Wednesday, May 31, 2023

[USN-6127-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6127-1
May 31, 2023

linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,
linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop,
linux-hwe-5.15, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency,
linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi
vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-hwe-5.19: Linux hardware enablement (HWE) kernel
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel
- linux-lowlatency-hwe-5.15: Linux low latency kernel
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Gwangun Jung discovered that the Quick Fair Queueing scheduler
implementation in the Linux kernel contained an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-31436)

Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers
in certain situations. An attacker in a guest VM could use this to cause a
denial of service (guest crash). (CVE-2023-30456)

It was discovered that the Broadcom FullMAC USB WiFi driver in the Linux
kernel did not properly perform data buffer size validation in some
situations. A physically proximate attacker could use this to craft a
malicious USB device that, when inserted, could cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2023-1380)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2023-2612)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
linux-image-5.19.0-1019-raspi 5.19.0-1019.26
linux-image-5.19.0-1019-raspi-nolpae 5.19.0-1019.26
linux-image-5.19.0-1023-ibm 5.19.0-1023.25
linux-image-5.19.0-1024-kvm 5.19.0-1024.25
linux-image-5.19.0-1024-oracle 5.19.0-1024.27
linux-image-5.19.0-1025-gcp 5.19.0-1025.27
linux-image-5.19.0-1025-lowlatency 5.19.0-1025.26
linux-image-5.19.0-1025-lowlatency-64k 5.19.0-1025.26
linux-image-5.19.0-1026-aws 5.19.0-1026.27
linux-image-5.19.0-1027-azure 5.19.0-1027.30
linux-image-5.19.0-43-generic 5.19.0-43.44
linux-image-5.19.0-43-generic-64k 5.19.0-43.44
linux-image-5.19.0-43-generic-lpae 5.19.0-43.44
linux-image-aws 5.19.0.1026.23
linux-image-azure 5.19.0.1027.22
linux-image-gcp 5.19.0.1025.21
linux-image-generic 5.19.0.43.39
linux-image-generic-64k 5.19.0.43.39
linux-image-generic-lpae 5.19.0.43.39
linux-image-ibm 5.19.0.1023.20
linux-image-kvm 5.19.0.1024.21
linux-image-lowlatency 5.19.0.1025.21
linux-image-lowlatency-64k 5.19.0.1025.21
linux-image-oracle 5.19.0.1024.20
linux-image-raspi 5.19.0.1019.18
linux-image-raspi-nolpae 5.19.0.1019.18
linux-image-virtual 5.19.0.43.39

Ubuntu 22.04 LTS:
linux-image-5.15.0-1021-gkeop 5.15.0-1021.26
linux-image-5.15.0-1031-ibm 5.15.0-1031.34
linux-image-5.15.0-1034-gke 5.15.0-1034.39
linux-image-5.15.0-1034-kvm 5.15.0-1034.39
linux-image-5.15.0-1035-gcp 5.15.0-1035.43
linux-image-5.15.0-1036-oracle 5.15.0-1036.42
linux-image-5.15.0-1037-aws 5.15.0-1037.41
linux-image-5.15.0-1039-azure 5.15.0-1039.46
linux-image-5.15.0-73-generic 5.15.0-73.80
linux-image-5.15.0-73-generic-64k 5.15.0-73.80
linux-image-5.15.0-73-generic-lpae 5.15.0-73.80
linux-image-5.15.0-73-lowlatency 5.15.0-73.80
linux-image-5.15.0-73-lowlatency-64k 5.15.0-73.80
linux-image-5.19.0-43-generic 5.19.0-43.44~22.04.1
linux-image-5.19.0-43-generic-64k 5.19.0-43.44~22.04.1
linux-image-5.19.0-43-generic-lpae 5.19.0-43.44~22.04.1
linux-image-aws-lts-22.04 5.15.0.1037.36
linux-image-azure 5.15.0.1039.35
linux-image-azure-lts-22.04 5.15.0.1039.35
linux-image-gcp-lts-22.04 5.15.0.1035.31
linux-image-generic 5.15.0.73.71
linux-image-generic-64k 5.15.0.73.71
linux-image-generic-64k-hwe-22.04 5.19.0.43.44~22.04.17
linux-image-generic-hwe-22.04 5.19.0.43.44~22.04.17
linux-image-generic-lpae 5.15.0.73.71
linux-image-generic-lpae-hwe-22.04 5.19.0.43.44~22.04.17
linux-image-gke 5.15.0.1034.33
linux-image-gke-5.15 5.15.0.1034.33
linux-image-gkeop 5.15.0.1021.20
linux-image-gkeop-5.15 5.15.0.1021.20
linux-image-ibm 5.15.0.1031.27
linux-image-kvm 5.15.0.1034.30
linux-image-lowlatency 5.15.0.73.78
linux-image-lowlatency-64k 5.15.0.73.78
linux-image-oracle 5.15.0.1036.31
linux-image-virtual 5.15.0.73.71
linux-image-virtual-hwe-22.04 5.19.0.43.44~22.04.17

Ubuntu 20.04 LTS:
linux-image-5.15.0-1034-gke 5.15.0-1034.39~20.04.1
linux-image-5.15.0-1035-gcp 5.15.0-1035.43~20.04.1
linux-image-5.15.0-1036-oracle 5.15.0-1036.42~20.04.1
linux-image-5.15.0-1037-aws 5.15.0-1037.41~20.04.1
linux-image-5.15.0-1039-azure 5.15.0-1039.46~20.04.1
linux-image-5.15.0-73-generic 5.15.0-73.80~20.04.1
linux-image-5.15.0-73-generic-64k 5.15.0-73.80~20.04.1
linux-image-5.15.0-73-generic-lpae 5.15.0-73.80~20.04.1
linux-image-5.15.0-73-lowlatency 5.15.0-73.80~20.04.1
linux-image-5.15.0-73-lowlatency-64k 5.15.0-73.80~20.04.1
linux-image-aws 5.15.0.1037.41~20.04.26
linux-image-azure 5.15.0.1039.46~20.04.29
linux-image-azure-cvm 5.15.0.1039.46~20.04.29
linux-image-gcp 5.15.0.1035.43~20.04.1
linux-image-generic-64k-hwe-20.04 5.15.0.73.80~20.04.34
linux-image-generic-hwe-20.04 5.15.0.73.80~20.04.34
linux-image-generic-lpae-hwe-20.04 5.15.0.73.80~20.04.34
linux-image-gke-5.15 5.15.0.1034.39~20.04.1
linux-image-lowlatency-64k-hwe-20.04 5.15.0.73.80~20.04.31
linux-image-lowlatency-hwe-20.04 5.15.0.73.80~20.04.31
linux-image-oem-20.04 5.15.0.73.80~20.04.34
linux-image-oem-20.04b 5.15.0.73.80~20.04.34
linux-image-oem-20.04c 5.15.0.73.80~20.04.34
linux-image-oem-20.04d 5.15.0.73.80~20.04.34
linux-image-oracle 5.15.0.1036.42~20.04.1
linux-image-virtual-hwe-20.04 5.15.0.73.80~20.04.34

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6127-1
CVE-2023-1380, CVE-2023-2612, CVE-2023-30456, CVE-2023-31436,
CVE-2023-32233

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.19.0-43.44
https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1026.27
https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1027.30
https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1025.27
https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1023.25
https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1024.25
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1025.26
https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1024.27
https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1019.26
https://launchpad.net/ubuntu/+source/linux/5.15.0-73.80
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1037.41
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1039.46
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1035.43
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1034.39
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1021.26
https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-43.44~22.04.1
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1031.34
https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1034.39
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-73.80
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1036.42
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1037.41~20.04.1
https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1039.46~20.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1035.43~20.04.1
https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1034.39~20.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-73.80~20.04.1
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-73.80~20.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1036.42~20.04.1

Re: F39 Change Proposal: No fedora-repos-modular in default installation (System Wide Change)

This proposal has now been submitted to FESCo https://pagure.io/fesco/issue/3007
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Re: F39 Change Proposal: Retire AWS CLI version 1 package awscli (System Wide Change)

This proposal has now been submitted to FESCo https://pagure.io/fesco/issue/3006

Re: F39 Change Proposal: Flatpaks without Modules (System-Wide Change)

This proposal has now been submitted to FESCo for voting https://pagure.io/fesco/issue/3005

[USN-6126-1] libvirt vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6126-1
May 31, 2023

libvirt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in libvirt.

Software Description:
- libvirt: Libvirt virtualization toolkit

Details:

It was discovered that libvirt incorrectly handled the nwfilter driver. A
local attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. This issue only affected Ubuntu 22.04
LTS. (CVE-2022-0897)

It was discovered that libvirt incorrectly handled queries for the SR-IOV
PCI device capabilities. A local attacker could possibly use this issue to
cause libvirt to consume resources, leading to a denial of service.
(CVE-2023-2700)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
libvirt-daemon 9.0.0-2ubuntu1.1
libvirt-daemon-system 9.0.0-2ubuntu1.1
libvirt0 9.0.0-2ubuntu1.1

Ubuntu 22.10:
libvirt-daemon 8.6.0-0ubuntu3.2
libvirt-daemon-system 8.6.0-0ubuntu3.2
libvirt0 8.6.0-0ubuntu3.2

Ubuntu 22.04 LTS:
libvirt-daemon 8.0.0-1ubuntu7.5
libvirt-daemon-system 8.0.0-1ubuntu7.5
libvirt0 8.0.0-1ubuntu7.5

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6126-1
CVE-2022-0897, CVE-2023-2700

Package Information:
https://launchpad.net/ubuntu/+source/libvirt/9.0.0-2ubuntu1.1
https://launchpad.net/ubuntu/+source/libvirt/8.6.0-0ubuntu3.2
https://launchpad.net/ubuntu/+source/libvirt/8.0.0-1ubuntu7.5

Tuesday, May 30, 2023

[USN-6125-1] snapd vulnerability

==========================================================================
Ubuntu Security Notice USN-6125-1
May 31, 2023

snapd vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

An intended access restriction in snapd could be bypassed by strict mode snaps.

Software Description:
- snapd: Daemon and tooling that enable snap packages

Details:

It was discovered that the snap sandbox did not restrict the use of the
ioctl system call with a TIOCLINUX request. This could be exploited by a
malicious snap to inject commands into the controlling terminal which would
then be executed outside of the snap sandbox once the snap had exited. This
could allow an attacker to execute arbitrary commands outside of the
confined snap sandbox. Note: graphical terminal emulators like xterm,
gnome-terminal and others are not affected - this can only be exploited
when snaps are run on a virtual console.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
snapd 2.59.1+23.04ubuntu1.1

Ubuntu 22.10:
snapd 2.58+22.10.1

Ubuntu 22.04 LTS:
snapd 2.58+22.04.1

Ubuntu 20.04 LTS:
snapd 2.58+20.04.1

Ubuntu 18.04 LTS:
snapd 2.58+18.04.1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
snapd 2.54.3+16.04.0ubuntu0.1~esm6

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6125-1
CVE-2023-1523

Package Information:
https://launchpad.net/ubuntu/+source/snapd/2.59.1+23.04ubuntu1.1
https://launchpad.net/ubuntu/+source/snapd/2.58+22.10.1
https://launchpad.net/ubuntu/+source/snapd/2.58+22.04.1
https://launchpad.net/ubuntu/+source/snapd/2.58+20.04.1
https://launchpad.net/ubuntu/+source/snapd/2.58+18.04.1

[USN-6117-1] Apache Batik vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6117-1
May 30, 2023

batik vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Apache Batik.

Software Description:
- batik: SVG Library

Details:

It was discovered that Apache Batik incorrectly handled certain inputs. An
attacker could possibly use this to perform a cross site request forgery
attack. (CVE-2019-17566, CVE-2020-11987, CVE-2022-38398, CVE-2022-38648)

It was discovered that Apache Batik incorrectly handled Jar URLs in some
situations. A remote attacker could use this issue to access files on the
server. (CVE-2022-40146)

It was discovered that Apache Batik allowed running untrusted Java code from
an SVG. An attacker could use this issue to cause a denial of service,
or possibly execute arbitrary code. (CVE-2022-41704, CVE-2022-42890)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
libbatik-java 1.14-2ubuntu0.1

Ubuntu 22.04 LTS:
libbatik-java 1.14-1ubuntu0.2

Ubuntu 20.04 LTS:
libbatik-java 1.12-1ubuntu0.1

Ubuntu 18.04 LTS:
libbatik-java 1.10-2~18.04.1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libbatik-java 1.8-3ubuntu1+esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
libbatik-java 1.7.ubuntu-8ubuntu2.14.04.3+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6117-1
CVE-2019-17566, CVE-2020-11987, CVE-2022-38398, CVE-2022-38648,
CVE-2022-40146, CVE-2022-41704, CVE-2022-42890

Package Information:
https://launchpad.net/ubuntu/+source/batik/1.14-2ubuntu0.1
https://launchpad.net/ubuntu/+source/batik/1.14-1ubuntu0.2
https://launchpad.net/ubuntu/+source/batik/1.12-1ubuntu0.1
https://launchpad.net/ubuntu/+source/batik/1.10-2~18.04.1

F39 Change Proposal: Aspell Deprecation (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/AspellDeprecation

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==

Deprecating the aspell package because there are better-supported spell
checkers like hunspell/enchant2 which could be used instead. Its
upstream has also seen almost 4 years of no activity.

== Owner ==

* Name: [[User:ljavorsk| Lukas Javorsky]]
* Email: ljavorsk@redhat.com


== Detailed Description ==
Upstream of the aspell package has been inactive for almost 4 years
now. Most of the packages that have been using aspell in the past did
migrate to the supported [https://github.com/hunspell/hunspell
hunspell package] or any other spell checker.

The plan is simple:

1) Deprecate aspell package.

2) Create Bugzilla tracker to request all packages to be migrated to
the hunspell or any other spell checker (let maintainers choose their
preferred one).

3) After all of the packages have been migrated, create a Change to
retire aspell from Fedora

== Feedback ==
Early feedback from the community is located in this
([https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YJWK522SSTYGIILBRC5BFVRAU74TQYHB/
Devel list announce])

== Benefit to Fedora ==

Fedora shouldn't maintain a dead package. This change will ensure
Fedora has relevant and upstreamed packages in its repositories.


== Scope ==
* Proposal owners: Package aspell will be deprecated and the migration
request will be filed as a Bugzilla to all dependent packages

* Other developers: Migrate to hunspell package or any other supported
spellchecker present in Fedora repositories.

* Release engineering: No action required

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives:

== Upgrade/compatibility impact ==
As this is only a deprecation change, nothing will need to be handled
manually. The dependent packages will migrate to hunspell or any other
supported spellchecker present in Fedora repositories.


== How To Test ==


== User Experience ==


== Dependencies ==
List of the packages from Fedora 39

=== Requires ===
repoquery -q --repo=rawhide{,-source} --whatrequires 'aspell*' | grep -v '^aspell' | grep -v 'src$' | pkgname

eiskaltdcpp-qt
enchant-aspell
enchant2-aspell
kf5-sonnet-core
kf5-sonnet-core
moodle
perl-Code-TidyAll
perl-Text-Aspell
php-pspell
qa-tools
recoll
recoll
xedit
xmlcopyeditor
yagf

=== BuildRequires ===
repoquery -q --repo=rawhide{,-source} --whatrequires 'aspell*' | grep -v '^aspell' | grep 'src$' | pkgname

eiskaltdcpp
enchant
enchant2
hunspell-az
hunspell-csb
hunspell-de
hunspell-en
hunspell-fa
hunspell-gv
hunspell-ky
ibus-typing-booster
inkscape
kf5-sonnet
logjam
perl-MouseX-ConfigFromFile
perl-MouseX-Types-Path-Class
perl-Text-Aspell
perl-Text-SpellChecker
PHP
recoll
tin
xmlcopyeditor
yagf

== Contingency Plan ==

* Contingency mechanism: No contingency mechanism is required for deprecation.
* Contingency deadline: Beta freeze
* Blocks release? No

''NOTE: If we don't finish this change by the deadline, it is possible
to just complete this change with the next release.''

== Documentation ==


== Release Notes ==



--
Aoife Moloney
Product Owner
Community Platform Engineering Team
Red Hat EMEA
Communications House
Cork Road
Waterford

F39 Change Proposal: Automatic Cloud Reboot on Updates (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/Automatic_Cloud_Reboot_On_Updates

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Cloud users can provide cloud-init metadata when creating a Fedora
cloud instance and that metadata can contain instructions to update
all packages on the system and reboot the system if any of those
updated packages need a reboot to go into effect. Fedora cloud
instances should write the `/var/run/reboot-required` file if a reboot
is needed after a dnf update so that cloud-init can reboot the
instance.

This issue originally surfaced in
[https://bugzilla.redhat.com/show_bug.cgi?id=1275409 RHBZ 1275409].

== Owner ==

* Name: [[User:mhayden| Major Hayden]]
* Email: major@redhat.com



== Detailed Description ==

Fedora cloud instances use cloud-init to do the initial configuration
of the instance. This includes setting up networking, assigning a
hostname, adding users/groups, and arbitrary scripts. There are also
two options that you can pass to cloud-init that are important for
this change:

* `package_update`: If set to `true`, all installed packages are
immediately updated on first boot
* `package_reboot_if_required`: If set to `true`, and the
`package_update` step wrote to `/var/run/reboot-required`, reboot the
system immediately after updating packages

📚 For more details, see cloud-init's module reference for
`[https://cloudinit.readthedocs.io/en/latest/reference/modules.html#package-update-upgrade-install
package_update]`.

🚨 '''WAIT A MOMENT. ARE WE TALKING ABOUT REBOOTING EVERY CLOUD
INSTANCE ON BOOT?''' 🚨 No! This change would require all three of
these things to happen before a reboot occurs:

* User provides `package_update: true` on instance creation
* '''AND''' user provides `package_reboot_if_required: true` on
instance creation
* '''AND''' `tracer` notices that at least one of the packages needs a
reboot to go into effect

🤔 '''Where does this `/var/run/reboot-required` file come from?''' On
Debian and Ubuntu systems, `apt` automatically writes to
`/var/run/reboot-required` if a reboot is needed after a package
update. From there, `cloud-init` looks for the file
([https://github.com/canonical/cloud-init/blob/6d09df5e4786a2a6c79d6098ab413c93b205221c/cloudinit/config/cc_package_update_upgrade_install.py#L119-L134
relevant cloud-init code]) and if present, reboots the system
immediately.

✏️ '''How do we write this file on Fedora?''' Fedora systems have a
package called `tracer` and a corresponding dnf plugin,
`python3-dnf-plugin-tracer`, that analyzes `dnf` updates and provides
recommendations on reboots or user logouts to bring updates into
effect on the system. A recent
[https://github.com/FrostyX/tracer/pull/196 pull request] added
support for writing the `/var/run/reboot-required` file when a system
reboot is recommended. The `cloud-init` tool can read this file after
a package update and reboot if needed.

🔎 '''What does `tracer`'s output look like?'''

[root@tracer-testing ~]# tracer
You should restart:
  * Some applications using:
      sudo systemctl restart NetworkManager
      sudo systemctl restart auditd
      sudo systemctl restart chronyd
      sudo systemctl restart dbus-broker
      sudo systemctl restart qemu-guest-agent
      sudo systemctl restart sshd
      sudo systemctl restart systemd-journald
      sudo systemctl restart systemd-logind
      sudo systemctl restart systemd-oomd
      sudo systemctl restart systemd-resolved
      sudo systemctl restart systemd-udevd
      sudo systemctl restart systemd-userdbd

  * These applications manually:
      (sd-pam)

Additionally, there are:
  - 3 processes requiring restart of your session (i.e. Logging out & Logging in again)
  - 1 processes requiring reboot
[root@tracer-testing ~]# cat /var/run/reboot-required
Tracer says reboot is required
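As an added illustration (not tracer's or cloud-init's own code), this Python mirrors the flow the proposal describes: parse the tracer report quoted above, write the reboot marker only when tracer counts a process that needs a full reboot (a service restart alone must not trigger one), and apply cloud-init's three-condition check. It assumes tracer's human-readable layout as quoted, and uses a scratch marker path instead of `/var/run/reboot-required`; the real dnf plugin writes that file itself.

```python
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample: the tracer output quoted in the proposal, re-typed as
# test input (assumed layout; not captured from a live Fedora system).
SAMPLE_TRACER_OUTPUT = """\
You should restart:
  * Some applications using:
      sudo systemctl restart NetworkManager
      sudo systemctl restart auditd
      sudo systemctl restart chronyd
      sudo systemctl restart dbus-broker
      sudo systemctl restart qemu-guest-agent
      sudo systemctl restart sshd
      sudo systemctl restart systemd-journald
      sudo systemctl restart systemd-logind
      sudo systemctl restart systemd-oomd
      sudo systemctl restart systemd-resolved
      sudo systemctl restart systemd-udevd
      sudo systemctl restart systemd-userdbd

  * These applications manually:
      (sd-pam)

Additionally, there are:
  - 3 processes requiring restart of your session (i.e. Logging out & Logging in again)
  - 1 processes requiring reboot
"""

@dataclass
class TracerReport:
    services: list[str] = field(default_factory=list)  # systemd units to restart
    manual: list[str] = field(default_factory=list)    # processes to restart by hand
    session_restarts: int = 0                          # processes needing logout/login
    reboots: int = 0                                   # processes needing a full reboot

    @property
    def reboot_required(self) -> bool:
        return self.reboots > 0

_SERVICE_RE = re.compile(r"^\s*sudo systemctl restart (\S+)\s*$")
_SESSION_RE = re.compile(r"^\s*-\s*(\d+) processes? requiring restart of your session")
_REBOOT_RE = re.compile(r"^\s*-\s*(\d+) processes? requiring reboot")

def parse_tracer_output(text: str) -> TracerReport:
    """Walk tracer's report section by section and collect its recommendations."""
    report = TracerReport()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("* Some applications using:"):
            section = "services"
        elif stripped.startswith("* These applications manually:"):
            section = "manual"
        elif stripped.startswith("Additionally"):
            section = "additional"
        elif section == "services" and (m := _SERVICE_RE.match(line)):
            report.services.append(m.group(1))
        elif section == "manual":
            report.manual.append(stripped)
        elif section == "additional" and (m := _SESSION_RE.match(line)):
            report.session_restarts = int(m.group(1))
        elif section == "additional" and (m := _REBOOT_RE.match(line)):
            report.reboots = int(m.group(1))
    return report

def mark_reboot_required(report: TracerReport, marker: Path) -> bool:
    """Write the marker cloud-init looks for, only when a reboot is really needed.
    Returns True if the file was written."""
    if not report.reboot_required:
        return False
    marker.write_text("Tracer says reboot is required\n")
    return True

def cloud_init_should_reboot(user_data: dict, marker: Path) -> bool:
    """All three conditions listed in the proposal must hold before a reboot."""
    return (bool(user_data.get("package_update"))
            and bool(user_data.get("package_reboot_if_required"))
            and marker.exists())

def simulate_first_boot(tracer_output: str, user_data: dict) -> tuple[bool, bool]:
    """Run the whole flow against a scratch marker path instead of /var/run.
    Returns (marker_written, cloud_init_would_reboot)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp) / "reboot-required"
        written = mark_reboot_required(parse_tracer_output(tracer_output), marker)
        return written, cloud_init_should_reboot(user_data, marker)
```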

📋 '''What do we need to do?''' Add the `python3-dnf-plugin-tracer`
plugin to Fedora cloud images. No additional configuration is
necessary. This action pulls in five packages that are about 2.1MB
after installation:

=======================================================================================
 Package                            Arch    Version        Repository  Size
=======================================================================================
Installing:
 python3-dnf-plugin-tracer          noarch  4.1.0-1.fc38   fedora       14 k
Installing dependencies:
 python3-dnf-plugins-extras-common  noarch  4.1.0-1.fc38   fedora       69 k
 python3-psutil                     x86_64  5.9.2-2.fc38   fedora      271 k
 python3-tracer                     noarch  0.7.8-5.fc38   fedora      172 k
 tracer-common                      noarch  0.7.8-5.fc38   fedora       22 k

Transaction Summary
=======================================================================================
Install  5 Packages

Total download size: 547 k
Installed size: 2.1 M

== Feedback ==

One of the other ideas was to patch `cloud-init` to run `tracer`
directly and avoid the `/var/run/reboot-required` file altogether.
That would require a lot of work upstream in `cloud-init` to enable
the functionality and we would still need the same set of packages
installed in Fedora anyway. 🥵

== Benefit to Fedora ==

This change allows Fedora cloud instances to behave in the same way
that Debian-based instances already behave. When users request package
updates with a reboot now, `cloud-init` performs the update but never
reboots the system. This is an unexpected and confusing result for
users who come to Fedora from other distributions.

Rebooting automatically could also reduce the attack surface of an
instance that just came online since it would immediately reboot to
put all package updates into effect on the system. This reduces the
time that an unpatched instance is online prior to being fully
patched.

== Scope ==
* Proposal owners: This change is fairly isolated and only affects
Fedora cloud users who request package updates followed by a reboot in
their `cloud-init` metadata.

* Other developers: N/A

* Release engineering: N/A

* Policies and guidelines: N/A

* Trademark approval: N/A

* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==

Since this change only applies to `cloud-init` on the very first boot
of the instance, this wouldn't affect a user upgrading from one
version of Fedora to the next.

== How To Test ==

# Ensure you have a cloud image that has an update that needs a reboot
(kernel, openssl, etc)
# Boot an instance with the following `cloud-init` user data:

#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true

# Wait for the package updates to finish on the instance and verify
that it rebooted after updating

== User Experience ==

First, if a user never uses the `package_upgrade` and
`package_reboot_if_required` options in their `cloud-init` user data,
they won't be affected by this change. These options are not enabled
in `cloud-init` by default.

If a user does enable both of these options, they will see their cloud
instance come online, apply updates, and reboot if required. Most
cloud providers have very fast reboots, so the delay should not be a
problem.

== Dependencies ==

Nothing depends on this change.

== Contingency Plan ==

* Contingency mechanism: Push to Fedora 40 if the work cannot be done in time
* Contingency deadline: N/A
* Blocks release? N/A

== Documentation ==

Guidance for users in a blog post (Fedora Magazine) could be helpful
for this change. Many users might not be aware that they had the
option to ask for package updates and reboots via `cloud-init` for
their Fedora cloud instances.

== Release Notes ==

Fedora cloud instances now automatically reboot when a user requests
package updates followed by a reboot on the first boot of the
instance. The reboot only occurs if an updated package requires a
reboot to go into effect (such as a kernel or critical system
library).


Re: F39 Change Proposal: Build JDKs once, repack everywhere (System-Wide Change)


On Tue, May 30, 2023 at 7:37 PM Aoife Moloney <amoloney@redhat.com> wrote:
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==

This is the last step in the
https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs
effort. JDKs in Fedora are already static, and we repack the portable
tarball into RPMs. Currently, the portable tarball is built for each
Fedora and EPEL version. The goal here is to build each JDK
(8, 11, 17, 21, latest (20)) only once, in the oldest live Fedora xor EPEL, and
repack it in all live Fedoras.

== Owner ==

* Name: [[User:jvanek| Jiri Vanek]]
* Email: jvanek@redhat.com


== Detailed Description ==

As described in
https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs ,
during the last year the packaging of JDKs has changed dramatically, as
described on the same wiki page and in the individual sub-changes and devel
threads, with this primary reason - to lower maintenance and still
keep Fedora Java friendly.

* In the first system-wide change, we changed JDKs to build properly
as a standalone, portable JDK - the way JDK is supposed to be built. I
repeat, we spent ten years patching JDK to become properly dynamic
against system libs, and all patches went upstream, but it became a
fight which cannot be won.

* As a second step we introduced portable RPMs, which do not have any
system integration, only build JDK and pack the final tarball in an RPM for
free use.

* In the third step - without any noise, just verified with FESCo -
https://pagure.io/fesco/issue/2907 - we stopped building JDK in fully
integrated RPMs. Instead, the normal RPMs BuildRequire the portable
RPMs and just unpack and repack them.

Now the last step is ahead - to build the portable LTS JDKs 8, 11, 17 and 21 in the
oldest live Fedora, and repack everywhere. java-latest-openjdk, which
contains the latest STS JDK - currently 20, soon briefly 21 and a bit
later 22... - should be built in the latest live EPEL - epel8 now. We have
verified that such repacked JDKs work fine.

== Feedback ==


== Benefit to Fedora ==

Java maintainers will finally have some free time... No kidding -
maintenance and *certification* of so many supported JDKs on so many
Fedora versions is brutal. By building once and repacking, we will
regain cycles to continue supporting Fedora with all LTS and one STS
Javas.

If we fail to build once and repack everywhere, Java maintainers will
most likely need to lower the number of JDKs in Fedora to the system one
only.

== Scope ==

* Proposal owners: Technically all JDKs (except 8, where some more
tuning is needed, and EPELs for java-latest) are prepared, as they
have a portable version, and the RPMs just repack it. Except for tuning up
JDK 8 and EPEL for latest, scope owners are done.


* Other developers: Significant support will be needed from RCM
and maybe senior Fedora leadership to help finish the build in the
oldest and enable repacking everywhere.


* '''Release engineering: [https://pagure.io/releng/issue/11438
#11438]''' Significant support will be needed from RCM, where
I'm actually unsure what they will have to do to enable this. The mass
rebuild will not be needed.


* Policies and guidelines: AFAIK none (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Community Initiatives: All supported JDKs will remain
in Fedora in the highest possible quality with full QA and certification,
and their packagers will not lose their minds. Note that QA will still
run on all live Fedoras, not only on the builder one.


== Upgrade/compatibility impact ==

The change should be completely transparent to any user.


== How To Test ==

`sudo dnf update/install "java*"` will install the expected set of working packages.


== User Experience ==

The change should be absolutely transparent to any user.


== Dependencies ==

To finish this we will need heavy support from RCM, and maybe others.
Although there are precedents with such packages, they all bite. From
the SW point of view, the dependency chain is `normal RPMs build requires
portable RPMs` and that's all.


== Contingency Plan ==

* Contingency mechanism: It should be straightforward to revert back
to building per OS
* Contingency deadline: N/A
* Blocks release? No. The change can be introduced even on the fly to
live distributions.

== Documentation ==

N/A (not a System Wide Change)

== Release Notes ==



--
Aoife Moloney

Product Owner

Community Platform Engineering Team

Red Hat EMEA

Communications House

Cork Road

Waterford



[USN-6122-1] Linux kernel (OEM) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6122-1
May 30, 2023

linux-oem-6.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-6.1: Linux kernel for OEM systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2023-2612)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-6.1.0-1013-oem 6.1.0-1013.13
linux-image-oem-22.04c 6.1.0.1013.13

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6122-1
CVE-2023-2612, CVE-2023-32233

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1013.13

[USN-6123-1] Linux kernel (OEM) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6123-1
May 30, 2023

linux-oem-6.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-6.0: Linux kernel for OEM systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers
in certain situations. An attacker in a guest VM could use this to cause a
denial of service (guest crash). (CVE-2023-30456)

It was discovered that the Xircom PCMCIA network device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2023-1670)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2023-2612)

It was discovered that the NTFS file system implementation in the Linux
kernel did not properly handle a loop termination condition, leading to an
out-of-bounds read vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly expose sensitive
information. (CVE-2023-26606)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-6.0.0-1017-oem 6.0.0-1017.17
linux-image-oem-22.04b 6.0.0.1017.17

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6123-1
CVE-2023-1670, CVE-2023-2612, CVE-2023-26606, CVE-2023-30456,
CVE-2023-32233

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1017.17

[USN-6124-1] Linux kernel (OEM) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6124-1
May 30, 2023

linux-oem-5.17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-5.17: Linux kernel for OEM systems

Details:

Patryk Sondej and Piotr Krysiuk discovered that a race condition existed in
the netfilter subsystem of the Linux kernel when processing batch requests,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-32233)

Reima Ishii discovered that the nested KVM implementation for Intel x86
processors in the Linux kernel did not properly validate control registers
in certain situations. An attacker in a guest VM could use this to cause a
denial of service (guest crash). (CVE-2023-30456)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-3586)

It was discovered that the Intel i915 graphics driver in the Linux kernel
did not perform a GPU TLB flush in some situations. A local attacker could
use this to cause a denial of service or possibly execute arbitrary code.
(CVE-2022-4139)

It was discovered that the Xircom PCMCIA network device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2023-1670)

Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu
Linux kernel contained a race condition when handling inode locking in some
situations. A local attacker could use this to cause a denial of service
(kernel deadlock). (CVE-2023-2612)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-5.17.0-1032-oem 5.17.0-1032.33
linux-image-oem-22.04 5.17.0.1032.30
linux-image-oem-22.04a 5.17.0.1032.30

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6124-1
CVE-2022-3586, CVE-2022-4139, CVE-2023-1670, CVE-2023-2612,
CVE-2023-30456, CVE-2023-32233

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1032.33

[USN-6121-1] Nanopb vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6121-1
May 30, 2023

nanopb vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Nanopb.

Software Description:
- nanopb: Protocol Buffers with small code size

Details:

It was discovered that Nanopb incorrectly handled certain decode messages.
An attacker could possibly use this to cause a denial of service or expose
sensitive information. (CVE-2020-26243)

It was discovered that Nanopb incorrectly handled certain decode messages.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code. (CVE-2021-21401)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
nanopb 0.4.1-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6121-1
CVE-2020-26243, CVE-2021-21401

[USN-6120-1] SpiderMonkey vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6120-1
May 30, 2023

mozjs102 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in SpiderMonkey.

Software Description:
- mozjs102: SpiderMonkey JavaScript library

Details:

Several security issues were discovered in the SpiderMonkey JavaScript
library. If a user were tricked into opening malicious JavaScript
applications or processing malformed data, a remote attacker could exploit
a variety of issues related to JavaScript security, including denial of
service attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
libmozjs-102-0 102.11.0-0ubuntu0.23.04.1

Ubuntu 22.10:
libmozjs-102-0 102.11.0-0ubuntu0.22.10.1

Ubuntu 22.04 LTS:
libmozjs-102-0 102.11.0-0ubuntu0.22.04.1

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6120-1
CVE-2023-25735, CVE-2023-25739, CVE-2023-25751, CVE-2023-29535,
CVE-2023-29536, CVE-2023-29548, CVE-2023-29550, CVE-2023-32211,
CVE-2023-32215

Package Information:
https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/mozjs102/102.11.0-0ubuntu0.22.04.1

[USN-6119-1] OpenSSL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6119-1
May 30, 2023

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Matt Caswell discovered that OpenSSL incorrectly handled certain ASN.1
object identifiers. A remote attacker could possibly use this issue to
cause OpenSSL to consume resources, resulting in a denial of service.
(CVE-2023-2650)

Anton Romanov discovered that OpenSSL incorrectly handled AES-XTS cipher
decryption on 64-bit ARM platforms. An attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only affected Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04.
(CVE-2023-1255)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
libssl3 3.0.8-1ubuntu1.2

Ubuntu 22.10:
libssl3 3.0.5-2ubuntu2.3

Ubuntu 22.04 LTS:
libssl3 3.0.2-0ubuntu1.10

Ubuntu 20.04 LTS:
libssl1.1 1.1.1f-1ubuntu2.19

Ubuntu 18.04 LTS:
libssl1.0.0 1.0.2n-1ubuntu5.13
libssl1.1 1.1.1-1ubuntu2.1~18.04.23

After a standard system update you need to reboot your computer to make all
the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6119-1
CVE-2023-1255, CVE-2023-2650

Package Information:
https://launchpad.net/ubuntu/+source/openssl/3.0.8-1ubuntu1.2
https://launchpad.net/ubuntu/+source/openssl/3.0.5-2ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.10
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.19
https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.23
https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.13

[USN-6118-1] Linux kernel (Oracle) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6118-1
May 30, 2023

linux-oracle, linux-oracle-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Zheng Wang discovered that the Intel i915 graphics driver in the Linux
kernel did not properly handle certain error conditions, leading to a
double-free. A local attacker could possibly use this to cause a denial of
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did
not properly implement speculative execution barriers in usercopy functions
in certain situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a
type confusion vulnerability in some situations. A local attacker could use
this to cause a denial of service (system crash) or possibly expose
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol
implementation in the Linux kernel contained a type confusion vulnerability
in some situations. An attacker could use this to cause a denial of service
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel
did not properly initialize some data structures. A local attacker could
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that a use-after-free vulnerability existed in the iSCSI
TCP implementation in the Linux kernel. A local attacker could possibly use
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux
kernel contained a race condition in some situations, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared
receiver/transceiver driver in the Linux kernel, leading to a use-after-
free vulnerability. A privileged attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.4.0-1101-oracle 5.4.0-1101.110
linux-image-oracle-lts-20.04 5.4.0.1101.94

Ubuntu 18.04 LTS:
linux-image-5.4.0-1101-oracle 5.4.0-1101.110~18.04.1
linux-image-oracle 5.4.0.1101.110~18.04.73

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6118-1
CVE-2022-3707, CVE-2023-0459, CVE-2023-1075, CVE-2023-1078,
CVE-2023-1118, CVE-2023-1513, CVE-2023-2162, CVE-2023-32269

Package Information:
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1101.110
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1101.110~18.04.1

[USN-6115-1] TeX Live vulnerability

==========================================================================
Ubuntu Security Notice USN-6115-1
May 30, 2023

texlive-bin vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

LuaTeX (TeX Live) could be made to run programs as your login if it
compiled a specially crafted TeX file.

Software Description:
- texlive-bin: Binaries for TeX Live

Details:

Max Chernoff discovered that LuaTeX (TeX Live) did not properly disable
shell escape. An attacker could possibly use this issue to execute
arbitrary shell commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
texlive-binaries 2022.20220321.62855-5ubuntu0.1

Ubuntu 22.10:
texlive-binaries 2022.20220321.62855-4ubuntu0.1

Ubuntu 22.04 LTS:
texlive-binaries 2021.20210626.59705-1ubuntu0.1

Ubuntu 20.04 LTS:
texlive-binaries 2019.20190605.51237-3ubuntu0.1

Ubuntu 18.04 LTS:
texlive-binaries 2017.20170613.44572-8ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6115-1
CVE-2023-32700

Package Information:
https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-5ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2022.20220321.62855-4ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2021.20210626.59705-1ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2019.20190605.51237-3ubuntu0.1
https://launchpad.net/ubuntu/+source/texlive-bin/2017.20170613.44572-8ubuntu0.2

[USN-6116-1] hawk vulnerability

==========================================================================
Ubuntu Security Notice USN-6116-1
May 30, 2023

node-hawk vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

hawk could be made to crash if it opened a specially crafted file.

Software Description:
- node-hawk: HTTP Holder-Of-Key Authentication Scheme

Details:

It was discovered that hawk incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
node-hawk 8.0.1+dfsg-1ubuntu0.22.10.1

Ubuntu 22.04 LTS:
node-hawk 8.0.1+dfsg-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:
node-hawk 7.1.2+dfsg-1ubuntu0.1

Ubuntu 18.04 LTS:
node-hawk 6.0.1+dfsg-1+deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6116-1
CVE-2022-29167

Package Information:
https://launchpad.net/ubuntu/+source/node-hawk/8.0.1+dfsg-1ubuntu0.22.10.1
https://launchpad.net/ubuntu/+source/node-hawk/8.0.1+dfsg-1ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/node-hawk/7.1.2+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/node-hawk/6.0.1+dfsg-1+deb10u1build0.18.04.1

[USN-6114-1] nth-check vulnerability

==========================================================================
Ubuntu Security Notice USN-6114-1
May 30, 2023

node-nth-check vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

nth-check could be made to crash if it opened a specially crafted file.

Software Description:
- node-nth-check: Parses and compiles CSS nth-checks to highly optimized functions.

Details:

Yeting Li discovered that nth-check incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
node-nth-check 1.0.1-1+deb10u1build0.20.04.1

Ubuntu 18.04 LTS:
node-nth-check 1.0.1-1+deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6114-1
CVE-2021-3803

Package Information:
https://launchpad.net/ubuntu/+source/node-nth-check/1.0.1-1+deb10u1build0.20.04.1
https://launchpad.net/ubuntu/+source/node-nth-check/1.0.1-1+deb10u1build0.18.04.1

[USN-6113-1] Jhead vulnerability

==========================================================================
Ubuntu Security Notice USN-6113-1
May 30, 2023

Jhead vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Jhead could be made to crash if it opened a specially crafted
file.

Software Description:
- jhead: Manipulate the non-image part of Exif compliant JPEG files

Details:

It was discovered that Jhead did not properly handle certain crafted images
while processing the Exif markers. An attacker could possibly use this
issue to crash Jhead, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
jhead 1:3.00-4+deb9u1ubuntu0.1~esm4

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
jhead 1:2.97-1+deb8u2ubuntu0.1~esm4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6113-1
CVE-2018-6612

Monday, May 29, 2023

Planned Outage - koji database - 2023-06-01 14:30 UTC

There will be an outage starting at 2023-06-01 14:30 UTC,
which will last approximately 8 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2023-06-01 14:30UTC'

Reason for outage:

We will be moving the koji buildsystem database (and the virthost it runs on)
to RHEL9 and postgresql 15 (from RHEL8 and postgresql 12).
This outage will happen while the outage of s390x builders is occurring, to
consolidate outages. During the outage window koji will be unavailable
and builds will not be possible. After this outage is over, the s390x
builder outage may still be ongoing, so archful builds may still not
complete until that outage is over.

Affected Services:

koji.fedoraproject.org

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/11350

Please join #fedora-admin or #fedora-noc on irc.libera.chat
or add comments to the ticket for this outage above.

Planned Outage - wiki upgrade - 2023-05-31 21:00 UTC

There will be an outage starting at 2023-05-31 21:00 UTC
which will last approximately 3 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2023-05-31 21:00UTC'

Reason for outage:

We will be upgrading our wiki and its database server along with the virthosts they are hosted on.

Affected Services:

wiki will be unavailable during most of the outage.

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/11349

Please join #fedora-admin or #fedora-noc on irc.libera.chat
or add comments to the ticket for this outage above.

[USN-6112-1] Perl vulnerability

==========================================================================
Ubuntu Security Notice USN-6112-1
May 29, 2023

perl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Perl could be made to install modules from untrusted sources.

Software Description:
- perl: Practical Extraction and Report Language

Details:

It was discovered that Perl was not properly verifying TLS certificates
when using CPAN together with HTTP::Tiny to download modules over HTTPS.
If a remote attacker were able to intercept communications, this flaw
could potentially be used to install altered modules.
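
The weak and the corrected client settings side by side, as an added illustration that is not code from the notice, from CPAN.pm or from HTTP::Tiny. It assumes that passing verify_SSL => 1 to HTTP::Tiny is the mitigation (the notice does not say how the fix works), and the mirror URL is a placeholder.

```perl
#!/usr/bin/perl
# Added example; not code from USN-6112-1, CPAN.pm or HTTP::Tiny.
use strict;
use warnings;
use HTTP::Tiny;

# Weak setting: certificate verification is left to the library default.
# Older HTTP::Tiny releases default verify_SSL to 0, so any certificate
# presented by an interceptor is accepted and the downloaded module is trusted.
my $unverified = HTTP::Tiny->new();

# Corrected setting (assumption: this is the mitigation; the notice does not
# describe the fix): require verification explicitly, independent of whatever
# the installed HTTP::Tiny defaults to.
my $verified = HTTP::Tiny->new(verify_SSL => 1);

# Returns 1 if the client will verify the server certificate, else 0.
# verify_SSL is a documented HTTP::Tiny accessor.
sub verifies_tls {
    my ($client) = @_;
    return $client->verify_SSL ? 1 : 0;
}

for my $pair ([unverified => $unverified], [verified => $verified]) {
    my ($name, $client) = @$pair;
    printf "%-10s verify_SSL=%d\n", $name, verifies_tls($client);
}

# With verification on, a fetch that cannot be validated fails closed:
# HTTP::Tiny reports its internal 599 status instead of handing back
# interceptor-supplied content. The placeholder host below does not resolve
# at all; a certificate that fails validation is reported the same way.
my $res = $verified->get('https://mirror.example.invalid/authors/id/Foo-1.0.tar.gz');
printf "status %s: %s\n", $res->{status}, $res->{content} unless $res->{success};
```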

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  perl                            5.26.1-6ubuntu0.7

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  perl                            5.22.1-9ubuntu0.9+esm2

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
  perl                            5.18.2-2ubuntu1.7+esm5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6112-1
  CVE-2023-31484

Package Information:
  https://launchpad.net/ubuntu/+source/perl/5.26.1-6ubuntu0.7

[USN-6111-1] Flask vulnerability

==========================================================================
Ubuntu Security Notice USN-6111-1
May 29, 2023

flask vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Flask could be made to expose sensitive information in certain scenarios.

Software Description:
- flask: Micro web framework based on Werkzeug and Jinja2

Details:

It was discovered that Flask incorrectly handled certain data responses.
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
python3-flask 2.2.2-2ubuntu1.1

Ubuntu 22.10:
python3-flask 2.0.3-1ubuntu1.1

Ubuntu 22.04 LTS:
python3-flask 2.0.1-2ubuntu1.1

Ubuntu 20.04 LTS:
python3-flask 1.1.1-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6111-1
CVE-2023-30861

Package Information:
https://launchpad.net/ubuntu/+source/flask/2.2.2-2ubuntu1.1
https://launchpad.net/ubuntu/+source/flask/2.0.3-1ubuntu1.1
https://launchpad.net/ubuntu/+source/flask/2.0.1-2ubuntu1.1
https://launchpad.net/ubuntu/+source/flask/1.1.1-2ubuntu0.1

[USN-6005-2] Sudo vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6005-2
May 29, 2023

sudo vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Sudo.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

USN-6005-1 fixed vulnerabilities in Sudo. This update
provides the corresponding updates for Ubuntu 16.04 LTS.

Original advisory details:

 Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly
 escaped control characters in log messages and sudoreplay output. An
 attacker could possibly use these issues to inject terminal control
 characters that alter output when being viewed.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  sudo                            1.8.16-0ubuntu1.10+esm2
  sudo-ldap                       1.8.16-0ubuntu1.10+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6005-2
  https://ubuntu.com/security/notices/USN-6005-1
  CVE-2023-28486, CVE-2023-28487

[USN-6110-1] Jhead vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6110-1
May 29, 2023

Jhead vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Jhead could be made to crash if it opened a specially crafted
file.

Software Description:
- jhead: Manipulate the non-image part of Exif compliant JPEG files

Details:

It was discovered that Jhead did not properly handle certain crafted Canon
images when processing them. An attacker could possibly use this issue to
crash Jhead, resulting in a denial of service. (CVE-2021-3496)

It was discovered that Jhead did not properly handle certain crafted images
when printing Canon-specific information. An attacker could possibly use this
issue to crash Jhead, resulting in a denial of service. (CVE-2021-28275)

It was discovered that Jhead did not properly handle certain crafted images
when removing unknown sections. An attacker could possibly use this issue to
crash Jhead, resulting in a denial of service. (CVE-2021-28275)

Kyle Brown discovered that Jhead did not properly handle certain crafted
images when editing their comments. An attacker could possibly use this to
crash Jhead, resulting in a denial of service. (LP: #2020068)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
jhead 1:3.06.0.1-6ubuntu0.23.04.1

Ubuntu 22.10:
jhead 1:3.06.0.1-2ubuntu0.22.10.2

Ubuntu 22.04 LTS (Available with Ubuntu Pro):
jhead 1:3.06.0.1-2ubuntu0.22.04.1+esm1

Ubuntu 20.04 LTS (Available with Ubuntu Pro):
jhead 1:3.04-1ubuntu0.2+esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
jhead 1:3.00-8~ubuntu0.2+esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
jhead 1:3.00-4+deb9u1ubuntu0.1~esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):
jhead 1:2.97-1+deb8u2ubuntu0.1~esm3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6110-1
CVE-2021-28275, CVE-2021-28277, CVE-2021-3496, https://launchpad.net/bugs/2020068

Package Information:
https://launchpad.net/ubuntu/+source/jhead/1:3.06.0.1-6ubuntu0.23.04.1
https://launchpad.net/ubuntu/+source/jhead/1:3.06.0.1-2ubuntu0.22.10.2

[USN-6097-1] Linux PTP vulnerability

==========================================================================
Ubuntu Security Notice USN-6097-1
May 29, 2023

linuxptp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Linux PTP could be made to crash, run arbitrary code, or expose
sensitive information if it received specially crafted input.

Software Description:
- linuxptp: Precision Time Protocol (PTP, IEEE1588) implementation for Linux

Details:

It was discovered that Linux PTP did not properly perform a length check
when forwarding a PTP message between ports. A remote attacker could
possibly use this issue to access sensitive information, execute
arbitrary code, or cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linuxptp 1.9.2-1ubuntu0.1

Ubuntu 18.04 LTS:
linuxptp 1.8-1ubuntu0.1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
linuxptp 1.6-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6097-1
CVE-2021-3570

Package Information:
https://launchpad.net/ubuntu/+source/linuxptp/1.9.2-1ubuntu0.1
https://launchpad.net/ubuntu/+source/linuxptp/1.8-1ubuntu0.1