Monday, April 3, 2023

[USN-5966-3] amanda regression

==========================================================================
Ubuntu Security Notice USN-5966-3
April 03, 2023

amanda regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in amanda.

Software Description:
- amanda: Advanced Maryland Automatic Network Disk Archiver (Client)

Details:

USN-5966-1 fixed vulnerabilities in amanda. Unfortunately that update
caused a regression and was reverted in USN-5966-2. This update provides
security fixes for Ubuntu 22.10, Ubuntu 22.04 LTS, Ubuntu 20.04
LTS and Ubuntu 18.04 LTS.

We apologize for the inconvenience.

Original advisory details:

Maher Azzouzi discovered an information disclosure vulnerability in the
calcsize binary within amanda. calcsize is a suid binary owned by root that
could possibly be used by a malicious local attacker to expose sensitive
file system information. (CVE-2022-37703)

Maher Azzouzi discovered a privilege escalation vulnerability in the
rundump binary within amanda. rundump is a suid binary owned by root that
did not perform adequate sanitization of environment variables or
commandline options and could possibly be used by a malicious local
attacker to escalate privileges. (CVE-2022-37704)

Maher Azzouzi discovered a privilege escalation vulnerability in the runtar
binary within amanda. runtar is a suid binary owned by root that did not
perform adequate sanitization of commandline options and could possibly be
used by a malicious local attacker to escalate privileges. (CVE-2022-37705)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
amanda-client 1:3.5.1-9ubuntu0.3

Ubuntu 22.04 LTS:
amanda-client 1:3.5.1-8ubuntu1.3

Ubuntu 20.04 LTS:
amanda-client 1:3.5.1-2ubuntu0.3

Ubuntu 18.04 LTS:
amanda-client 1:3.5.1-1ubuntu0.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5966-3
https://ubuntu.com/security/notices/USN-5966-1
https://launchpad.net/bugs/2012536
CVE-2022-37703, CVE-2022-37704, CVE-2022-37705

Package Information:
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-9ubuntu0.3
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-8ubuntu1.3
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-2ubuntu0.3
https://launchpad.net/ubuntu/+source/amanda/1:3.5.1-1ubuntu0.3
