E2yiXmPJ9cX3iZD0l7/L8CEiuMWt/q/NEDnKsGovi9N1r04Yxxo5lWoHr
+4taaOnC2C7YEHICIWx3lEU0lm24PbNG4QBJCJ8ctwG2rV3AMILCVSzW0QARAQAB
zSVNYXJrIEVzbGVyIDxtYXJrLmVzbGVyQGNhbm9uaWNhbC5jb20+wsGUBBMBCgA+
FiEELTsQ/oZuJMqL99Qt1guDyQUTvU8FAmJo5iQCGwMFCQPCZwAFCwkIBwIGFQoJ
CAsCBBYCAwECHgECF4AACgkQ1guDyQUTvU/Gqw/9F5ko+KS9CRXXcp4SkdhHB6aG
tD9rEJycEywPymmI+OwCJppmbQBzzwW7QGLHi8TTiWnWMSeikhSh0p9pPCc9rhLt
tYDlGZwoxXPt7PwS0k9JjITNviTNZD6uHIoYmFMxS65qdh7s7OSQj4+nTij1b+dV
qzaG4krGB/pav2D2adt4k02KfqIkPiLY0Jo+o8hKOx2HRh8xqEU/eySRtVvIx55c
D4Qh63KQv465Afz+QuKsbxuqA2iboUP/srYtMQtFi8TCF7/5gLwDbGDgOAYhIxyf
vgAH5dbBFB8lIMPjIeTbP0lE+xMHUmQsKhtYICnjhnGRJeT6vBlDFuUar5DYA3fI
m9LEAf1T1eMK4FBUSCv+cULlT9+rsHDbG6tiZU/BDp/mkKFs2Ax9W68+fgXy7bor
ixrgDhfSCsYWaxLsXW/GEmyCbp30PZlLr6kvfQq7CMEjeE79FEsef7/ppRH/t+mv
6p2xhb+DDbvqzcQZ7LQn3+PLxkR37spQRvevPxpx000CqTO5gV19w/2ZSPydm2Zd
44XSranzwDdD4o5ZsMXAPuCNlVAVzxAhxNj2QQL7xh9bdDDmM9Z7qBPwFX42n7mw
ryjBHqMtrSCSI8hupSh2B/bQSRyWd3/KQ2vlJMoq7H5EJiJYpb3blvb4tfoSfEag
PqYV1jJEcKImOGs988rOwU0EYmjmJAEQAL0wGwC8P1qj0fuLaFpPKBAFtxBqnJJc
c+63DjQ17/QJrYpKwGGkW6fz/Nn0nUDf88FdrHd7t6a9c3m82/gvsr8VjAD4SISp
DjPIpfCj5gWGAuhATWB0pwjWRsgFkIThaa0px6ZJFGdU9lJmi633Xsk4s9bws8kZ
pnwtk+StRueqcSElfLw1/gbu6EhcEH62iBb2qlRhgtntgy1dcnqDEQhcdccWSgna
+ZlDIo3Z75RWoIXxrtzUe9PDdG4Ou+k/H96mS7pZdmU6elbQlcDGYegYGH6OTYjv
Zyl81ACN9Y3Fcmc+luBMeuyQndHFnG6rjOwHr6iM9ZKRBq03QiAAp4vooPyLqG9n
ZmoeLH0Q7L2pVIwroVtsJvnjws5z3DujguZcLYCeA/WEXj8p0lYy9WVGrfJ7LyLp
+Uj7AdXFB6msED51Swb6QkpWrcC7V2COKZmfYGXFy7PdIwWeqgYjJ0zqEldHGDTD
V0yTuuER2bJ/T1WBVy9U46/KRUXYevgCZFGPbyO/vKLwKVbrbkimULMFcPJpKinF
PQs0ch7HA6PPog0wbux5Bm9O78lzYo/WFlvofFKTzfGEsnifCVXkcsu0Qp8m6DQZ
yeFO8SH3DHaHFaPKc3JYEFTdmP0PdvH8aqb5TVTb8G+hvxktDkCuCrlaoFVSCNhI
WfJ6rAxxYGuNABEBAAHCwXwEGAEKACYWIQQtOxD+hm4kyov31C3WC4PJBRO9TwUC
YmjmJAIbDAUJA8JnAAAKCRDWC4PJBRO9T3SnEACEprj9LsxvhbM6A/aLk3la8UD9
MYtLSmbl+KPGEvP0r7viPftolgV8O+tRG09Z7Wd/63WsHjA2Psgwdm49BziL8tCf
ONfVXCojPxR/uyL5ykPHSE/yC+mz3DTPWcncGCdteil6Cw43MHNCm2oYJ38VXAwV
9pikHeO5Pj5xukmc/bQr3v3NrDQI+AQpNbWs2r4vw+y01IidmMh12RkuGi2UYOga
jvfDeoSSEF7VJ6Qlij9UjatkbZpSHjn2rf+B9DdlkRNr5Vfd9/xaSFQoazdgNS/Q
HqOeZ+9HqNrUlHTH9BUaTkmV6MDXtEjVGfROXxXPw/q29QUzZUZE3agqmuxB3yar
PjW24mNu5Kd22rb06blTfBO0o7DOX9UwOVLfFLejfWAYANuXilcju9/3dHRsv6o9
9tGfRxJIMOPVY6JgswYISB7CwdA+Uda6UvU+qwYCRi7B8L13H3uhDKzA5sgRZnz2
oQw+bOB/ErZv78NVnhrdy9LAkLk0U8RVvH8sWPco4ZjQVou6wDMEsKaIlioU8x6n
YOi8LBpijWpaKEpCbU4nRdV/4d3eWr7tu1MWGcm70C6mrjypxI6TVCPg+gimjM4D
7LOpJKZJVGQg9JYPUhccp27Nn/3L2/Y9F3tKUfCTPHanOzHg4KNRRUr8CQD8qi+8
nWqztY9OeZjz0vagYM7BTQRiaOZoARAA6bzogRYAMYdwU2BsWFurvrghzEbqjguN
XwBiQ/90kXb3exYZvGXTCxdrV5FRjPU6eeX2TAyZRt6XnK6nyrZFlRAcXeWCeo05
d+mdK6fv4iOc/T0JeMZCrNm4BDjcGNOr7KImVQTNuoN9nVieVQSK/hRpSFPkNLbn
1oemHqZitxoI5HCBAVQrKR8d0REzn9Y1jdCHkhgSNaEcAww6CgF2Mlsw5txhmIh9
IZircfAzGU6lI1MgjPkDOFPDdwIoc8xtuAJB/G6gT8Ot9FQ3EMaV2zPTL7Jd1ZQR
hOrs75gjLlhOyYYb5Y3isaMKzUMYKQDFWrCws/sGEm2TwbD5gI6ipa2r71DcGijj
GJQITAQsS+rdUKBts+DPKfZR4nlLq41/utA4LJL2y33SFXeqylyIoKPs1FJ0JZyM
VXiWQyxAuPjYJPZbcSh8exj6rct/QVZgztSuvKxeaEqZ/xwkQ/uHWZxQy7lZxBbw
LCVH8HxVApD/tc3/U/jQjtQSblX3KnMia5rHjX+p9tYSSeLNPA99KNrqwLdDh9Mz
/Rm131NUHwlOEIpSeqDfs1+jQYy0QdZnxDHrIVnpIz6M8IVFRBo4LQmi0sPkzzEZ
A29s3+IzofztGXf+b+vZAmnOrQEgNPjdIVHfvQJVqcm1JdOzyuHEvN8IiV/90RAP
r2NqNrtRjQMAEQEAAcLBfAQYAQoAJhYhBC07EP6GbiTKi/fULdYLg8kFE71PBQJi
aOZoAhsgBQkDwmcAAAoJENYLg8kFE71PE2wQAK2ntrQ0902+a3KC/Ak7VhOTV0c0
my8e7mqesYRGXB158P7UJZS1grU6MjBbMsArFdshTRquSmEOnAB6ahnD+JNq+Jzf
9QKknvekzkjlC11FxTHMGncKnScsu8Vont+rFBA66JYLrh7my5CpzijTVTYC9HcA
SbnW0IzzJl90cVh5tC9S+m6Dh3kNcujWyJ8D+ceaEhwYE2LgbbDUSJa2p1tBiXQ6
SGu6nX0nyXL5p7zzRhAl/ao5cZ/FTijvdQe1Vzm7qArKj6A3ir5YOWzSnaCbfbSm
J2pPgZZCNybzStmcoZ73GgBJxIh89vixfBRLTJVECePLTw2gBmoxR1ziqs0pKW3H
y3VKBb+QMJAVmRwRlonMTgT5gHa8bCL8U7Qvx9jOrApOEqFee3dytIOoVsCUkNh0
vOKmlLuqrIopdbJm8F58qOV/eR5chfxax9jOSHkZ812LyMyxr8y6wn3d26XF4Ho1
tGRAYDI77qaLxaPbzIFas1t9X/+U+sz3Bg0exmi9/mp9wwvLJh3XOC+2MaHzBXGl
x+MvgOYIvEtZXVvfwjay19rhJRvn0D497VaVrhw7md5IbKY42h5qUCCzlHsqHEe5
YDxswWadH4fZhy+cEatf29lYJ2BaK+PIsmp22bxbxdGdoZ2cbqQXIko+3XxaiVp5
z7V5USx9zNkfsrbz
=3tFx
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-5990-1
March 31, 2023
musl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 ESM
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in musl.
Software Description:
- musl: standard C library
Details:
It was discovered that musl did not handle certain i386 math functions
properly. An attacker could use this vulnerability to cause a denial of
service (crash) or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
(CVE-2019-14697)
It was discovered that musl did not handle wide-character conversion
properly. A remote attacker could use this vulnerability to cause resource
consumption (infinite loop), denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04
ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28928)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 ESM:
musl 1.1.24-1ubuntu0.1~esm1
musl-dev 1.1.24-1ubuntu0.1~esm1
Ubuntu 18.04 ESM:
musl 1.1.19-1ubuntu0.1~esm1
musl-dev 1.1.19-1ubuntu0.1~esm1
Ubuntu 16.04 ESM:
musl 1.1.9-1ubuntu0.1~esm3
musl-dev 1.1.9-1ubuntu0.1~esm3
Ubuntu 14.04 ESM:
musl 0.9.15-1ubuntu0.1~esm2
musl-dev 0.9.15-1ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5990-1
CVE-2019-14697, CVE-2020-28928
xsFNBGJo5iQBEADBDrePgICrxsoCWxlAiEKAgZgqeX1XhHxhDCkprNwOA9ZEU7G9
77BEHgYLSrAh3LraWYK+piBXBuHdg8KCUppUmEC4GtiHg+KxtxRjgZn/tjLD6vgZ
kwZYs0KXQVCK2bhSL0paEA78Xcx1B6xa8JArnjk87VoNl6RCjJESXkwlqGtQTEOp
bNxBy5Pd0T33xYeKcOz0GWY5ndkU1gD7NtMZdWZ8vcQclLquQO5OE33OhK78cU4Z
k4xFL5I5R4rBhlrOsw002bbD0+QI6wUKQByHfvcAz59eHS/wJOrAY/1p+IKql/4f
sRQQSRPSc+3CqELdxzF2s+AG0PciQms3RVYT6czH28Ce9C9BDAENga28FvQDf5Zi
STUeXZm0XJ9g+dLg+6FBPHp9wX+ybfAmIRXQlV4D6DledQAWjoBy3j09JOGQGSH0
S3EbQ68Qn2xyGBlYeFCZbMlKDN8NrpVCx9Jf6dDb3Qv2Do1yIIRu5x0vwKlNsQG0
NffMryLCQ0tVBNNiwqrHIbmZEhSUEmKf6u+zZsx1JMewe6fRw3hf3VOzENH5tGpZ
Z1Yg8m3E2yiXmPJ9cX3iZD0l7/L8CEiuMWt/q/NEDnKsGovi9N1r04Yxxo5lWoHr
+4taaOnC2C7YEHICIWx3lEU0lm24PbNG4QBJCJ8ctwG2rV3AMILCVSzW0QARAQAB
zSVNYXJrIEVzbGVyIDxtYXJrLmVzbGVyQGNhbm9uaWNhbC5jb20+wsGUBBMBCgA+
FiEELTsQ/oZuJMqL99Qt1guDyQUTvU8FAmJo5iQCGwMFCQPCZwAFCwkIBwIGFQoJ
CAsCBBYCAwECHgECF4AACgkQ1guDyQUTvU/Gqw/9F5ko+KS9CRXXcp4SkdhHB6aG
tD9rEJycEywPymmI+OwCJppmbQBzzwW7QGLHi8TTiWnWMSeikhSh0p9pPCc9rhLt
tYDlGZwoxXPt7PwS0k9JjITNviTNZD6uHIoYmFMxS65qdh7s7OSQj4+nTij1b+dV
qzaG4krGB/pav2D2adt4k02KfqIkPiLY0Jo+o8hKOx2HRh8xqEU/eySRtVvIx55c
D4Qh63KQv465Afz+QuKsbxuqA2iboUP/srYtMQtFi8TCF7/5gLwDbGDgOAYhIxyf
vgAH5dbBFB8lIMPjIeTbP0lE+xMHUmQsKhtYICnjhnGRJeT6vBlDFuUar5DYA3fI
m9LEAf1T1eMK4FBUSCv+cULlT9+rsHDbG6tiZU/BDp/mkKFs2Ax9W68+fgXy7bor
ixrgDhfSCsYWaxLsXW/GEmyCbp30PZlLr6kvfQq7CMEjeE79FEsef7/ppRH/t+mv
6p2xhb+DDbvqzcQZ7LQn3+PLxkR37spQRvevPxpx000CqTO5gV19w/2ZSPydm2Zd
44XSranzwDdD4o5ZsMXAPuCNlVAVzxAhxNj2QQL7xh9bdDDmM9Z7qBPwFX42n7mw
ryjBHqMtrSCSI8hupSh2B/bQSRyWd3/KQ2vlJMoq7H5EJiJYpb3blvb4tfoSfEag
PqYV1jJEcKImOGs988rOwU0EYmjmJAEQAL0wGwC8P1qj0fuLaFpPKBAFtxBqnJJc
c+63DjQ17/QJrYpKwGGkW6fz/Nn0nUDf88FdrHd7t6a9c3m82/gvsr8VjAD4SISp
DjPIpfCj5gWGAuhATWB0pwjWRsgFkIThaa0px6ZJFGdU9lJmi633Xsk4s9bws8kZ
pnwtk+StRueqcSElfLw1/gbu6EhcEH62iBb2qlRhgtntgy1dcnqDEQhcdccWSgna
+ZlDIo3Z75RWoIXxrtzUe9PDdG4Ou+k/H96mS7pZdmU6elbQlcDGYegYGH6OTYjv
Zyl81ACN9Y3Fcmc+luBMeuyQndHFnG6rjOwHr6iM9ZKRBq03QiAAp4vooPyLqG9n
ZmoeLH0Q7L2pVIwroVtsJvnjws5z3DujguZcLYCeA/WEXj8p0lYy9WVGrfJ7LyLp
+Uj7AdXFB6msED51Swb6QkpWrcC7V2COKZmfYGXFy7PdIwWeqgYjJ0zqEldHGDTD
V0yTuuER2bJ/T1WBVy9U46/KRUXYevgCZFGPbyO/vKLwKVbrbkimULMFcPJpKinF
PQs0ch7HA6PPog0wbux5Bm9O78lzYo/WFlvofFKTzfGEsnifCVXkcsu0Qp8m6DQZ
yeFO8SH3DHaHFaPKc3JYEFTdmP0PdvH8aqb5TVTb8G+hvxktDkCuCrlaoFVSCNhI
WfJ6rAxxYGuNABEBAAHCwXwEGAEKACYWIQQtOxD+hm4kyov31C3WC4PJBRO9TwUC
YmjmJAIbDAUJA8JnAAAKCRDWC4PJBRO9T3SnEACEprj9LsxvhbM6A/aLk3la8UD9
MYtLSmbl+KPGEvP0r7viPftolgV8O+tRG09Z7Wd/63WsHjA2Psgwdm49BziL8tCf
ONfVXCojPxR/uyL5ykPHSE/yC+mz3DTPWcncGCdteil6Cw43MHNCm2oYJ38VXAwV
9pikHeO5Pj5xukmc/bQr3v3NrDQI+AQpNbWs2r4vw+y01IidmMh12RkuGi2UYOga
jvfDeoSSEF7VJ6Qlij9UjatkbZpSHjn2rf+B9DdlkRNr5Vfd9/xaSFQoazdgNS/Q
HqOeZ+9HqNrUlHTH9BUaTkmV6MDXtEjVGfROXxXPw/q29QUzZUZE3agqmuxB3yar
PjW24mNu5Kd22rb06blTfBO0o7DOX9UwOVLfFLejfWAYANuXilcju9/3dHRsv6o9
9tGfRxJIMOPVY6JgswYISB7CwdA+Uda6UvU+qwYCRi7B8L13H3uhDKzA5sgRZnz2
oQw+bOB/ErZv78NVnhrdy9LAkLk0U8RVvH8sWPco4ZjQVou6wDMEsKaIlioU8x6n
YOi8LBpijWpaKEpCbU4nRdV/4d3eWr7tu1MWGcm70C6mrjypxI6TVCPg+gimjM4D
7LOpJKZJVGQg9JYPUhccp27Nn/3L2/Y9F3tKUfCTPHanOzHg4KNRRUr8CQD8qi+8
nWqztY9OeZjz0vagYM7BTQRiaOZoARAA6bzogRYAMYdwU2BsWFurvrghzEbqjguN
XwBiQ/90kXb3exYZvGXTCxdrV5FRjPU6eeX2TAyZRt6XnK6nyrZFlRAcXeWCeo05
d+mdK6fv4iOc/T0JeMZCrNm4BDjcGNOr7KImVQTNuoN9nVieVQSK/hRpSFPkNLbn
1oemHqZitxoI5HCBAVQrKR8d0REzn9Y1jdCHkhgSNaEcAww6CgF2Mlsw5txhmIh9
IZircfAzGU6lI1MgjPkDOFPDdwIoc8xtuAJB/G6gT8Ot9FQ3EMaV2zPTL7Jd1ZQR
hOrs75gjLlhOyYYb5Y3isaMKzUMYKQDFWrCws/sGEm2TwbD5gI6ipa2r71DcGijj
GJQITAQsS+rdUKBts+DPKfZR4nlLq41/utA4LJL2y33SFXeqylyIoKPs1FJ0JZyM
VXiWQyxAuPjYJPZbcSh8exj6rct/QVZgztSuvKxeaEqZ/xwkQ/uHWZxQy7lZxBbw
LCVH8HxVApD/tc3/U/jQjtQSblX3KnMia5rHjX+p9tYSSeLNPA99KNrqwLdDh9Mz
/Rm131NUHwlOEIpSeqDfs1+jQYy0QdZnxDHrIVnpIz6M8IVFRBo4LQmi0sPkzzEZ
A29s3+IzofztGXf+b+vZAmnOrQEgNPjdIVHfvQJVqcm1JdOzyuHEvN8IiV/90RAP
r2NqNrtRjQMAEQEAAcLBfAQYAQoAJhYhBC07EP6GbiTKi/fULdYLg8kFE71PBQJi
aOZoAhsgBQkDwmcAAAoJENYLg8kFE71PE2wQAK2ntrQ0902+a3KC/Ak7VhOTV0c0
my8e7mqesYRGXB158P7UJZS1grU6MjBbMsArFdshTRquSmEOnAB6ahnD+JNq+Jzf
9QKknvekzkjlC11FxTHMGncKnScsu8Vont+rFBA66JYLrh7my5CpzijTVTYC9HcA
SbnW0IzzJl90cVh5tC9S+m6Dh3kNcujWyJ8D+ceaEhwYE2LgbbDUSJa2p1tBiXQ6
SGu6nX0nyXL5p7zzRhAl/ao5cZ/FTijvdQe1Vzm7qArKj6A3ir5YOWzSnaCbfbSm
J2pPgZZCNybzStmcoZ73GgBJxIh89vixfBRLTJVECePLTw2gBmoxR1ziqs0pKW3H
y3VKBb+QMJAVmRwRlonMTgT5gHa8bCL8U7Qvx9jOrApOEqFee3dytIOoVsCUkNh0
vOKmlLuqrIopdbJm8F58qOV/eR5chfxax9jOSHkZ812LyMyxr8y6wn3d26XF4Ho1
tGRAYDI77qaLxaPbzIFas1t9X/+U+sz3Bg0exmi9/mp9wwvLJh3XOC+2MaHzBXGl
x+MvgOYIvEtZXVvfwjay19rhJRvn0D497VaVrhw7md5IbKY42h5qUCCzlHsqHEe5
YDxswWadH4fZhy+cEatf29lYJ2BaK+PIsmp22bxbxdGdoZ2cbqQXIko+3XxaiVp5
z7V5USx9zNkfsrbz
=3tFx
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
Ubuntu Security Notice USN-5990-1
March 31, 2023
musl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 ESM
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in musl.
Software Description:
- musl: standard C library
Details:
It was discovered that musl did not handle certain i386 math functions
properly. An attacker could use this vulnerability to cause a denial of
service (crash) or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
(CVE-2019-14697)
It was discovered that musl did not handle wide-character conversion
properly. A remote attacker could use this vulnerability to cause resource
consumption (infinite loop), denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04
ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28928)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 ESM:
musl 1.1.24-1ubuntu0.1~esm1
musl-dev 1.1.24-1ubuntu0.1~esm1
Ubuntu 18.04 ESM:
musl 1.1.19-1ubuntu0.1~esm1
musl-dev 1.1.19-1ubuntu0.1~esm1
Ubuntu 16.04 ESM:
musl 1.1.9-1ubuntu0.1~esm3
musl-dev 1.1.9-1ubuntu0.1~esm3
Ubuntu 14.04 ESM:
musl 0.9.15-1ubuntu0.1~esm2
musl-dev 0.9.15-1ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5990-1
CVE-2019-14697, CVE-2020-28928
[USN-5989-1] GlusterFS vulnerability
==========================================================================
Ubuntu Security Notice USN-5989-1
March 30, 2023
glusterfs vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
GlusterFS could be made to crash if it received a specially
crafted request.
Software Description:
- glusterfs: clustered file-system
Details:
Tao Lyu discovered that GlusterFS did not properly handle certain
event notifications. An attacker could possibly use this issue to
cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
glusterfs-client 3.7.6-1ubuntu1+esm2
glusterfs-common 3.7.6-1ubuntu1+esm2
glusterfs-server 3.7.6-1ubuntu1+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5989-1
CVE-2023-26253
Ubuntu Security Notice USN-5989-1
March 30, 2023
glusterfs vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
GlusterFS could be made to crash if it received a specially
crafted request.
Software Description:
- glusterfs: clustered file-system
Details:
Tao Lyu discovered that GlusterFS did not properly handle certain
event notifications. An attacker could possibly use this issue to
cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
glusterfs-client 3.7.6-1ubuntu1+esm2
glusterfs-common 3.7.6-1ubuntu1+esm2
glusterfs-server 3.7.6-1ubuntu1+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5989-1
CVE-2023-26253
F39 proposal: RPM 4.19 (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/RPM-4.19
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update RPM to the [https://rpm.org/wiki/Releases/4.19.0 4.19] release.
== Owner ==
* Name: [[User:ffesti| Florian Festi]]
* Email: ffesti@redhat.com
== Detailed Description ==
RPM 4.19 contains various improvements over previous versions. Many of
them are internal in nature such as moving from automake to cmake,
improvements to the test suite, stripping copies of system functions,
splitting translations into a separate project and more. There are
still several user facing changes:
* New rpmsort(8) utility for sorting RPM versions
* x86-64 architecture levels (v2-v4) as architectures
* Support for %preuntrans and %postuntrans scriptlets
* Creating User and Groups from sysusers.d files including Provides
and Requires or Recommends
([https://github.com/rpm-software-management/rpm/pull/2432 PR],
[https://github.com/rpm-software-management/rpm/discussions/2277
Discussion])
* [https://rpm-software-management.github.io/rpm/manual/dynamic_specs.html
Dynamic Spec generation]
** find_lang now being able to generate language sub packages
The 4.19 alpha release is expected in April and the final release is
expected in time for the Fedora 39 release cycle as usual.
== Feedback ==
== Benefit to Fedora ==
This release comes with many improvements. It opens the possibility
for Fedora to adopt the new major features mentioned above.
== Scope ==
* Proposal owners:
** Release RPM 4.19 alpha
** Rebase RPM
** Assist with dealing with incompatibilities
** Integrate new User/Group handling
*** Conflicts with the current one including the Provides generation
in ''systemd-rpm-macros''
* Other developers:
** Test new release, report issues and bugs
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives:
== Upgrade/compatibility impact ==
* %patch without arguments and options is an error
* %patchN syntax is deprecated
* File globbing is now more consistent
== How To Test ==
Rpm receives a thorough and constant testing via every single package
build, system installs and updates. New features can be tested
specifically as per their documentation.
== User Experience ==
There are no major differences in the normal user experience.
== Dependencies ==
* Deprecated APIs are removed. This may require adjustments to
software still using them.
* so-name of librpm changes. Packages depending on it are expected to
need a re-build
* Packages running in the changes mentioned in the
''Upgrade/compatibility impact'' section might need adjusting. This
should be relatively rare, though.
== Contingency Plan ==
* Contingency mechanism: Revert back to RPM 4.18
* Contingency deadline: Beta freeze
* Blocks release? No
== Documentation ==
Release notes at https://rpm.org/wiki/Releases/4.19.0 and reference manual at
https://rpm-software-management.github.io/rpm/manual/
== Release Notes ==
https://rpm.org/wiki/Releases/4.19.0 (still work in progress)
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update RPM to the [https://rpm.org/wiki/Releases/4.19.0 4.19] release.
== Owner ==
* Name: [[User:ffesti| Florian Festi]]
* Email: ffesti@redhat.com
== Detailed Description ==
RPM 4.19 contains various improvements over previous versions. Many of
them are internal in nature such as moving from automake to cmake,
improvements to the test suite, stripping copies of system functions,
splitting translations into a separate project and more. There are
still several user facing changes:
* New rpmsort(8) utility for sorting RPM versions
* x86-64 architecture levels (v2-v4) as architectures
* Support for %preuntrans and %postuntrans scriptlets
* Creating User and Groups from sysusers.d files including Provides
and Requires or Recommends
([https://github.com/rpm-software-management/rpm/pull/2432 PR],
[https://github.com/rpm-software-management/rpm/discussions/2277
Discussion])
* [https://rpm-software-management.github.io/rpm/manual/dynamic_specs.html
Dynamic Spec generation]
** find_lang now being able to generate language sub packages
The 4.19 alpha release is expected in April and the final release is
expected in time for the Fedora 39 release cycle as usual.
== Feedback ==
== Benefit to Fedora ==
This release comes with many improvements. It opens the possibility
for Fedora to adopt the new major features mentioned above.
== Scope ==
* Proposal owners:
** Release RPM 4.19 alpha
** Rebase RPM
** Assist with dealing with incompatibilities
** Integrate new User/Group handling
*** Conflicts with the current one including the Provides generation
in ''systemd-rpm-macros''
* Other developers:
** Test new release, report issues and bugs
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives:
== Upgrade/compatibility impact ==
* %patch without arguments and options is an error
* %patchN syntax is deprecated
* File globbing is now more consistent
== How To Test ==
Rpm receives a thorough and constant testing via every single package
build, system installs and updates. New features can be tested
specifically as per their documentation.
== User Experience ==
There are no major differences in the normal user experience.
== Dependencies ==
* Deprecated APIs are removed. This may require adjustments to
software still using them.
* so-name of librpm changes. Packages depending on it are expected to
need a re-build
* Packages running in the changes mentioned in the
''Upgrade/compatibility impact'' section might need adjusting. This
should be relatively rare, though.
== Contingency Plan ==
* Contingency mechanism: Revert back to RPM 4.18
* Contingency deadline: Beta freeze
* Blocks release? No
== Documentation ==
Release notes at https://rpm.org/wiki/Releases/4.19.0 and reference manual at
https://rpm-software-management.github.io/rpm/manual/
== Release Notes ==
https://rpm.org/wiki/Releases/4.19.0 (still work in progress)
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[USN-5988-1] Xcftools vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5988-1
March 29, 2023
xcftools vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Xcftools could be made to crash or run programs as an administrator
if it opened a specially crafted file.
Software Description:
- xcftools: command-line tools for extracting data for XCF files
Details:
It was discovered that integer overflows vulnerabilities existed in Xcftools.
An attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2019-5086, CVE-2019-5087)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
xcftools 1.0.7-6ubuntu0.20.04.1
Ubuntu 18.04 LTS:
xcftools 1.0.7-6ubuntu0.1
Ubuntu 16.04 ESM:
xcftools 1.0.7-5ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5988-1
CVE-2019-5086, CVE-2019-5087
Package Information:
https://launchpad.net/ubuntu/+source/xcftools/1.0.7-6ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/xcftools/1.0.7-6ubuntu0.1
Ubuntu Security Notice USN-5988-1
March 29, 2023
xcftools vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Xcftools could be made to crash or run programs as an administrator
if it opened a specially crafted file.
Software Description:
- xcftools: command-line tools for extracting data for XCF files
Details:
It was discovered that integer overflows vulnerabilities existed in Xcftools.
An attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2019-5086, CVE-2019-5087)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
xcftools 1.0.7-6ubuntu0.20.04.1
Ubuntu 18.04 LTS:
xcftools 1.0.7-6ubuntu0.1
Ubuntu 16.04 ESM:
xcftools 1.0.7-5ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5988-1
CVE-2019-5086, CVE-2019-5087
Package Information:
https://launchpad.net/ubuntu/+source/xcftools/1.0.7-6ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/xcftools/1.0.7-6ubuntu0.1
Wednesday, March 29, 2023
[announce] NYC*BUG Live next week April 5
We're back in action next week and working to line up some speakers.
Come talk about what you were up to during the dark days of the
pandemic... You must have done *something* interesting!
First Social/Open Mic in new location!, Anyone with an idea or opinion
to share.
2023-04-05 @ 18:45 - Five Mile Stone at 1640 2nd Ave (northeast Corner
of 2nd Ave and 85th St, 2nd floor). Please note the stairs to the second
floor are on the north wall as you enter from 2nd Ave.
Notice: Location Change
Abstract
We are "in the book" with the nice people over at Five Mile Stone for an
April 5th social/open mic. The location is accessible from both the Q,
4, 5, & 6 trains. With our standard meeting time of 18:45 and likely
start time of 19:00 EDT. We have the entire second floor to ourselves
with plenty of ventilation, a projector & screen, and most importantly;
isolation from the rest of the bar/restaurant. Hope to see you there.
Offsite Participation: We plan to stream via NYC*BUG Website unless the
speaker requests otherwise. Q&A will be via IRC on Libera.chat channel
#nycbug - Please preface your questions with '[Q]'
_______________________________________________
announce mailing list
announce@lists.nycbug.org
https://lists.nycbug.org:8443/mailman/listinfo/announce
Come talk about what you were up to during the dark days of the
pandemic... You must have done *something* interesting!
First Social/Open Mic in new location!, Anyone with an idea or opinion
to share.
2023-04-05 @ 18:45 - Five Mile Stone at 1640 2nd Ave (northeast Corner
of 2nd Ave and 85th St, 2nd floor). Please note the stairs to the second
floor are on the north wall as you enter from 2nd Ave.
Notice: Location Change
Abstract
We are "in the book" with the nice people over at Five Mile Stone for an
April 5th social/open mic. The location is accessible from both the Q,
4, 5, & 6 trains. With our standard meeting time of 18:45 and likely
start time of 19:00 EDT. We have the entire second floor to ourselves
with plenty of ventilation, a projector & screen, and most importantly;
isolation from the rest of the bar/restaurant. Hope to see you there.
Offsite Participation: We plan to stream via NYC*BUG Website unless the
speaker requests otherwise. Q&A will be via IRC on Libera.chat channel
#nycbug - Please preface your questions with '[Q]'
_______________________________________________
announce mailing list
announce@lists.nycbug.org
https://lists.nycbug.org:8443/mailman/listinfo/announce
[USN-5986-1] X.Org X Server vulnerability
==========================================================================
Ubuntu Security Notice USN-5986-1
March 29, 2023
xorg-server, xorg-server-hwe-18.04, xwayland vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
X.Org X Server could be made to crash or run programs as the administrator
if it received specially crafted input.
Software Description:
- xorg-server: X.Org X11 server
- xwayland: X server for running X clients under Wayland
- xorg-server-hwe-18.04: X.Org X11 server
Details:
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
certain memory operations. An attacker could possibly use these issues to
cause the X Server to crash, execute arbitrary code, or escalate
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
xserver-xorg-core 2:21.1.4-2ubuntu1.7
xwayland 2:22.1.3-2ubuntu0.4
Ubuntu 22.04 LTS:
xserver-xorg-core 2:21.1.3-2ubuntu2.9
xwayland 2:22.1.1-1ubuntu0.6
Ubuntu 20.04 LTS:
xserver-xorg-core 2:1.20.13-1ubuntu1~20.04.8
xwayland 2:1.20.13-1ubuntu1~20.04.8
Ubuntu 18.04 LTS:
xserver-xorg-core 2:1.19.6-1ubuntu4.15
xserver-xorg-core-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11
xwayland 2:1.19.6-1ubuntu4.15
xwayland-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5986-1
CVE-2023-1393
Package Information:
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.3-2ubuntu0.4
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.3-2ubuntu2.9
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.6
https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.8
https://launchpad.net/ubuntu/+source/xorg-server/2:1.19.6-1ubuntu4.15
https://launchpad.net/ubuntu/+source/xorg-server-hwe-18.04/2:1.20.8-2ubuntu2.2~18.04.11
Ubuntu Security Notice USN-5986-1
March 29, 2023
xorg-server, xorg-server-hwe-18.04, xwayland vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
X.Org X Server could be made to crash or run programs as the administrator
if it received specially crafted input.
Software Description:
- xorg-server: X.Org X11 server
- xwayland: X server for running X clients under Wayland
- xorg-server-hwe-18.04: X.Org X11 server
Details:
Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
certain memory operations. An attacker could possibly use these issues to
cause the X Server to crash, execute arbitrary code, or escalate
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
xserver-xorg-core 2:21.1.4-2ubuntu1.7
xwayland 2:22.1.3-2ubuntu0.4
Ubuntu 22.04 LTS:
xserver-xorg-core 2:21.1.3-2ubuntu2.9
xwayland 2:22.1.1-1ubuntu0.6
Ubuntu 20.04 LTS:
xserver-xorg-core 2:1.20.13-1ubuntu1~20.04.8
xwayland 2:1.20.13-1ubuntu1~20.04.8
Ubuntu 18.04 LTS:
xserver-xorg-core 2:1.19.6-1ubuntu4.15
xserver-xorg-core-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11
xwayland 2:1.19.6-1ubuntu4.15
xwayland-hwe-18.04 2:1.20.8-2ubuntu2.2~18.04.11
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5986-1
CVE-2023-1393
Package Information:
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.4-2ubuntu1.7
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.3-2ubuntu0.4
https://launchpad.net/ubuntu/+source/xorg-server/2:21.1.3-2ubuntu2.9
https://launchpad.net/ubuntu/+source/xwayland/2:22.1.1-1ubuntu0.6
https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.13-1ubuntu1~20.04.8
https://launchpad.net/ubuntu/+source/xorg-server/2:1.19.6-1ubuntu4.15
https://launchpad.net/ubuntu/+source/xorg-server-hwe-18.04/2:1.20.8-2ubuntu2.2~18.04.11
[USN-5987-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5987-1
March 29, 2023
linux-gke, linux-gke-5.15, linux-ibm, linux-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds write vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-48423)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48424)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer lengths, leading to a heap-based buffer overflow.
A remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2023-0210)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly handle a loop termination condition, leading to an
out-of-bounds read vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-26606)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1027-ibm 5.15.0-1027.30
linux-image-5.15.0-1030-gke 5.15.0-1030.35
linux-image-5.15.0-1030-kvm 5.15.0-1030.35
linux-image-gke 5.15.0.1030.29
linux-image-gke-5.15 5.15.0.1030.29
linux-image-ibm 5.15.0.1027.23
linux-image-kvm 5.15.0.1030.26
Ubuntu 20.04 LTS:
linux-image-5.15.0-1029-gke 5.15.0-1029.34~20.04.1
linux-image-gke-5.15 5.15.0.1029.34~20.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5987-1
CVE-2022-2196, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-4382, CVE-2022-48423, CVE-2022-48424, CVE-2023-0045,
CVE-2023-0210, CVE-2023-0266, CVE-2023-23454, CVE-2023-23455,
CVE-2023-23559, CVE-2023-26606, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1030.35
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1027.30
https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1030.35
https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1029.34~20.04.1
Ubuntu Security Notice USN-5987-1
March 29, 2023
linux-gke, linux-gke-5.15, linux-ibm, linux-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds write vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-48423)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48424)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer lengths, leading to a heap-based buffer overflow.
A remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2023-0210)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly handle a loop termination condition, leading to an
out-of-bounds read vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-26606)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1027-ibm 5.15.0-1027.30
linux-image-5.15.0-1030-gke 5.15.0-1030.35
linux-image-5.15.0-1030-kvm 5.15.0-1030.35
linux-image-gke 5.15.0.1030.29
linux-image-gke-5.15 5.15.0.1030.29
linux-image-ibm 5.15.0.1027.23
linux-image-kvm 5.15.0.1030.26
Ubuntu 20.04 LTS:
linux-image-5.15.0-1029-gke 5.15.0-1029.34~20.04.1
linux-image-gke-5.15 5.15.0.1029.34~20.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5987-1
CVE-2022-2196, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-4382, CVE-2022-48423, CVE-2022-48424, CVE-2023-0045,
CVE-2023-0210, CVE-2023-0266, CVE-2023-23454, CVE-2023-23455,
CVE-2023-23559, CVE-2023-26606, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1030.35
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1027.30
https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1030.35
https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1029.34~20.04.1
[USN-5985-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5985-1
March 29, 2023
linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4,
linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-ibm-5.4: Linux kernel for IBM cloud systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-5.4.0-1046-ibm 5.4.0-1046.51~18.04.1
linux-image-5.4.0-1082-raspi 5.4.0-1082.93~18.04.1
linux-image-5.4.0-1098-oracle 5.4.0-1098.107~18.04.1
linux-image-5.4.0-1099-aws 5.4.0-1099.107~18.04.1
linux-image-5.4.0-1102-gcp 5.4.0-1102.111~18.04.2
linux-image-5.4.0-1105-azure 5.4.0-1105.111~18.04.1
linux-image-5.4.0-146-generic 5.4.0-146.163~18.04.1
linux-image-5.4.0-146-generic-lpae 5.4.0-146.163~18.04.1
linux-image-5.4.0-146-lowlatency 5.4.0-146.163~18.04.1
linux-image-aws 5.4.0.1099.77
linux-image-azure 5.4.0.1105.78
linux-image-gcp 5.4.0.1102.78
linux-image-generic-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-generic-lpae-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-ibm 5.4.0.1046.57
linux-image-lowlatency-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-oem 5.4.0.146.163~18.04.117
linux-image-oem-osp1 5.4.0.146.163~18.04.117
linux-image-oracle 5.4.0.1098.107~18.04.70
linux-image-raspi-hwe-18.04 5.4.0.1082.79
linux-image-snapdragon-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-virtual-hwe-18.04 5.4.0.146.163~18.04.117
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5985-1
CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1099.107~18.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1105.111~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1102.111~18.04.2
https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-146.163~18.04.1
https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1046.51~18.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1098.107~18.04.1
https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1082.93~18.04.1
Ubuntu Security Notice USN-5985-1
March 29, 2023
linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4,
linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-ibm-5.4: Linux kernel for IBM cloud systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
- linux-raspi-5.4: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-5.4.0-1046-ibm 5.4.0-1046.51~18.04.1
linux-image-5.4.0-1082-raspi 5.4.0-1082.93~18.04.1
linux-image-5.4.0-1098-oracle 5.4.0-1098.107~18.04.1
linux-image-5.4.0-1099-aws 5.4.0-1099.107~18.04.1
linux-image-5.4.0-1102-gcp 5.4.0-1102.111~18.04.2
linux-image-5.4.0-1105-azure 5.4.0-1105.111~18.04.1
linux-image-5.4.0-146-generic 5.4.0-146.163~18.04.1
linux-image-5.4.0-146-generic-lpae 5.4.0-146.163~18.04.1
linux-image-5.4.0-146-lowlatency 5.4.0-146.163~18.04.1
linux-image-aws 5.4.0.1099.77
linux-image-azure 5.4.0.1105.78
linux-image-gcp 5.4.0.1102.78
linux-image-generic-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-generic-lpae-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-ibm 5.4.0.1046.57
linux-image-lowlatency-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-oem 5.4.0.146.163~18.04.117
linux-image-oem-osp1 5.4.0.146.163~18.04.117
linux-image-oracle 5.4.0.1098.107~18.04.70
linux-image-raspi-hwe-18.04 5.4.0.1082.79
linux-image-snapdragon-hwe-18.04 5.4.0.146.163~18.04.117
linux-image-virtual-hwe-18.04 5.4.0.146.163~18.04.117
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5985-1
CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1099.107~18.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1105.111~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1102.111~18.04.2
https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-146.163~18.04.1
https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1046.51~18.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1098.107~18.04.1
https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1082.93~18.04.1
[USN-5984-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5984-1
March 29, 2023
linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2
vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-dell300x: Linux kernel for Dell 300x platforms
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi2: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-4.15.0-1062-dell300x 4.15.0-1062.67
linux-image-4.15.0-1116-oracle 4.15.0-1116.127
linux-image-4.15.0-1129-raspi2 4.15.0-1129.137
linux-image-4.15.0-1137-kvm 4.15.0-1137.142
linux-image-4.15.0-1153-aws 4.15.0-1153.166
linux-image-4.15.0-208-generic 4.15.0-208.220
linux-image-4.15.0-208-generic-lpae 4.15.0-208.220
linux-image-4.15.0-208-lowlatency 4.15.0-208.220
linux-image-aws-lts-18.04 4.15.0.1153.151
linux-image-dell300x 4.15.0.1062.61
linux-image-generic 4.15.0.208.191
linux-image-generic-lpae 4.15.0.208.191
linux-image-kvm 4.15.0.1137.128
linux-image-lowlatency 4.15.0.208.191
linux-image-oracle-lts-18.04 4.15.0.1116.121
linux-image-raspi2 4.15.0.1129.124
linux-image-virtual 4.15.0.208.191
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5984-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-208.220
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1153.166
https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1062.67
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1137.142
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1116.127
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1129.137
Ubuntu Security Notice USN-5984-1
March 29, 2023
linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2
vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-dell300x: Linux kernel for Dell 300x platforms
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi2: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
linux-image-4.15.0-1062-dell300x 4.15.0-1062.67
linux-image-4.15.0-1116-oracle 4.15.0-1116.127
linux-image-4.15.0-1129-raspi2 4.15.0-1129.137
linux-image-4.15.0-1137-kvm 4.15.0-1137.142
linux-image-4.15.0-1153-aws 4.15.0-1153.166
linux-image-4.15.0-208-generic 4.15.0-208.220
linux-image-4.15.0-208-generic-lpae 4.15.0-208.220
linux-image-4.15.0-208-lowlatency 4.15.0-208.220
linux-image-aws-lts-18.04 4.15.0.1153.151
linux-image-dell300x 4.15.0.1062.61
linux-image-generic 4.15.0.208.191
linux-image-generic-lpae 4.15.0.208.191
linux-image-kvm 4.15.0.1137.128
linux-image-lowlatency 4.15.0.208.191
linux-image-oracle-lts-18.04 4.15.0.1116.121
linux-image-raspi2 4.15.0.1129.124
linux-image-virtual 4.15.0.208.191
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5984-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-208.220
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1153.166
https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1062.67
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1137.142
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1116.127
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1129.137
OpenBSD Errata: March 29, 2023 (xserver)
Errata patches for X11 server have been released for OpenBSD 7.1
and 7.2.
Binary updates for the amd64, i386 and arm64 platform are available
via the syspatch utility. Source code patches can be found on the
respective errata page:
https://www.openbsd.org/errata71.html
https://www.openbsd.org/errata72.html
and 7.2.
Binary updates for the amd64, i386 and arm64 platform are available
via the syspatch utility. Source code patches can be found on the
respective errata page:
https://www.openbsd.org/errata71.html
https://www.openbsd.org/errata72.html
[USN-5983-1] Nette vulnerability
==========================================================================
Ubuntu Security Notice USN-5983-1
March 29, 2023
php-nette vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Nette could be made to run programs if it received specially crafted
network traffic.
Software Description:
- php-nette: Nette Framework
Details:
Cyku Hong discovered that Nette was not properly handling and validating
data used for code generation. A remote attacker could possibly use this
issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
php-nette 2.4-20160731-1ubuntu0.1
Ubuntu 16.04 ESM:
php-nette 2.3.8-1ubuntu1+esm1
After a standard system update you need to restart any applications using
Nette to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5983-1
CVE-2020-15227
Package Information:
https://launchpad.net/ubuntu/+source/php-nette/2.4-20160731-1ubuntu0.1
Ubuntu Security Notice USN-5983-1
March 29, 2023
php-nette vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Nette could be made to run programs if it received specially crafted
network traffic.
Software Description:
- php-nette: Nette Framework
Details:
Cyku Hong discovered that Nette was not properly handling and validating
data used for code generation. A remote attacker could possibly use this
issue to execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
php-nette 2.4-20160731-1ubuntu0.1
Ubuntu 16.04 ESM:
php-nette 2.3.8-1ubuntu1+esm1
After a standard system update you need to restart any applications using
Nette to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5983-1
CVE-2020-15227
Package Information:
https://launchpad.net/ubuntu/+source/php-nette/2.4-20160731-1ubuntu0.1
Tuesday, March 28, 2023
[USN-5982-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5982-1
March 28, 2023
linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,
linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15,
linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle,
linux-oracle-5.15, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel
- linux-lowlatency-hwe-5.15: Linux low latency kernel
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds write vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-48423)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48424)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer lengths, leading to a heap-based buffer overflow.
A remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2023-0210)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly handle a loop termination condition, leading to an
out-of-bounds read vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-26606)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1017-gkeop 5.15.0-1017.22
linux-image-5.15.0-1026-raspi 5.15.0-1026.28
linux-image-5.15.0-1026-raspi-nolpae 5.15.0-1026.28
linux-image-5.15.0-1031-gcp 5.15.0-1031.38
linux-image-5.15.0-1032-oracle 5.15.0-1032.38
linux-image-5.15.0-1033-aws 5.15.0-1033.37
linux-image-5.15.0-1035-azure 5.15.0-1035.42
linux-image-5.15.0-1035-azure-fde 5.15.0-1035.42.1
linux-image-5.15.0-69-generic 5.15.0-69.76
linux-image-5.15.0-69-generic-64k 5.15.0-69.76
linux-image-5.15.0-69-generic-lpae 5.15.0-69.76
linux-image-5.15.0-69-lowlatency 5.15.0-69.76
linux-image-5.15.0-69-lowlatency-64k 5.15.0-69.76
linux-image-aws-lts-22.04 5.15.0.1033.32
linux-image-azure 5.15.0.1035.31
linux-image-azure-fde 5.15.0.1035.42.12
linux-image-azure-lts-22.04 5.15.0.1035.31
linux-image-gcp 5.15.0.1031.26
linux-image-generic 5.15.0.69.67
linux-image-generic-64k 5.15.0.69.67
linux-image-generic-lpae 5.15.0.69.67
linux-image-gkeop 5.15.0.1017.16
linux-image-gkeop-5.15 5.15.0.1017.16
linux-image-lowlatency 5.15.0.69.74
linux-image-lowlatency-64k 5.15.0.69.74
linux-image-oracle 5.15.0.1032.27
linux-image-raspi 5.15.0.1026.23
linux-image-raspi-nolpae 5.15.0.1026.23
linux-image-virtual 5.15.0.69.67
Ubuntu 20.04 LTS:
linux-image-5.15.0-1031-gcp 5.15.0-1031.38~20.04.1
linux-image-5.15.0-1032-oracle 5.15.0-1032.38~20.04.1
linux-image-5.15.0-1033-aws 5.15.0-1033.37~20.04.1
linux-image-5.15.0-1035-azure 5.15.0-1035.42~20.04.1
linux-image-5.15.0-69-generic 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-generic-64k 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-generic-lpae 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-lowlatency 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-lowlatency-64k 5.15.0-69.76~20.04.1
linux-image-aws 5.15.0.1033.37~20.04.22
linux-image-azure 5.15.0.1035.42~20.04.25
linux-image-gcp 5.15.0.1031.38~20.04.1
linux-image-generic-64k-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-generic-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-generic-lpae-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-lowlatency-64k-hwe-20.04 5.15.0.69.76~20.04.27
linux-image-lowlatency-hwe-20.04 5.15.0.69.76~20.04.27
linux-image-oracle 5.15.0.1032.38~20.04.1
linux-image-virtual-hwe-20.04 5.15.0.69.76~20.04.30
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5982-1
CVE-2022-2196, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-4382, CVE-2022-48423, CVE-2022-48424, CVE-2023-0045,
CVE-2023-0210, CVE-2023-0266, CVE-2023-23454, CVE-2023-23455,
CVE-2023-23559, CVE-2023-26606, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.15.0-69.76
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1033.37
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1035.42
https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1035.42.1
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1031.38
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1017.22
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-69.76
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1032.38
https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1026.28
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1033.37~20.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1035.42~20.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1031.38~20.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-69.76~20.04.1
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-69.76~20.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1032.38~20.04.1
Ubuntu Security Notice USN-5982-1
March 28, 2023
linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,
linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15,
linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle,
linux-oracle-5.15, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel
- linux-lowlatency-hwe-5.15: Linux low latency kernel
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds write vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-48423)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly validate attributes in certain situations, leading
to an out-of-bounds read vulnerability. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2022-48424)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that the KSMBD implementation in the Linux kernel did not
properly validate buffer lengths, leading to a heap-based buffer overflow.
A remote attacker could possibly use this to cause a denial of service
(system crash). (CVE-2023-0210)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the class-based queuing discipline implementation
in the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23454)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
It was discovered that the NTFS file system implementation in the Linux
kernel did not properly handle a loop termination condition, leading to an
out-of-bounds read vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-26606)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.15.0-1017-gkeop 5.15.0-1017.22
linux-image-5.15.0-1026-raspi 5.15.0-1026.28
linux-image-5.15.0-1026-raspi-nolpae 5.15.0-1026.28
linux-image-5.15.0-1031-gcp 5.15.0-1031.38
linux-image-5.15.0-1032-oracle 5.15.0-1032.38
linux-image-5.15.0-1033-aws 5.15.0-1033.37
linux-image-5.15.0-1035-azure 5.15.0-1035.42
linux-image-5.15.0-1035-azure-fde 5.15.0-1035.42.1
linux-image-5.15.0-69-generic 5.15.0-69.76
linux-image-5.15.0-69-generic-64k 5.15.0-69.76
linux-image-5.15.0-69-generic-lpae 5.15.0-69.76
linux-image-5.15.0-69-lowlatency 5.15.0-69.76
linux-image-5.15.0-69-lowlatency-64k 5.15.0-69.76
linux-image-aws-lts-22.04 5.15.0.1033.32
linux-image-azure 5.15.0.1035.31
linux-image-azure-fde 5.15.0.1035.42.12
linux-image-azure-lts-22.04 5.15.0.1035.31
linux-image-gcp 5.15.0.1031.26
linux-image-generic 5.15.0.69.67
linux-image-generic-64k 5.15.0.69.67
linux-image-generic-lpae 5.15.0.69.67
linux-image-gkeop 5.15.0.1017.16
linux-image-gkeop-5.15 5.15.0.1017.16
linux-image-lowlatency 5.15.0.69.74
linux-image-lowlatency-64k 5.15.0.69.74
linux-image-oracle 5.15.0.1032.27
linux-image-raspi 5.15.0.1026.23
linux-image-raspi-nolpae 5.15.0.1026.23
linux-image-virtual 5.15.0.69.67
Ubuntu 20.04 LTS:
linux-image-5.15.0-1031-gcp 5.15.0-1031.38~20.04.1
linux-image-5.15.0-1032-oracle 5.15.0-1032.38~20.04.1
linux-image-5.15.0-1033-aws 5.15.0-1033.37~20.04.1
linux-image-5.15.0-1035-azure 5.15.0-1035.42~20.04.1
linux-image-5.15.0-69-generic 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-generic-64k 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-generic-lpae 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-lowlatency 5.15.0-69.76~20.04.1
linux-image-5.15.0-69-lowlatency-64k 5.15.0-69.76~20.04.1
linux-image-aws 5.15.0.1033.37~20.04.22
linux-image-azure 5.15.0.1035.42~20.04.25
linux-image-gcp 5.15.0.1031.38~20.04.1
linux-image-generic-64k-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-generic-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-generic-lpae-hwe-20.04 5.15.0.69.76~20.04.30
linux-image-lowlatency-64k-hwe-20.04 5.15.0.69.76~20.04.27
linux-image-lowlatency-hwe-20.04 5.15.0.69.76~20.04.27
linux-image-oracle 5.15.0.1032.38~20.04.1
linux-image-virtual-hwe-20.04 5.15.0.69.76~20.04.30
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5982-1
CVE-2022-2196, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-4382, CVE-2022-48423, CVE-2022-48424, CVE-2023-0045,
CVE-2023-0210, CVE-2023-0266, CVE-2023-23454, CVE-2023-23455,
CVE-2023-23559, CVE-2023-26606, CVE-2023-28328
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.15.0-69.76
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1033.37
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1035.42
https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1035.42.1
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1031.38
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1017.22
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-69.76
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1032.38
https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1026.28
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1033.37~20.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1035.42~20.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1031.38~20.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-69.76~20.04.1
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-69.76~20.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1032.38~20.04.1
[USN-5980-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5980-1
March 28, 2023
linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop,
linux-ibm, linux-kvm, linux-oracle, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1046-ibm 5.4.0-1046.51
linux-image-5.4.0-1066-gkeop 5.4.0-1066.70
linux-image-5.4.0-1082-raspi 5.4.0-1082.93
linux-image-5.4.0-1088-kvm 5.4.0-1088.94
linux-image-5.4.0-1096-gke 5.4.0-1096.103
linux-image-5.4.0-1098-oracle 5.4.0-1098.107
linux-image-5.4.0-1099-aws 5.4.0-1099.107
linux-image-5.4.0-1102-gcp 5.4.0-1102.111
linux-image-5.4.0-1105-azure 5.4.0-1105.111
linux-image-5.4.0-146-generic 5.4.0-146.163
linux-image-5.4.0-146-generic-lpae 5.4.0-146.163
linux-image-5.4.0-146-lowlatency 5.4.0-146.163
linux-image-aws-lts-20.04 5.4.0.1099.96
linux-image-azure-lts-20.04 5.4.0.1105.98
linux-image-gcp-lts-20.04 5.4.0.1102.104
linux-image-generic 5.4.0.146.144
linux-image-generic-lpae 5.4.0.146.144
linux-image-gke 5.4.0.1096.101
linux-image-gke-5.4 5.4.0.1096.101
linux-image-gkeop 5.4.0.1066.64
linux-image-gkeop-5.4 5.4.0.1066.64
linux-image-ibm 5.4.0.1046.72
linux-image-ibm-lts-20.04 5.4.0.1046.72
linux-image-kvm 5.4.0.1088.82
linux-image-lowlatency 5.4.0.146.144
linux-image-oem 5.4.0.146.144
linux-image-oem-osp1 5.4.0.146.144
linux-image-oracle-lts-20.04 5.4.0.1098.91
linux-image-raspi 5.4.0.1082.112
linux-image-raspi2 5.4.0.1082.112
linux-image-virtual 5.4.0.146.144
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5980-1
CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.4.0-146.163
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1099.107
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1105.111
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1102.111
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1096.103
https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1066.70
https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1046.51
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1088.94
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1098.107
https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1082.93
Ubuntu Security Notice USN-5980-1
March 28, 2023
linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop,
linux-ibm, linux-kvm, linux-oracle, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1046-ibm 5.4.0-1046.51
linux-image-5.4.0-1066-gkeop 5.4.0-1066.70
linux-image-5.4.0-1082-raspi 5.4.0-1082.93
linux-image-5.4.0-1088-kvm 5.4.0-1088.94
linux-image-5.4.0-1096-gke 5.4.0-1096.103
linux-image-5.4.0-1098-oracle 5.4.0-1098.107
linux-image-5.4.0-1099-aws 5.4.0-1099.107
linux-image-5.4.0-1102-gcp 5.4.0-1102.111
linux-image-5.4.0-1105-azure 5.4.0-1105.111
linux-image-5.4.0-146-generic 5.4.0-146.163
linux-image-5.4.0-146-generic-lpae 5.4.0-146.163
linux-image-5.4.0-146-lowlatency 5.4.0-146.163
linux-image-aws-lts-20.04 5.4.0.1099.96
linux-image-azure-lts-20.04 5.4.0.1105.98
linux-image-gcp-lts-20.04 5.4.0.1102.104
linux-image-generic 5.4.0.146.144
linux-image-generic-lpae 5.4.0.146.144
linux-image-gke 5.4.0.1096.101
linux-image-gke-5.4 5.4.0.1096.101
linux-image-gkeop 5.4.0.1066.64
linux-image-gkeop-5.4 5.4.0.1066.64
linux-image-ibm 5.4.0.1046.72
linux-image-ibm-lts-20.04 5.4.0.1046.72
linux-image-kvm 5.4.0.1088.82
linux-image-lowlatency 5.4.0.146.144
linux-image-oem 5.4.0.146.144
linux-image-oem-osp1 5.4.0.146.144
linux-image-oracle-lts-20.04 5.4.0.1098.91
linux-image-raspi 5.4.0.1082.112
linux-image-raspi2 5.4.0.1082.112
linux-image-virtual 5.4.0.146.144
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5980-1
CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.4.0-146.163
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1099.107
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1105.111
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1102.111
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1096.103
https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1066.70
https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1046.51
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1088.94
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1098.107
https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1082.93
[USN-5981-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5981-1
March 28, 2023
linux-aws-hwe, linux-hwe, linux-oracle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-hwe: Linux hardware enablement (HWE) kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.15.0-1116-oracle 4.15.0-1116.127~16.04.1
linux-image-4.15.0-1153-aws 4.15.0-1153.166~16.04.1
linux-image-4.15.0-208-generic 4.15.0-208.219~16.04.1
linux-image-4.15.0-208-lowlatency 4.15.0-208.219~16.04.1
linux-image-aws-hwe 4.15.0.1153.136
linux-image-generic-hwe-16.04 4.15.0.208.193
linux-image-lowlatency-hwe-16.04 4.15.0.208.193
linux-image-oem 4.15.0.208.193
linux-image-oracle 4.15.0.1116.97
linux-image-virtual-hwe-16.04 4.15.0.208.193
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5981-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
Ubuntu Security Notice USN-5981-1
March 28, 2023
linux-aws-hwe, linux-hwe, linux-oracle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-hwe: Linux hardware enablement (HWE) kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
Details:
It was discovered that the System V IPC implementation in the Linux kernel
did not properly handle large shared memory counts. A local attacker could
use this to cause a denial of service (memory exhaustion). (CVE-2021-3669)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-3424)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not
properly perform reference counting in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2022-41218)
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Kyle Zeng discovered that the ATM VC queuing discipline implementation in
the Linux kernel contained a type confusion vulnerability in some
situations. An attacker could use this to cause a denial of service (system
crash). (CVE-2023-23455)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel
contained a null pointer dereference when handling certain messages from
user space. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-28328)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.15.0-1116-oracle 4.15.0-1116.127~16.04.1
linux-image-4.15.0-1153-aws 4.15.0-1153.166~16.04.1
linux-image-4.15.0-208-generic 4.15.0-208.219~16.04.1
linux-image-4.15.0-208-lowlatency 4.15.0-208.219~16.04.1
linux-image-aws-hwe 4.15.0.1153.136
linux-image-generic-hwe-16.04 4.15.0.208.193
linux-image-lowlatency-hwe-16.04 4.15.0.208.193
linux-image-oem 4.15.0.208.193
linux-image-oracle 4.15.0.1116.97
linux-image-virtual-hwe-16.04 4.15.0.208.193
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5981-1
CVE-2021-3669, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,
CVE-2022-47929, CVE-2023-0045, CVE-2023-0266, CVE-2023-0394,
CVE-2023-23455, CVE-2023-23559, CVE-2023-28328
[USN-5686-4] Git vulnerability
==========================================================================
Ubuntu Security Notice USN-5686-4
March 28, 2023
git vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Git could be made to expose sensitive information.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
USN-5686-1 fixed several vulnerabilities in Git. This update
provides the corresponding fix for CVE-2022-39253 on Ubuntu 16.04 ESM.
Original advisory details:
Cory Snider discovered that Git incorrectly handled certain symbolic
links.
An attacker could possibly use this issue to cause an unexpected
behaviour.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
git 1:2.7.4-0ubuntu1.10+esm6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5686-4
https://ubuntu.com/security/notices/USN-5686-1
CVE-2022-39253
Ubuntu Security Notice USN-5686-4
March 28, 2023
git vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Git could be made to expose sensitive information.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
USN-5686-1 fixed several vulnerabilities in Git. This update
provides the corresponding fix for CVE-2022-39253 on Ubuntu 16.04 ESM.
Original advisory details:
Cory Snider discovered that Git incorrectly handled certain symbolic
links.
An attacker could possibly use this issue to cause an unexpected
behaviour.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
git 1:2.7.4-0ubuntu1.10+esm6
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5686-4
https://ubuntu.com/security/notices/USN-5686-1
CVE-2022-39253
[USN-5979-1] Linux kernel (HWE) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5979-1
March 28, 2023
linux-hwe-5.19 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-hwe-5.19: Linux hardware enablement (HWE) kernel
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
It was discovered that the io_uring subsystem in the Linux kernel contained
a use-after-free vulnerability. A local attacker could possibly use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2023-0469)
It was discovered that the CIFS network file system implementation in the
Linux kernel contained a user-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2023-1195)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.19.0-38-generic 5.19.0-38.39~22.04.1
linux-image-5.19.0-38-generic-64k 5.19.0-38.39~22.04.1
linux-image-5.19.0-38-generic-lpae 5.19.0-38.39~22.04.1
linux-image-generic-64k-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-generic-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-generic-lpae-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-virtual-hwe-22.04 5.19.0.38.39~22.04.12
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5979-1
CVE-2022-2196, CVE-2022-42328, CVE-2022-42329, CVE-2022-4382,
CVE-2023-0045, CVE-2023-0266, CVE-2023-0469, CVE-2023-1195,
CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-38.39~22.04.1
Ubuntu Security Notice USN-5979-1
March 28, 2023
linux-hwe-5.19 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-hwe-5.19: Linux hardware enablement (HWE) kernel
Details:
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that a race condition existed in the Xen network backend
driver in the Linux kernel when handling dropped packets in certain
circumstances. An attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2022-42328, CVE-2022-42329)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
José Oliveira and Rodrigo Branco discovered that the prctl syscall
implementation in the Linux kernel did not properly protect against
indirect branch prediction attacks in some situations. A local attacker
could possibly use this to expose sensitive information. (CVE-2023-0045)
It was discovered that a use-after-free vulnerability existed in the
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could
use this to cause a denial of service (system crash). (CVE-2023-0266)
It was discovered that the io_uring subsystem in the Linux kernel contained
a use-after-free vulnerability. A local attacker could possibly use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2023-0469)
It was discovered that the CIFS network file system implementation in the
Linux kernel contained a user-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2023-1195)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.19.0-38-generic 5.19.0-38.39~22.04.1
linux-image-5.19.0-38-generic-64k 5.19.0-38.39~22.04.1
linux-image-5.19.0-38-generic-lpae 5.19.0-38.39~22.04.1
linux-image-generic-64k-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-generic-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-generic-lpae-hwe-22.04 5.19.0.38.39~22.04.12
linux-image-virtual-hwe-22.04 5.19.0.38.39~22.04.12
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5979-1
CVE-2022-2196, CVE-2022-42328, CVE-2022-42329, CVE-2022-4382,
CVE-2023-0045, CVE-2023-0266, CVE-2023-0469, CVE-2023-1195,
CVE-2023-23559
Package Information:
https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-38.39~22.04.1
Monday, March 27, 2023
[USN-5976-1] Linux kernel (OEM) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5976-1
March 27, 2023
linux-oem-5.14, linux-oem-5.17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-5.17: Linux kernel for OEM systems
- linux-oem-5.14: Linux kernel for OEM systems
Details:
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that the Intel 740 frame buffer driver in the Linux
kernel contained a divide by zero vulnerability. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-3061)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform bounds checking in some situations. A
physically proximate attacker could use this to craft a malicious USB
device that when inserted, could cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-3628)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
It was discovered that the NILFS2 file system implementation in the Linux
kernel did not properly deallocate memory in certain error conditions. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2022-3646)
Khalid Masum discovered that the NILFS2 file system implementation in the
Linux kernel did not properly handle certain error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2022-3649)
It was discovered that a race condition existed in the Roccat HID driver in
the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-41850)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.17.0-1029-oem 5.17.0-1029.30
linux-image-oem-22.04 5.17.0.1029.27
linux-image-oem-22.04a 5.17.0.1029.27
Ubuntu 20.04 LTS:
linux-image-5.14.0-1059-oem 5.14.0-1059.67
linux-image-oem-20.04 5.14.0.1059.57
linux-image-oem-20.04b 5.14.0.1059.57
linux-image-oem-20.04c 5.14.0.1059.57
linux-image-oem-20.04d 5.14.0.1059.57
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5976-1
CVE-2022-2196, CVE-2022-3061, CVE-2022-3628, CVE-2022-36280,
CVE-2022-3646, CVE-2022-3649, CVE-2022-41850, CVE-2023-0394,
CVE-2023-0461
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1029.30
https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1059.67
Ubuntu Security Notice USN-5976-1
March 27, 2023
linux-oem-5.14, linux-oem-5.17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-5.17: Linux kernel for OEM systems
- linux-oem-5.14: Linux kernel for OEM systems
Details:
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that the Intel 740 frame buffer driver in the Linux
kernel contained a divide by zero vulnerability. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-3061)
It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform bounds checking in some situations. A
physically proximate attacker could use this to craft a malicious USB
device that when inserted, could cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-3628)
Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux
kernel contained an out-of-bounds write vulnerability. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2022-36280)
It was discovered that the NILFS2 file system implementation in the Linux
kernel did not properly deallocate memory in certain error conditions. An
attacker could use this to cause a denial of service (memory exhaustion).
(CVE-2022-3646)
Khalid Masum discovered that the NILFS2 file system implementation in the
Linux kernel did not properly handle certain error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service or possibly execute arbitrary code. (CVE-2022-3649)
It was discovered that a race condition existed in the Roccat HID driver in
the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-41850)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.17.0-1029-oem 5.17.0-1029.30
linux-image-oem-22.04 5.17.0.1029.27
linux-image-oem-22.04a 5.17.0.1029.27
Ubuntu 20.04 LTS:
linux-image-5.14.0-1059-oem 5.14.0-1059.67
linux-image-oem-20.04 5.14.0.1059.57
linux-image-oem-20.04b 5.14.0.1059.57
linux-image-oem-20.04c 5.14.0.1059.57
linux-image-oem-20.04d 5.14.0.1059.57
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5976-1
CVE-2022-2196, CVE-2022-3061, CVE-2022-3628, CVE-2022-36280,
CVE-2022-3646, CVE-2022-3649, CVE-2022-41850, CVE-2023-0394,
CVE-2023-0461
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1029.30
https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1059.67
[USN-5978-1] Linux kernel (OEM) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5978-1
March 27, 2023
linux-oem-6.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-6.1: Linux kernel for OEM systems
Details:
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-1281)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that some AMD x86-64 processors with SMT enabled could
speculatively execute instructions using a return address from a sibling
thread. A local attacker could possibly use this to expose sensitive
information. (CVE-2022-27672)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
It was discovered that the Human Interface Device (HID) support driver in
the Linux kernel contained a type confusion vulnerability in some
situations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-1073)
It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)
It was discovered that the TLS subsystem in the Linux kernel contained a
type confusion vulnerability in some situations. A local attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-1075)
It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel contained a type confusion vulnerability
in some situations. An attacker could use this to cause a denial of service
(system crash). (CVE-2023-1078)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-6.1.0-1008-oem 6.1.0-1008.8
linux-image-oem-22.04c 6.1.0.1008.8
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5978-1
CVE-2022-2196, CVE-2022-27672, CVE-2022-4382, CVE-2022-4842,
CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075,
CVE-2023-1078, CVE-2023-1281, CVE-2023-23559, CVE-2023-26545
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1008.8
Ubuntu Security Notice USN-5978-1
March 27, 2023
linux-oem-6.1 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-6.1: Linux kernel for OEM systems
Details:
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-1281)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
It was discovered that some AMD x86-64 processors with SMT enabled could
speculatively execute instructions using a return address from a sibling
thread. A local attacker could possibly use this to expose sensitive
information. (CVE-2022-27672)
Gerald Lee discovered that the USB Gadget file system implementation in the
Linux kernel contained a race condition, leading to a use-after-free
vulnerability in some situations. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-4382)
It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)
Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)
It was discovered that the Human Interface Device (HID) support driver in
the Linux kernel contained a type confusion vulnerability in some
situations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-1073)
It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)
It was discovered that the TLS subsystem in the Linux kernel contained a
type confusion vulnerability in some situations. A local attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-1075)
It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel contained a type confusion vulnerability
in some situations. An attacker could use this to cause a denial of service
(system crash). (CVE-2023-1078)
It was discovered that the RNDIS USB driver in the Linux kernel contained
an integer overflow vulnerability. A local attacker with physical access
could plug in a malicious USB device to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2023-23559)
Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-6.1.0-1008-oem 6.1.0-1008.8
linux-image-oem-22.04c 6.1.0.1008.8
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5978-1
CVE-2022-2196, CVE-2022-27672, CVE-2022-4382, CVE-2022-4842,
CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075,
CVE-2023-1078, CVE-2023-1281, CVE-2023-23559, CVE-2023-26545
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1008.8
[USN-5977-1] Linux kernel (OEM) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5977-1
March 27, 2023
linux-oem-6.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-6.0: Linux kernel for OEM systems
Details:
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-1281)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Thadeu Cascardo discovered that the io_uring subsystem contained a double-
free vulnerability in certain memory allocation error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2023-1032)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-6.0.0-1013-oem 6.0.0-1013.13
linux-image-oem-22.04b 6.0.0.1013.13
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5977-1
CVE-2022-2196, CVE-2023-1032, CVE-2023-1281
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1013.13
Ubuntu Security Notice USN-5977-1
March 27, 2023
linux-oem-6.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-6.0: Linux kernel for OEM systems
Details:
It was discovered that the network queuing discipline implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-1281)
It was discovered that the KVM VMX implementation in the Linux kernel did
not properly handle indirect branch prediction isolation between L1 and L2
VMs. An attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2022-2196)
Thadeu Cascardo discovered that the io_uring subsystem contained a double-
free vulnerability in certain memory allocation error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2023-1032)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-6.0.0-1013-oem 6.0.0-1013.13
linux-image-oem-22.04b 6.0.0.1013.13
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5977-1
CVE-2022-2196, CVE-2023-1032, CVE-2023-1281
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1013.13
Subscribe to:
Posts (Atom)